Chapter 12 Exercises 12.47
You have just been hired as an accountant in a local bank. You are called to a meeting with the ERM director. He tells you that the bank is considering a new accounting system and mentions the risks associated with switching to a new system as well as the risks associated with the current accounting system. Then he asks you to come up with a short list of risks associated with both systems. Provide the requested list and include opportunities related to each decision.
What are risks associated with COSO ERM and ISO 31000? What are opportunities related to each decision?
The primary purpose of an enterprise risk management (ERM) system is to provide processes to identify the potential risks to achieving the company's objectives and to manage those risks so that they remain within the company's risk appetite.
It is important to recognize that these systems have limitations, which become apparent during the implementation of an enterprise risk management system. All enterprise risk management systems rely on judgments about future events that may or may not occur. Also, while an enterprise risk management system provides risk-related information for achieving the objectives of an enterprise, it does not provide complete assurance that the objectives will be achieved. Lastly, as with all control systems, an ERM system can break down for a number of reasons. These include collusion among two or more individuals, bad judgments about risks and their impact, or override by management. In addition, no enterprise risk management system can be perfect, because of cost-benefit constraints.

However, we can mitigate these risks by adopting a structured plan for assessing the need for, and developing, a high-quality ERM system in our enterprise.
The ISO 31000 framework was issued in 2009 and COSO ERM in 2004. ISO 31000 is intended to provide guidance on the nature of the risk management process and how to implement it. COSO's emphasis is on providing a flexible evaluation standard against which to evaluate the current ERM process, as opposed to focusing on the specific activities of the risk management process itself.
In ISO 31000, risk appetite is the amount and type of risk that an organisation is willing to pursue or retain; the framework thus defines this attitude and also refers to risk tolerance. In COSO ERM, risk appetite is defined as the broad amount of risk an entity is willing to accept in pursuit of its mission or vision. The revised COSO Framework also covers risk tolerance, defined as the acceptable variation in performance.
Therefore, we can say that for effective risk management both of the above approaches need to address an inadequate risk culture, and the new revised COSO Framework covers the significance of cultural influence on an enterprise's risk management practices.