Mapping Regulations and the COSO Framework into your Risk Matrix

In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Management Accountants and The Institute of Internal Auditors) published the Enterprise Risk Management (ERM) framework. Although no regulation forces you to use any particular framework, this has become the industry standard for managing risk and internal controls. As such, it makes sense to structure your matrix to take advantage of this framework, which is designed to help organizations by:

· Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.

· Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.

· Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.

· Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.

· Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.

· Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

The ERM framework allows organizations to build a structure to identify and mitigate risk around business strategy, operations, financial reporting and compliance. So on one hand, the COSO ERM framework can incorporate any kind of regulation. However, regulations usually focus on the end consumer or user of your services and/or the health of the overall infrastructure of an industry.

The FDA (Food and Drug Administration) regulations are largely focused on the ultimate consumer, while FERC (Federal Energy Regulatory Commission) and the FDIC (Federal Deposit Insurance Corporation) are also concerned with the health of the overall industry. The FDA regulations do not necessarily take into account whether your organization can survive while meeting their requirements. However, having a utility or bank survive is ultimately in the best interest of the consumers. Because of this, one can say that those regulations are more congruent with the ERM framework. One can also say that risk is risk, and control activities mitigate that risk regardless of whether the risk is internal or external, or whether it concerns the best interests of the consumer or the organization.

The biggest difference between meeting regulations and following the ERM framework is in the areas of:

· Aligning Risks, Controls and Processes to Business Strategy (however, one of your strategies should be to meet your compliance requirements in a cost-effective manner)

· Objective Setting – the regulation was kind enough to set our objectives for us (although they may not necessarily be obvious)

· Risk Tolerance – again, the regulation sets the acceptable tolerance level.

The consistencies between the ERM framework and meeting a regulation are numerous, because in general the regulation is either ensuring that you are paying your taxes (mitigating the agency's own risk) or mitigating some other risk that the agency thinks is important.

Because of the current financial crisis, the FFIEC is mandating that banks perform non-subjective Risk Assessments. The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the FDIC, the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and to make recommendations to promote uniformity in the supervision of financial institutions. Although the FFIEC is targeting the financial community, most of its guidance can be applied to other industries. Since COSO and the FFIEC are both groups of member organizations, comparing and contrasting their guidance is a useful way to compare the framework with regulatory requirements.

In general, the guidance is fairly consistent: both are concerned with risk events, although COSO attempts to generically address all risks while the regulation identifies particular risks. Both focus on Risk Assessments, Control Activities, Monitoring Activities and Risk Responses, and on proof that a control is working. Since the regulation does not necessarily consider the framework, its requirements are usually a mixture of events, control activities and monitoring activities. Even if you do not use the COSO framework, you will have to do some mapping of the regulation into your matrix to ensure all components of the regulation are addressed. The regulation will make references to certain Risk Events that should be in your matrix (rows); it will also mandate certain Control Activities, Monitoring events and Risk Responses (columns). It will sometimes also dictate best practices to be used (values in the scoring system).
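As an added illustration (not code from this newsletter or from Visage), here is a small Python model of the matrix structure just described: regulatory clause references mapped to risk-event rows, activity columns and scoring values, with a check that reports any clause the matrix leaves unaddressed. All clause ids, events, columns and scores are constructed for the example.

```python
from dataclasses import dataclass

# The activity columns the text says a regulation may mandate (constructed names).
COLUMNS = ("control_activity", "monitoring_activity", "risk_response")


@dataclass
class RiskRow:
    event: str        # the risk event (one matrix row)
    cells: dict       # column name -> activity text; empty string means nothing recorded
    score: int        # best-practice score, constructed scale 1 (weak) .. 5 (strong)
    refs: frozenset   # regulatory clause ids this row is meant to address


@dataclass(frozen=True)
class Requirement:
    ref: str          # clause id (constructed, e.g. "REG-1.2")
    column: str       # which matrix column the clause mandates
    min_score: int = 1  # best-practice floor the clause dictates, if any


def coverage_gaps(matrix, requirements):
    """Return {clause id: reason} for every requirement the matrix does not satisfy."""
    gaps = {}
    for req in requirements:
        rows = [r for r in matrix if req.ref in r.refs]
        if not rows:
            gaps[req.ref] = "no risk event row cites this clause"
        elif not any(r.cells.get(req.column) for r in rows):
            gaps[req.ref] = f"no {req.column} recorded for the citing rows"
        elif max(r.score for r in rows) < req.min_score:
            gaps[req.ref] = f"score below mandated floor {req.min_score}"
    return gaps


# Constructed sample matrix: two risk events, one of them only partly mapped.
SAMPLE_MATRIX = [
    RiskRow("Unauthorized wire transfer",
            {"control_activity": "dual approval over threshold",
             "monitoring_activity": "daily exception report",
             "risk_response": "reduce"}, 4, frozenset({"REG-1.1", "REG-1.2"})),
    RiskRow("Customer data disclosure",
            {"control_activity": "encrypt stored records",
             "monitoring_activity": "",          # mandated column left empty
             "risk_response": "reduce"}, 2, frozenset({"REG-2.1", "REG-2.2"})),
]

# Constructed clauses: each mandates a column, some also a best-practice floor.
SAMPLE_REQUIREMENTS = [
    Requirement("REG-1.1", "control_activity", min_score=3),
    Requirement("REG-1.2", "monitoring_activity"),
    Requirement("REG-2.1", "monitoring_activity"),
    Requirement("REG-2.2", "control_activity", min_score=3),
    Requirement("REG-3.1", "risk_response"),   # no row cites this clause at all
]
```

Running `coverage_gaps(SAMPLE_MATRIX, SAMPLE_REQUIREMENTS)` flags REG-2.1 (empty monitoring column), REG-2.2 (score below the floor) and REG-3.1 (no citing row), which is exactly the mapping check the paragraph calls for before the matrix is signed off.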

In summary, you want to make sure that your regulatory requirements are included in your overall Risk Assessment process. And although most organizations approach compliance as ‘doing the minimum to comply’, the real purpose of the Risk Assessment process (at least according to COSO) is to build a strong organization that is prepared for the unexpected.

Our Team
Our team is comprised of experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies. From the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.

Our Value 

    • Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, we tailor comprehensive, cost-effective and flexible solutions to our clients.
    • Our solutions enhance your current business processes, rather than adding unnecessary overhead, thus creating measurable long-term value.
    • We involve your executive team, including your internal and external advisors, to guarantee solutions are absolutely consistent with your requirements.
    • We allow you to concentrate on managing your business.

For more information, visit our home page: www.visagesolutions.com

"The Visage Risk assessment tool and methodology allowed us to respond to the risk assessment requirements of the FFIEC in a timely and cost-effective manner."
   Robert Kernodle, SVP and Risk Officer of Cornerstone Bank

"Although there is always a degree of subjectivity in any risk assessment, the Visage Risk Assessment tool and methodology is one of the best I've seen in removing subjectivity and providing the underlying support for the scoring system."
   Patrick Camblin, Senior Partner in Camblin CPA, PLLC

If you would no longer like to receive periodic updates from Visage Solutions, please follow the unsubscription instructions at the bottom of the email.
Copyright © 2007 Visage Solutions, LLC.