1

COSO ERM Update – Applying the New Framework

Paul J. Sobel, CIA, QIAL, CRMA

COSO Chairman

Chief Risk Officer – Georgia-Pacific

2

Focus of Presentation

• Market Acceptance of the COSO ERM Framework

• Using COSO ERM to Evaluate and Advance Risk Management

• COSO/WBCSD Joint ESG Guidance

• Other Guidance Updates

3

New Graphics/Concepts Are Embraced

Graphic has stronger ties to the business model

4

Links to Strategy Are Better Understood

Explores strategy from three different perspectives:

• The possibility of strategy and business objectives not aligning with mission, vision and values

• The implications from the strategy chosen

• Risk to executing the strategy

5

Emphasis on Culture is Resonating

Addresses the growing focus, attention and importance of culture within enterprise risk management

Explores culture within the broader context of overall core values

Depicts culture behavior within a risk spectrum

Explores the possible effects of culture on decision making

6

Still Questions on Links to Internal Control

The document does not replace the 2013 Internal Control – Integrated Framework

The two frameworks are distinct and complementary

Both use a components and principles structure

Aspects of internal control common to enterprise risk management are not repeated

Some aspects of internal control are developed further in this framework

7

Compendium of Examples

The compendium illustrates:

• All principles

• A variety of entity sizes from global through to national, regional, and local entities

• Actual company practices, augmented with expected practices in select areas as needed

• An ERM perspective from the business mindset

8

Principles Illustrated in Compendium

Primary examples

Secondary illustrations

9

Evaluating and Advancing ERM

• Start with education

– Components and principles

– Role of ERM in strategic planning and value creation

• Evaluate current and desired ERM states:

– Against 20 Principles

– Consider a maturity approach

• Build on a SOX 404 assessment

10

Assessing the Effectiveness of ERM

11

Assessing the Effectiveness of ERM

• Assess current state against 20 principles

– Questions on each principle

– Nature of evidence for each principle

• Identify gaps to desired level for each principle

• Determine actions to close gaps

– Short-term

– Long-term

12

The Global Landscape Continues to Shift

[Figure: Top 5 Global Risks by likelihood and Top 5 Global Risks by impact, 2009–2019, categorised as Economic, Environmental, Geopolitical, Societal and Technological. Risks appearing in the chart include: asset price collapse; extreme weather events; slowing Chinese economy (<6%); failure of climate-change mitigation and adaptation; chronic disease; natural disasters; global governance gaps; data fraud or theft; retrenchment from globalization (developed); cyberattacks; weapons of mass destruction; oil and gas price spike; water crises; fiscal crises. Source: WEF 2019]

13

Companies have been Impacted by the Changing Business Context

[Figure: timeline of the changing business context, 1970s through 2018]

14

Joint COSO/WBCSD Guidance on ESG Risks

15

How Can This Guidance Help?

• Enhanced resilience

• A common language for articulating ESG-related risks

• Improved resource deployment

• Enhanced pursuit of ESG-related opportunities

• Realized efficiencies of scale

• Improved disclosure

16

Potential Updates to Existing Guidance

• Monitoring Guidance

• Understanding and Communicating Risk Appetite

• Practical Approaches to Creating and Protecting Organizational Value

• COSO in the Cyber Age

17

Potential New Guidance

• Using COSO ERM to Manage Compliance Risks

• Blockchain and its Impact on Internal Controls and Implications for ERM

• Psychology and Sociology of Fraud

• Assessment Tools for Risk

• Robotic Process Automation and Artificial Intelligence (no known authors at this time)

18

Summary

• COSO ERM seems to be getting traction in the marketplace

• The five components and 20 principles can help assess the effectiveness of ERM

• New ESG guidance may be helpful

• Pipeline of guidance starting to fill up

19

Paul J. Sobel, CIA, QIAL, CRMA

COSO Chairman

[email protected]

www.coso.org