The COSO cube helps us look at the whole organization's enterprise risk management model and then focus on its individual parts. Enterprise risk management (ERM) is the process of planning, organizing, leading and controlling the activities of an organization in order to minimize the effects of risk on its capital and earnings. Put another way, enterprise risk management is a way to plot a path and then use tools and techniques to stay on that path. While COSO guidance is not mandatory, it is highly influential, and there is great benefit in the framework because risk management and internal control systems can be assessed and improved against it. On the top of the cube are the objectives: strategic objectives, operational objectives, financial reporting objectives and compliance objectives.
The prominence of financial reporting and compliance reflects the heritage and context in which the frameworks were created: the failures of a host of banks, Enron and WorldCom put these issues into the public conscience, not just the corporate one. On the front of the cube are the eight components needed to meet the objectives on the top of the cube. The third and final dimension of the cube cuts the organization into different levels; this is to focus on each part of the organization as well as the whole, and to stress that each component applies from the global board all the way down to the operational units. At the front of the third dimension is the entity, which represents the whole organization; behind that it breaks down into each division, business unit and subsidiary. The eight components are:
- Internal Environment
- Objective setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information & Communication
- Monitoring
In the top slice on the front of the cube we have the first component, the internal environment. This is about setting the tone of the organization: it influences risk appetite, attitudes towards risk management and ethical values. Ultimately, the company's tone is set by the board; a board lacking technical knowledge, diversity of experience or an independent voice is unlikely to set the right tone. The work directors do in board committees can make a significant contribution to tone, and audit and risk committees also have an important role to play here. Going back to the layers of the organization, it is important to remember the role of management at division and business unit level: control mechanisms will only work if they are operated properly. Management tolerating staff who ignore controls, or emphasising the achievement of results over the responsible handling of risks, is a recipe for failure.
The organization should have a clear vision, and the board sets objectives that support that vision. The vision and the objectives should be consistent with the risk appetite. For the board to set objectives effectively, it needs to be aware of the risks that arise from pursuing different objectives. The board also needs to consider risk appetite and take a high-level view of how much risk it is willing to accept; as part of this process the board will consider risk tolerance, that is, the acceptable variation around individual objectives. The objectives should cascade through the organization to division, business unit and subsidiary level, tying back to the business vision.
The organization must identify internal and external events that affect the achievement of its objectives. Events with negative impacts represent risks; events with positive impacts represent opportunities, which should feed back into strategy. We need to pay attention both to operational disruption and to threats to the achievement of strategic objectives.
The likelihood and impact of risks are assessed as a basis for determining how they should be managed. Managers also need to consider how individual risks interrelate. As well as assessing inherent risk levels, the organization should assess the residual risks left after management actions have been taken.
In the jargon, management selects appropriate actions to align risks with risk tolerance and risk appetite. What that means is that when choosing a response to manage a risk to an acceptable level, the chosen risk response must be realistic and take into account the cost of responding as well as its effect on the risk. An important principle of enterprise risk management is that risks are not treated in isolation but are considered across the organization as a whole. Part of the risk response stage is designing a sound system of internal controls; a mix of controls will be appropriate, including preventive and detective controls, and manual and automated controls.
Policies and procedures should operate to ensure that risk responses are carried out effectively; once designed, the controls in place need to operate properly. COSO has separate guidance purely on internal control, with its own cube. That guidance includes the wisdom that internal control is not merely about policy manuals, systems and forms, but about people at every level of the organization and the impact they have on internal control.
Information systems should ensure that data is identified, captured and communicated in a format and time frame that enables managers and staff to carry out their responsibilities. The information provided to management needs to be relevant and of appropriate quality, and must cover all of the objectives shown on the top of the cube. There needs to be good communication with staff; communication is an important way of strengthening the internal environment by embedding risk awareness in staff's thinking.
The risk management system should be monitored and modified where necessary, on the principle that unmonitored controls tend to deteriorate over time. It is usual to draw a distinction between regular review and periodic review. Weaknesses should be reported and assessed, and their root causes corrected.