7/31/2019 Using Risk Management Frameworks
1/51
Lawrence Lake
Managing Director
Protiviti Inc.
Using Risk Management Frameworks
2003 Protiviti Inc.
What are Risk Management Frameworks and why have them?
What is a Risk Control Matrix, COSO, COBIT, Risk Universe, Key Controls, Critical Controls?
Using them in SOA, ERA or Revenue Cycle
Business risks are greater today than ever
Globalization means increased exposure to international events
Need for efficiencies, innovation and differentiation to compete
We now know the unthinkable can happen
Financial reporting is now a risk area
Application is uneven at companies applying EWRM
We live in unpredictable times
Why is business risk a priority
Points of view from a recent survey
Many executives see an array of ever-increasing business risks
Business risk management practices require improvement
Substantial revisions in business risk management have either been made or will be made
Senior executives want more confidence that all potentially significant risks are identified and managed
Source: FEI survey
Gartner reveals top five business issues
The Gartner Group, based upon interviews and surveys:
Cost constraints
Security of data and privacy
Stakeholder returns
Managing business risk
Innovation
Key indicators of need
Management wants increased confidence that all potentially significant risks are identified and managed
Key decisions are made without a systematic evaluation of risk and reward trade-offs
Risk management isn't integrated with strategic and business planning
Risks are not systematically identified, sourced, measured and managed
Units of the organization are managing similar risks differently
Inability to measure performance on a risk-adjusted basis
Capital investment process requires improvement
Increasing demands for more information relating to risks and internal controls from the board and investors
A common framework will accelerate progress
We need a common language
We need criteria against which to benchmark
Now we can communicate more effectively
Familiarity of concepts is useful
Application guidance is a critical piece
Issuance of a framework is only the beginning
Traditional Risk Universe Framework
Risk Control Matrix
Regulatory Control Example: Written Policies and Procedures (OIG)
Columns: Regulation; Risk Category; Control Description; Program Type; Owner; Control Ranking; Test Plan; Tested (Y/N)

Regulation (both rows): OIG Implementing Written Policies and Procedures. Develop and distribute written standards of conduct, as well as written policies, procedures, and protocols that verbalize the company's commitment to compliance. (section C)

Row 1
Risk Category: Regulatory guidance
Control Description: Vendor commitment to compliance is documented in written code of conduct document.
Program Type: General
Owner: Vendor
Control Ranking: Primary
Test Plan: Obtain copy of vendor compliance documentation (e.g., code of conduct)
Tested (Y/N): (blank)

Row 2
Risk Category: Regulatory guidance
Control Description: Vendor sign off on program contract specifying intention to comply with TAP internal guidelines and code of conduct.
Program Type: General
Owner: Pharmaceutical Manufacture
Control Ranking: Secondary
Test Plan: Review contract with vendor to ensure contract exists specifying requirements and vendor signature occurs
Tested (Y/N): (blank)
Control Levels
Entity-level Controls
Entity-level controls are those controls that management relies upon to establish the appropriate tone at the top relative to financial reporting.
An entity-level assessment for each control entity should be conducted as early as possible in the evaluation process.
Process-Level Controls
Process-level controls are usually directly involved with initiating, recording, processing or reporting transactions.
General IT and Application Controls
General IT controls typically impact a number of individual applications and data in the technology environment.
Application controls relate primarily to the controls programmed within an application that can be relied upon to mitigate business process-level risks.
Control Levels: Examples of Entity-Level Controls
COSO Component: Attributes
Control Environment: Integrity and ethical values; Commitment to competence; Board of Directors or Audit Committee; Management's philosophy and operating style; Organizational structure; Assignment of authority and responsibility; Human resource policies and procedures
Risk Assessment: Entity-wide objectives; Activity-level objectives; Risk identification; Managing change
Control Activities: Policies, procedures, and actions to address risks to achievement of stated objectives
Information and Communication: External and internal information is identified, captured, processed and reported; Effective communication down, across, up the organization
Monitoring: Ongoing monitoring; Separate evaluations; Reporting deficiencies
Application: Address attributes for each COSO component. For each attribute, evaluate appropriate points of focus, as illustrated below for ONE attribute, Human Resource Policies and Procedures.
Points of Focus:
Is there a process for defining the level of competence needed for specific jobs, including the requisite knowledge and skills?
Are there human resource policies and processes for acquiring, recognizing, rewarding, and developing personnel in key positions?
Is the background of prospective employees checked and references obtained?
Are performance expectations clearly defined and reinforced with appropriate performance measures?
Are employee retention, promotion and performance evaluation processes effective?
Is the established code of conduct reinforced and disciplinary action taken when warranted?
Are everyone's control-related responsibilities clearly articulated and carried out?
Source: Section 404 FAQs, Question 40.
Control Types
Manual vs. System-based controls
Manual controls predominantly depend upon the manual execution by one or more individuals.
Automated controls predominantly rely upon programmed applications or IT systems to execute a step or perhaps prevent a transaction from occurring without manual decision or interaction.
There are also system-dependent manual controls, e.g., controls that are manual (comparing one thing to another) but where what is being compared is system-generated and not independently corroborated; therefore, the manual control is dependent on the reliability of system processing.
Preventive vs. Detective controls
Preventive controls, either people-based or systems-based, are designed to prevent errors or omissions from occurring and are generally positioned at the source of the risk within a business process.
Detective controls are processes, either people-based or systems-based, that are designed to detect and correct an error (or fraud) or an omission in a timely manner prior to completion of a stated objective (e.g., beginning the next transaction processing cycle, closing the books, preparing final financial reports, etc.).
Control Reliability
As transaction volumes increase and with increasingly complex calculations, systems-based controls are often more reliable than people-based controls because they are less prone to mistakes than human beings, if designed, operated, maintained and secured effectively.
A shift toward an anticipatory, proactive approach to controlling risk requires greater use of preventive controls than the reactive find-and-fix approach embodied in a detective control.
Effectively designed controls that prevent risk at the source free up people resources to focus on the critical tasks of the business.
Ranking, from MORE RELIABLE/DESIRABLE to LESS RELIABLE/DESIRABLE:
1. Systems-based, preventive control
2. Systems-based, detective control
3. People-based, preventive control
4. People-based, detective control
NOTE: The above framework is intended to apply to process-level controls. It does not always apply at the entity level, e.g., the internal audit function.
What is a Critical Control?
Definitions:
KEY CONTROL: An activity or task performed by management or other personnel designed to provide reasonable assurance regarding the achievement of certain objectives as well as mitigating the risk of an unanticipated outcome. Significant reliance is placed upon this control's effective design and operation. Upon failure of the key control, the risk of occurrence of an undesired activity would not be mitigated regardless of other controls identified. In other words, reasonable assurance of achieving the process objectives could not be obtained.
CRITICAL CONTROL: The FIRST subset of key controls; these controls have a pervasive impact on financial reporting (segregation of duties, system and data access, change controls, physical safeguards, authorizations, input controls, reconciliations, review process, etc.) and have the most direct impact on achieving financial statement assertions. Upon failure of a critical control, the risk of occurrence of an undesired activity would not be mitigated regardless of other controls identified within ANY process. Failure of critical controls would affect the ability of management to achieve not only process objectives, but also the company's financial statement objectives.
Control Types
Primary vs. secondary controls
Primary controls are controls that are especially critical to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions for each significant account balance, class of transactions and disclosure; these are the controls that managers and process owners primarily rely on.
Secondary controls are important to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions, but are not considered critical by management and process owners; while these controls are significant, there are compensating controls that also assist in achieving the assertions.
Controls over routine processes vs. controls over non-routine processes
Controls over routine processes are the manual and automated controls over transactions.
Controls over non-routine processes are the manual and automated controls over estimates and period-end adjustments; these controls often address the greatest risks in the financial reporting process and are most susceptible to management override.
Control Levels: Examples of Common Process-Level Control Activities
Pervasive Process-Level Controls*
Establish and communicate objectives
Authorize and approve
Establish boundaries and limits
Assign key tasks to quality people
Establish accountability for results
Measure performance
Facilitate continuous learning
Segregate incompatible duties
Restrict process system and data access
Create physical safeguards
Implement process/systems change controls
Maintain redundant/backup capabilities
Specific Process-Level Controls**
Obtain prescribed approvals
Establish transaction/document control
Establish processing/transmission control totals
Establish/verify sequencing
Validate against predefined parameters
Test samples/assess process performance
Recalculate computations
Perform reconciliations
Match and compare
Independently analyze results for reasonableness
Independently verify existence
Verify occurrence with counterparties
Report and resolve exceptions
Evaluate reserve requirements
*Controls affecting multiple processes, including entity-level and general IT controls
**Controls specific to a process, including programmed application controls
What is the COSO ERM Framework?
SOA and the COSO Framework
Complying with SOA Section 404 in the Context of the COSO Framework
The COSO Framework is recommended by the SEC as an accepted internal control framework to guide corporate compliance with SOA 404. COSO requires an entity-level (or tone at the top) internal control focus and an activity or process level focus (the right side of the cube), with the three objectives of effectiveness and efficiency of operations (including safeguarding of assets), reliability of financial reporting, and compliance with applicable laws and regulations (across the top of the cube).
Our approach captures the five components of internal control: the control environment, risk assessment, control activities, information/communication, and monitoring.
The COSO ERM Framework
Began over four years ago
COSO concluded a broadly recognized common structure for ERM is needed
Framework developed through input from many sources, including members of the five COSO organizations
Originally authored by PwC
COSO-appointed advisory council provided input and guidance to the process
The COSO ERM Framework
Was initiated in May 2001 before the events leading to The Sarbanes-Oxley Act of 2002
Speaks to many of the issues currently facing organizations:
How does an organization determine the appropriate level of risk for the value it seeks to create for stakeholders?
How does an organization communicate its risk policy to stakeholders?
Final version released September 2004
The COSO ERM Framework
Details essential components and concepts of enterprise risk management for all organizations, regardless of size
Identifies the interrelationships between enterprise risk management and internal control
Is intended to be a comprehensive and holistic approach
Is intended for application across many sectors and organizations
ERM provides a pathway for supporting ongoing compliance AND moving beyond compliance
An enterprise-wide risk assessment process infuses the disclosure process with new risks in a more timely way as they emerge
ERM builds upon the disclosure infrastructure to broaden the focus on transparency beyond financial reporting
ERM instills the discipline needed to continuously improve risk management capabilities
The COSO ERM Framework:
Provides a much needed common language
Illustrates how ERM is built around the Internal Control Integrated Framework
The COSO Framework provides an understanding of the components of ERM
Enterprise Risk Management:
Is a process
Is effected by people
Is applied in strategy setting
Is applied across the enterprise
Is designed to identify potential events
Manages risks with risk appetite
Provides reasonable assurance
Supports achievement of objectives
The ERM cube (figure): eight components (Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring); four objective categories (Strategic, Operations, Reporting, Compliance); four organizational levels (Entity-level, Division, Business Unit, Subsidiary).
Source: COSO proposed ERM Framework
The COSO ERM Framework: Internal Environment
Elements: Risk management philosophy; Risk culture; Board of directors; Integrity and ethical values; Commitment to competence; Management's philosophy and operating style; Risk appetite; Organizational structure; Assignment of authority and responsibility; Human resources policies and practices
Key points:
Reinforces control environment
Adds key risk elements
Source: COSO proposed ERM Framework
The COSO ERM Framework: Objective Setting
Elements: Strategic objectives; Related objectives; Selected objectives; Risk appetite; Risk tolerance
Key points:
Integration with strategic management
Integration with business planning (operations)
Integration with performance measurement
Integration with compliance function
Source: COSO proposed ERM Framework
The COSO ERM Framework: Event Identification
Elements: Events; Factors influencing strategy and objectives; Methodologies and techniques; Event interdependencies; Event categories; Risks and opportunities
Key points:
Focus on objectives
Need a common language
Group into families
Understanding interdependencies is the foundation for model building
Source: COSO proposed ERM Framework
The COSO ERM Framework: Risk Assessment
Elements: Inherent and residual risk; Likelihood and impact; Methodologies and techniques; Correlation
Key points:
Focus on events
Need a common process
Correlations enable more effective measurement
Source: COSO proposed ERM Framework
Prioritize Risks
The COSO ERM Framework: Risk Response
Elements: Identify risk response; Evaluate possible risk responses; Select responses; Portfolio view
Key points:
Several responses available
Choices are strategic and tactical
This makes risk management real to operators
Source: COSO proposed ERM Framework
The COSO ERM Framework: Control Activities
Elements: Integration with risk response; Types of control activities; General controls; Application controls; Entity specific
Key points:
Integral to risk response
Similar to integrated framework
Emphasize preventive and systems-based controls
Source: COSO proposed ERM Framework
The COSO ERM Framework: Information & Communication
Elements: Information; Strategic and integrated systems; Communication
Key points:
Similar to integrated framework but expanded focus
Source: COSO proposed ERM Framework
The COSO ERM Framework: Monitoring
Elements: Separate evaluations; Ongoing evaluations
Key points:
Similar to integrated framework but expanded focus
Source: COSO proposed ERM Framework
The COSO ERM Framework: What's the message?
There are a multitude of possible elements that make up an ERM solution; the COSO framework lists many of these elements
Companies have different objectives, strategies, structure, culture, risk appetite and financial wherewithal -- no two ERM solutions are alike
The specific policies, processes, skillsets, reports, methodologies and systems comprising the elements defining the solution for one company may differ from another company
Companies looking for off-the-shelf ERM solutions are setting themselves up for disappointment in terms of what they find or the results they get
Recognize that ERM is a journey not a destination and requires a change process
Questions along the journey (figure):
Why do we need to begin our journey?
Where are we now?
What are the expected outcomes?
What elements need to be put in place?
How do we get there?
What are the obstacles along the way?
How will we know we are successful?
Achievable Goal
Risk management focus, scope and emphasis are often limited
CURRENT STATE CAPABILITIES -> FUTURE STATE VISION
Risk Management (current state):
Focus: Financial and hazard risks and internal controls
Objective: Preserve enterprise value
Scope: Treasury, insurance and operations involved
Emphasis: Financial and operations
Application: Selected risk areas, units and processes
Business Risk Management:
Focus: Business risk and internal controls
Objective: Preserve enterprise value
Scope: Business managers accountable (risk-by-risk)
Emphasis: Management
Application: Selected risk areas, units and processes
Enterprise Risk Management (future state vision):
Focus: Business risk and internal controls
Objective: Create and preserve enterprise value
Scope: Strategy, people, process, technology and knowledge aligned to manage risk on an enterprise-wide basis
Emphasis: Strategy
Application: Enterprise-wide
Know Your End Game
The Journey can start with SOA
Chart (reconstructed from the slide labels): value contributed plotted against time, with the sustainability of the control structure increasing along the path from required compliance to voluntary ERM.
Stages and drivers:
Section 404 Compliance (Required; Industry: All): Comply with SOA
Section 404 and 302 Integration (Industry: All): Comply with 302 and 404; Implement ongoing compliance structure; Reinforce process owner accountability; Identify areas to address
Other Compliance (Industry: Health care, FSI): Comply with other regulations; Self-Assessment
Operational Effectiveness and Efficiency (Industry: All): Improve quality, cost and time (Improve quality; Reduce costs; Compress time)
Enterprise Risk Management (Voluntary): Protect and enhance enterprise value; Improve governance; Improve risk evaluation; Improve strategy setting; Achieve business objectives
COBIT's Control Framework
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
Promotes process focus and process ownership
Divides IT into 34 processes belonging to four domains and provides a high level control objective for each
Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
Is supported by a set of over 300 detailed control objectives
Four domains: Planning; Acquiring & Implementing; Delivery & Support; Monitoring
Seven information criteria: Effectiveness; Efficiency; Availability; Integrity; Confidentiality; Reliability; Compliance
The CobiT Framework's Principles
Business Requirements -> IT Processes -> IT Resources (figure)
COBIT Cube
Information Criteria
IT Resources: People; Application Systems; Data; Technology; Facilities
IT Processes: Domains; Processes; Activities
Sarbanes-Oxley, COSO and CobiT
Matrix (figure): COSO Components (Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring) against COBIT Objectives (Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate), with Section 302 and Section 404 marked across the matrix.
IT controls should consider the overall governance framework to support the quality and integrity of information.
Competency in all five layers of COSO's framework is necessary to achieve an integrated control program.
Controls in IT are relevant to both financial reporting and disclosure requirements of Sarbanes-Oxley.
Implementing an ERM Framework: What We Need?
Following is an illustrative approach for facilitating a change process
The objective is to craft a future goal state for risk management within the organization and sustain the journey toward realizing that goal
Define and implement the ERM solution (phases): Define Project Scope; Create ERM Vision; Build ERM Business Case; Manage ERM Journey; Continuously Improve ERM Capabilities
Define project scope
Articulate the problem to be solved (the business motivation)
Define project sponsor
Organize working committee of senior executives
Articulate current state
Inventory existing risk management initiatives
Define project scope
Create ERM vision
Define risk management vision, goals and objectives
Define future goal state
Understand the journey elements needed to make the future state happen:
Foundation elements
Process elements
Enhancement elements
Identify the relevant journey elements
Categories of ERM Journey Elements (figure), in order of INCREASING RISK MANAGEMENT CAPABILITIES, from FOUNDATION ELEMENTS through PROCESS ELEMENTS to ENHANCEMENT ELEMENTS:
Adopt common language
Establish oversight and governance
Assess risk and develop strategies
Design/implement capabilities
Continuously improve
Quantify multiple risks enterprise-wide
Improve enterprise performance
Establish sustainable competitive advantage
EWRM Value Proposition
A journey element consists of the processes, people, reports, methodologies, technology, or a combination thereof, integrated within the ERM solution to achieve the expected outcomes specified in the business case
Examples of foundation elements
Adopt common language
Does the company have: A common language for risks and risk management?
Possible journey elements: Risk model; Risk management glossary; Process classification scheme; Other relevant frameworks
Possible expected outcomes: Improved dialogue about risk and its sources, drivers or root causes; More organized process for sharing of information; Increase chances of identifying all key risks; Enable people from multiple disciplines to focus on issues faster
Establish oversight and governance
Does the company have: Overall an effective oversight structure and governance?
Possible journey elements: Overall risk management policy; Top-down communications of risk management direction; Organizational oversight structure, with Board oversight; Risk management oversight committee(s) and management accountability; Designated senior executive responsible for risk management (i.e., a CRO); Integrated risk management and governance processes; Business risk management staff function
Possible expected outcomes: Achieve clarity as to risk management role, purpose and accountabilities; Get things done quicker by executives empowered to act
The company's selected journey elements build COSO ERM components
Matrix (figure): rows are the eight journey elements grouped as FOUNDATION, PROCESS and ENHANCEMENT (Adopt common language; Establish oversight and governance; Assess risk and develop strategies; Design/implement capabilities; Continuously improve; Quantify multiple risks enterprise-wide; Improve enterprise performance; Establish sustainable competitive advantage); columns are the COSO ERM components (Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring). An X marks each component that an element builds (cell markings not reproduced here).
Build ERM business case
Articulate the ERM vision, including the desired journey elements and expected outcomes
Describe the overall effort
Analyze the related costs and benefits and provide the economic justification for going forward
Provide a context for monitoring progress over time
Manage ERM journey
Organize the ERM journey to understand and respond to sponsor expectations, address change issues, manage journey risks/constraints and communicate relevant messages often
Develop journey management plan, laying out the appropriate sequence of elements
Monitor journey performance
Assess journey impact
Manage discrete projects to deliver the journey elements according to the selected priority and appropriate sequence
Continuously improve ERM capabilities
Continuously improve capabilities to move the company up the capability maturity curve