COSO Enterprise Risk
Management Framework-
Integrating Strategy and
Performance
October, 2017
www.pwc.com
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
Agenda
2
How to obtain a copy of
the new Framework
and obtain more
information
What does the new
Framework mean for
you and your
organization?
How does this compare
to the 2004 COSO
ERM Framework and
why where changes
introduced?
5
More
information
4
What does
it mean for
you?
3
What has
changed?
What prompted the
Framework update?
What was the feedback
received during Public
comment?
2
Why update
the
Framework
now?
1
Who is COSO and what
is the COSO ERM
Framework?
Introducing
COSO
COSO recognizes the growing expectation
of organizations to manage, in an
integrated and cohesive manner, risks
emanating from across an enterprise.
Robert B. Hirth Jr., COSO Chair
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
Introducing COSO
www.pwc.com
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
COSO and PwC have collaborated on
frameworks and publications for 25 years
COSO’s 2004
Enterprise Risk
Management-
Integrated
Framework
is one of the
world’s most
widely used risk
management
frameworks.
www.coso.org
2004
Other COSO publications authored by PwC
2017 Publication
4
2013 Internal Control –Integrated
Framework Executive Summary
2013 Internal Control –Integrated
Framework
2012 Understanding and
Communicating Risk Appetite
2006 Internal Control over Financial
Reporting Guidance for Smaller Public
Companies
1992 Internal Control –Integrated
Framework
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
What prompted the
Framework update?
www.pwc.com
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
32
6
CEO confidence is rising…..
83%
Pull out of an
important statistic
goes in this area
20pt Georgia (white)
Question 1: Do you
believe global
economic growth will
improve, stay the
same, or decline over
the next 12 months?
Question 2: How
confident are you
about your company’s
prospects for revenue
growth over the next
12 months and next 3
years?
Leaders are looking to ERM to give them greater confidence in managing the risks to the
achievement of their strategy and business objectives
15
18
44
37
27
29
31
41
52
50
21
31
48
40
36
39
39
35
38
0
10
20
30
40
50
60
70
1 2 3 4 5 6 7 8 9 10 11 12 13
%
Série1 Série2
Source: 2017 PwC 20th Annual CEO Survey
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
At the same time, many Boards
are not receiving the information
they need
58% of Boards do not
receive updates at
every meeting on the
amount of risk the
company is taking
7
Source: PwC, 2016 Annual Corporate Directors Survey, October 2016.
Question: How often does your board get updates and reports from
management on:
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
Boards recognize that there are opportunities for
ERM toadd greater value
8
Source: PwC, 2016 Annual Corporate Directors Survey, October 2016.
Question: How well do you believe management performs the following activities:
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
So what are risk and business professionals
saying?
9
When I develop
my strategy, I
want to have a
full picture of
the potential
risks and the
capabilities I
need to create
advantage
As an
innovative
company, I
want to use
risk to create
value and not
only to protect
value
I need insights
that help me
understand risks
and
opportunities
and evaluate
strategic options
I want an ERM
Framework that
drives
improvements to
business functions
beyond risk
avoidance
I want to reduce
performance
variability and
respond more
quickly to
opportunities
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
Why update the ERM
framework now?
10
•Boards are expecting more from their
organization’s ERM practices and capabilities
•Stakeholders are seeking greater transparency
and accountability
•Business environments are increasingly
complex,technologically driven, and global
•There is a need to incorporate lessons learned
from recent events and the bar is rising
•Risk professionals are looking for a more up to
date resourcedescribing ERM concepts
•The range of ERM practices continues to
evolve
Since 2004, the market has continued to
evolve and the COSO Framework is
evolving with it.
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
What’s changed?
www.pwc.com
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
A new framework with global input
12
Website visits
Over 24,000
website visits
1
Global
interest
46% of the
downloads
outside of
the US
2
Entity
interest
Wide spread
interest
across
industry
3
Engagement
Equal interest by
private & public
companies
4
As part of the drafting process, the Framework was made publicly available for review and comment
between June and September, 2016.
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
Key highlights from feedback received
13
Letters and
Surveys
•217 online surveys
submitted
•47 comment letters
received
•Relatively consistent
volume of feedback
compared to other COSO
Framework projects
Comments
•2,000 individual comments
•Comments covered every
section of the draft
Framework
•All comments reviewed by
the PwC Project Team and
categorized according to
nature (e.g., conceptual,
editorial, commentary etc.)
Themes
•Encouraging breadth of
themes addressed in
comments
•Comments ranged from the
highlighting conceptual
differences, requests for
clarity and suggested
editorial changes
Feedback
•Positive ratings
outnumbered negative
by 4.5:1
Feedback received was reviewed by the project team and informed the final updates to the
Framework prior to publication.
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
Introducing the 10 key changes to the
2017 Framework
Greater emphasis on culture–
reflecting the changing demands and
expectations of today’s markets, helping
your organization make responsible risk
decisions
Coming soon: Compendium of
Examples–highlighting the
implementation of principles across a
variety of industries and entity types
Explores management of risk at all
altitudes of the organization–from
entity level through to procedural level
risks, making ERM more than just an
isolated view of risk in the business.
Writtenfrom the perspective of the
business–risk management concepts
are discussed in terms of helping an
organization create value, enabling you
to realize true benefits from ERM
A focus on integrating risk
management–linking risk with
strategy setting and day-to-day activities,
helping you to use ERM principles to
support the creation, realization, and
preservation of value
A new framework structure–five
components and twenty principles that
align to the business lifecycle, making to
risk conversation more intuitive for you
Addresses the evolving role of
technology–in influencing an
organization’s strategy, business context
and how it manages risk
Deeper discussions on challenging
topics–such as risk appetite and the
portfolio view of risk
Explores the different benefits of
ERM–from loss mitigation through to
strategic advisor and how they inform the
design of a Framework
Suite of new graphics highlighting
the relationship between risk and
performance demonstrating a new way
identify and assess the relationship
between the amount of risk and the level of
performance
14
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
A new framework structure
15
Supporting principles
that collectively describe
the ERM Framework
20
Components that align
to the business life cycle
5
The graphic symbolizes the dynamic, integrated nature of ERM that begins with the mission,
vision and core values of the organization through to the creation of enhanced value.
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
The new Framework adopts a components
and principles structure
16
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
Explores the benefits of ERM
17
Management can
anticipate the
risks that would
affect
performance and
put in place the
actions needed to
minimize
disruption and
maximize
opportunity
Improve
management’s
ability to identify
risks and
establish
appropriate
responses,
reducing
surprises and
related costs or
losses
Management
identifies and
manages these
entity-wide risks
to sustain and
improve
performance
By considering all
possibilities, both
positive and
negative aspects
of risk,
management can
identify new
opportunities and
associated
challenges
Increasing the
range of
opportunities
Reducing
performance
variability
Increasing
positive
outcomes
Improving
resource
deployment
•Enterprise risk management frameworks are as varied as the
organizations they support.
•In their infancy, many frameworks focus on increasing
positive outcomes and identifying entity-wide risks.
•Boards, senior management and stakeholders are
increasingly expecting ERM to reduce performance
variability, improve resource deployment and enhance
enterprise resilience.
•This will often require that the capabilities and practices of
an organization to evolve in line with increasing expectations.
•The effectiveness of an enterprise risk management
Framework is founded on fostering, designing and
implementing the culture, capabilities and practices that
align to intended benefits.
•A more detailed discussion of the benefits of ERM can be
found in the COSO Executive Summary
Risk information
enables
management, in
the face of finite
resources, to
prioritize resource
deployment and
enhance
resource
allocation
Identify and
manage risks
entity-wide
Enhancing
enterprise
resilience
Enhance
management’s
ability to
anticipate and
respond to
change, not only
to survive but
also to evolve
and thrive
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC 18
•Strategic blunders account for a
majority of the losses in shareholder
value compared to operational events,
incidents or compliance failures
•Research suggests that organizations are
looking to strengthen the integration
between strategy and enterprise risk
management
Studies have confirmed that the strategy setting
process is a critical area of integration for
enterprise risk management
81% of the greatest
losses in
shareholder value
since 2002 were
attributable to
‘strategic blunders’
*U.S. public companies around the world with at least US$1 billion in enterprise
value on January 1, 2002 (1,053 companies met these criteria). Dann, Le Merle
and Pencavel, “The Lesson in Lost Value” Strategy+Business, November, 2012
Focusing on integrating risk and strategy
OperationalComplianceStrategicExternal
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
Focusing on integrating risk
and strategy
The updated Framework elevates the discussion of integrating
strategy and risk through three different dimensions
1.The possibility of strategy not aligning with mission, vision and core values
2.The implications from the strategy chosen
3.Risk to strategy and performance
Where do your
ERM efforts
currently focus
and how closely
does it align to
value creation,
realization and
preservation?
PwC 21
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
New graphics depict the alignment between
risk and performance
20
Is the risk assumed by the
entity, when setting
performance targets,
understood?
What assumptions inform
the shape of the risk curve?
Do existing key indicators
demonstrate movement
along the curve?
Amount of Risk
Risk Curve
Risk Appetite
Business objective: Increase sales
Number of
Units Sold
Performance Target
Acceptable Variation
Where on the curve should
ERM focus?
What level of performance
is assumed when
assessing impact and
likelihood?
Questions for your organization
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
Explores managing risk at all
altitudes of the organization
21
The Framework highlights that risks
emanate and must be managed
at all levels of the organization.
The Framework explores how risks
can manifest at multiple levels within
an organization with some risks
directly impacting the entity strategy
while others impacting business
objectives.
The Framework also addresses how
risks can change in severity and
prioritization at different levels
of the organizationand how the
impacts of correlation and
diversification are considered when
analyzing the risk profile of portfolio
view of risk.
•Risk frameworks should ensure
existing risk identification and
assessment practices account for
risks occurring at different levels
of the organization
•Risk capabilities should account
for how risk ratings and
responses may exist and change
at different altitudes within an
organization
•Management should designate
appropriate roles and
responsibilities for the
management of risk and
execution of risk responses
Entity Level Business
Objective 1
Business
Objective 2
Business
Objective 1
Risk 1 Risk 3 Risk 4
Entity Strategy
Risk 2
Entity Level Business
Objective 2
Business
Objective 3
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
How the Framework
emphasizes technology
22
•Framework emphasizes how enterprise risk
management practices and capabilities need to align
with the velocity of changes to the business context,
emerging and changing risks
•Information, Communication and Reporting principles
now have a greater focus on integrated risk and
performance reporting
•Developments in data generation and analytics
including ‘big data’, artificial intelligence and social
media have been acknowledged
•Discussions on the accuracy, completeness and
timeliness of data have been retained in the COSO
Internal Control Integrated Framework
The Framework recognizes the importance of
enterprise risk management keeping pace with
technological developments
90% 0.5% 27%
Data
Generation
Proportion of data
that exists today
was created in the
past two years
Data Analysis
Only a small
fraction of
available data is
currently analyzed
Impact on
Industry
Percentage of
CEOs that believe
technology will
completely
reshape their
industry
Source: PwC Mega Trends –Technological
Breakthroughs
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
•Research has confirmed
that there is often a ‘siloed’
approach to risk that is
separate from the day to
day management of an
organization
•Risk management is
perceived as an
incremental activity
performed by those
independent of the
business
•The lack of integration can
contribute to difficulties
engaging with the business,
the ability to gain and offer
insight and ultimately curbs
the value that ERM can
offer
Written from the perspective
of the business
23
Quem graecis quali sque
no nam, cu enim necessi
tatibus usu. Aeque urb
anitas delicatissimi amet,
consect etu ipsum dolor.
•The Framework endeavors
to removes risk ‘jargon’ and
adopts the language of
business to discuss
concepts and practices
•By using the same
language, the Framework
hopes to promotes
acceptance and adoption of
ERM by the organization
Note: In practice, ERM often
refers to a team, department
or as a part of the ‘lines of
defense’ however, in the
Framework it is discussed in
the context of an
organization’s culture,
capabilities and practices used
to manage risk
The framework was written from the perspective of the
business to facilitate the integration of ERM and support
acceptance and adoption by the business
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
How the Framework addresses culture
24
COSO ERM Definition
The culture, capabilities and
practices, integrated with
strategy setting and its
execution, that organization rely
on to manage risk in creating,
preserving and realizing value
Discussions on the importance and commitment to integrity and ethics have
been retained in the COSO Internal Control Integrated Framework
Culture now features in the definition of ERM and is part of the
Framework’s Governance and Culture Component
Principles on culture are now more focused on decision-
making and the alignment to expected behaviors in line with the
core values of the organization
The importance of aligning the core values and risk
appetiteof the organization to promote consistent and risk-
based decision making
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
Deeper discussions on other
challenging topics
25
Enhanced discussions
on:
•Alignment of Risk
Appetite and Strategy
•Delineation between
risk appetite and
tolerance
•Consideration of risk
appetite as a evaluative
vs decision-making tool
•Alignment of risk
appetite to risk
assessment and the
portfolio view of risk
Additional focus on:
•Articulating risks
relative to business
objectives and
performance
•Developing severity
measures and
prioritization criteria
given the risk appetite
of the organization
•Risk assessments at
different levels
including new
illustrative graphics
relating to aggregation
Greater detail
provided on:
•Graphical
representations of
portfolio view
•Emphasis on an
business objective
centric view of risk
•Alignment to strategy
and resource
deployment
•Tie to integrated
performance
monitoring and
reporting
Risk Assessment
and Aggregation
Risk Appetite Portfolio View
Requests for
additional
guidance
represented some of
the most common
feedback the PwC
Project Team
received during the
Public Comment
Period
PwC| COSO Enterprise Risk Management –Integrating with Strategy and PerformancePwC
Compendium of Examples
26
A compendium of
examples is also being
developed. The proposed
compendium will
illustrate:
•All principles
•A variety of entity sizes
from global through to
national, regional, and
local entities
•A variety of industry types
•Actual company practices
and be augmented with
expected practices in select
areas, as needed
•Written from the
perspective of
the business
Examples:
•Governance in a higher
education institution
•Culture in a government entity
•Culture in a financial services
company
•Strategy and objective-setting
in an energy company
•Strategy and objective-setting
in a not-for-profit entity
•Performance in a consumer
products company
•Performance in a technology
company
•Review and revision in an
industrial products company
•Risk information in a
healthcare company
Coming Soon….
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
More information
www.pwc.com
PwC| COSO Enterprise Risk Management –Integrating with Strategy and Performance
Staying involved
Access the Framework at www.coso.org
28
Julien Muller
Senior manager
Tel: +33 (0)6 43 02 45 49
Julien.muller@pwc.com
View videos, blogs and articles at http://www.pwc.com/us/en/risk-
management/coso-erm-framework
COSO Enterprise Risk Management Framework-Integrating Strategy and Performance - Octobre 2017 - PWC
COSO Enterprise Risk Management Framework-Integrating Strategy and Performance - Octobre 2017 - PWC