Thought Leadership In ERM - COSO


Committee of Sponsoring Organizations of the Treadway Commission

Thought Leadership in ERM

Developing Key Risk Indicators to Strengthen Enterprise Risk Management

How Key Risk Indicators can Sharpen Focus on Emerging Risks

By Mark S. Beasley, Bruce C. Branson, Bonnie V. Hancock

Authors

ERM Initiative at North Carolina State University

Mark S. Beasley, Deloitte Professor of Enterprise Risk Management
Bruce C. Branson, Associate Director, ERM Initiative
Bonnie V. Hancock, Executive Director, ERM Initiative

The ERM Initiative at North Carolina State University is pioneering thought-leadership about the emergent discipline of enterprise risk management, with a particular focus on the integration of ERM in strategy planning and governance. The ERM Initiative conducts outreach to business professionals through executive education and its internet portal (www.erm.ncsu.edu); research, advancing knowledge and understanding of ERM issues; and undergraduate and graduate business education for the next generation of business executives.

COSO Board Members

David L. Landsittel, COSO Chair
Larry E. Rittenberg, COSO Chair - Emeritus
Mark S. Beasley, American Accounting Association
Chuck Landes, American Institute of Certified Public Accountants
Richard F. Chambers, The Institute of Internal Auditors
Jeff Thomson, Institute of Management Accountants
Marie Hollein, Financial Executives International

Preface

This project was commissioned by COSO, which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations. COSO is a private sector initiative, jointly sponsored and funded by the following organizations:

American Accounting Association (AAA)
American Institute of Certified Public Accountants (AICPA)
Financial Executives International (FEI)
Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)

Research Commissioned by Committee of Sponsoring Organizations of the Treadway Commission

December 2010

Copyright 2010, The Committee of Sponsoring Organizations of the Treadway Commission (COSO). All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to copyright@aicpa.org or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC 27707. Telephone inquiries may be directed to 888-777-7707.

Introduction

Boards of directors have become increasingly aware of their responsibilities related to effective oversight of management’s execution of enterprise-wide risk management processes. This is due, in part, to significant external pressures that have developed recently that are thrusting risk management and its oversight to the forefront of many board agendas and management action plans. For example, the New York Stock Exchange in 2004 adopted governance rules that require audit committees of NYSE-listed firms to oversee management’s risk oversight processes. In 2008, Standard & Poor’s began explicitly evaluating an issuer’s enterprise risk management (ERM) processes in seventeen new industries, as an additional component of their credit ratings analysis. In 2009, the Securities and Exchange Commission (SEC) expanded proxy disclosure requirements to increase information for investors about the board’s role in risk oversight. The 2010 Federal Financial Reform legislation now mandates risk committees for boards of financial institutions and other entities overseen by the Federal Reserve.

Many organizations are embracing an enterprise-wide approach to risk oversight known as enterprise risk management (ERM) and executive management teams leading these efforts are turning to frameworks, such as COSO’s 2004 Enterprise Risk Management – Integrated Framework (COSO ERM Framework), to aid them in strengthening their enterprise-wide risk management processes.

COSO’s ERM Framework defines ERM as follows:

Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

As indicated by this definition, ERM provides the opportunity for organizational leaders to achieve a robust and holistic enterprise-wide view of potential events that may affect the achievement of the organization’s objectives. Because risks are constantly evolving as an organization strives to achieve its objectives, there is a high demand for relevant and timely risk information.

Many organizations are seeking to develop a process that provides management and the board of directors with rich information about potential events that may affect the entity, especially top risk exposures, that they can monitor on an ongoing basis. While most organizations monitor numerous key performance indicators (KPIs), often those indicators shed insights about risk events that have already affected the organization. Increasingly, boards and senior executives are looking to develop metrics or indicators to help to better monitor potential future shifts in risk conditions or new emerging risks so that management and boards are able to more proactively identify potential impacts on the organization’s portfolio of risks. Doing so enables management and the board to be in a better position to manage events that may arise in the future on a more timely and strategic basis. This latter type of metric or indicator is frequently referred to as a key risk indicator (KRI).

The purpose of this thought paper is to help management develop effective key risk indicators (KRIs) to heighten board and management enterprise risk awareness in order to increase the effectiveness of an ERM process and improve the execution of an organization’s strategy.

Content Outline

Differentiating Key Performance Indicators from Key Risk Indicators
Developing Effective Key Risk Indicators
KRIs Provide Opportunities for Proactive Strategic Risk Management
Sources of Information When Developing KRIs
KRI Communication and Reporting: Role of the Board, Management, and Risk Owners
The Value Proposition for Key Risk Indicators
Summary Observations
About COSO
About the Authors

Differentiating Key Performance Indicators from Key Risk Indicators

It is important to distinguish key performance indicators (KPIs) from key risk indicators (KRIs). Both management and boards regularly review summary data that include selected KPIs designed to provide a high-level overview of the performance of the organization and its major operating units. These reports often are focused almost exclusively on the historical performance of the organization and its key units and operations. For example, reports often highlight monthly, quarterly, and year-to-date sales trends, customer shipments, delinquencies, and other performance data points relevant to the organization. It is important to recognize that these measures may not provide an adequate “early warning indicator” of a developing risk because they mostly focus on results that have already occurred.

While KPIs are important to the successful management of an organization by identifying underperforming aspects of the enterprise as well as those aspects of the business that merit increased resources and energy, senior management and boards also benefit from a set of KRIs that provide timely leading-indicator information about emerging risks. Measures of events or trigger points that might signal issues developing internally within the operations of the organization or potential risks emerging from external events, such as macroeconomic shifts that affect the demand for the organization’s products or services, may provide rich information for management and boards to consider as they execute the strategies of the organization.

Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. In some instances, they may represent key ratios that management throughout the organization track as indicators of evolving risks, and potential opportunities, which signal the need for actions that need to be taken. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks or opportunities.

An example related to the oversight of accounts receivable collection helps illustrate the difference in KPIs and KRIs. A key performance indicator for customer credit is likely to include data about customer delinquencies and write-offs. This key performance indicator, while important, provides insights about a risk event that has already occurred (e.g., a customer failed to pay in accordance with the sales agreement or contract). A KRI could be developed to help anticipate potential future customer collection issues so that the credit function could be more proactive in addressing customer payment trends before risk events occur. A relevant KRI for this example might be analysis of reported financial results of the company’s 25 largest customers or general collection challenges throughout the industry to see what trends might be emerging among customers that could potentially signal challenges related to collection efforts in future periods.

Objective: Manage the collection of accounts receivable to reduce loss due to write-offs
Key Performance Indicator (KPI): Data about write-offs of accounts in most recent month, quarter, year.
Key Risk Indicator (KRI): Analysis of reported financial results for the company’s 25 largest customers or general collection challenges throughout the industry that highlight trends signaling future collection concerns.

Developing Effective Key Risk Indicators

A goal of developing an effective set of KRIs is to identify relevant metrics that provide useful insights about potential risks that may have an impact on the achievement of the organization’s objectives. Therefore, the selection and design of effective KRIs starts with a firm grasp of organizational objectives and risk-related events that might affect the achievement of those objectives. Linkage of top risks to core strategies helps pinpoint the most relevant information that might serve as an effective leading indicator of an emerging risk.

In the simple illustration below, management has an objective to achieve greater profitability by increasing revenues and decreasing costs. They have identified four strategic initiatives that are critical to accomplishing those objectives. Several potential risks have been identified that may have an impact on one or more of four key strategic initiatives. Mapping key risks to core strategic initiatives puts management in a position to begin identifying the most critical metrics that can serve as leading key risk indicators to help them oversee the execution of core strategic initiatives. As shown below, KRIs have been identified for each critical risk. Mapping KRIs to critical risks and core strategies reduces the likelihood that management becomes distracted by other information that may be less relevant to the achievement of enterprise objectives.

[Figure: Linking Objectives to Strategies to Risks to KRIs. Labels: Profitability (Increase Revenues, Reduce Costs); Strategic Initiatives #1 to #4; Potential Risk; KRI.]

To illustrate further, consider a simple example involving a chain of family-style buffet restaurants. Management is interested in avoiding a negative earnings event that could arise due to unexpected market conditions that might negatively affect revenues. They know that restaurant traffic is directly affected by the availability of customer discretionary income. As discretionary income levels fall off, customers are less likely to dine outside their homes. A key metric that management uses as a leading indicator of potential changes in customer discretionary income levels is average gasoline prices people pay at the pump. Management has determined that when gasoline prices spike (or are expected to rise), discretionary income for individuals and families representing their core customer base decreases. When gas prices rise rapidly or are forecasted to stay at unusually high levels, customer traffic begins to drop.

Management has found that close monitoring of forecasts of per-gallon prices of gas in the chain’s geographic market and trends in oil futures prices help management proactively identify early indicators of potential changes in customer visits. Monitoring these key risk metrics provides management the opportunity to proactively modify sales strategies by adjusting marketing and restaurant promotion events thereby reducing the impact of the risk as discretionary income begins to decline.

Example

A buffet-style restaurant chain monitors gas prices to identify sales and profitability trends that may signal the need for modifications to sales strategies.

Objective: Increase earnings through revenue increases.
Strategic Initiative: Promote premium buffet options to attract additional customers.
Potential Risks: Customer income levels and discretionary income drop and prevent customers from visiting restaurants or from selecting premium buffet options.
Key Risk Indicators: Trends in per gallon gasoline prices in the chain’s geographic markets; trends in oil futures prices.
Strategic Response: Revise marketing to promote more “value” options if gasoline price trends are rising.

An effective method for developing KRIs begins by analyzing a risk event that has affected the organization in the past (or present) and then working backwards to pinpoint intermediate and root cause events that led to the ultimate loss or lost opportunity. The goal is to develop key risk indicators that provide valuable leading indications that risks may be emerging. The closer the KRI is to the ultimate root cause of the risk event, the more likely the KRI will provide management time to proactively take action to respond to the risk event. This process can be depicted visually in the following manner.

[Figure: Leading Indicators of Risk Event. Labels: Root Cause Event (Leading Indicators of Event?); Intermediate Event (Leading Indicators of Event?); Risk Event.]

In this diagram, the passage of time proceeds from a root cause event to (potentially) an intermediate event that ultimately leads to a risk event. In developing a KRI to serve as a leading indicator for potential future occurrences of this risk, it can be helpful to think through the chain of events that led to the loss so that management can uncover the ultimate driver (i.e., root cause(s)) of the risk event.

Management can then use that analysis to identify information associated with the root cause event or intermediate event that might serve as a key risk indicator related to either event. When KRIs for root cause events and intermediate events are monitored, management is in an enviable position to identify early mitigation strategies that can begin to reduce or eliminate the impact associated with an emerging risk event.

As an illustration, let’s assume that management is concerned about the risk that the organization may breach covenants associated with its outstanding debt. In this example, a covenant breach would represent the risk event that is of concern. In developing effective KRIs to help management monitor the risk of default, they may look backwards to identify potential intermediate events that may arise before the organization reaches the point of a covenant breach. For example, an intermediate event preceding a possible covenant breach might involve decreases in sales in recent months (i.e., covenants based on net income or interest coverage). Additionally, shortages of cash or increases in the need for short-term borrowings or draws under existing lines-of-credit may provide early warning signs that a covenant breach may be looming in the near term. Key risk indicators that help monitor these intermediate events put management in a better position to implement potential mitigation strategies, such as earlier discussions with key lenders before an actual covenant breach has occurred.

But, only monitoring KRIs tied to intermediate events allows less time for management to proactively manage the emerging risk event than would be the case if management had access to KRIs related to earlier root cause events that often precede intermediate events. In this example, external data, such as customer industry reports and economic indicators, combined with internal data, such as input pricing trends, labor issues, plant capacity, key staff turnover, among other KRIs may provide useful leading indicators of conditions that may likely initiate events, such as future drops in sales or future cash shortages that will lead to an intermediate event and ultimately to the actual risk event of covenant default. In addition, these key risk indicators may highlight potential opportunities to increase sales or improve operations that management may wish to capture.

The following figure illustrates the linkage of KRIs to both root cause events and intermediate events.

Example: KRIs to Inform About Risk of Debt Covenant Default

Risk Event: Debt covenant breach
Intermediate Event: Leading KRIs might include sales trends, cash on hand, changes in short-term borrowings, etc.
Root Cause Event: Leading KRIs might include customer financial reports, industry reports, economic conditions, pricing trends, labor issues, plant capacity, etc.

KRIs Provide Opportunities for Proactive Strategic Risk Management

A well-designed ERM system provides information that allows management to understand whether key strategic objectives are being met and to identify opportunities to adjust strategies and tactics to take advantage of shifts in the environment that might be exploited for the benefit of the organization and its stakeholders. As illustrated by the figure on the next page, management selects initial strategies at a point in time. As time goes by, the range of uncertainty begins to increase, threatening the successful execution of those strategies.

To help monitor risks that unfold due to that uncertainty, management has identified various KRIs that they are monitoring as they execute the chosen strategic initiatives. In advance, management has pre-determined certain levels or thresholds for each KRI that will trigger actions by management to adjust their strategies proactively to manage the risk accordingly. Once strategies are revised, new KRI trigger points are established with action plans pinpointed in advance.

This strategic use of KRIs increases the likelihood that goals and objectives set by management are achieved due to the fact that risks and the related strategies are managed more proactively when relevant KRIs have been identified.

[Figure: KRIs Facilitate Proactive Management of Emerging Risks. Labels: Initial Strategies; KRIs; Trigger Points; Revise Strategies; Time; Uncertainty Increases with Longer Time Horizons.]

Sources of Information When Developing KRIs

Virtually all organizations possess existing risk metrics that have evolved over time. These metrics should be carefully evaluated for their efficacy and continue to be employed if found to be valuable in highlighting potential emerging risks. Augmenting these existing KRIs with new metrics is likely to be required, however.

The KRI identification process may benefit from subject matter experts within the organization as these individuals may be in the best position to know where stress points (i.e., root cause events and intermediate events) exist in the units they manage or processes they oversee. Their input helps ensure that key risks are not overlooked and that KRIs designed to highlight these risks or trends are most likely to be effective in communicating an early indication of necessary action. One caution to note is that these individuals may be biased towards existing risk metrics already in use, and that they are comfortable with, at the expense of possibly improved measures that require additional analysis and validation before adoption.

Another important element in designing effective KRIs involves the assurance that all parties involved in collecting and aggregating KRI data are clear about definitions of individual data items to be captured and any conversion or standardization methodology to be utilized. Without confidence in the uniformity of the KRI measurement approach, aggregated information will lack robustness and introduce noise into the ultimate decision process. For example, if customer financial conditions are to be captured across business units as a KRI, it will be important to carefully define how that is to be measured. In this scenario, the following questions may need to be addressed. Should all customers be equally weighted? Should customer size/volume of business be a factor? How much time must elapse before a customer is deemed to be in a difficult financial state? Are any customers shared by more than one business unit? If so, which unit makes the determination?

An important element of any KRI is the quality of the available data used to monitor a specific risk. Attention must be paid to the source of the information, either internal to the organization or drawn from an external party. Sources of information are likely to exist that can help inform the choice of KRIs to be employed. For example, internal data may be available related to prior risk events that can be informative about potential future exposures. However, internal data is typically unavailable for many risks—especially those that have not been encountered previously. And, often risks likely to have a significant impact may arise from external sources, such as changes in economic conditions, interest rate shifts, or new regulatory requirements or legislation. Thus, many organizations discover that relevant KRIs are often based on external data, given that many root cause events and intermediate events that affect strategies arise from outside the organization.

External sources such as trade publications and loss registries compiled by independent information providers may be helpful in identifying potential risks not yet experienced by the organization. Discussions with key stakeholders such as customers, employees and suppliers may provide important insights into risks they face that may ultimately create risks for the organization. A careful understanding of regulatory and legal requirements that must be fulfilled is likely to be helpful in anticipating potential risks and events that precede them.

KRI data sourced from external and/or independent parties provides the benefit of objectivity. External/independent parties are not necessarily unaffiliated with the organization, but are removed from the business unit from which the KRI is measured. Almost certainly, trade-offs will be required in this area. Those individuals charged with ongoing management of a particular risk are the least objective source (but at times may be the only available resource for the data required to produce the KRI in question). A careful validation of external sources is desirable to enhance confidence in the ultimate effectiveness of the KRI built from that data.

It is unlikely that a single KRI will adequately capture all facets of a developing risk or risk trend. For this reason, it is helpful to analyze a collection of KRIs simultaneously to help form a better understanding of the risk being monitored. That said, some KRIs are likely to possess superior predictive power over other risk metrics and it will be important to weight each piece of information to reflect its past performance in forecasting a risk event. Some have referred to this process as assembling a mosaic of information that collectively can best provide the early warning of potential threats developing over time. Realistically, substantial judgment and experience must be brought to bear on this process to extract the most meaningful inferences. As the use of KRIs evolves in an organization, opportunities for making these judgments will likely yield improvements in KRI performance.

The following graphic summarizes core elements of well designed KRIs.

- Based on established practices or benchmarks
- Developed consistently across the organization
- Provide an unambiguous and intuitive view of the highlighted risk
- Allow for measurable comparisons across time and business units
- Provide opportunities to assess the performance of risk owners on a timely basis
- Consume resources efficiently

An effective way to get started is to take the top 5-10 most significant risks the organization faces, and charge each risk owner (the person with primary management responsibility for a given risk) with the task of identifying one or two KRIs for their assigned risks. Often, there will be initial confusion as to the difference between key performance indicators that are currently being tracked and KRIs. It will be important to provide an example or two to help the risk owners make this distinction.

In the following table, several KRIs are illustrated for a set of hypothetical risks faced by a regional grocery store chain seeking to grow earnings by adding new stores in the Washington, DC and surrounding areas. The company acquires and develops real estate properties where the grocery store serves as the anchor tenant alongside other smaller retail outlets. Acquisition and development of store properties are contingent on the company’s ability to obtain favorable financing. While these are unique to a particular business context, they nicely portray the goal of developing anticipatory data to actively monitor important risks facing this enterprise.

Example

Regional grocery store chain seeks to grow earnings by adding new stores in Northern Virginia and Washington, DC area.

Risk Events and Sample KRIs to Monitor Risk Proactively

1. Economic downturn in Washington, DC markets affect retail storefront rental demand and real estate values
- Actual and projected retail store occupancy rates in the Washington, DC market
- Commercial real estate rental market information about leasing prices and options for similar quality retail properties in the Washington, DC area.

2. Competition increases in the Washington, DC markets
- Change in number of grocery stores in market area
- Announcements of expansions by big-box retailers and superstores
- Significant and sustained price reductions by grocery competitors in the Washington, DC area

3. Cost of financing too high
- Spreads on debt issuances for comparably rated companies
- Actual and projected interest rates
- Company stock performance and related trends in competitor stock

4. Delays in developing property and opening stores
- Compare actual construction and store opening benchmark dates to pre-determined target dates
- Monitor construction labor union issues, including competing demands for construction labor that might arise due to other major construction projects in Washington, DC area

5. Long term economic downturn results in deteriorating customer base
- Employment outlook for federal government agencies and government supportive businesses
- Forecasts related to unemployment
- Consumer spending trends in Washington, DC area

KRI Communication and Reporting: Role of the Board, Management, and Risk Owners

As is true for the larger goal of implementing an enterprise risk management process in general, the development and implementation of a set of KRIs requires sensitivity to organizational culture and a strong message of the importance of this task from top management and the board of directors. Creating buy-in from those individuals within the organization that have day-to-day management responsibility for various risks will be necessary.

The primary beneficiary of KRIs will be the risk owners themselves. They will have a set of predictive tools that should allow them to better manage their business units to meet goals and objectives set for that unit. Senior management and boards of directors do not need to know, nor are they necessarily in a position to fully appreciate, all KRIs employed within the organization, but th
