COSO-ERM-FAQ-September-2017原版完整詳細(xì)

CommitteeofSponsoringOrganizationsoftheTreadwayCommissionEnterpriseRiskManagementIntegratingwithStrategyandPerformanceFrequentlyAskedQuestionsJune2017EnterpriseRiskManagement–IntegratingwithStrategyandPerformanceFrequentlyAskedQuestionsEnterpriseRiskManagement–IntegratingwithStrategyandPerformanceFrequentlyAskedQuestionsPAGEPAGE1TOC\o"1-1"\h\z\uProjectBackground 2ProjectGovernance 3AdditionalInformationabouttheDocuments 3UpdatestotheDocument 5KeyChanges 5EnterpriseRiskManagement–IntegratingwithStrategyandPerformanceFrequentlyAskedQuestionsEnterpriseRiskManagement–IntegratingwithStrategyandPerformanceFrequentlyAskedQuestionsPAGEPAGE8ProjectBackgroundWhyupdatethe2004EnterpriseRiskManagement–IntegratedFramework?InOctober2014,theCommitteeofSponsoringOrganizationsoftheTreadwayCommission(COSO)announcedaprojecttoreviewandupdatethe2004EnterpriseRiskManagement–IntegratedFramework(OriginalFramework).TheOriginalFrameworkiswidelyacceptedandusedbymanagementandboardstoenhanceanorganization’sabilitytomanageuncertaintyandtoconsiderhowmuchrisktoacceptastheystrivetoincreasestakeholdervalue.Since2004,thecomplexityofriskhaschanged,significantnewriskshaveemerged,andboardshaveenhancedtheirawarenessandoversightofriskmanagementwhileaskingforimprovedriskreporting.UpdatestotheOriginalFrameworkreflectcurrentandevolvingconceptsandapplicationsofenterpriseriskmanagement,sothatorganizationsworldwidecanattainbettervaluefromenterpriseriskmanagement.Specifically,itprovidesgreaterinsightintostrategyandtheroleofenterpriseriskmanagementinthesettingandexecutionofstrategy,enhancesthealignmentbetweenorganizationalperformanceandenterpriseriskmanagement,andaccommodatesexpectationsforgovernanceandoversight.Whatdocumentsarebeingupdated?The2004EnterpriseRiskManagement–IntegratedFramework:ExecutiveSummaryandOriginalFrameworkbothupdated.TheUpdatedDocumentistitledEnterpriseRiskManagement–StrategyandPerformance.ThisUpdatedDocumentconsistsoftwosections.Thefirstsectionoffersaperspectiveoncurrentandevolvingconceptsandapplicationsofenterpriseriskmanagement.Thesecondsectionofthedocument,theFramework,accommodatesdifferentviewpointsandorganizationalstructures,andenhancestheconsiderationofriskintheselectionandexecutionofstrategiesanddecision-making.Withthisupdatedstructure,thenewdocumentisreferredtoastheUpdatedDocument.Arethereanydocumentsfrom2004notbeingupdated?Yes,thevolumeofApplicationTechniqueswhichprovidedillustrationsoftechniquesusedatvariouslevelsofanorganizationinapplyingenterpriseriskmanagementcomponentsnotupdatedaspartofthisproject.WhatapproachisCOSOusingtoupdatetheoriginalFramework?TheProjectTeam,withCOSOBoardoversight,hascarefullyconsiderthemeritsoffeedbackandopinionsthroughouttheproject.Todoso,thePwCProjectTeamreviewedandembracedinputthathelpsinthedevelopmentofarelevant,logical,andinternallyconsistentdocumentinallphasesoftheproject.Thesephasesinclude:AssessandEnvision–Throughreviews,globalsurveys,publicroundtables,andforums,thisphaseidentifiedcurrentchallengesfororganizationsimplementingenterpriseriskmanagement.Duringthisphase,PwCanalyzedinformation,reviewedvarioussourcesofinput,andidentifiedcriticalissuesandconcerns.COSOlaunchedaglobalsurvey,availabletothegeneralpublic,forprovidinginputontheoriginalFramework,solicitingalmost900responses.andDesign–PwC,withCOSOBoardoversight,developedtheUpdatedDocument,whichwasreviewedbytheCOSOAdvisoryCouncilandObserverstogatherreactionsandsuggestions.Exposure–WithassistanceprovidedbytheAdvisoryCouncilandoversightoftheCOSOBoard,PwCpreparedexposuredraftsandanon-linequestionnairetofacilitateareviewbythegeneralpublic.AsummaryofpublicexposurefeedbackisnotedintheAppendicesvolume.Finalization–PwCanalyzedallcommentsreceivedandrefinedthedocumentsforneededmodifications.TheCOSOBoardconsideredwhethertheUpdatedDocumentissound,logical,andusefultomanagemententitiesalltypesandsizes.PwCfinalizedtheUpdatedDocumentandprovidetheupdatetotheCOSOforreviewandacceptance.ProjectGovernanceWhoisCOSO?TheCommitteeofSponsoringOrganizationsoftheTreadwayCommission(COSO)isajointinitiativeoffiveprivatesectororganizations:TheAmericanAccountingAssociation(AAA),theAmericanInstituteofCertifiedPublicAccountants(AICPA),FinancialExecutivesInternational(FEI),theInstituteofInternalAuditors(IIA),andtheInstituteofManagementAccountants(IMA).COSOprovidesthoughtleadershipthroughthedevelopmentofframeworksandguidanceonenterpriseriskmanagement,internalcontrolandfrauddeterrence.WhoisinvolvedwiththeFrameworkupdate?PwCservedastheauthorandprojectleaderforupdatingthepublication,preparedrelateddocuments,andreportedtotheCOSOBoardofDirectors.ThePwCProjectTeamincludedseniorresources,manywhomwereinvolvedinpreviousCOSOprojects,whobroughtin-depthunderstandingoftheoriginalFrameworkandtherationalefordecisionsmadeincreatingtheUpdatedDocument,aswellasadditionalseniorresourcesthatprovidecurrentmarketperspectives.Tocaptureviewsofabroadrangeofprofessionalsinthemarketplace,COSOformedanAdvisoryCouncilrepresentingindustrypractitioners,academia,governmentagencies,andnon-profitorganizations.Towhatextentareregulatorsandotheroversightbodiesinvolvedinthisinitiative?TheU.S.FederalDepositInsuranceCorporation(FDIC),U.S.GovernmentAccountabilityOffice(GAO),InternationalFederationofAccountants(IFAC),InformationSystemsAudit&ControlsAssociation(ISACA),andtheRiskManagementSociety(RIMS)havesentobserverstoattendtheAdvisoryCouncilmeetingsandprovideinputtotheproject.AdditionalInformationabouttheDocumentsIsadoptionoftheFrameworkmandatory?No,theCOSOBoardacknowledgesthattherearemanydifferingregulatory,stakeholder,andindustryrequirementsrelatingtoenterpriseriskmanagement.Assuch,itisincumbentonmanagementtodetermineifandhowtoadoptEnterpriseRiskManagement–IntegratingStrategyandPerformancetoenhancetheentity’sabilitytocreate,sustain,andrealizevalue.Hastheupdatebeenwrittenforaspecificregulationorregulatorybody?No,theCOSOBoardbelievestherearedifferingregulatoryandstakeholderexpectationsrelatingtoenterpriseriskmanagementanddirectedtheOriginalFramework’sprinciplesbeapplicabletoallentitiesregardlessofstatutes,regulation,andstandards.HowdoestheUpdatedFrameworkrelatetoCOSO's2013InternalControl–IntegratedFramework?InternalcontrolispositionedwithintheUpdatedDocumentasafundamentalaspectofenterpriseriskmanagement.ThetwoCOSOdocumentscomplementeachother,withneithersupersedingtheother.Theupdateddocumentwillfocusonrequisiteareasthatgobeyondinternalcontrol;however,theInternalControl–IntegratedFrameworkremainsaviableandsuitableframeworkfordesigning,implementing,andconductingandassessingtheeffectivenessofinternalcontrolandforreporting,asrequiredinsomejurisdictions.CanIstillusethe2004EnterpriseRiskManagement–IntegratedFramework?Yes.SincetheadoptionoftheUpdatedDocumentisnotmandatory,managementmaycontinuetoutilizetheOriginalFramework.However,COSOreservestherighttosupersedeorretirethe2004EnterpriseRiskManagement–IntegratedFrameworkinthefuture.WhatentitiesisEnterpriseRiskManagement–IntegratingwithStrategyandPerformanceapplicableto?TheEnterpriseRiskManagement–IntegratingStrategyandPerformanceprinciplesapplytoallentities,includingnot-for-profitandgovernmentalbodies,regardlessofsize.Whilesomesmallandmid-sizeentitiesmayimplementtheprinciplesofenterpriseriskmanagementdifferentlythanlargeentities,theyremainapplicabletoeverytypeofentity.WhoistheintendedaudiencefortheUpdatedDocument?EnterpriseRiskManagement–IntegratingStrategyandPerformancewasdraftedforadiverseaudiencedependingontheirenterpriseriskmanagementrolesandresponsibilities.TheExecutiveSummarywasdraftedforaboardlevelandexecutivemanagementaudiencewiththeintentofsummarizingtheimportanceandbenefitsofenterpriseriskmanagement.Specifically,ithighlightsgovernanceandoversightroleoftheboardasitrelatestoenterpriseriskmanagement.ItalsoprovidesasynopsisofthecomponentsandprinciplesoftheOriginalFramework.TheOriginalFrameworkisintendedtohelpriskpractitioners,businessleaders,andassuranceprovidersbyofferingacomprehensivediscussionofthecomponentsandprinciplesoftheFrameworkfromstrategysettingthroughtoexecution.Thesearesupportedbydetailedappendicesprovidingadditionalexamplesandinsightsintothedevelopingandmaintainingenterpriseriskmanagementpracticesthatarefitforpurpose.UpdatestotheDocumentWhychangethetitle?Thenewtitle-EnterpriseRiskManagement–IntegratingStrategyandPerformance,recognizestheimportanceoftheconnectionbetweenstrategyandentityperformancewithenterpriseriskmanagement.Whereisthe“COSOcube”?The“COSOcube”graphicisstillbeingutilizedintheCOSOInternalControl–IntegratedFramework.Inordertobetterillustratethealignmentofrisk,strategy,andperformanceEnterpriseRiskManagement–StrategyandPerformanceintroducesanewgraphics.Wasthedocumentmadeavailableforfeedbackpriortobeingfinalized?SimilartopreviousCOSOFrameworkupdates,thedraftFrameworkwasmadeavailableforpubliccommentpriortofinalization.Thepubliccommentperiodwasasignificantphaseoftheproject,intendedtogarnerglobalawarenessandengagementaswellassolicitdirectfeedbackonthedocumentduringthedraftingprocess.ThepubliccommentperiodwasheldforthreemonthsbetweenJuneandSeptember2016.Membersofthepublicwereinvitedtoreadthedocumentsandeithersubmitcommentlettersorcompleteashortonlinesurvey.Commentlettersreceivedduringtheperiodwerepostedonforthedurationofthepubliccommentperiodand90daysthereafter.Followingtheconclusionofthepubliccommentperiod,everycommentreceivedwascataloguedandevaluatedbythePwCProjectTeam.Duringpubliccomment,thedraftFrameworkwasdownloadedapproximately10,000timeswith46%ofdownloadsoccurringoutsideofNorthAmerica.Commentsreceivedaddressedallaspectsofthedocumentwithnoentitytype(public,private,notforprofit)orindustrygroupdominatingthefeedback.AsummaryofthefeedbackisprovidedinAppendixBofVolume2.KeyChangesTheUpdatedDocumentincorporatessignificantchangestoreflecttheevolutionofenterpriseriskmanagementthinkingandpractices,andtoprovideadditionalclarityonconceptsintroducedin2004.Someofthemostsignificantchangesareoutlinedbelow.Pleasenotethatthechangeshavenotbeenlistedinanypriorityorder.TheUpdatedDocument:AdoptsacomponentsandprinciplesstructureSimplifiesthedefinitionofenterpriseriskmanagementEmphasizestherelationshipbetweenriskandvalueRenewsthefocusontheintegrationofenterpriseriskmanagementExaminestheroleofcultureElevatesdiscussionofstrategyEnhancesthealignmentbetweenperformanceandenterpriseriskmanagementLinksenterpriseriskmanagementintodecision-makingmoreexplicitlyDelineatesbetweenenterpriseriskmanagementandinternalcontrolRefinesriskappetiteandtoleranceTheseareeachreviewedbelow.AdoptsastructureofcomponentsandprinciplesSimilartootherCOSOframeworks,theUpdatedDocumenthasbeenstructuredusingcomponentsandprinciples.ThefiveinterrelatedFrameworkcomponentsaresupportedbytwentythatcoverrangingfromandculture,strategyandobjective-setting,performance,reviewandrevision,andinformation,communication,andreporting.Eachoftherepresentafundamentalconceptassociatedwithacomponent,areuniversalintheirapplication,andformpartofenterpriseriskmanagement.TheFramework’sprincipalgraphicoutlinestherelationshipbetweenthecomponentsandprinciplesandservesasanavigationaltoolthroughoutthedocument.Thegraphicisusedtoenhancethedocument’sreadability,usability,andcreatesacohesivenessacrosstheFramework.SimplifiesthedefinitionofenterpriseriskmanagementThedefinitionofenterpriseriskmanagementintheUpdatedDocumentwasrevisedtomakeitmorememorableandreadable.FeedbackfromthesurveyconductedintheAssessandEnvisionphasesuggestedthatwhilethe2004versionwasrelativelyeasyforthoseinriskmanagementrolestounderstand,itsclaritywaslessevidenttothoseoutsideofariskfunction.Revisingthedefinitionisintendedtoimproveclarityforallusers.Therevisedversionrequiresthatthereaderconsiderthefulldefinitionofspecificwordsusedinthedefinition.Forinstance,thedefinitionofrisktiestotheachievementofstrategyandobjectives.Whilethedefinitionofenterpriseriskmanagementdoesnotdirectlyreferencestrategyandobjectives,itisincorporatedthroughthedefinitionofrisk.Lastly,theupdateddefinitionmorecloselyalignsrisktovalue,whichisnotedasakeydriverofenterpriseriskmanagement.EmphasizestherelationshipbetweenriskandvalueInrefiningthedefinitionofriskandelevatingthediscussionsofstrategyandperformance,theUpdatedDocumentemphasizestheroleofenterpriseriskmanagementincreating,preservingandrealizingvalue.Enterpriseriskmanagementisnolongerfocusedprincipallyonpreventingtheerosionofvalueandminimizingrisktoanacceptablelevel.Rather,itisviewedasintegraltostrategysettingandtheidentificationofopportunitiestocreateandmaintainvalue.Insteadofsimplyfocusingonreducingrisktoatargetstate,enterpriseriskmanagementbecomesadynamicandintegralpartofthemanaginganentitythroughoutthevaluechain.RenewsthefocusontheintegrationofenterpriseriskmanagementTheintegrationofenterpriseriskmanagementintoallaspectsofanorganization’soperationsishighlightedthroughouttheUpdatedDocument.Startingwiththeintegrationofenterpriseriskmanagementintothestrategy-settingprocess,thesettingofbusinessobjectives,andmanagingriskinexecution,theconsiderationofriskisnotpositionedasanadditionalorseparateactivity.Rather,theimportanceandroleofenterpriseriskmanagementispresentedthroughthelensofsupportinganorganization’soperations,managingperformanceandultimatelycreating,realizingandpreservingvalue.Asanexample,theUpdatedDocumentdoesnotrefertoriskreportingbutinsteadonthereportingofpotentialoractualmanifestationsofriskimpactingperformanceandtheachievementofstrategyandbusinessobjectives.ThisUpdatedDocumentencouragesuserstoconsiderenterpriseriskmanagementaspartofthemanagementofanorganizationasopposedtoadistinctorsiloedactivity.ExaminestheroleofcultureThesignificanceofculture’sinfluenceonenterpriseriskmanagementpracticesisoneofthefirstconceptsintroducedwithintheUpdatedDocument.TheimportanceofunderstandingandshapingthecultureisexploredinthecontextofriskgovernanceandoversightoftheentityandhowitinfluencesothercomponentsoftheFramework.Forexample,therelationshipbetweencultureandbusinesscontextisestablishedattheoutsetoftheFramework.Thisrelationshipinfluenceshowstrategiesarechosenandexecuted.Moreimportantly,itprovidesthecontextfortheidentificationandassessmentofrisksandtheallocationofresourcesinrespondingtothoserisks.ElevatesdiscussionofstrategyTheUpdatedDocumentrecognizesthatsomeofthemostsignificantorganizationalfailuresinrecenttimeshaveoccurredwhenastrategyisselectedthatdoesnotaligntothemission,visionandcorevaluesofanentity.Further,ifthatthatalignmentisestablished,manyorganizationsstilldonotunderstandtheimplicationsofaselectedstrategyontheirriskprofile.Moreover,manyorganizationsaresimplycaughtunawarewhenseeminglyminorfailuresatanoperationallevelescalateinmagnitudeandthreatenthelongtermviabilityofanentity.TheUpdatedDocumentelevatesandexpandsthediscussionofstrategyandriskestablishedin2004byfocusingonthefollowingthreeconcepts:Thepossibilityofstrategyandbusinessobjectivesnotaligningwithmission,visionandvalues;Theimplicationsfromthestrategychosen;andRisktoexecutingthestrategy.Bydistinguishingthethreepotentialmanifestationsofriskimpactingstrategy,theUpdatedDocumentprovidesforamoredetailedanalysisandrecognitionoftheroleandimportanceofenterpriseriskmanagement.Theconceptsareexaminedprogressivelythroughoutthedocument,exploringtheconsiderationsfortheidentification,assessmentandmanagementofriskandtheimpacttostrategyforeach.EnhancesthealignmentbetweenperformanceandenterpriseriskmanagementAsindicatedbyitsnewtitle,theUpdatedDocumentenhancestherelationshipbetweenriskandperformance.Itfocusesonhowriskisintegraltotheestablishmentofbusinessobjectives,andperformancetargetsthroughthefollowing:TheUpdatedDocumentexploreshowenterpriseriskmanagementpracticessupporttheidentificationandassessmentofrisksthatmayimpactperformance.Bydeterminingtheacceptabletolerance,UpdatedDocumentusersareabletounderstandhowchangesinperformancemayleadtochangesintheriskofabusinessobjectiveandversa.TheUpdatedDocumentemphasizesthatriskassessmentsandriskreportingarenotintendedtogeneratelongofpotentialrisks,butratherhighlightshowrisksmayimpacttheachievementofstrategyandbusinessobjectives.Tohighlighttheimportanceofthisrelationship,theUpdatedDocumentintroducesanewgraphicaldepictionreferredtoasariskprofile.Theriskprofilesdemonstratehowthetypeandseverityofriskcanchangeinresponsetochangesinthelevelofperformanceforagivenstrategyorbusinessobjective.Thedepictionalsotakesintoaccounttheentity’sriskappetiteandhelpsidentifywhereanorganizationmaybeassumingexcessiveriskorbeabletopursuefurtheropportunities.Byincorporatingtheconceptsofriskappetite,performance,andriskintoasinglegraphic,theriskprofilesofferadynamicandcomprehensiveviewofriskandenablemorerisk-awaredecisionmaking.Linksenterpriseriskmanagementintodecision-makingmoreexplicitlyAllorganizationsrecognizethatdecision-makingoccursateverystageofthevaluechain.Asentitiesseektocreate,realizeandpreservevalue,decisionsaremadearoundtheselectionofstrategy,theestablishmentofbusinessobjectivesandperformancetargets,andtheallocationofresources.Integratingenterpriseriskmanagementintothelifecycleofanentitysupportsrisk-awaredecision-making.TheUpdatedDocumentprogressivelyexploreshowinformationgatheredabouttheorganizat