2025-01-16
Textbook:COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes, Second Edition
Author(s): Robert R. Moeller

Description:
Chapter 1. Introduction: Enterprise Risk Management Today. This introductory chapter introduces the concept of enterprise risk management and the related concepts of enterprise governance and compliance standards. We start by looking at an important standard for defining internal control, the Committee of Sponsoring Organizations (COSO) internal control framework, a worldwide accepted set of guidance materials for defining internal control in enterprises today. From this internal controls framework the chapter then introduces the similar in appearance, but very different, COSO enterprise risk management (ERM) framework, the major topic of many of the chapters in this book. We should note here that the COSO materials are not really standards in the sense of an SEC-mandated standards requirement, but they are really very strong guidance materials. Because they are so pervasive today, we will frequently reference them as standard practices. The chapter will also introduce us to an example company, Global Computer Products, which will be referenced for many examples throughout the book. However, the major objective of this chapter is to introduce COSO ERM and related governance and compliance principles and how they have changed since our first edition.
& Chapter 2. Importance of Governance, Risk, and Compliance (GRC) Principles. Events such as the collapse of the energy trading firm, Enron, and its public accounting firm, Arthur Andersen, and the enactment of the Sarbanes-Oxley Act (SOx) in 2002 raised a whole series of enterprise GRC issues that had been previously all but ignored. The collapse of housing markets almost worldwide during our recent great recession has also focused on needs today for improved compliance processes. This chapter reviews the elements of effective GRC processes and discusses why past events such as Enron and the more recent financial crises have emphasized the growing importance of enterprise governance, risk, and compliance processes.
& Chapter 3. Risk Management Fundamentals. Key concepts and the terminology used in risk assessments are introduced here. These include some of the basic graphical and probability tools that have been used by risk managers over time as well as the terminology used for risk transfers and assessments. These concepts will be helpful in understanding risks in both a quantitative and qualitative sense and in using and understanding COSO ERM. This chapter also will introduce some of the basic concepts of probability and how they are used to measure and assess risks.
& Chapter 4. The COSO ERM Framework. This chapter discusses some of the events that led to COSO ERM including ongoing industry and public concerns about the lack of a consistent definition of internal controls and an uncertainty of the meaning and concept of risk on an overall enterprise level. We introduce the three-dimensional model or framework for understanding enterprise risk, COSO ERM, with its eight vertical components or layers as one model dimension, a second dimension of four vertical columns covering key risk objectives, and a third dimension describing the enterprise units in the risk framework. An understanding of these framework components sets the stage for understanding and using COSO ERM. The chapter also highlights some of the recent guidance material released by COSO on how to more effectively implement and use COSO ERM.
& Chapter 5. Implementing ERM in the Enterprise. Risk management must be understood in terms of its strategic, operational, reporting, and compliance objectives as well as how it should be implemented throughout the enterprise, from an individual business unit to the entire enterprise. Beyond the Chapter 3 discussion of risk management fundamentals and the introduction of COSO ERM, these are the other two dimensions of this risk management framework; this chapter discusses these two elements and how all three relate together. The idea is to think of enterprise risk management as an overall structure that will allow managers to understand and manage risks throughout an enterprise.
& Chapter 6. Importance of Strong Governance Practices. We outline why all enterprises and public corporations, in particular, are expected to have some social and governance responsibilities. Governance principles can also be introduced at an overall stakeholder level through effective ethics programs and codes of conduct.
& Chapter 7. Enterprise Compliance Issues Today. Enterprises today face growing amounts of legal and regulatory requirements at national, local, and regional levels. The chapter discusses the multiple issues facing an enterprise and introduces processes for reviewing and assessing compliance at all levels of an enterprise today.
& Chapter 8. Integrating ERM with COSO Internal Controls. Prior chapters have only referenced the COSO internal controls framework in contrasting it to COSO ERM. This chapter will dig a bit deeper and provide a more detailed look at the components and objectives of the COSO internal controls framework as well as some background on its origins. Since the COSO internal controls framework has a risk component, we will also discuss its relationship to COSO ERM. An overall objective of this chapter will be to describe how managers can use and apply effective enterprise risk management practices when building strong COSO internal control practices.
& Chapter 9. Sarbanes-Oxley and Enterprise Risk Management Concerns. SOx has had a major impact on corporations whose securities are registered with the U.S. Securities and Exchange Commission (SEC) and has changed the financial reporting and public accounting regulatory landscape from one of self-regulation by external audit firms to quasi-governmental rules. Both SOx and COSO ERM have some important interdependencies on each other, and today’s enterprise manager must have a general understanding of both. This chapter provides general background on SOx and describes some of its enterprise risk–related attributes.
& Chapter 10. Corporate Culture and Risk Portfolio Management. This chapter looks at several important areas for implementing an effective enterprise risk management culture, including the help and support resources necessary for enterprise codes of conduct and the role of whistleblower functions both in support of SOx requirements and as an escape mechanism to manage enterprise risks. Enterprises need such a whistleblower facility where a stakeholder can independently report a problem without fear of retribution and can seek further information about some rule or procedure and ask for help.
Our second topic in this chapter is risk portfolio management. Any enterprise faces a wide range of different types of risks and potential consequences. In order to effectively manage them, an effective approach is to divide these many and diverse risks into separate portfolios and then to assess and manage the risks on a portfolio basis.
& Chapter 11. OCEG Capability Model GRC Standards. The Open Compliance and Ethics Group (OCEG) is an industry-led nonprofit organization that develops standards and helps enterprises enhance their governance, risk management, and compliance processes. OCEG is a relatively new organization and certainly did not exist at the time of the first edition of this book. While the OCEG does not have the standards-setting authority that might be found in the American Institute of Certified Public Accountants’ (AICPA’s) standards or even in some of the ISO 31000 guidance discussed in Chapter 17, it has published several guidance standards such as a GRC capability model. This chapter reviews several of the currently published OCEG guidance materials, including their ‘‘Red Book’’ on a GRC capability model, what they call their ‘‘Burgundy Book’’ on GRC capability processes, and related materials. Many of these OCEG guidance materials are very similar to the GRC and ERM framework guidance information found in other chapters, but with a slightly different emphasis or approach.
& Chapter 12. Importance of ERM in the Corporate Board Room. This chapter will consider the importance of corporate boards of directors in subscribing to good GRC principles as well as introducing COSO ERM and effective GRC principles to today’s boards and their decision-making processes. It will suggest approaches for effectively implementing COSO ERM both for overall enterprise decision-making guidance and as a process for helping boards make decisions. While boards have a basic responsibility for the governance of their enterprises and related compliance issues, this chapter will emphasize the need for strong board-level GRC principles. The chapter will also discuss the importance of establishing a board-level risk committee operating in parallel with the audit committee. A broad enterprise-wide perspective of COSO ERM is an important tool for helping board members to better consider and evaluate the risks facing their enterprises.
& Chapter 13. Role of Internal Audit in Enterprise Governance, Risk, and Compliance. Internal audit plays an important role in monitoring and assessing all GRC processes in the enterprise. They may also act as internal consultants for helping to support GRC processes and internal control implementation and maintenance. The chapter looks at important roles for internal audit in reviewing critical GRC systems and processes as well as techniques for building risk-based approaches for the overall internal audit process. Internal auditors have always considered risks in planning and performing audits, but COSO ERM as well as the recently updated Institute of Internal Auditors (IIA) internal audit standards suggest a greater need for emphasis on ERM.
& Chapter 14. Understanding Project Management Risks. Many enterprise efforts are organized as projects—limited duration activities that are managed as separate efforts within normal enterprise boundaries. The chapter introduces the Project Management Institute’s standard A Guide to the Project Management Body of Knowledge (PMBOK Guide) with its own risk management component. This chapter will discuss how to integrate PMBOK Guide risk guidance materials with the overall ERM framework to better manage and control project risks.
& Chapter 15. Information Technology and Enterprise Risk Management. Because of the complexity in building and maintaining computer systems and applications, risk management has been very important to information technology (IT) processes. The chapter will look at three important IT areas and how COSO ERM can help an enterprise to better understand those IT risks.
& Chapter 16. Establishing an Effective GRC Culture throughout the Enterprise. Effective risk management needs to go beyond implementing COSO ERM or announcing a GRC program as an initiative within one or another enterprise function. It should be an overall philosophy that is understood and used throughout the enterprise. The chapter discusses how to establish an ERM function and GRC culture in a larger enterprise as well as the roles and responsibilities of the chief risk officer who would lead such a function.
& Chapter 17. ISO 31000 and 38500 Risk Management Worldwide Standards. While COSO ERM was first introduced as a U.S.-based guidance standard, other risk management standards have now been released throughout the world. The chapter will look at both ISO 31000 and 38500, two related international risk management standards, and will discuss how these international standards relate to COSO ERM.
& Chapter 18. ERM and GRC Principles Going Forward. The concept of COSO ERM and GRC principles has changed very much since the first edition of this COSO ERM book was published in 2007. In today’s highly regulated environment, enterprises are increasingly pressured by governance, risk, and compliance concerns while at the same time they have strong needs to drive their business performance and to enhance stakeholder confidence. Underlying these GRC management issues, an enterprise must coordinate and manage a wide range of manual and IT infrastructure processes that directly support the tools and systems in a GRC business environment. This final chapter summarizes some of the current trends and issues that will continue to make GRC management increasingly important. In particular, it reviews some of the areas that several professional organizations are promoting to increase an awareness of GRC and ERM.
All replies
2025-5-31 07:28:23
This edition seems to be the September 2011 one; is there a newer one?