COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework

Book description

Praise for COSO Enterprise Risk Management

"COSO ERM is a thoughtful introduction to the challenges of risk management at the enterprise level and contains a wealth of information on dealing with it through the use of the COSO framework. Detailed procedures covering a wide variety of situations are followed by a thorough explanation of how each is deployed. As a project management professional, I appreciate how the author addresses the need for risk management at a project level. His background as someone who 'practices what they preach' and realizes the impact of the Sarbanes-Oxley auditing rules comes through clearly in the book, and it should be mandatory reading for anyone seeking to understand how to tackle their own ERM issues."
--Greg Gomel, PMP, CQM, CSQE, ITIL, Director, Project Management, Insight North America

"This volume clearly and comprehensively outlines the usefulness of COSO Enterprise Risk Management guidance. It should provide considerable benefit to those having governance responsibilities in this important area."
--Curtis Verschoor, L & Q Research Professor, School of Accountancy and MIS, DePaul University, Chicago

Transform your company's internal control function into a valuable strategic tool

Today's companies are expected to manage a variety of risks that would have been unthinkable a decade ago. More than ever, it is vital to understand the dimensions of risk as well as how to best manage it to gain a competitive advantage. COSO Enterprise Risk Management clearly enables organizations of all types and sizes to understand and better manage their risk environments and make better decisions through use of the COSO ERM framework. A pragmatic guide for integrating ERM with COSO internal controls, this important book:

  • Offers you expert advice on how to carry out internal control responsibilities more efficiently

  • Updates you on the ins and outs of the COSO Report and its emergence as the new platform for understanding all aspects of risk in today's organization

  • Shows you how an effective risk management program, following COSO ERM, can help your organization to better comply with the Sarbanes-Oxley Act

  • Knowledgeably explains how to implement an effective ERM program

COSO Enterprise Risk Management is the invaluable working resource that will show you how to identify risks, avoid pitfalls within your corporation, and keep it moving ahead of the competition.

Table of contents

  1. Copyright
    1. Dedication
  2. Preface
  3. 1. Importance of Enterprise Risk Management Today
    1. COSO Risk Management: How Did We Get Here?
    2. COSO Internal Control Framework
      1. COSO Internal Control Elements
        1. The Control Environment
        2. Control Environment Factors
          1. Integrity and Ethical Values
          2. Commitment to Competence
          3. Board of Directors and Audit Committee
          4. Management’s Philosophy and Operating Style
          5. Organization Structure
          6. Assignment of Authority and Responsibility
          7. Human Resources Policies and Practices
        3. Risk Assessment
      2. Other Components and Activities
    3. COSO Internal Control Framework as a Recognized Standard
    4. Origins of COSO ERM
    5. Notes
  4. 2. Risk Management Fundamentals
    1. Fundamentals: Risk Management Phases
      1. Risk Identification
        1. Brainstorming Approaches
      2. Key Risk Assessments
        1. Probability and Uncertainty
        2. Risk Interdependencies
        3. Risk Ranking
      3. Quantitative Risk Analysis
        1. Expected Values and Response Planning
        2. Risk Monitoring
          1. Risk Monitoring through Process Owner Follow-up
          2. Risk Monitoring through Auditor Follow-up
    2. Other Risk Assessment Techniques
      1. Delphi Method
      2. Monte Carlo Simulation
      3. Decision Tree Analysis
    3. Risk Management Fundamentals Going Forward
    4. Notes
  5. 3. Components of COSO ERM
    1. ERM Definitions and Objectives: A Portfolio View of Risk
    2. COSO ERM Framework Model
      1. Internal Environment
      2. Objective Setting
      3. Event Identification
      4. Risk Assessment
      5. Risk Response
      6. Control Activities
      7. Information and Communication
      8. Monitoring
    3. Other Dimensions of The ERM Framework
    4. Notes
  6. 4. COSO ERM Organizational Objectives
    1. ERM Risk Objective Categories
      1. ERM Strategic Risks
      2. Operations-Level Risks
      3. Reporting Risks
      4. Legal and Regulatory Compliance Risks
        1. Understanding Regulatory Compliance Risks
        2. Organization Legal Risks
    2. COSO ERM Entity- and Unit-level Risks
      1. Risks Encompassing the Entire Organization
      2. Business Unit-Level Risks
    3. Putting It All Together
    4. Notes
  7. 5. Implementing an Effective ERM Program
    1. Roles and Responsibilities of an ERM Function
      1. CRO Responsibilities
      2. Risk Management Enterprise Governance and Oversight
      3. ERM Activity Scope and Review Planning
      4. Risk Management Policies, Standards, and Strategies
      5. Business, IT, and Risk Transfer Processes
        1. General Business Operations Risks
        2. IT General and Application-Specific Risks
        3. Alternative Risk Transfer and Facility-Related Risks
      6. Risk Assessment Reviews and Corrective Action Practices
    2. ERM Communications Approaches
    3. CRO and an Effective Enterprise Risk Management Function
    4. Notes
  8. 6. Integrating ERM with COSO Internal Controls
    1. COSO Internal Controls: Background and Earlier Legislation
      1. Foreign Corrupt Practices Act of 1977
      2. The FCPA Aftermath: What Happened?
      3. Efforts Leading to the Treadway Commission
        1. AICPA and CICA Commissions on Auditor Responsibilities
        2. SEC 1979 Internal Control Reporting Proposal
        3. Minahan Committee and Financial Executives Research Foundation
        4. Earlier AICPA Auditing Standards: SAS No. 55
        5. Treadway Commission Report
    2. COSO Internal Control Framework
      1. COSO Internal Controls Framework Model
        1. COSO Internal Control Elements: The Control Environment
          1. Integrity and Ethical Values
          2. Commitment to Competence
      2. Board of Directors and Audit Committee
      3. Management’s Philosophy and Operating Style
      4. Enterprise Structure
      5. Assignment of Authority and Responsibility
      6. Human Resources Policies and Practices
      7. COSO Internal Control Environment in Perspective
        1. Risk Assessment
        2. Control Activities
        3. Communications and Information
          1. Relationship of Information and Internal Control
          2. Strategic and Integrated Systems
          3. Quality of Information
          4. Communications Aspect of Internal Control
          5. Communications: Internal Components
          6. External Communications
          7. Means and Methods of Communication
        4. COSO Internal Control Elements: Monitoring
          1. Ongoing Monitor Activities
          2. Separate Internal Control Evaluation
          3. Internal Control Evaluation Process
          4. Evaluation Action Plans
          5. Reporting Internal Control Deficiencies
    3. COSO Internal Controls and COSO ERM Compared
    4. Notes
  9. 7. Sarbanes-Oxley and COSO ERM
    1. Sarbanes-Oxley Background
    2. SOx Legislation Overview
      1. Setting the Rules: The Public Company Accounting Oversight Board
      2. Section 404: Management’s Assessment of Internal Controls
        1. Launching the Section 404 Compliance Review: Identifying Key Processes
        2. Launching the Section 404 Review: Organizing the Internal Control Review
        3. Enterprise Risk Management and SOx Section 404 Reviews
      3. Section 302: Corporate Responsibility for Financial Reports
      4. Financial Officer Codes of Ethics
      5. Sarbanes-Oxley: The Other Sections
    3. SOx and COSO ERM
    4. Notes
  10. 8. Importance of ERM in the Corporate Board Room
    1. Board Decisions and Risk Management
    2. Board Organization and Governance Rules
      1. Corporate Charters and the Board Committee Structure
    3. Audit Committee and Managing Risks
    4. Establishing a Board-level Risk Committee
    5. Audit and Risk Committee Coordination
    6. COSO ERM and Corporate Governance
    7. Notes
  11. 9. Role of Internal Audit in ERM
    1. Internal Audit Standards for Evaluating Risk
    2. COSO ERM for More Effective Internal Audit Planning
      1. Using COSO ERM to Build an Annual Audit Plan
      2. Risk Tolerance and Building Internal Audit Plans
      3. Risk-Based Audit Plan: Global Computer Products Example
        1. Identify Auditable Entities within Internal Audit’s Scope and Capabilities
        2. Redefine and Rank Risks
        3. Building an Internal Audit Plan
        4. Execute Plan and Monitor Performance
    3. Risk-based Internal Audit Findings and Recommendations
    4. COSO ERM and Internal Audit
    5. Notes
  12. 10. Understanding Project Management Risks
    1. Project Management Process
      1. PMBOK: Project Management Book of Knowledge
      2. PMBOK: Risk Management for Project Managers
      3. Risk Management Planning
      4. Risk Identification
      5. Project Qualitative Risk Analysis
      6. Project Quantitative Risk Analysis
      7. Project Risk Response Planning
      8. Project Risk Monitoring and Control
    2. Project-related Risks: What Can Go Wrong
    3. Implementing COSO ERM for Project Managers
      1. Embracing Project Management Standards
    4. Establishing a Program Management Office (PMO)
    5. Notes
  13. 11. Information Technology and ERM
    1. IT and the COSO ERM Framework
    2. Application Systems Risks
      1. Application Development and Acquisition Risks
        1. System Development Life Cycles
        2. Purchased Software Application Risks
        3. In-House Developed Software Application Risks
      2. Software and Application Systems Testing
      3. Control and Balancing Procedures
    3. Effective IT Continuity Planning
    4. Worms, Viruses, and System Network Risks
    5. IT and Effective ERM Processes
    6. Notes
  14. 12. Establishing an Effective Risk Culture
    1. First Steps to Launching the Culture—an Example
    2. Promoting the Concept of Enterprise Risk
      1. Defining the Risk Management Philosophy
      2. Translating a Risk Philosophy into a Culture
    3. Building the COSO ERM Culture: Risk-related Education Programs
    4. Keeping the Risk Culture Current
    5. Notes
  15. 13. ERM Worldwide
    1. ERM “Standards” versus an ERM Framework
      1. Risk Management Guidelines in Australia and New Zealand
      2. Canadian Risk Management Guidelines
      3. British Risk Management Standards
      4. Beyond the United Kingdom: The FERMA Risk Management Standards
    2. ERM and ISO
      1. Impacts and Influences of International Accounting Standards
    3. Convergence of Risk Management Standards and Practices
    4. Notes
  16. 14. COSO ERM Going Forward
    1. Future Prospect for COSO ERM
    2. COSO ERM and ISO
    3. Learning More About Risk Management
    4. ERM: New Professional Opportunities
    5. Notes

Product information

  • Title: COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework
  • Author(s): Robert Moeller
  • Release date: April 2007
  • Publisher(s): Wiley
  • ISBN: 9780471741152