Saturday, August 4, 2012

Enterprise Risk Management (ERM) Framework: COSO Internal Control

COSO is an enterprise risk management (ERM) framework for internal control. It has eight inter-related components.


Control Environment

The internal control environment is the attitude of management and employees towards risk management.


Event Identification

Event identification involves identifying the events that expose the enterprise to risk.


Objective Setting

Enterprise objectives are set taking account of the enterprise's risk appetite, to ensure that the enterprise is not exposed to more risk than it can tolerate.


Risk Assessment

Risks are analysed by probability and impact, and by any other variable that management considers appropriate.

Risks are quantitatively measured (a monetary value is placed on each), categorized as high, medium or low, and ranked according to the level of exposure each risk category presents to the enterprise.


Risk Response

Risks with a higher rank are allocated more resources and given higher priority when considering risk responses than risks with a lower rank.

Risk response should not aim to eliminate risk. Instead, risk should be reduced to the enterprise's risk appetite.

Any response to risk is only justifiable if the benefit of responding exceeds its cost. Therefore, some risk will unavoidably remain above the enterprise's risk appetite.

Profit is the reward for risk taking; there would be no profit if there were no risk.

Entrepreneurial risk must be accepted to earn profit; it cannot be eliminated entirely.
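As an added worked example (not part of the original post), the assessment and response steps above as a small Python risk register: each risk is quantified as probability times monetary impact, categorized and ranked by exposure, and a response is chosen only where its benefit (the expected loss it removes) exceeds its cost, measured against a risk appetite. The appetite, the category thresholds, the three sample risks and all their figures are constructed assumptions, not figures from the post.

```python
"""Worked risk register: assess, rank and choose responses against a risk appetite.

All figures below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed assumption: maximum tolerated annual expected loss for any one risk.
RISK_APPETITE = 50_000.0


@dataclass
class Risk:
    name: str
    probability: float    # annual likelihood of the event, 0..1
    impact: float         # monetary loss if the event occurs
    response_cost: float  # annual cost of the candidate response
    reduction: float      # fraction of expected loss the response removes, 0..1

    @property
    def expected_loss(self) -> float:
        """Quantitative measure: probability x monetary impact."""
        return self.probability * self.impact


def categorize(expected_loss: float, high: float = 100_000, medium: float = 25_000) -> str:
    """Bucket an expected loss into high / medium / low (constructed thresholds)."""
    if expected_loss >= high:
        return "high"
    if expected_loss >= medium:
        return "medium"
    return "low"


def rank(risks: list[Risk]) -> list[Risk]:
    """Rank by exposure: the largest expected loss first."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def plan_responses(risks: list[Risk], appetite: float = RISK_APPETITE) -> list[tuple]:
    """Return (name, category, decision, residual_loss, still_above_appetite) in rank order.

    A response is taken only when the risk exceeds the appetite AND the benefit
    (expected loss removed) exceeds the response cost; otherwise the risk is
    accepted, which is why some risk can remain above the appetite.
    """
    plan = []
    for r in rank(risks):
        benefit = r.expected_loss * r.reduction
        if r.expected_loss <= appetite:
            decision, residual = "accept (within appetite)", r.expected_loss
        elif benefit > r.response_cost:
            decision, residual = "respond", r.expected_loss - benefit
        else:
            decision, residual = "accept (response not cost-justified)", r.expected_loss
        plan.append((r.name, categorize(r.expected_loss), decision, residual, residual > appetite))
    return plan


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("Laptop theft", probability=0.5, impact=20_000, response_cost=3_000, reduction=0.5),
    Risk("Ransomware on file servers", probability=0.2, impact=1_000_000, response_cost=40_000, reduction=0.8),
    Risk("Cloud credential leak", probability=0.3, impact=300_000, response_cost=100_000, reduction=0.9),
]

if __name__ == "__main__":
    for name, cat, decision, residual, above in plan_responses(SAMPLE_RISKS):
        flag = "ABOVE APPETITE" if above else "ok"
        print(f"{name:28} {cat:6} {decision:38} residual={residual:>10,.0f} {flag}")
```

Running it ranks the ransomware risk first (high, response taken, residual 40,000 brought inside the appetite), then the credential leak (medium, accepted because the 100,000 response costs more than the 81,000 it would save, so 90,000 remains above appetite) and last the laptop theft (low, already within appetite).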


Control Activities or Procedures

Control activities are the detailed policies and procedures that implement internal controls.

Internal controls help in managing (responding to) risks.

One purpose of internal control is to manage risk so as to ensure the achievement of enterprise objectives. However, internal controls have inherent limitations that limit the effectiveness of the risk management process.


Information & Communication

Information and communication are central to the risk management and internal control system. Risks should be communicated at all levels and across the enterprise, to all employees. This process is called risk embedding.



Monitoring

Risks should be monitored frequently and reviewed for changes in the risks faced by the enterprise, taking account of changing external circumstances and enterprise activities.

In addition, appropriate control actions (activities) should be taken to manage those risks.

Follow-up is necessary to ensure the effectiveness of control actions and that corrective actions can be taken in time.