Enterprise Risk Management - Integrating with Strategy and Performance (COSO ERM
framework) - is a framework that complements, and incorporates some concepts of, the
COSO internal control framework.
The COSO ERM framework provides - a basis for coordinating and integrating all of an
organization's risk management activities.
Effective integration - 1. Improves decision making and 2. Enhances performance.
ERM - - is based on the premise that every organization exists to provide value for its
stakeholders.
- is defined as 'The culture, capabilities, and practices, integrated with strategy-setting and
performance, that organizations rely on to manage risk in creating, preserving, and realizing
value.'
Governance - sets the organization's tone and establishes responsibilities for ERM.
Culture - - consists of "The attitudes, behaviors, and understanding about risk, both
positive and negative, that influence the decisions of management and personnel and reflect
the mission, vision, and core values of the organization."
- relates to the desired behaviors, values, and overall understanding about risk held by
personnel within the organization.
Mission - is the organization's core purpose.
Vision - is the organization's aspirations for what it intends to achieve over time.
Core values - are the organization's essential beliefs about what is acceptable or
unacceptable.
Capabilities - are the skills needed to carry out the entity's mission and vision.
Practices - are the collective methods used to manage risk.
Integrating strategy setting and performance - - Risk must be considered in setting
strategy, business objectives, performance targets, and tolerance.
- The organization considers the effect of strategy on its risk profile and portfolio view.
Strategy - - communicates how the organization will
(a) achieve its mission and vision and
(b) apply its core values.
- must support the organization's mission, vision, and core values.
Business objectives - are the steps taken to achieve the strategy.
Tolerance - - is the range of acceptable variation in performance results.
- identical term in the COSO internal control framework is "risk tolerance"
Risk profile - - is a composite view of the types, severity, and interdependencies of risks
related to a specific strategy or business objective and their effect on performance.
- may be created at any level (e.g., entity, division, operating unit, or function) or aspect (e.g.,
product, service, or geography) of the organization.
Portfolio view - - is similar to a risk profile.
- The difference is that it is a composite view of the risks related to entity-wide strategy and
business objectives and their effects on entity performance.
Managing risk - Risk - is "[t]he possibility that events will occur and affect the
achievement of strategy and business objectives."
Managing risk - Opportunity - is any action or potential action that creates or alters goals
or approaches for the creation, preservation, or realization of value.
Managing risk - Reasonable expectation - - provided through effective ERM practices
- cannot provide absolute assurance that the risk assumed is appropriate
Managing risk - Risk Inventory - consists of all identified risks that affect strategy and
business objectives.
Managing risk - Risk Capacity - is the maximum amount of risk the organization can
assume.
Managing risk - Risk appetite - consists of the amount and types of risk the organization is
willing to accept in pursuit of value.
Managing risk - Inherent risk - is the risk in the absence of management actions to alter
its severity.
Managing risk - Actual residual risk - remains after management actions to alter its
severity.
Managing risk - Risk response - is an action taken to bring identified risks within the
organization's risk appetite.
Managing risk - Residual Risk Profile - includes risk responses.
Managing risk - Target residual risk - is the risk the entity prefers to assume knowing that
management has acted or will act to alter its severity.
Value Created - when the benefits obtained from the resources used exceed their costs.
Value Preserved - when the value of resources used is sustained.
Value Realized - when benefits are transferred to stakeholders.
Value Eroded - when management's strategy does not produce expected results or
management does not perform day-to-day tasks.
ERM Roles and Responsibilities - The Board - provides risk oversight of ERM culture,
capabilities, and practices. Certain board committees may be formed for this purpose. Examples are:
1. An audit committee (often required by regulators),
2. A risk committee that directly oversees ERM,
3. An executive compensation committee, and
4. A nomination or governance committee that oversees selection of directors and executives.
ERM Roles and Responsibilities - Management - - has overall responsibility for ERM
- is generally responsible for the day-to-day managing of risk, including the implementation and
development of the COSO ERM framework.
- Within management, the CEO has ultimate responsibility for ERM and achievement of strategy
and business objectives.