Post on 05-Feb-2018
FFIRS 07/02/2011 10:22:33 Page 2
FFIRS 07/02/2011 10:22:33 Page 1
COSO Enterprise RiskManagement
FFIRS 07/02/2011 10:22:33 Page 2
FFIRS 07/02/2011 10:22:33 Page 3
COSO Enterprise RiskManagement
Establishing Effective Governance,Risk, and Compliance Processes
Second Edition
ROBERT R. MOELLER
John Wiley & Sons, Inc.
FFIRS 07/02/2011 10:22:33 Page 4
Copyright# 2007, 2011 by John Wiley & Sons, Inc. All rights reserved. First edition 2007
Second edition 2011
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
‘‘PMI’’ and ‘‘PMBOK’’ are registered marks for the Project Management Institute, Inc.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise,
except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without
either the prior written permission of the Publisher, or authorization through payment of the
appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers,
MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com.
Requests to the Publisher for permission should be addressed to the Permissions Department,
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-
6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts
in preparing this book, they make no representations or warranties with respect to the accuracy or
completeness of the contents of this book and specifically disclaim any implied warranties of
merchantability or fitness for a particular purpose. No warranty may be created or extended by sales
representatives or written sales materials. The advice and strategies contained herein may not be
suitable for your situation. You should consult with a professional where appropriate. Neither the
publisher nor author shall be liable for any loss of profit or any other commercial damages, including
but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please
contact our Customer Care Department within the United States at (800) 762-2974, outside the
United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in
print may not be available in electronic books. For more information about Wiley products, visit
our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication DataMoeller, Robert R
COSO enterprise risk management : establishing effective governance, risk, and compliance
processes / Robert R. Moeller.—2nd ed.
p. cm.—(Wiley corporate f&a ; 560)
Includes index.
ISBN 978-0-470-91288-1 (hardback); ISBN 978-1-118-10252-7 (ebk);
ISBN 978-1-118-10253-4 (ebk); ISBN 978-1-118-10254-1 (ebk)
1. Risk management. I. Title.
HD61.M568 2011
658.15 05—dc22 2011012021
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
FFIRS 07/02/2011 10:22:33 Page 5
To my wife and very best friend, Lois Moeller
FFIRS 07/02/2011 10:22:33 Page 6
FTOC 06/07/2011 11:36:42 Page 7
Contents
Preface xi
Chapter 1: Introduction: Enterprise Risk Management Today 1
The COSO Internal Controls Framework: How Did We Get Here? 2
The COSO Internal Controls Framework 3
COSO Internal Controls: The Principal Recognized Internal Controls Standard 14
An Introduction to COSO ERM 14
Governance, Risk, and Compliance 15
Global Computer Products: Our Example Company 16
Chapter 2: Importance of Governance, Risk, and CompliancePrinciples 21
Road to Effective GRC Principles 22
Importance of GRC Governance 23
Risk Management Component of GRC 25
GRC and Enterprise Compliance 26
Importance of Effective GRC Practices and Principles 28
Chapter 3: Risk Management Fundamentals 31
Fundamentals: Risk Management Phases 32
Other Risk Assessment Techniques 45
Chapter 4: COSO ERM Framework 51
ERM Definitions and Objectives: A Portfolio View of Risk 51
COSO ERM Framework Model 55
Other Dimensions of the ERM Framework 86
Chapter 5: Implementing ERM in the Enterprise 89
Roles and Responsibilities of an Enterprise Risk Management Function 90
Risk Management Policies, Standards, and Strategies 100
Business, IT, and Risk Transfer Processes 105
Risk Management Reviews and Corrective Action Practices 108
ERM Communications Approaches 112
CRO and an Effective Enterprise Risk Management Function 113
vii
FTOC 06/07/2011 11:36:43 Page 8
Chapter 6: Importance of Strong Enterprise Governance Practices 115
History and Background of Enterprise Governance: A U.S. Perspective 116
Enterprise Integrity and Ethical Behavior 119
Disclosure and Transparency 125
Rights and Equitable Treatment of Shareholders
and Key Stakeholders 126
Governance Role and Responsibilities of the Board 128
Governance as a Key Element of GRC 128
Chapter 7: Enterprise Compliance Issues Today 131
Compliance Issues Today 132
Establish a Compliance Assessment Team 133
Compliance Risk Assessments and Compliance Program Reviews 136
Work Unit–Level Compliance Tracking and Review Processes 138
Compliance-Related Procedures and Staff Education Programs 141
Enterprise Hotline Compliance and Whistleblower Support 142
Assessing the Overall Enterprise Compliance Program 144
Chapter 8: Integrating ERM with COSO Internal Controls 147
COSO Internal Controls Background and Earlier Legislation 147
Efforts Leading to the Treadway Commission 151
COSO Internal Controls Framework 156
COSO Internal Controls and COSO ERM: Compared 174
Chapter 9: Sarbanes-Oxley and Enterprise Risk ManagementConcerns 177
Sarbanes-Oxley Act Background 177
SOx Legislation Overview 179
Enterprise Risk Management and SOx Section 404 Reviews 193
Internal Controls Reporting and Materiality 198
PCAOB Risk-Based Auditing Standards 199
Sarbanes-Oxley: The Other Sections 200
SOx and COSO ERM 201
Chapter 10: Corporate Culture and Risk Portfolio Management 203
Whistleblower and Hotline Functions 204
Risk Portfolio Management 208
Integrated Enterprise-Wide Risk Management 211
Chapter 11: OCEG Capability Model GRC Standards 215
GRC Capability Model ‘‘Red Book’’ 215
Other OCEG Materials: The ‘‘Burgundy Book’’ 223
Level and Scope of the OCEG Standards-Setting Authority 224
viii & Contents
FTOC 06/07/2011 11:36:43 Page 9
Chapter 12: Importance of GRC Principles in the Board Room 225
Board Decisions and Risk Management 226
Board Organization and Governance Rules 230
Corporate Charters and the Board Committee Structure 231
Audit Committees and Managing Risks 235
Establishing a Board-Level Risk Committee 238
Audit and Risk Committee Coordination 244
COSO ERM and Corporate Governance 245
Chapter 13: Role of Internal Audit in Enterprise Risk Management 247
Internal Audit Standards for Evaluating Risk 248
COSO ERM for More Effective Internal Audit Planning 251
Risk-Based Internal Audit Findings and Recommendations 264
COSO ERM and Internal Audit 265
Chapter 14: Understanding Project Management Risks 267
Project Management Process 268
PMBOK1 Guide: A Guide to the Project Management Book of Knowledge 269
PMBOK1 Guide’s Project Manager Risk Management Approach 272
Project-Related Risks: What Can Go Wrong 282
Implementing ERM for Project Managers 285
Chapter 15: Information Technology and EnterpriseRisk Management 291
IT and the COSO ERM Framework 292
IT Application Systems Risks 294
Effective IT Continuity Planning 302
Worms, Viruses, and System Network Risks 307
IT and Effective ERM Processes 309
Chapter 16: Establishing an Effective GRC Culturethroughout the Enterprise 311
First Steps to Establishing a GRC Culture: An Example 312
Promoting the Concept of Enterprise Risk 314
Establishing of Enterprise-Wide Governance Awareness 319
Enterprise Codes of Conduct 323
Building a GRC Culture: Risk, Governance, and Compliance
Education Programs 326
Keeping the GRC Culture Current 327
Chapter 17: ISO 31000 and 38500 Risk ManagementWorldwide Standards 331
ISO Standards-Setting Process 332
Understanding ISO 31000 334
Contents & ix
FTOC 06/07/2011 11:36:43 Page 10
ISO 38500: The Corporate Governance of IT 337
Implementing an ISO Standard 340
Chapter 18: ERM and GRC Principles Going Forward 343
ERM and GRC for the Internal Controls Professional 344
COSO’s Ongoing Support Role 347
COSO ERM and GRC Future Prospects 348
About the Author 351
Index 353
x & Contents
FPREF 06/18/2011 11:18:31 Page 11
Preface
R ISK MANAGEMENT IS ONE of those concepts where many business
professionals will agree that, ‘‘Yes, we need a good risk management pro-
gram!’’ but those same professionals often have difficulty, when pressed for a
better definition, explaining what they mean by the term risk management. For many
business professionals, this lack of a consistent understanding of risk management has
been similar, until recently, to the earlier lack of a general understanding of the term
internal controls. Going as far back as the 1950s in the United States, internal and
external auditors as well as many business professionals talked about the importance
of good internal controls, but there was no one widely accepted, consistent definition
of what was meant by that expression. It was not until the early 1990s with the
release of the COSO internal control framework that we have had a consistent and
widely recognized definition of internal controls for all enterprises.
Risk management has had a similar history of inconsistent and not always clearly
understood definitions. Insurance enterprises had their own definitions of risk
management while others, such as credit management, have had a whole different
set of definitions and understandings. Project managers had been frequently asked to
rate a proposed new effort as high, medium, or low risk without fully understanding
the meaning of such a rating. Over past years and until the very recent present, many
enterprises including for-profit entities, not-for-profits, or governmental agencies
have not had a consistent definition of the meaning of risk management and
what was necessary to establish an effective risk management structure or frame-
work. To help with this definition problem, the COSO guidance setting entity1
developed a risk management definition or framework definition called COSO Enter-
prise Risk Management or COSO ERM. This risk management framework, updated
with COSO guidance and published in 2011,2 provides a structure and set of
definitions to allow enterprises of all types and sizes to understand and better manage
their risk environments.
Similar to our concerns about a better way to look at and understand risk
management, enterprises have had similar needs to improve their enterprise govern-
ance practices and both regulatory and ethics compliance standards. Although there
have always been issues, interests in better enterprise governance and compliance
standards first became particularly important at the beginning of this century with
the corporate fraud–related failure of the high-flying corporation Enron. This led to
the passage of the Sarbanes-Oxley Act (SOx) in the United States and a worldwide
xi
FPREF 06/18/2011 11:18:31 Page 12
interest in enterprise governance and compliance issues. These concerns became even
more significant with the worldwide financial recession starting around 2008.
While enterprise risk management is a major focus of this book, governance, risk,
and compliance issues are all equally important. Using the initials for each, we
frequently refer to these as GRC issues and standards. Enterprises need to build and
launch effective GRC processes.
Starting with the letter R of this concept, a major objective of this book is to help
business professionals, at all levels from staff internal auditors to corporate board
members, to understand risk management concepts and best practices in general
and make more effective use of the COSO ERM risk management framework. Using
the COSO ERM framework’s model and terminology, we will discuss the importance of
understanding the various risks facing many aspects of business operations and how to
use something called an enterprise’s appetite for risk to help make appropriate decisions
in many areas of business operations.
COSO ERM concepts are important for all levels of an enterprise. In addition to its
applicability for more senior managers, the chapters following will explain how all
professionals in an enterprise can make better decisions through use of this COSO ERM
framework and its recently released supporting guidance. The COSO ERM framework
provides an improved way of looking at all aspects of risk in today’s enterprise. This
book is designed to help professionals to develop and follow an effective risk culture
for many business and operating decisions.
This updated second edition will also discuss effective enterprise governance
practices including some of the key regulatory issues currently facing the modern
enterprise. Our emphasis is not to just discuss rules and standards but to emphasize
effective processes, particularly with an emphasis on using IT tools and processes and
utilizing the internal audit function. Also, many of the following chapters will reference
an example company that we have called Global Computer Products to help the reader
understand the use and practical application of COSO ERM and other effective GRC
processes. This hypothetical example company will be described in more detail in the
chapters following.
Chapter by chapter, this new second edition covers the following COSO ERM and
GRC process description and recommended good practices:
& Chapter 1. Introduction: Enterprise Risk Management Today. This intro-
ductory chapter introduces the concept of enterprise risk management and the
related concepts of enterprise governance and compliance standards. We start by
looking at an important standard for defining internal control, the Committee of
Sponsoring Organizations (COSO) internal control framework, a worldwide
accepted set of guidance materials for defining internal control in enterprises
today. From this internal controls framework the chapter then introduces the
similar looking in appearance, but very different, COSO enterprise risk manage-
ment (ERM) framework, the major topic of many of the chapters in this book. We
should note here that the COSO materials are not really standards in the sense of
an SEC-mandated standards requirement, but they are really very strong
xii & Preface
FPREF 06/18/2011 11:18:31 Page 13
guidance materials. Because they are so pervasive today, we will frequently
reference them as standard practices. The chapter will also introduce us to an
example company, Global Computer Products, which will be referenced for many
examples throughout the book. However, the major objective of this chapter is to
introduce COSO ERM and related governance and compliance principles and how
they have changed since our first edition.& Chapter 2. Importance of Governance, Risk, and Compliance (GRC)
Principles. Events such as the collapse of the energy trading firm, Enron, and
its public accounting firm, Arthur Andersen, and the enactment of the Sarbanes-
Oxley Act (SOx) in 2002 raised a whole series of enterprise GRC issues that had
been previously all but ignored. The collapse of housing markets almost worldwide
during our recent great recession has also focused on needs today for improved
compliance processes. This chapter reviews the elements of effective GRC processes
and discusses why past events such as Enron and the more recent financial crises
have emphasized the growing importance of enterprise governance, risk, and
compliance processes.& Chapter 3. Risk Management Fundamentals. Key concepts and the termi-
nology used in risk assessments are introduced here. These include some of the
basic graphical and probability tools that have been used by risk managers over
time as well as the terminology used for risk transfers and assessments. These
concepts will be helpful in understanding risks in both a quantitative and qualita-
tive sense and in using and understanding COSO ERM. This chapter also will
introduce some of the basic concepts of probability and how they are used to
measure and assess risks.& Chapter 4. The COSO ERM Framework. This chapter discusses some of the
events that led to COSO ERM including ongoing industry and public concerns about
the lack of a consistent definition of internal controls and an uncertainty of the
meaning and concept of risk on an overall enterprise level. We introduce the three-
dimensional model or framework for understanding enterprise risk, COSO ERM,
with its eight vertical components or layers as one model dimension, a second
dimension of four vertical columns covering key risk objectives, and a third
dimension describing the enterprise units in the risk framework. An understanding
of these framework components sets the stage for understanding and using COSO
ERM. The chapter also highlights some of the recent guidance material released by
COSO on how to more effectively implement and use COSO ERM.& Chapter 5. Implementing ERM in the Enterprise. Risk management must be
understood in terms of its strategic, operational, reporting, and compliance
objectives as well how it should be implemented throughout the enterprise,
from an individual business unit to the entire enterprise. Beyond the Chapter 3
discussion of risk management fundamentals and the introduction of COSO
ERM, these are the other two dimensions of this risk management framework,
this chapter discusses these other two elements and how all three relate together.
The idea is to think of enterprise risk management as an overall structure that
will allow managers to understand and manage risks throughout an enterprise.
Preface & xiii