COSO ERM FRAMEWORKS

ENTERPRISE RISK MANAGEMENT (ERM)
- concerns the identification and management of events and circumstances that can affect the ability of a firm to achieve its objectives.
- holistic approach
- a coordinated, organization-wide risk management system

BENEFITS (IIIRIE)
1. Increasing the range of opportunities - positive (new opportunities) and negative (unique challenges)
   - maintain revenue from existing customers (preserving value)
   - create additional revenue by appealing to a broader consumer base (creating value).
2. Identifying and managing risk entity-wide
3. Increasing positive outcomes and advantages while reducing negative surprises - improve their ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses, while profiting from advantageous developments
4. Reducing performance variability - allows organizations to anticipate the risks that would affect performance and enables them to put in place the actions needed to minimize disruption and maximize opportunity.
5. Improving resource deployment - in the face of finite resources, to assess overall resource needs, prioritize resource deployment, and enhance resource allocation.
6. Enhancing enterprise resilience - medium- and long-term viability depends on the entity's ability to anticipate and respond to change, not only to survive but also to evolve and thrive

COSO FRAMEWORK (Committee of Sponsoring Organizations of the Treadway Commission)
- a system used to establish internal controls to be integrated into business processes.
- initial missions are financial reporting and fraud

1st Standard (1992) - Internal Control – Integrated Framework, provided a comprehensive framework for helping organizations assess and improve their internal control system.
2nd Standard (2004) - The 2004 Enterprise Risk Management – Integrated Framework (COSO ERM cube) - has both risk management and internal control within its scope.
3rd Standard (2017) - the 2017 COSO ERM – Integrating Strategy and Performance Framework

COSO ERM CUBE
- suggests that enterprise risk management is not strictly a serial set of activities, where one component affects only the next. It is considered to be a multidirectional, iterative process in which almost any component can and does influence all other components
- consists of OBJECTIVES, COMPONENTS, AND BUSINESS UNIT

OBJECTIVES
1. Strategic Objectives - high-level goals, aligned with and supporting the entity's mission/vision
2. Operations Objectives - effectiveness and efficiency of operations (performance and profitability goals)
3. Reporting Objectives - reliability of reporting (internal and external reporting)
4. Compliance Objectives - adherence to relevant laws and regulations

COMPONENTS
1. Internal Environment - tone of an organization, influencing the risk consciousness of its people; it is the basis for all other components of enterprise risk management, providing discipline and structure. (EROICOAH)
   - Entity's risk management philosophy - set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does
   - Risk appetite
   - Oversight by the BOD
   - Integrity and ethical values
   - Commitment to competence
   - Organization structure
   - Assignment of authority and responsibility
   - Human resource standards
2. Objective Setting
   - Strategic Objectives
   - Operations Objectives
   - Reporting Objectives
   - Compliance Objectives
3. Event Identification - identifying potential events from internal or external sources affecting the achievement of objectives.
   - Event Inventories - listing of potential events
   - Internal Analysis - part of the routine business planning cycle process
   - Escalation or threshold triggers - triggers alert management
   - Facilitated workshops and interviews - drawing on accumulated knowledge and experience of employees through structured discussions
   - Process Flow Analysis - combination of inputs, tasks, responsibilities, and outputs that combine to form a process.
4. Risk Assessment
   - Benchmarking
   - Probabilistic Models
   - Non-probabilistic Models
5. Risk Response
6. Control Activities - the policies and procedures that help ensure that management's risk responses are carried out.
   - Top-level reviews - Senior management reviews actual performance versus budgets, forecasts, prior periods, and competitors.
   - Direct functional or activity management - Managers running functions or activities review performance reports.
   - Information processing - A variety of controls are performed to check accuracy, completeness, and authorization of transactions
   - Physical controls - Equipment, inventories, securities, cash, and other assets are physically secured and periodically counted and compared with amounts shown on control records.
   - Performance indicators - Relating different sets of data, operating or financial, to one another.
   - Segregation of duties - Duties are divided, or segregated, among different people to reduce the risk of error or fraud
7. Information and Communication - Relevant information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities
   - Appropriate
   - Timely
   - Current
   - Accurate
   - Accessible
8. Monitoring
   - Ongoing monitoring activities - these pertain to the activities that serve to monitor the effectiveness of enterprise risk management in the ordinary course of running the business.
   - Separate evaluations - a fresh look from time to time, focusing directly on enterprise risk management effectiveness.

COSO ERM – INTEGRATING STRATEGY AND PERFORMANCE FRAMEWORK
- more clearly connect ERM with a multitude of stakeholder expectations; position risk in the context of performance, rather than as an isolated exercise; enable organizations to better anticipate risk, not simply the potential for crises; and provide an understanding that change creates opportunities.

OBJECTIVES
1. More clearly connect ERM with a multitude of stakeholder expectations - align ERM practices more closely with the expectations of various stakeholders
2. Position risk in the context of performance, rather than as an isolated exercise
3. Enable organizations to better anticipate risk, not simply the potential for crises - shift the focus of risk management from merely reacting to crises as they arise to proactively identifying and anticipating risks before they escalate into significant problems
4. Provide an understanding that change creates opportunities

COMPONENTS
1. Governance and Culture - Governance refers to the structure and processes that guide decision-making and oversight within the organization. (Accountability) Culture relates to ethical values, desired behaviors and understanding of risk.

Principle 1: Exercises Board Risk Oversight
Principle 2: Establishes Operating Structures
Principle 3: Defines Desired Culture
Principle 4: Demonstrates Commitment to Core Values
Principle 5: Attracts, Develops and Retains Capable Individuals

2. Strategy and Objective-Setting - Strategy refers to the long-term plans and initiatives designed to achieve the organization's mission and vision, while objectives are specific, measurable targets that support the realization of those strategic goals

Principle 6: Analyses Business Context
Principle 7: Defines Risk Appetite
Principle 8: Evaluates Alternative Strategies
Principle 9: Formulates Business Objectives

3. Performance - risks that could impact the achievement of strategy and objectives should be identified and assessed.

Principle 10: Identifies Risk (new and emerging risks and changes to known risks)
Principle 11: Assesses Severity of Risk – impact, likelihood, time to recover
   - Qualitative assessment involves a subjective evaluation of risks based on their potential impact.
   - Quantitative assessment involves a more objective and data-driven analysis of risks.
Principle 12: Prioritizes Risk – severity in the context of risk appetite
   - Adaptability: This criterion assesses the organization's ability to adapt and respond to a particular risk.
   - Complexity: Risks that are more complex in nature or require intricate solutions may be given higher priority
   - Velocity: Velocity refers to the speed at which a risk can materialize and impact the organization
   - Persistence and Recovery: This criterion evaluates the duration and long-term impact of a risk
   - Acceptable Variation in Performance: This criterion assesses the level of tolerance the organization has for variations in performance caused by a particular risk.
Principle 13: Implements Risk Responses
Principle 14: Develops Portfolio View of Risk

4. Review and Revision - focuses on continuously assessing and improving the ERM system

Principle 15: Assesses Substantial Change: This principle emphasizes the need to continuously assess any substantial changes in the organization's risk profile and environment
Principle 16: Reviews Risk and Performance: This principle emphasizes the importance of evaluating risk responses to ensure they are functioning as intended.
Principle 17: Pursues Improvement in ERM: This principle emphasizes the importance of continuously improving the organization's ERM processes and practices

5. Information, Communication, and Reporting - the risk management process recognizes the critical importance of establishing a continuous flow of relevant information throughout the organization.

Principle 18: Leverages Information and Technology: using data and technology to support ERM
Principle 19: Communicates Risk Information: ensure that all stakeholders are aware of the risks and their responsibilities in managing them
Principle 20: Reports on Risk, Culture and Performance: provides stakeholders with valuable information about the organization's risk profile, culture, and performance.

RISK EVENTS
Potential or actual financial or non-financial losses, near misses and gains in the organization.

Positive - events that can work in the company's favor, which allows the business to benefit from them through increased profitability, establishing a strong market position, and enhancing competitive advantage

Negative - events that are uncertain and matters that result in losses to the achievement of the objective and that could harm an organization

External Context - the environment wherein the firm operates and seeks to achieve its objectives

External Risks - those exposures that result from environmental conditions that the firm commonly cannot influence, such as the regulatory, environment, and market conditions. (NETCORE)

Internal Context - the internal environment wherein the firm functions and seeks to achieve its objectives

Internal Risks - exposures that derive from decision-making and the use of internal and external resources, including the firm's operations and its objectives. (FMEL)

TOOLS TO IDENTIFY RISK EVENTS
1. Ongoing Risk Identification - a staff member can identify and raise risks to the management
2. Desk-based Risk Assessment - involves a discussion and assessment of risks (little input from others)

STEPS IN CONSTRUCTING A DIVERSIFIED PORTFOLIO
1. Assess your risk tolerance
2. Asset allocation
3. Diversification within asset classes
4. Regular rebalancing
5. Consider costs
6. Monitor and adjust

DIVERSIFICATION
Within an organization can take various forms, tailored to its specific industry, capabilities, and market dynamics.

TYPES
1. Cultural Diversification: Embracing employees from different cultural backgrounds to foster a more inclusive workplace.
2. Product Diversification: Expanding the range of products or services offered to reduce dependency on a single product line.
3. Market Diversification: Entering new markets to protect the organization from market-specific risks.
4. Investment Diversification: Allocating resources across different financial instruments or projects to minimize risks.
5. Workforce Diversification: Hiring individuals with diverse skill sets, experiences, and perspectives to enhance creativity and problem-solving.

BENEFITS OF ERM PROCESS
1. Accountability

BOARD OF DIRECTORS (BEST-PERFORMING INVOLVED ALL DIRECTORS)
- regularly receives reports on the status of risk management, performs monitoring of risk management, deliberates and decides on important fundamental matters relating to risk management.
- provides an oversight role to risk management activities including the periodic review and approval of the ERM Policy, ERM Framework and ERM Process through the BROC.

BOARD RISK OVERSIGHT COMMITTEE (3 members)
(Philippine SEC, in its Memorandum Circular No. 19, Series of 2016, discussing the Code of Corporate Governance for Publicly-Listed Companies)
- performs an oversight of the risk management activities of the organization and system to ensure its functionality and effectiveness
- Assists the Board in fulfilling its responsibility for oversight of the organization's risk management activities.
- Sets the risk appetite of the organization

CHIEF EXECUTIVE OFFICER
- overall/ultimate risk management executive responsible for ERM priorities, strategies, and policies (ultimate risk owner)
- ensures that critical risks faced by the organization are being managed and mitigated to acceptable levels
- heads the RMET that sets the direction and leads the decision-making
- ensures that sufficient resources are allocated to pursuing ERM initiatives, strategies and action plans.
- Reports to the BROC on a regular basis on ERM-related matters.

RISK MANAGEMENT EXECUTIVE TEAM (think-tank)
- assists the CEO
- defines risk priorities
- Aligns risk policies and strategies with the overall company plan.
- They are the primary risk owners.
1. Chief Risk Officer
   - required to have a broad and independent view of the organization and be a strategic thinker, with an ability to anticipate potential disruptions and influence decisions.
   - reports to the CEO (or to the BROC)
   - champion of the ERM process in the organization (owner of the process, not the risks)
   - makes sure that all these risk owners are collaborating, coordinating, and working together to identify, prioritize, and manage the risks.
   - Develops and implements the risk management process, frameworks, policies, tools and methodologies;
   - Analyzes, develops and executes policies and reports risks;
   - offers valuable insights and recommendations regarding emerging risks that could affect the organization
   - plays a crucial role in embedding a culture of risk awareness and resilience throughout the organization
   - Develops risk maps and strategic action plans to address primary threats effectively.
   - Monitors and tracks the progress of risk mitigation efforts undertaken by the organization.
   - Generates and disseminates risk analyses and progress reports to executives, board members, and employees.
   - Integrates strategic risk management priorities into the company's overarching strategic plan.
   - Formulates and executes information assurance strategies to safeguard against and manage risks associated with data usage, storage, and transmission.
   - Evaluates potential disruptions to business processes resulting from employee errors or system failures and devises strategies to minimize associated risks.
   - Identifies and quantifies the level of risk that the company should accept, known as risk appetite.
2. Chief Financial Officer
   - Sometimes doubles as the CRO
3. Chief Operations Officer
4. Chief Information Officer
5. Chief Legal Officer
6. Chief Compliance Officer

RISK MANAGEMENT UNIT
- Composed of the different Risk Leaders and Risk Owners that support and incorporate the ERM process with the RMET (second in command), CRO, risk leaders, and owners in the implementation of the ERM process.
- designed to carry out the activities in the ERM approach with guidance provided by their superiors (members of the RMET) and other members of their teams.
- Suggests to the RMET the development of additional ERM Policies and other related guidelines.
- Gathers and evaluates the risk reports provided by the Risk Leaders and Risk Owners and monitors the status of risk management strategies and action plans.
- Drives the continuous improvement of the organization's current ERM Process.

RISK LEADERS
- Lead the risk owners and constantly review and provide updates on the behavior of the critical risk
- guide the risk owners in making reports to be forwarded to the CRO/RMET

RISK OWNERS
- perform the risk process

INTERNAL AUDIT
Performs an independent validation of the effectiveness of the risk management process and monitors the effectiveness of the risk management treatment.

BROC DUTIES AND RESPONSIBILITIES
1. Develops a formal enterprise risk management plan which contains the following elements:
   a. common language or register of risks
   b. well-defined risk management goals, objectives and oversight
   c. uniform processes for assessing risk and developing strategies to manage prioritized risk
   d. designing and implementing risk management strategies and
   e. continuing assessments to improve risk strategies, processes and measures;
2. Oversees the implementation of the enterprise risk management plan
   2.1 Conducts regular discussions on the company's prioritized and residual risk exposures
   2.2 Assesses how the concerned units or offices are addressing and managing these risks;
3. Evaluates the risk management plan.
   3.1 Revisiting defined risk management strategies,
   3.2 Monitoring emerging or changing material exposures
4. Advises the Board on its risk appetite levels and risk tolerance limits;
5. Reviews at least annually the company's risk appetite levels and risk tolerance limits based on changes and developments in the business
   5.1 Compliance with the regulatory framework
   5.2 Response to the external economic environment
6. Proactive risk management and stakeholder protection
   6.1 Risk identification
   6.2 Likelihood of occurrence
   6.3 Financial impact estimation
   6.4 Priority area identification
7. Provides oversight over the following:
   7.1 Credit Risk Management
   7.2 Market Risk Management
   7.3 Liquidity Risk Management
   7.4 Operational Risk Management
   7.5 Legal and Compliance Risk Management
8. Reports to the Board on a regular basis, or as deemed necessary, the company's material risk exposures and the actions taken to reduce the risks, and recommends further action or plans, as necessary.

Material risk exposure is a quantitative or qualitative scenario where the exposure to danger, harm or loss has a material impact.