Ekrp 211 Notes

The document provides an overview of Operational Risk Management (ORM) and Key Risk Indicators (KRIs), defining operational risk and outlining its key elements such as people, process, technology, and physical risks. It emphasizes the importance of KRIs and Key Performance Indicators (KPIs) in measuring risk exposure and business performance, respectively, and discusses best practices for their implementation. Additionally, it covers corporate governance principles, board composition, and the evolution of governance standards through the King Reports.

Uploaded by

NoteGhost

Operational Risk Management (ORM) and Key Indicators

Study Unit 2.1: Introduction to Operational Risk Management (ORM)
Definition of Risk and Operational Risk
• Risk: The possibility of a negative outcome or loss due to uncertainty.
• Operational Risk (Basel Committee, 2003): The risk of loss resulting from
inadequate or failed internal processes, people, systems, or external events.
• Operational risk was traditionally a broad term covering non-financial risks, but its
definition has become more specific due to increased focus.

Key Elements of Operational Risk

1. People Risk:
o Employee mistakes (e.g., data entry errors, teller miscalculations).
o Employee fraud and misconduct (e.g., insider trading, invoice fraud).
o Absenteeism (e.g., key personnel shortages).
o Employer malpractices (e.g., discrimination, wrongful termination).
2. Process Risk:
o System malfunctions.
o Inadequate control procedures and decision-making.
o Errors in transaction processing.
o Non-compliance with risk surveillance.
3. Technology Risk:
o Software failures and outdated technology.
o Cybersecurity breaches and data loss.
o External disruptions (e.g., third-party system failures).
4. Physical Risk:
o Natural disasters (e.g., earthquakes, floods).
o Unnatural disasters (e.g., explosions, fires).
o Crime and vandalism.

Types of Operational Risk

• Internal Operational Risk: Failures within the organisation (e.g., process
breakdowns, staff errors).
• External Operational Risk: Environmental risks beyond the organisation's control
(e.g., regulatory changes, economic instability).

Operational Risk Management (ORM) Framework

1. Risk Identification:
o Methods: Workshops, checklists, scenario analysis, audit reports.
o Risk Register: A document listing all identified risks, causes, impact, and
mitigation strategies.
2. Risk Evaluation:
o Qualitative Assessments: Surveys, expert judgment.
o Quantitative Models:
▪ OpVaR (Operational Value at Risk): Statistical analysis of
operational loss distribution.
▪ Scenario Analysis: Identifies risk impact based on potential future
scenarios.
3. Risk Control:
o Implement controls to reduce inherent risks.
o Monitor effectiveness of controls and refine as needed.
4. Risk Financing:
o Regulatory capital requirements (Basel standards).
o Internal capital allocation and insurance.
5. Risk Monitoring:
o Key Risk Indicators (KRIs) as early warning signals.
o Reporting via dashboards, benchmarking, and audit reviews.
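The OpVaR step in the framework above is easier to see with numbers. The following Python example is added here and is not part of the original notes: it builds an aggregate annual loss distribution with the loss distribution approach (a Poisson number of loss events per year, each with a lognormal severity, both using constructed parameters rather than figures from any real loss database), reads OpVaR off the empirical distribution at a chosen confidence level, and splits it into the expected loss that pricing and provisions should cover and the unexpected loss that capital must absorb. The function names (`op_var`, `capital_breakdown`, `simulate_annual_losses`) are the example's own.

```python
import math
import random
import statistics


def poisson_draw(lam, rng):
    """Draw one Poisson(lam) event count (Knuth's method; the random module has no Poisson)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(n_years, event_rate, severity_mu, severity_sigma, seed=2024):
    """Loss Distribution Approach: for each simulated year, draw the number of loss
    events from Poisson(event_rate) and a lognormal severity for each event, and
    return the list of aggregate annual losses.
    The parameters are constructed for illustration, not calibrated to real data."""
    rng = random.Random(seed)
    annual = []
    for _ in range(n_years):
        events = poisson_draw(event_rate, rng)
        annual.append(sum(rng.lognormvariate(severity_mu, severity_sigma) for _ in range(events)))
    return annual


def op_var(losses, confidence):
    """Empirical OpVaR: the loss level that the aggregate annual loss stays at or below
    with probability `confidence` (e.g. 0.999 for a 99.9% one-year horizon)."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    ordered = sorted(losses)
    index = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(index, 0)]


def capital_breakdown(losses, confidence=0.999):
    """Expected loss (covered by pricing/provisions) versus unexpected loss
    (OpVaR minus expected loss, which is what risk capital has to absorb)."""
    expected = statistics.fmean(losses)
    var = op_var(losses, confidence)
    return {"expected_loss": expected, "op_var": var, "unexpected_loss": var - expected}


if __name__ == "__main__":
    # Constructed scenario: about 12 loss events a year, lognormal severities
    sample = simulate_annual_losses(n_years=10_000, event_rate=12, severity_mu=9.0, severity_sigma=1.5)
    for key, value in capital_breakdown(sample).items():
        print(f"{key:<16} {value:>16,.0f}")
```

A tail quantile such as 99.9% is estimated from only the top 0.1% of simulated years, so the number of simulated years (and the quality of the severity fit) drives how stable the OpVaR figure is; that is why the notes pair OpVaR with scenario analysis rather than relying on either alone.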

Study Unit 2.2: Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs)

Understanding KRIs and KPIs
• Key Performance Indicators (KPIs): Measure success in achieving targets.
• Key Risk Indicators (KRIs): Measure exposure to risks and provide early warnings.

Importance of Risk Indicators

• Helps in risk identification, risk assessments, and risk governance.
• Supports the establishment of risk appetite frameworks.
• Enables proactive risk mitigation strategies.

Key Risk Indicators (KRIs)

Definition

• Metrics indicating exposure levels to operational risks.
• Example: A rise in customer complaints may signal increasing process errors.

Types of KRIs

1. Firm-Wide vs. Business-Specific KRIs:
o Business-Specific: Unique to a sector (e.g., failed trades in banking).
o Firm-Wide: Applicable across the organisation (e.g., training costs).
2. KRIs by Risk Class:
o Risks related to people, processes, technology, external factors.
3. KRIs by Type:
o Inherent Risk Indicators: Measure natural exposure (e.g., transaction
volume).
o Control Risk Indicators: Measure management actions (e.g., training
hours).
o Composite Risk Indicators: Combine multiple risk factors (e.g., ROE using DuPont analysis).

Best Practices for KRIs

• Must be quantifiable (e.g., % errors, number of fraud cases).
• Should be predictive, rather than reactive.
• Use both internal and external data for context.
• Avoid excessive complexity—simple KRIs improve usability.

Key Performance Indicators (KPIs)

Definition

• Metrics that measure business performance in key areas.
• Can be financial or non-financial.

Types of KPIs

1. Financial KPIs:
o Return on Assets (ROA), Return on Equity (ROE).
o Profitability per product/customer.
o Revenue growth and inventory turnover.
2. Operational KPIs:
o Employee performance (e.g., assets under management).
o Exception reporting (e.g., failed audits).
o Risk management performance (e.g., % of fraud incidents prevented).
3. Customer-Related KPIs:
o Customer retention rate.
o Market share growth.
4. Marketing KPIs:
o Blog posts or e-books published.
o Engagement rate on digital platforms.

Risk vs. Return Framework

• Risk-adjusted loan pricing: Higher interest rates for high-risk loans.
• Risk-based capital requirements: Ensuring enough capital to cover potential losses.

Comparison: KRIs vs. KPIs

| Feature  | KRIs (Key Risk Indicators)                   | KPIs (Key Performance Indicators)                   |
| Purpose  | Measures risk exposure                       | Measures performance                                |
| Focus    | Potential future risks                       | Current success in achieving targets                |
| Examples | Fraud incidents, IT failures, process errors | Sales growth, customer satisfaction, profit margins |
| Usage    | Risk management                              | Performance assessment                              |

Other Key Considerations

How Many Indicators Are Enough?

• Too few: May not provide a comprehensive risk picture.
• Too many: Can be overwhelming and dilute focus.
• Best practice: Consider key risks, data availability, cost of tracking, and audience
(e.g., executive vs. operational managers).

Good Sources for KRIs

• Regulatory policies and compliance requirements.
• Previous loss databases and risk assessments.
• Stakeholder expectations (e.g., customer feedback, market ratings).

Good KRI Characteristics

• Consistent methodologies.
• Measurable in monetary values, percentages, or counts.
• Tied to clear organisational objectives.
• Timely and cost-effective to track.

Thresholds and Limits

• Establish predefined limits for KRIs (e.g., acceptable % of fraud cases).
• Implement escalation structures for high-risk deviations.
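The two points above (predefined limits and an escalation structure) can be turned into a small monitoring routine. The Python example below is added here and is not part of the original notes: it defines amber (warning) and red (limit) thresholds for a handful of KRIs drawn from the examples in this unit, rates each period's observations, compares them with the previous period so that a rising amber value is flagged before it breaches, and returns the red breaches that must be escalated. The indicator names, threshold values, owners and escalation targets are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    """One key risk indicator and its predefined limits (higher values are worse)."""
    name: str
    unit: str
    amber: float       # warning threshold: the owner watches and reports
    red: float         # limit: a breach is escalated up the chain
    owner: str         # operational manager who tracks the indicator
    escalate_to: str   # who receives a red-breach escalation


# Constructed limits for illustration; a real register would derive these from
# loss history, regulatory expectations and the firm's risk appetite.
KRI_LIMITS = {
    "fraud_cases_pct": KRI("fraud_cases_pct", "%", 0.5, 1.0, "Fraud Ops", "Risk Committee"),
    "failed_trades": KRI("failed_trades", "count", 20, 50, "Trade Support", "Head of Operations"),
    "customer_complaints": KRI("customer_complaints", "count", 100, 200, "Customer Service", "COO"),
    "it_outage_hours": KRI("it_outage_hours", "hours", 4, 12, "IT Operations", "CIO"),
}


def rate(kri, current, previous=None):
    """Classify one observation against its amber/red thresholds and decide the action.

    The trend against the previous period makes the indicator predictive: an amber
    value that is rising is flagged for attention before it reaches the limit."""
    if previous is None:
        trend = None
    elif current > previous:
        trend = "rising"
    elif current < previous:
        trend = "falling"
    else:
        trend = "flat"

    if current >= kri.red:
        status, action = "red", f"escalate to {kri.escalate_to}"
    elif current >= kri.amber:
        status = "amber"
        action = f"report to {kri.owner}" + (", rising towards limit" if trend == "rising" else "")
    else:
        status, action = "green", "none"
    return {"kri": kri.name, "value": current, "unit": kri.unit,
            "status": status, "trend": trend, "action": action}


def evaluate_period(observations, previous=None):
    """Rate every observed KRI for a reporting period.

    Returns (ratings, breaches): all ratings, plus the red ones that must be escalated.
    An observation for an indicator with no defined limits is an error, not silently green."""
    previous = previous or {}
    ratings = []
    for name, value in observations.items():
        if name not in KRI_LIMITS:
            raise KeyError(f"no limits defined for KRI {name!r}")
        ratings.append(rate(KRI_LIMITS[name], value, previous.get(name)))
    breaches = [r for r in ratings if r["status"] == "red"]
    return ratings, breaches


if __name__ == "__main__":
    # Constructed monthly observations for two consecutive periods
    february = {"fraud_cases_pct": 0.4, "failed_trades": 30, "customer_complaints": 90, "it_outage_hours": 1}
    march = {"fraud_cases_pct": 0.7, "failed_trades": 55, "customer_complaints": 80, "it_outage_hours": 4}
    ratings, breaches = evaluate_period(march, previous=february)
    for r in ratings:
        print(f"{r['kri']:<20} {r['value']:>6} {r['unit']:<6} {r['status']:<6} {r['action']}")
    print("escalations:", [b["kri"] for b in breaches])
```

Keeping the thresholds in one register and refusing observations for unknown indicators are deliberate: a KRI that is tracked without an agreed limit gives no early warning, and a dashboard that quietly shows such an indicator as green hides exactly the gap the escalation structure is meant to close.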

Study Unit 3.1: Introduction to Corporate Governance

1. Introduction to Corporate Governance

Learning Outcomes:

• Understand how corporate failures led to governance reforms.
• Define corporate governance and its importance.
• Explain board composition, size, and committees.
• Identify common board mistakes and effective governance elements.
• Differentiate between independence, conflict of interest, and non-executive directors.
• Understand the role of the company secretary.
• Explain employees' role in whistleblowing.
• Understand authority flow and the distinction between responsibility and
accountability.

2. The Governance Problem: Origins & History

• First major corporate governance dispute (1922) – Shareholders complained
about poor disclosure and low dividends.
• Corporate scandals over the years highlighted governance failures:
o Issues: Lack of ethics, creative accounting, excessive executive power,
unbalanced compensation, and greed.
o Notable scandals: Enron, WorldCom, Waste Management, Tyco, Barings
Bank, Steinhoff.
• Governance reforms:
o Cadbury Report (1992, UK) introduced the first Code of Best Practice,
focusing on financial governance.

3. What is Corporate Governance?

Definition:

• "The practice by which companies are managed and controlled" – Cadbury Report (1992)
• Involves risk management, ethical performance, sustainable business practices, and
accountability.
• Ensures investor confidence in corporate management and resource allocation.

Importance of Good Corporate Governance:

• Attracts investments (institutional and foreign).
• Improves profitability, sustainability, and stakeholder value.
• Manages business risks and minimises legal liabilities.
• Enhances share value and reduces capital costs for listed companies.
• King IV Report (SA) provides governance guidelines, though not legally binding.

4. Corporate Governance Structure: The Board of Directors (BOD)

Definition:

• A group responsible for overseeing company affairs.

Roles of the Board:

1. Steering and Strategic Direction: Approves company strategies.
2. Policy Approval: Reviews and approves policies and operational plans.
3. Oversight & Monitoring: Ensures strategy execution aligns with plans.
4. Accountability: Ensures transparency via reporting and disclosure.

5. Board Composition & Size

Composition:

• Balanced skills, knowledge, experience, and diversity.
• Majority should be independent non-executive directors.
• Chairperson must be independent and not the CEO (to avoid conflicts of interest).

Size:

• No universal "optimal" size; ranges between 3 to 31 members.
• SA large companies' average size: 12.3 directors.
• Companies Act requirements:
o Private/Public Companies: 1-3 directors.
o JSE-listed companies: Minimum 4 directors.
• Challenges:
o Too large: Slow decision-making.
o Too small: Lacks expertise for effective decisions.

6. Key Board Roles

Non-Executive Director (NED):

• Not involved in daily operations.
• Participates in policymaking and long-term planning.

Independent Director:

• Has no substantial financial or business ties with the company.
• Enhances shareholder value, oversight, and management accountability.
• Cannot have been an executive or related to major shareholders in the past 3 years.

Conflict of Interest:

• Any financial/economic relationship that affects objectivity.
• Can create unfair advantages for certain parties.

Chairperson vs. CEO:

• CEO: Manages company operations.
• Chairperson: Oversees board functions and governance.
• Must be separate roles to avoid concentration of power.
• JSE Listing Requirements (post-King II): Mandates CEO-Chairperson separation.

7. Elements of an Effective Board

✅ Independent directors form the majority.
✅ Regular director evaluations and removal of non-performers.
✅ Separation of Chairperson and CEO roles.
✅ Stakeholder communication with the board.
✅ Annual CEO performance evaluations.
✅ Board members engage with senior management.
✅ Regular assessment of director independence.
✅ Diversity in board composition.

8. Common Mistakes by Boards

❌ Avoiding difficult discussions.
❌ Misalignment with shareholder interests.
❌ Overcommitted directors who fail to contribute effectively.
❌ Overcautious risk management (missed opportunities).
❌ Lack of trust between board and management.
❌ Poor leadership from the Chairperson.

9. Board Committees & Their Functions

• Boards delegate specific responsibilities to committees for better oversight.
• Committees should have charters defining roles, responsibilities, and structure.
• Should be led by independent directors to avoid conflicts of interest.

Critical Committees:

1. Audit Committee – Oversees financial reporting and internal controls.
2. Remuneration/Compensation Committee – Determines executive pay and incentives.

Additional Committees:

3. Nomination Committee – Selects and evaluates board members.
4. Social & Ethics Committee – Ensures corporate social responsibility.
5. Risk Management Committee – Manages enterprise-wide risks.
6. Compliance Committee – Ensures adherence to laws and regulations.

10. The Role of the Company Secretary

Definition:

• Ensures regulatory compliance, governance best practices, and board communication.
• Acts as the company’s "conscience" and an independent advisor.

Key Responsibilities:

• Manages governance frameworks.
• Conducts director induction programmes.
• Communicates between the board and management.
• Facilitates shareholder relations and meetings.

Detailed Notes on Corporate Governance and the King Reports (King I, II, III)

1. Corporate Governance and King I

Background
• Corporate governance in South Africa (SA) developed not due to corporate failures
(unlike other countries) but due to unhealthy competition after SA’s transition to
democracy.
• The King Committee on Corporate Governance was established by the Institute
of Directors in Southern Africa (IoDSA) in 1992.

King I Report (1994)

• Compiled by: Former Judge Mervyn King and Geoffrey Bowes.
• Purpose: To promote the highest standards of corporate governance in SA.
• Applicability: Voluntary adoption by companies and state-owned enterprises.
• Main Contribution:
o Introduced 15 principles for corporate governance, focusing on the
responsibilities of boards of directors.
o Emphasized ethical leadership, accountability, and transparency.

2. King II Report (2002)

Context & Need for King II
• Developed in response to corporate governance crises in both public and private
sectors.
• Aimed to provide best practices for boards, directors, and companies.
• Focused primarily on:
o JSE-listed companies
o Public sector enterprises
o Financial institutions and national/provincial agencies.

Key Changes in King II

1. Sustainability Reporting
o Required companies to report on their impact on society, nature, and
business (Triple Bottom Line).
2. Risk Management
o Core element of corporate governance.
o Introduced board-level accountability for risk management.

Risk Management Recommendations in King II

• Board's Role:
o Responsible for overseeing the entire risk management process.
o Evaluate the effectiveness of risk management.
• Management's Role:
o Design, implement, and monitor the risk management strategy.
o Work with the board to set risk strategy policies.
• Effective Risk Management Requires:
o Integration into daily company activities, language, and culture.
o Regular reporting from management to the board.
o Disclosure in annual reports that the board is accountable for risk
management and ensures regular reviews.

Role of Internal Audit in Risk Management

• Provides independent assurance on the effectiveness of:
o Risk management processes.
o Internal controls.
• Verifies board assertions on governance.

Characteristics of Good Corporate Governance (King II)

(Still applicable in King IV)

1. Discipline – Commitment to ethical business behavior.
2. Transparency – Clear and accessible company information.
3. Independence – Avoidance of conflicts of interest.
4. Accountability – Decision-makers held responsible.
5. Responsibility – Corrective action and penalties for mismanagement.
6. Fairness – Balanced treatment of all stakeholders.
7. Social Responsibility – Ethical awareness and response to social issues.

Corporate Governance Failure Example: Enron Scandal

• Company: Enron (Houston-based energy company).
• Scandal:
o Engaged in accounting fraud.
o Misrepresented earnings and manipulated balance sheets.
o Led to bankruptcy in 2001.
o Thousands of employees lost jobs.
• Consequences:
o Arthur Andersen (audit firm) was dissolved for document destruction.
• Failed Governance Principles:
o Lack of transparency, accountability, and discipline.

3. King III Report (2009)

Context & Necessity for King III
• Issued during the global financial crisis and recession.
• Needed due to:
o The introduction of South Africa’s Companies Act (2008).
o International governance trends evolving.

Applicability
• Applies to all entities, regardless of:
o Incorporation or establishment.
• Compliance:
o A JSE listing requirement.
o Required companies to disclose adherence to 75 governance principles.

Key Differences: King II vs. King III

| King II                                             | King III                                      |
| Focused on business corporations.                   | Applies to all entities (not just companies). |
| Required companies to comply or explain deviations. | Introduced "apply or explain" approach.       |
| Limited focus on IT governance.                     | Introduced IT Governance as a core aspect.    |

• "Apply or Explain" Approach:
o Companies must apply King III principles.
o If they don’t, they must justify their alternative governance practices.

Key Aspects of King III

1. Defining Roles and Inclusivity
o Risk management is not assigned to one person but is an inclusive process
across the company.
o Stakeholder inclusivity is key to sustainability.
2. Leadership
o Governance requires effective leadership characterized by:
▪ Ethical values (responsibility, accountability, fairness, transparency).
▪ Leaders should align strategies with economic, social, and
environmental performance.
3. Sustainability
o Defined as meeting present needs without compromising future
generations.
o Emphasizes the interconnection of nature, society, and business.
4. Integrated Reporting
o Combines financial and sustainability reporting.
o Previously, financial and sustainability reports were separate.
o Now, integrated reporting is a core corporate governance requirement.

Corporate Governance & King IV

1. General Background of King IV
• Published: 1 November 2016, effective from 1 April 2017.
• Purpose: Balances conformance (compliance) and performance (value
creation).
• Key Theme: Transparency – aligns with global governance trends, ensuring
accountability.
• Changes from King III: Reduced 75 principles to 16 principles (+1 for
institutional investors).
• Universal Applicability: Can be applied across all organisations, regardless of
size/type.
• Retained Elements: Sustainable development, integrated annual reports, and
corporate responsibility, but with refinements.

2. Why the Need for King IV?

• Updates governance codes to global best practices.
• Addresses challenges like:
o Political & social tensions
o Climate change
o Technological advancements
o Regulatory changes
o Radical transparency & ethical leadership
• Encourages corporate sustainability (Triple Context: Economy, Society,
Environment).

3. King IV and Integrated Thinking

Integrated Thinking is decision-making that considers value creation over the short, medium, and long term.
It removes the separation between financial and non-financial performance.

The Six Capitals of Integrated Thinking:

1. Financial – Funds for operations (equity, debt, or reinvestments).
2. Manufactured – Physical assets (buildings, machinery, infrastructure).
3. Intellectual – Knowledge assets (patents, brand reputation, copyrights).
4. Human – Employee skills, leadership, ethics, motivation, and values.
5. Social & Relationship – Business networks, community engagement, brand trust.
6. Natural – Environmental resources (water, air, minerals, biodiversity).

✅ Trade-offs: These capitals interact. Example: Maximising profit (financial capital) at the cost of unethical HR practices (human capital) can reduce long-term sustainability.

Value Creation Process:

Inputs → Business Activities → Outputs → Outcomes

• Inputs: Six capitals
• Business activities: Research, Design, Production, Marketing
• Outputs: Products, Services, Waste
• Outcomes: Company culture, brand reputation, control, legitimacy

Principles of Integrated Thinking:

1. Organisations are Corporate Citizens – Must act responsibly towards society.
2. Stakeholder Inclusivity – Boards must consider all stakeholders (not just
shareholders).
3. Sustainable Development – Companies should protect People, Planet, Profit
(Triple Context).
4. Integrated Reporting – A holistic approach to company performance.

4. Integrated Reporting (IR) & Its Benefits

A report detailing both financial and non-financial activities (sustainability, ethics, governance).

✅ Benefits of Integrated Reporting:

• Breaks Silos – Encourages inter-departmental collaboration.
• Senior Management Engagement – Improves decision-making.
• Better Stakeholder Engagement – Investors, employees, and regulators gain a
fuller picture of company value.
• Stronger Risk Management – Helps identify long-term risks & opportunities.
• Lower Capital Costs – Transparency reduces investor uncertainty.
• Better Internal Processes – Enhances efficiency and accountability.

5. Corporate Governance (King IV Definition)

Corporate Governance = Ethical & effective leadership by a governing body to achieve:

1. Ethical Culture – Acting with integrity, transparency, and responsibility.
2. Good Performance – Sustainable financial & operational success.
3. Effective Control – Board oversight, accountability, risk management.
4. Legitimacy – Gaining trust & maintaining stakeholder support.

✅ Ethical Leadership vs. Effective Leadership:

• Ethical Leadership → Integrity, fairness, transparency.
• Effective Leadership → Strategy execution & organisational performance.

6. Key Differences: King III vs. King IV

| Feature            | King III           | King IV                                                                  |
| Approach           | Rules-based        | Outcomes-based                                                           |
| Disclosure         | "Apply OR Explain" | "Apply AND Explain"                                                      |
| Principles         | 75 principles      | 16 principles (+1)                                                       |
| Scope              | Mainly companies   | All organisations                                                        |
| Sector Supplements | Not included       | Covers Municipalities, NPOs, SMEs, State-Owned Entities, Retirement Funds |

✅ King IV is more principles-based and flexible compared to the rigid compliance approach of King III.

7. Disclosure of King IV
• Can be disclosed in Integrated Reports, Sustainability Reports, Social & Ethics
Committee Reports.
• Must be updated annually and be publicly accessible.

8. The Five Objectives of King IV

1. Governance as an Integral Part of Business – Ethical culture & value creation.
2. Broaden Acceptance – Flexible for all organisational types.
3. Holistic Approach – Governance = Interrelated practices.
4. Transparent Reporting – Meaningful disclosures to stakeholders.
5. Ethical Consciousness – Focus on conduct, not just compliance.

9. Additional Important Aspects of King IV

(a) Performance Evaluation of the Board

• Conducted in-house, externally, or combined.
• In-house: Quick & easy but risk of bias.
• External: Independent but expensive.
• Outcome: Chairperson ensures weaknesses are addressed via an action plan.

(b) Internal Audit & Combined Assurance

• Internal Audit: Provides independent assessment of risk management.
• Combined Assurance: Internal + External audits ensure accountability.
• Internal Assurance Providers: Internal auditors, fraud examiners.
• External Assurance Providers: External auditors, regulatory inspectors.

(c) Technology & Information Governance

• Technology creates OR erodes value (e.g., cybersecurity risks).
• Board Role: Must oversee data security, digital transformation, and compliance.
• Board Portals: Digital platforms for efficient governance (e.g., Nasdaq
Boardvantage).

10. Self-Evaluation Questions

1. Discuss the background of King IV.
2. Explain why King IV was introduced.
3. Define Integrated Thinking & explain its six capitals.
4. What is the Triple Context (People, Planet, Profit) in sustainability?
5. List advantages of Integrated Reporting.
6. Define Corporate Governance according to King IV.
7. Compare King III vs. King IV.
8. Where should King IV be disclosed?
9. What are the five objectives of King IV?
10. Explain:
• Board performance evaluation
• Internal audit & combined assurance
• Technology & information governance

Summary: King IV in a Nutshell

✅ Transparency is key.
✅ Focuses on outcomes-based governance (ethical culture, performance, control,
legitimacy).
✅ Integrated financial & sustainability reporting.
✅ Promotes stakeholder inclusivity and sustainable development.
✅ More flexible and universal than King III.
For further insights, watch this King IV summary video: 🔗 Link.

Enterprise Risk Management (ERM) & COSO Framework – Detailed Notes

1. Introduction to Enterprise Risk Management (ERM)

1.1 Background
• Companies have developed risk management processes, but there was no
universally accepted framework.
• The Committee of Sponsoring Organisations of the Treadway Commission (COSO)
created a framework to guide ERM.
• COSO ERM provides structured principles to manage risks effectively across an
organisation.

1.2 About COSO

• Formed in 1985 as a joint initiative of five private sector organisations.
• It is a generic ERM framework applicable to all entity sizes and types.
• Primary purpose:
o Provide guidance on Enterprise Risk Management (ERM), Internal
Control, and Fraud Prevention.
• Fundamental Principle:
o Effective risk management is essential for long-term organisational
success.

1.3 Why Was COSO ERM Updated in 2017?

• The business environment has evolved due to:
o Globalisation and increased technological advancements.
o Greater stakeholder engagement demanding transparency.
o Increased complexity in operating and regulatory environments.
• The update aimed to enhance protection and stakeholder value.

2. Relevance of ERM

2.1 ERM's Core Premise
• Every organisation exists to create value for its stakeholders.
• ERM helps in strategy setting and managing risks across all activities.
• ERM enhances the organisation’s ability to create, preserve, and realise value.

2.2 ERM’s Impact on Value

ERM affects value in four ways:

1. Value Creation
o When benefits derived from resources exceed the costs of those resources.
o Example: Successful product launch with a positive profit margin.
2. Value Preservation
o Ensuring sustainable value through efficient resource use.
o Example: Delivering high-quality services/products, leading to customer
loyalty.
3. Value Erosion
o Results from poor strategy or execution, causing a negative impact.
o Example: Investing heavily in a failed product development.
4. Value Realisation
o When stakeholders receive tangible or intangible benefits.
o Example: Shareholders gaining dividends from increased profits.

2.3 Why Is ERM Important?

• Helps achieve organisational performance and profitability targets.
• Minimises unexpected losses or resource depletion.
• Ensures regulatory compliance to avoid reputational damage.
• Enhances competitive advantage by managing risks proactively.
• Builds stakeholder confidence.

2.4 ERM’s Link to Key Business Areas

1. Governance
o Defines roles, responsibilities, and risk management strategies.
2. Performance Management
o Measures and evaluates actions against set targets.
3. Internal Control
o Identifies, analyses, and manages risks.
o Includes fraud risk, compliance risk, and financial reporting risk.

3. Understanding ERM: Definition & Key Concepts

3.1 Definition of ERM (COSO 2017)

"The culture, capabilities, and practices integrated with strategy-setting and
performance that organisations rely on to manage risk in creating, preserving, and
realising value."

3.2 Breakdown of ERM Definition

• Culture:
o Shaped by people within the entity.
o Influences how risks are identified, assessed, and managed.
• Capabilities:
o Organisations with strong ERM are more resilient and adaptable to
change.
o ERM enhances skills for achieving business objectives.
• Practices:
o ERM is not a one-time process; it is a continuous application across all
levels.
• Strategy Integration:
o ERM aligns with the organisation’s mission, vision, and goals.
o Reduces costs and helps identify opportunities.
• Managing Risk in Business Objectives:
o ERM ensures reasonable expectations about risk and strategy success.
o Requires regular review to respond to new risks.
• Link to Value & Risk Appetite:
o Risk appetite: The level of risk an entity is willing to accept in pursuit of
value.
o Needs to be flexible to adapt to changing business conditions.

4. Benefits of ERM

1. Increases Opportunity Range
o Helps identify both positive and negative possibilities in decision-making.
2. Reduces Performance Variability
o Ensures more consistent outcomes.
3. Improves Resource Allocation
o Identifies risks early, allowing optimal use of resources.
4. Enhances Organisational Resilience
o Increases an entity’s ability to anticipate and respond to changes.
5. Reduces Negative Surprises
o Establishes proactive risk responses to minimise losses.

5. Clearing Up Misconceptions About ERM

• ERM is NOT a separate department/function.
o It is integrated into business strategy and operations.
• ERM is NOT a checklist or static process.
o It is continuous and focuses on learning, monitoring, and improving.
• ERM is NOT only for large corporations.
o It is applicable to all organisations, including small businesses and
government bodies.

6. COSO ERM Framework: Components & Principles

6.1 Five Components of COSO ERM

1. Governance & Culture
o Establishing roles, risk oversight, and ethics.
2. Strategy & Objective-Setting
o Aligning risk management with strategic goals.
3. Performance
o Identifying, assessing, and responding to risk.
4. Review & Revision
o Evaluating performance and adjusting risk strategies.
5. Information, Communication & Reporting
o Ensuring relevant risk-related data is shared effectively.

6.2 Principles within the COSO Framework

• There are 20 principles distributed across the five components.
• Each principle provides a structured approach to risk management.

7. Alternative ERM Framework: ISO 31000

7.1 Overview of ISO 31000

• International standard for risk management.
• Provides a framework, principles, and processes to manage risks.

7.2 Comparison: COSO ERM vs. ISO 31000

| Feature     | COSO ERM                          | ISO 31000                               |
| Focus       | Integrated Risk Management        | Broad Risk Management                   |
| Structure   | 5 Components, 20 Principles       | General principles & process            |
| Application | More detailed framework           | Simpler and more flexible               |
| Best Use    | Organisations with structured ERM | Organisations wanting risk adaptability |

7.3 Why Implement ISO 31000 If Using COSO?

• ISO 31000 enhances international recognition.
• Easier to integrate with other management systems (e.g., ISO 9001 for quality
management).
• More practical and simpler to understand for risk professionals.

Strategy, Business Objectives, and Performance & Integrating ERM

1. Enterprise Risk Management (ERM) and Strategy

Definition of Strategy
• Strategy refers to an organisation’s plan to achieve its mission, vision, and core
values.
• A well-defined strategy provides a framework for:
o Efficient resource allocation
o Effective decision-making
o Establishing business objectives

Relevance of Strategy in an Organisation

• Strategy acts as a roadmap for business objectives.
• Helps in determining the organisation’s risk appetite.
• ERM does not create strategy but plays a critical role in shaping it by evaluating
risks associated with different strategic choices.

How ERM Affects Strategy

• Ensures alignment between business objectives and the organisation’s mission,
vision, and core values.
• Assesses risks in implementing the chosen strategy.
• Helps decision-makers understand trade-offs (e.g. risk vs reward, cost vs
efficiency).

2. Mission, Vision, and Core Values

• Mission: Defines the organisation’s purpose and why it exists.
• Vision: Describes what the organisation aims to achieve in the long term.
• Core Values: Principles that define what is acceptable/unacceptable within the
organisation, shaping its culture and behaviour.

Importance in Strategy Development

• The mission and vision provide boundaries for strategic decision-making.
• If a strategy does not align with the mission and vision, it may lead to value
destruction.
• Core values influence how strategy is implemented and how risks are managed.

3. Implications of the Chosen Strategy

• Strategy selection involves making trade-offs such as:
o Time vs Quality
o Efficiency vs Cost
o Risk vs Reward
• Each strategy has a unique risk profile, which must align with the organisation’s
risk appetite.
• The board and management must evaluate whether the chosen strategy is
compatible with the organisation’s overall objectives and risk tolerance.

Evaluating Strategy Using ERM

• ERM does not create strategy but assesses risks associated with different
strategic choices.
• The entity must:
1. Assess how the chosen strategy impacts risk exposure.
2. Determine if the risks are within the acceptable risk appetite.
3. Re-evaluate or modify the strategy if necessary.

Example: Healthcare Provider (Hospital)

• Mission: Provide high-quality patient care with comprehensive medical services.
• Vision: Be the preferred healthcare provider for doctors and patients.
• Core Values: Honesty, respect, accountability, and compassion.
• Strategy:
o Improve service quality.
o Develop new medical innovations.
o Form new partnerships.
• Risks Associated with this Strategy:
o Increased costs due to high-quality service requirements.
o Challenges in managing new partnerships.
o Uncertainty in medical innovation success.
• Key Decision: The organisation must assess whether the chosen strategy helps
achieve its mission and vision while managing the associated risks.

4. Risk Profile and Performance

Definition of Risk Profile
• A risk profile is a composite view of risks across different levels of an
organisation, such as:
o Entity level
o Business unit level
o Functional level

Understanding the Relationship Between Risk and Performance

• The relationship between risk and performance is not always linear.
• Increasing performance targets does not always lead to higher risk, and vice
versa.
• Risk assessment allows management to:
o Evaluate the type and severity of risks.
o Determine how risks affect overall performance.
o Align business objectives with an acceptable level of risk.

Graphical Representation of Risk and Performance

• Figure A (not included but referenced in the slides):
o Shows the aggregate amount of risk for different levels of performance.
o Helps in setting target performance levels while managing risk.

5. Integrating ERM into the Organisation

Why is ERM Integration Important?
ERM should not be seen as a separate function but should be integrated into the culture,
capabilities, and practices of the organisation.

Key Benefits of ERM Integration:

1. Anticipate risks earlier → Provides more options for risk management.
2. Minimise performance deviations → Reduces unexpected losses and failures.
3. Identify new opportunities → Ensures alignment with risk appetite.
4. Respond quickly to changes → Improves adaptability.
5. Enhance collaboration and trust → Encourages information sharing across
departments.
6. Optimise resource allocation → Allows better decision-making.

6. How Organisations Can Fully Integrate ERM

1. Culture
• Organisations should create a risk-aware culture by:
o Promoting transparency and open discussions about risks.
o Clarifying roles and responsibilities in risk management.
o Aligning incentives and remuneration with risk-aware behaviours.
o Ensuring employees understand how value is created and protected.

2. Capabilities
• Management should:
o Have access to the right skills and experience to make risk-informed
decisions.
o Continuously update risk assessments as business conditions change.
o Consider external vendors and third parties when evaluating risks.

3. Practices
• ERM must be embedded in everyday decision-making and strategy development:
o Strategies should consider risk implications from the outset.
o Risks should be actively monitored and adjusted.
o Performance metrics should be linked to risk management outcomes.
o Management should be prepared to respond to changes in risk exposure.

Example of ERM Integration in Practice

• A large organisation integrates ERM into its monthly performance meetings.
• During these meetings, they:
o Analyse performance trends.
o Discuss emerging and changing risks.
o Adjust risk management strategies accordingly.
• This approach improves responsiveness and transparency in decision-making.

7. Self-Evaluation Questions
To test your understanding, try answering these questions:

1. Define strategy and explain how ERM influences it.
2. How does ERM help organisations align strategy with their mission, vision, and
core values?
3. What are the implications of a chosen strategy, and how does ERM assist in
evaluating these implications?
4. Define risk profile and explain its role in assessing risk and performance.
5. Why is integrating ERM into business processes important?
6. What steps can an organisation take to fully integrate ERM into culture, capabilities,
and practices?

Summary of Key Takeaways

• ERM and Strategy: ERM helps organisations ensure their strategy aligns with their
mission, vision, and core values while managing risks.
• Risk Profile and Performance: The relationship between risk and performance is
complex, requiring careful evaluation.
• ERM Integration: ERM should be embedded in an organisation’s culture,
capabilities, and daily practices.
• Strategic Decision-Making: ERM aids in evaluating alternative strategies,
ensuring they align with business objectives and risk appetite.


Overview of the COSO ERM Framework

The COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM
(Enterprise Risk Management) Framework consists of five interrelated components
designed to help organisations manage risk in alignment with their mission, vision, and core
values. The framework is an integral part of day-to-day decision-making and aims to
enhance value through effective risk management.

1. Governance and Culture

Foundation for All Other Components
• Establishes the tone at the top and the overall risk culture.
• Sets out responsibilities and expectations for risk management.
• Culture influences decision-making, behaviours, and how risk is perceived.
• Strong governance ensures accountability, ethical conduct, and alignment with
strategic objectives.

2. Strategy and Objective-Setting

Integration of ERM into Strategy

• Aligns risk management with the entity’s mission, vision, and strategy.
• Helps understand the business context, considering internal and external risk
factors.
• Sets risk appetite in conjunction with strategy, determining the level of risk the
organisation is willing to accept.
• Objectives are established to align with risk appetite and strategic goals.

3. Performance

Risk Identification, Assessment, and Response

• Identifies risks that could impact objectives.
• Assesses severity and probability of risks.
• Categorises risks and selects an appropriate risk response: accept, avoid, reduce,
share, or pursue.
• Monitors performance and risk levels, providing a portfolio view of risks.
• Ensures risk management contributes to achieving business objectives.

4. Review and Revision

Ongoing Evaluation and Adaptation

• Regularly reviews ERM performance relative to targets.
• Evaluates the effectiveness and value of ERM.
• Identifies areas for improvement and adapts risk management strategies.
• Ensures ERM remains relevant and responsive to changing conditions.

5. Information, Communication, and Reporting

Effective Flow of Information

• Ensures continuous communication to obtain, share, and report risk information.
• Supports decision-making with timely, accurate, and relevant information.
• Internal and external reporting on risk, culture, and performance.
• Promotes a culture of transparency and accountability.

Principles of ERM
Each of the five components has a subset of principles that represent the fundamental
concepts of each component.

• These principles are universal and outline what an entity should do as part of
effective ERM practices.

Assessing ERM

Purpose and Approach

• Provides reasonable assurance that objectives are achievable, not absolute assurance.
• Assessment is voluntary or can be legally required.
• Focuses on ensuring components and principles are present, functioning, and
integrated.

Approaches to ERM Assessment:

1. When assessing ERM for external stakeholders, use COSO’s principles.
2. For internal assessments, use a maturity model tailored to the entity’s complexity.
o Complexity factors: Geography, industry, nature, technology, regulatory
oversight, etc.

Governance and Culture Overview

• Governance and Culture form the foundation for all ERM components.
• Culture reflects the core values, beliefs, attitudes, and desired behaviors within
an organization.
• A risk-aware culture encourages transparency and effective risk management.

Principle 1: Exercises Board Risk Oversight

• Board of Directors (BOD) oversees strategy and governance responsibilities.
• Accountability & Responsibility:
o BOD is primarily responsible for risk oversight.
o Management handles day-to-day risk management.
o BOD can delegate risk management responsibilities to committees.
o A clear statement must define BOD vs. management roles.
• Skills, Experience, and Business Knowledge:
o BOD must possess expertise and industry knowledge.
o Board members must challenge management on strategy and performance.
o Risk areas like cybersecurity require specialized board expertise.
• Independence of the Board:
o Essential for objectivity in decision-making.
o Serves as a check and balance on management.
• Factors That Hinder Board Independence:
o Long tenure on the board.
o Financial interest in the entity.
o Conflicts of interest (e.g., serving on multiple boards).
o Business relationships with the organization.
• Suitability of ERM:
o BOD must understand how ERM integration creates value.
o Organizational Bias affects decision-making (e.g., favoritism, risk
aversion).

Principle 2: Establishes Operating Structures

• Operating structures define how an entity carries out operations.
• Reporting lines should be clearly designed.
• Legal & management structures influence operations.
• External parties (e.g., outsourcing, joint ventures) may impact reporting lines.
• Different structures lead to different risk profiles.
• Factors to Consider When Establishing an Operating Structure:
o Strategy & objectives.
o Size, nature, and geographical reach.
o Risk exposure and reporting structures.
o Financial, tax, and regulatory considerations.
• ERM Structures:
o Larger organizations delegate risk oversight to committees.
o Smaller entities involve management more directly in risk oversight.

Principle 3: Defines Desired Culture

• Culture & Desired Behaviors:
o Culture reflects values, behaviors, and decisions.
o Decisions are shaped by information, judgment, experience, and risk
appetite.
o BOD defines desired culture.
o Culture must align with mission, vision, and daily activities.
• Internal Factors Influencing Culture:
o Employee autonomy and judgment.
o Interactions among personnel.
o Organizational rules, standards, and reward systems.
• External Factors Influencing Culture:
o Regulatory requirements.
o Investor and customer expectations.
o External pressures shape risk appetite (risk-averse vs. risk-aggressive).
• Applying Judgment:
o Judgment is crucial for risk management and decision-making.
o Bias in judgment can occur due to overconfidence or lack of data.
o Good judgment enables crisis management.
• Effects of Culture on ERM:
o Culture impacts risk identification, assessment, and responses.
o Risk-averse vs. risk-aggressive attitudes affect resource allocation,
strategy, and performance reviews.
• Misalignment of Core Values & Decisions:
o Inconsistent leadership tone leads to misalignment.
o BOD failing to oversee management adherence to values.
o Unrealistic performance targets encourage unethical behavior.
• Shifting Culture:
o Changes in leadership, mergers, acquisitions can shift culture.
o Requires adaptation to maintain alignment with core values.

Principle 4: Demonstrates Commitment to Core Values

• Core Values & Organizational Tone:
o Core values guide decisions.
o A consistent tone ensures core values are understood across markets.
• Embracing a Risk-Aware Culture:
o Leadership drives risk awareness.
o Participative management ensures employee engagement in decision-
making.
o Accountability is key—mismanagement is not tolerated.
• Embedding Risk Awareness in Decision-Making:
o Align behaviors with remuneration and incentives.
o Open discussions on risk.
o Employees are reminded of risk responsibilities.
• Enforcing Accountability:
o BOD holds CEO accountable for risk management.
o Expectations are clearly communicated.
o Deviations result in corrective actions (e.g., termination).
• Holding the Board Accountable:
o Performance evaluation cascades from BOD to employees.
o Adherence to culture & values is regularly assessed.
• Open Communication Without Retribution:
o Transparency in risk communication improves:
▪ Objective setting.
▪ Incident reporting.
▪ Performance tracking.
▪ Deviation from core values.
• Responding to Deviations in Core Values:
o Issues arise due to mistakes, weakness, or intentional harm.
o Responses include probation, termination, or corrective action.

Principle 5: Attracts, Develops, and Retains Capable Individuals

• Building Human Capital:
o Align talent with business objectives and ERM strategy.
o HR helps with job descriptions, training, and performance evaluation.
• Key Areas in Talent Management:
o Attract individuals aligned with risk culture.
o Train employees in ERM competencies.
o Mentor for adaptation to changes.
o Evaluate employee performance.
o Retain talent through incentives and rewards.
• Addressing Workplace Pressure:
o Pressure can either motivate or create fear.
o Excessive pressure leads to unethical behavior and fraud.
o Associated with:
▪ Unrealistic performance targets.
▪ Conflicting stakeholder objectives.
▪ Short-term financial pressure over long-term stability.
o Organizations must manage pressure positively (e.g., balancing
workloads).

COSO ERM Component 2: Strategy and Objective Setting

1. Introduction to Strategy and Objective Setting

• Strategy transforms an entity’s mission and vision into actionable plans.
• Integrating Enterprise Risk Management (ERM) with strategy-setting helps
organisations understand their risk profile and sharpen their strategy.
• This alignment identifies tasks and objectives necessary for successful execution.

2. Principles of Strategy and Objective Setting

Principle 6: Analyses Business Context

• Organisations consider the effects of business context on risk profiles.
• Business Context includes:
o Dynamic Context: New risks disrupt the status quo (e.g., new competitors
reduce sales).
o Complex Context: Interconnected and interdependent environments (e.g.,
multiple operational units with unique regulations).
o Unpredictable Context: Rapid, unexpected changes (e.g., currency
fluctuations, political instability).

External Environment & Stakeholders:

• External factors influence strategy and objectives, such as:
o Stakeholders affected by the entity: Customers, suppliers, competitors.
o Entities influencing the business environment: Government, regulators.
o Entities influencing reputation and trust: Communities, interest groups.

Internal Environment & Stakeholders:

• Internal factors influencing strategy and objectives include employees, management,
internal processes, and company culture.

How Business Context Affects Risk Profile:

• Business context impacts risk profiles across three stages:
o Past: Provides insights into historical risk management.
o Present: Highlights current trends and relationships.
o Future: Projects the evolution of risk profiles.

3. Principle 7: Defines Risk Appetite

• Risk appetite reflects the types and amount of risk an organisation is willing to accept
in pursuit of value.
• The process involves defining risk appetite relative to the mission and vision.
• Risk appetite can be qualitative (descriptive) or quantitative (measurable).
• Optimal balance between risk and opportunity is crucial.

Key Terms:

• Risk Appetite: The level of risk an organisation is prepared to accept.
• Risk Capacity: Maximum risk an entity can absorb.
• Risk Profile: Current level of risk faced by the entity.

Determining Risk Appetite:

• There’s no universal or “right” risk appetite.
• Management and the board evaluate risk vs. reward.
• Approaches include performance reviews, decision facilitation, and modelling.

Parameters for Determining Risk Appetite:

• Strategic: Product development, M&A activity.
• Financial: Performance variation limits, return on assets, risk-adjusted return on
capital.
• Operational: Safety, quality, environmental targets.
• Risk Capacity & ERM Capability: Maturity of ERM and capacity to handle risks.

Articulating Risk Appetite:

• Can be expressed as a point or range (continuum).
• Statements are tied to strategy, business objectives, and performance targets.
• Management communicates risk appetite, endorsed by the board and disseminated
throughout the entity.

Using Risk Appetite:

• Guides resource allocation to align with mission, vision, and core values.
• Management monitors and adjusts risk appetite in response to changes.
• Risk appetite must align with tolerance and Key Risk Indicators (KRIs).

4. Principle 8: Evaluates Alternative Strategies

• Evaluating alternative strategies involves assessing their impact on the risk profile.
• Strategy must align with mission and vision; misalignment can result in failure or
reputational damage.
• For example, a telecommunications company’s decision to limit service availability for
financial gains could harm community relations and reputation.

Approaches for Strategy Evaluation:

• SWOT analysis, valuation, revenue forecasts, competitor analysis, and scenario analysis.

Aligning Strategy with Risk Appetite:

• If the risk of a strategy exceeds risk appetite, the strategy must be revised.
• Changes are necessary if current strategy fails to create, realise, or preserve value.

5. Principle 9: Formulates Business Objectives

• Business objectives support the strategy and should be specific, measurable,
attainable, and relevant (SMART).
• Objectives relate to:
o Financial Performance: Profitability and returns.
o Customer Excellence: Customer care and accessibility.
o Operational Excellence: Efficiency and productivity.
o Compliance Obligations: Legal and regulatory adherence.
o Efficiency Gains: Cost control and environmental management.
o Innovation Leadership: Frequent product launches.

Aligning Business Objectives with Risk Appetite:

• Misalignment can lead to ineffective resource allocation or inappropriate risk-taking.
• Periodic reviews ensure business objectives remain aligned with strategy.

Understanding Implications of Chosen Objectives:

• Objectives must be achievable within risk appetite.
• If objectives exceed risk appetite, changes may include increasing resources or
adjusting objectives.

Setting Performance Measures and Targets:

• Targets enable performance monitoring and risk profile management.
• Aggressive targets increase risk, while conservative targets may hinder financial
goals.

6. Understanding Tolerance

• Tolerance indicates acceptable risk levels and focuses on performance rather than
risk appetite.
• It defines boundaries of acceptable variation in performance.
• Performance measures may be qualitative or quantitative.
• Tolerance is tactical, unlike risk appetite, which is strategic.

Relationship Between Costs and Tolerance:

• Narrower tolerance requires more resources to maintain performance.
• Excessive tolerance can result in inefficiencies and missed opportunities.

Risk Appetite, Risk Tolerance, and Risk Capacity:

• Risk Appetite: Level of risk an entity is willing to take.
• Risk Tolerance: Level of risk an entity can take within appetite.
• Risk Capacity: Maximum risk an entity can sustain without a strategy change.

SU 5.6: Component 3 – Performance (COSO – ERM)

🎯 Overall Outcome:
Understand how an entity:

• Creates, preserves, and realises value by:
1. Identifying risk
2. Assessing risk
3. Prioritising risk
4. Responding to risk

🔹 Introduction to Performance Component

Performance supports entity strategy by:

• Identifying new, emerging, and changing risks
• Assessing severity and changes in risks
• Prioritising risk to optimise resources
• Selecting appropriate responses
• Developing a portfolio view of risk

🧩 Principle 10: Identifies Risk
✅ Key Concepts:
• Risk identification ensures a complete inventory of risks, including:
o Risks from changing objectives, contexts, or unknowns
o Emerging risks (e.g., new tech, regulations)
o Risks impacting strategy and objectives

🔍 Examples of Risk Events:

• Emerging tech affecting product relevance
• Big data challenges
• Resource scarcity
• Rise of virtual entities
• Workforce mobility
• Labour shortages
• Political shifts and new regulations

📘 Risk Inventory:
• A categorised list of all risks (e.g., financial, compliance)
• Enables entity-wide identification

🔧 Approaches to Identify Risk:

• Cognitive computing (trend detection)
• Data tracking (predictive modelling)
• Interviews/Surveys
• Key indicators (metrics)
• Process analysis
• Workshops (collective insights)

🧩 Principle 11: Assesses Severity of Risk

✅ Purpose:
• Determines how serious a risk is
• Informs response strategies
• Ensures risks remain within appetite

🏢 Severity at Entity Levels:

• Risks assessed across functions/units
• Severity can vary depending on impact level
• Common risks may be grouped for consistent evaluation

📏 Severity Measures:
• Impact: Effect of a risk (positive or negative)
• Likelihood:
o Qualitative: remote, possible
o Quantitative: probability (e.g. 80%), frequency

⚙️ Approaches to Assess Risk:

• Qualitative: interviews, workshops
• Quantitative: simulations, models, decision trees
o Probabilistic: value at risk, loss distribution
o Non-probabilistic: scenario analysis

📊 Inherent vs Target vs Actual Residual Risk:

• Inherent: Risk without any action
• Target residual: Desired post-response level
• Actual residual: Risk after management response

🗺️ Visualising Results:
• Use heat maps
• Show risk severity with colour coding
• Compare risk curves to tolerance/appetite

🔔 Reassessment Triggers:
• Change in business context/risk appetite
• Signs like customer complaints or sales drops
• Frequency depends on severity (daily/annually)

⚠️ Bias in Assessment:
• Can lead to under/overestimating severity
• Affects response effectiveness

🧩 Principle 12: Prioritises Risks

✅ Goal:
• Use criteria to focus on high-priority risks

📊 Prioritisation Criteria:
1. Adaptability
2. Complexity
3. Velocity (speed of impact)
4. Persistence (duration)
5. Recovery ability

🔄 Example:
• A restaurant may prioritise negative social media attention over slow vendor
negotiations – due to speed and impact on reputation

🧩 Principle 13: Implements Risk Responses

✅ Types of Responses:
1. Accept – No action needed (within appetite)
2. Avoid – Eliminate risk entirely
3. Pursue – Take on risk to gain benefit
4. Reduce/Mitigate – Decrease risk severity
5. Share – Transfer risk (insurance, outsourcing)

⚙️ Deployment Considerations:
• Business context
• Cost vs benefit
• Stakeholder expectations
• Risk appetite
• Risk severity

🔁 Combination of responses gives optimal results

❗ Unintended Consequences:
• Responses can create new risks
• E.g. Insurance → lower liquidity

🧩 Principle 14: Develops Portfolio View

✅ Purpose:
• View of all risks across the entity
• Helps see interdependencies and aggregated impact
• Compare to risk appetite

🧱 Development Methods:
• Categorise by risk type or use metrics (e.g. risk-adjusted capital)
• Use graphs to show portfolio vs risk appetite

🔍 Portfolio Characteristics:
• Aggregated risks increase severity (e.g. tech risks)
• Offsetting risks reduce severity (e.g. sales losses balanced by other units)
• Correlation of risks may increase priority

📈 Analysing Portfolio:
• Quantitative: regression, stress testing
• Qualitative: scenario analysis, benchmarking
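The severity, prioritisation, response and portfolio steps of Principles 11 to 14 worked through as an added Python example; it is not part of the original notes or of the COSO framework itself. The 5-point scales, the heat-map bands, the tolerance and appetite figures and the risk register are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed scales (assumption: COSO leaves the actual scale to the entity).
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical")]  # heat-map colour bands
TOLERANCE = 9    # max acceptable residual severity for a single risk (constructed)
APPETITE = 10    # max aggregated residual severity per risk category (constructed)


@dataclass
class Risk:
    name: str
    category: str
    impact: int                  # inherent impact, 1 (negligible) .. 5 (severe)
    likelihood: str              # qualitative rating, mapped through LIKELIHOOD
    response: str                # accept | avoid | reduce | share | pursue
    target: int                  # target residual severity after the response
    impact_cut: int = 0          # how far the response lowers impact
    likelihood_cut: int = 0      # how far the response lowers likelihood
    velocity_days: int = 30      # speed of impact (smaller = faster)
    persistence_days: int = 30   # how long the impact lasts


def band(score: int) -> str:
    """Map an impact x likelihood score to its heat-map band."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    return "Critical"


def residual(r: Risk) -> Tuple[int, int]:
    """Actual residual (impact, likelihood) once the chosen response is applied (Principle 13)."""
    like = LIKELIHOOD[r.likelihood]
    if r.response == "avoid":                    # risk eliminated entirely
        return 0, 0
    if r.response in ("accept", "pursue"):       # taken as-is: within appetite, or for the upside
        return r.impact, like
    if r.response == "reduce":                   # mitigation lowers impact and/or likelihood
        return max(1, r.impact - r.impact_cut), max(1, like - r.likelihood_cut)
    if r.response == "share":                    # transfer (insurance, outsourcing) lowers impact only
        return max(1, r.impact - r.impact_cut), like
    raise ValueError(f"unknown response {r.response!r}")


def assess(r: Risk) -> Dict:
    """Inherent vs target vs actual residual severity for one risk (Principle 11)."""
    inherent = r.impact * LIKELIHOOD[r.likelihood]
    imp, like = residual(r)
    actual = imp * like
    return {"name": r.name, "category": r.category, "inherent": inherent,
            "target": r.target, "actual": actual, "band": band(actual),
            "within_tolerance": actual <= TOLERANCE, "meets_target": actual <= r.target,
            "velocity": r.velocity_days, "persistence": r.persistence_days}


def prioritise(risks: List[Risk]) -> List[Dict]:
    """Rank by residual severity, then velocity (faster first), then persistence (Principle 12)."""
    rows = [assess(r) for r in risks]
    rows.sort(key=lambda x: (-x["actual"], x["velocity"], -x["persistence"]))
    return rows


def portfolio_view(rows: List[Dict]) -> Dict[str, Tuple[int, bool]]:
    """Aggregate residual severity per category and test it against appetite (Principle 14).
    Risks that are each within tolerance can still breach appetite once aggregated."""
    totals: Dict[str, int] = {}
    for row in rows:
        totals[row["category"]] = totals.get(row["category"], 0) + row["actual"]
    return {cat: (total, total <= APPETITE) for cat, total in totals.items()}


# Constructed risk register for a fictional entity.
REGISTER = [
    Risk("Ransomware outage", "technology", 5, "likely", "reduce", target=6,
         impact_cut=2, likelihood_cut=2, velocity_days=1, persistence_days=14),
    Risk("Cloud vendor outage", "technology", 4, "possible", "share", target=9,
         impact_cut=1, velocity_days=2, persistence_days=3),
    Risk("Legacy product line", "technology", 2, "almost certain", "avoid", target=0),
    Risk("Supplier delays", "operations", 3, "possible", "share", target=6,
         impact_cut=1, velocity_days=14, persistence_days=60),
    Risk("New regulation", "compliance", 4, "possible", "accept", target=12,
         velocity_days=90, persistence_days=365),
    Risk("Market expansion", "strategic", 3, "likely", "pursue", target=12,
         velocity_days=60, persistence_days=180),
]


def run(register: List[Risk] = REGISTER) -> Tuple[List[Dict], Dict[str, Tuple[int, bool]]]:
    rows = prioritise(register)
    return rows, portfolio_view(rows)


if __name__ == "__main__":
    ranked, portfolio = run()
    for row in ranked:
        print(f"{row['name']:<22} inherent={row['inherent']:>2} residual={row['actual']:>2} "
              f"{row['band']:<8} tolerance_ok={row['within_tolerance']}")
    for cat, (total, ok) in portfolio.items():
        print(f"{cat:<12} aggregate={total:>2} within_appetite={ok}")
```

Note that every technology risk lands within the single-risk tolerance, yet the category as a whole exceeds appetite: that is the aggregation effect the portfolio view exists to reveal.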

SU 5.7 – Review and Revision

Outcome
• Understand why entities must assess changes from internal and external
environments that impact strategy and objectives.
• Understand how entities integrate reviews into business practices and what reviews
are needed when performance is unacceptable.
• Identify opportunities for pursuing improvement.

Introduction
• Entities' strategy, objectives, ERM practices, and capabilities may change over
time.
• Business context can change, making current practices ineffective or obsolete.
• Risk reactions may become irrelevant.
• Entities must revise or supplement practices and capabilities as necessary.
• Responding to change is iterative:
o Response is continuous and repetitive.
o Includes evaluating past responses and lessons learned for future
application.

Principle 15: Assesses Substantial Change

• Organisations must identify and assess changes that substantially affect strategy
and objectives.

Integrating Reviews into Business Practices:

• Changes may alter risks and impact strategy.
• Practices for identifying change must be built into everyday activities and
reviewed continually.
• Examples of changes:
o Internal Environment:
▪ Rapid growth (operations expansion impacting resources)
▪ Innovation (new actions/training required)
▪ Leadership/personnel changes (newcomers misunderstanding culture
or having different risk philosophies)
o External Environment:
▪ Changing regulations or economic conditions (e.g., new transparency
reporting standards for public companies)

Principle 16: Reviews Risk and Performance

• Organisations must review performance and consider risks.

Key Performance Questions:

• Did the entity perform as expected?
• Were targets achieved?
• What risks affected performance?
• Did the entity take sufficient risk to achieve targets?
• Was the estimated amount of risk accurate?

If Performance is Unacceptable:

Management must consider:

• Reviewing business objectives (change/abandon if necessary).
• Reviewing strategy (consider alternatives).
• Reviewing culture (promote a risk-aware culture).
• Revising target performance (better reflect realistic outcomes).
• Reassessing severity of risk results (new data may refine risk assessments).
• Revising risk responses (add/change responses).
• Revising risk appetite (reallocate resources, revise strategies to align risk profile
with appetite).

Principle 17: Pursues Improvement in ERM

• Organisations must actively pursue ERM improvement.

Opportunities for Improvement:

• New technology:
o Example: Implementing data-mining tools for rapid customer feedback
analysis.
• Historical shortcomings:
o Example: Identifying past failures and making improvements.
• Organisational change:
o Example: Adjusting governance structures.
• Risk appetite adjustments:
o Example: Increasing risk appetite if market conditions are more favourable
than expected.
• Risk categories:
o Example: Including new categories like cyber risk.
• Communications:
o Example: Replacing ineffective emails with blogs/instant messaging to suit
workforce preferences.
• Peer comparison:
o Example: Boosting competitiveness where performance lags behind
competitors.
• Rate of change:
o Example: Frequent tech changes providing continual improvement
opportunities.

SU 5.8: COSO – ERM Component 5: Information, Communication, and Reporting

Outcome Goals
• Understand the importance of timely, relevant information.
• Learn how entities leverage technology for ERM.
• Understand how data becomes actionable knowledge.
• Recognize communication methods with stakeholders and the board.
• Identify report users and explore types, frequency, and quality of reporting.

Introduction
• Entities handle large volumes of data that require organisation, processing, and
storage.
• Transformation of data (stakeholders, markets, products, competition) into timely,
relevant information is crucial.
• Key objective: Right information → right person → right time → right form → right
level → avoiding information overload.

Principle 18: Leverages Information and Technology

• Organisations must use IT systems to support ERM (Enterprise Risk
Management).

Putting Relevant Information to Use

• Information must be timely and high-quality.
• Poor quality information → bad decisions, inaccurate estimates.
• To maintain quality:
o Implement data management systems.
o Develop information management policies.
• Information supports ERM across areas like:
o Governance & Culture: Standards of conduct.
o Strategy & Objective Setting: Stakeholder expectations, risk appetite.
o Performance: Competitor information.
o Review & Revision: Emerging ERM trends.

Evolving Information
• Structured Data: Organized (e.g., databases, spreadsheets).
• Unstructured Data: Unorganized (e.g., emails, videos, photos).
• Use data mining, AI to transform data into insights for better decisions.
• Benefits of Advanced Data Analytics:
o Avoid information overload.
o Detect unseen correlations.
o Identify early trends.
o Reduce dependence on subjective judgement.

Data Sources
• Data → Information → Knowledge (e.g., analyzing social media comments for
brand risk).
• Sources:
o Structured: Surveys, public indexes, databases.
o Unstructured: Emails, social media, meetings.

Managing Data: Three Elements

1. Data and Information Governance:
o Assign roles for data ownership.
o Ensure delivery of high-quality data.
2. Processes and Controls:
o Reinforce data reliability.
o Prevent quality issues.
3. Data Management Architecture:
o Models, policies, rules guiding data collection, storage, usage.

Using Technology to Support Information

• Technology manages specific risks (e.g., robotics, smart appliances, wearables).
• Technology can introduce new risks.
• Selection based on:
o Organizational goals.
o Marketplace needs.
o Competitive requirements.
o Cost-benefit analysis.

Principle 19: Communicates Risk Information

• Entities must use communication channels effectively.

Communicating with Stakeholders

• Internal/External Channels:
o Communicate importance of ERM.
o Share culture values, business objectives, risk appetite.
o Manage expectations for ERM adherence.
• Two-way communication:
o Management to stakeholders.
o Stakeholders to management (e.g., customer feedback).

Communicating with the Board

• Critical to achieve strategies and objectives.
• Define responsibilities and governance structures.
• Shared understanding of risk and its strategic impact.

Methods of Communication
• Electronic messages (emails, texts, social media).
• External materials (media, peer websites).
• Informal communications (meetings, discussions).
• Public events (roadshows, conferences).
• Training/Seminars (online, workshops).
• Internal documents (dashboards, evaluations, policies).

Principle 20: Reports on Risk, Culture, and Performance

Identifying Report Users
• Management and Board: Governance and oversight.
• Risk Owners: Managing specific risks.
• Assurance Providers: Insight into performance and risk response.
• External Stakeholders: Regulators, community groups.
• Other Parties: Fulfill specific roles.
Types of Reporting
• Portfolio View of Risk: Entity-level highest risks (Board level).
• Profile View of Risk: Risk severity at various levels.
• Root Cause Analysis: Understand assumptions behind risks.
• Sensitivity Analysis: Impact of changes in assumptions.
• Emerging Risk Analysis: Forward-looking risk trends.
• Key Performance Indicators (KPI): Strategy alignment and tolerance.
• Trend Analysis: Risk and performance evolution over time.
• Incident Disclosure: Breaches and losses.
• ERM Plan Tracking: Monitoring initiatives.

Reporting Risk to the Board
• Informal: Strategic discussions.
• Formal: Strategy execution and risk appetite review.
• Focus on linking strategy, objectives, risk, and performance.

Reporting on Culture
• Analytics of cultural trends.
• Benchmarking.
• Compensation schemes’ impact.
• Behavioral trend reviews.
• Surveys of risk attitudes/awareness.

Key Indicators (KRI & KPI)
• KRIs: Predictive measures of risk (can be quantitative/qualitative).
• Integration with KPIs:
o E.g., Production volumes above or below target → risk signals (quality risk,
supplier delays, etc.).
• Support proactive performance management.

Reporting Frequency and Quality
• Frequency aligned with risk severity:
o High volatility (e.g., stock prices): Daily reporting.
o Strategic project risks: Monthly or quarterly reporting.
• Controls must ensure reporting is:
o Accurate.
o Clear.
o Complete.
