
LLSMS2090 Audit and Control
RISK MANAGEMENT
Anne-Catherine Provost
Academic year 2022-2023

PRACTICAL

• COURSE SYLLABUS IS POSTED ON MOODLE
=> INCLUDES COURSE OBJECTIVES, FORMAT, PLANNING, OVERVIEW OF ASSIGNMENTS
• CASES – TO BE PURCHASED VIA HBS PUBLISHING (SEE LINK IN SYLLABUS)
• NOT REGISTERED IN GROUP - CONTACT ME ASAP
SPECIFIC OBJECTIVES

Risk management
• Understand, apply and analyze the issues involved in the risk management process of an enterprise
• Assess the different risks faced by an organization
• Identify and assess key elements of a risk process
• Understand, apply, analyze, and evaluate the major ERM frameworks
• Communicate information about key risks in a structured way

Internal control
• Understand the link between risk management, strategy and controls
• Understand the role of the internal audit function, senior management, the board of directors and the external auditor in risk management

Internal audit
• Enumerate what the key competences, challenges and benefits in the career of an internal auditor are
• Identify key information sources to help you to conduct internal audit activities
• Enumerate and apply key steps to conduct an internal audit mission
• Formulate key audit findings and recommendations
• Summarize key insights from academic research
CASE DISCUSSIONS

FOR EACH OF THE CASES (3):
• read the case carefully
• discuss the questions with your group members before coming to class
• upload a summary of your group discussion (“meeting notes”) via the correct assignment on Moodle

DURING THE CLASS DISCUSSION:
• come prepared!
• participate actively
• there are usually no right or wrong answers
WRITTEN REPORT

ONE WRITTEN REPORT (IN GROUP) ON RISK MANAGEMENT AND INTERNAL CONTROL:

• Select two companies and check their (most recent) annual report.
• Report should contain:
 – Executive summary
 – Brief description of the two companies
 – Make an assessment of the company’s description of their risk and control system; compare; make recommendations for improvements in reporting
 – Discuss for each company the 5 most important risks; make suggestions on how firms might act to anticipate or respond; make suggestions for improvements or additions to their internal controls
• Submit group assignment via Moodle before 10/28, 6 PM

LLSMS2090 Audit and Control
RISK MANAGEMENT
Risk management frameworks and processes
Anne-Catherine Provost
Academic year 2022-2023
RISK MANAGEMENT THINKING

Key questions to consider:

1. What are we trying to accomplish (objectives)? What are our value drivers?
2. What could stop us from accomplishing them (risks)?
3. What options do we have to make sure those things do not happen (risk responses)?
4. Do we have the ability to execute those options?
5. How will we know that we have accomplished what we wanted to accomplish (does information exist and can we monitor performance to verify that success)?
TRADITIONAL RISK MANAGEMENT VS ERM
SHIFT TOWARDS ERM

The scope of ERM has changed because:

• Business models have fundamentally changed
• Companies are rapidly diversifying their product and service portfolio
• Companies are expanding into new markets and partnering with suppliers and vendors across the world

=> Exposure to new types of risk has increased
SHIFT TOWARDS ERM

• Regulatory change triggered by broader geopolitical and macroeconomic forces (EU GDPR regulation) which are steadily increasing compliance risks
• New technologies are also leveling the playing field and increasing the competition
• New digital technologies are changing consumer buying patterns and behaviors
• Companies have to be where their customers are
• They have to worry about data privacy and security risks, as well as other risks like reputational and brand damage that can be caused
TWO MAJOR FRAMEWORKS

In banks (not covered in course):
• Basel III
• Solvency II: 2012
TWO MAJOR FRAMEWORKS
ISO 31000

Risk management relates to coordinated activities to direct and control an organization with regard to risk
• Issued by the International Organization for Standardization in 2009
 – Consists of members who are from standards setting organizations
 – Published 20,500 standards covering most industries
 – Developed by experts from around the world
 – Examples: ISO9000-Quality Control, ISO27000-Information Security Management system
• First globally recognized standard related to risk management
• ISO 31000 articulates three sections:
 – Principles
 – Framework
 – Process
TWO MAJOR FRAMEWORKS
COSO ERM

The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

A more in-depth look at the definition of enterprise risk management emphasizes its focus on managing risk through:
 – Recognizing culture
 – Developing capabilities
 – Applying practices
 – Integrating with strategy-setting and performance
 – Managing risk to strategy and business objectives
 – Linking to value

Published by COSO in the US in 2004, revised in 2017
 – Known as Enterprise Risk Management – Integrated Framework
 – Expanded on Internal Control – Integrated Framework
COSO ERM FRAMEWORK

(figure: Objectives / ERM Activities)
COSO ERM FRAMEWORK

1. Governance and Culture:

Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.

1. Exercises board risk oversight
2. Establishes operating structures
3. Defines desired culture
4. Demonstrates commitment to core values
5. Attracts, develops, and retains capable individuals
COSO ERM FRAMEWORK

1. Exercises board risk oversight
 – Accountability and Responsibility
 – Suitability of Enterprise Risk Management
 – Organizational Bias
 – Competence
 – Independence

2. Establishes operating structures
COSO ERM FRAMEWORK

3. Defines desired culture
 – Culture and desired behaviors
 – Culture is an important element of control.
 – Culture reflects the organization’s core values.
 – Culture affects the ERM.
 – Board and CEO are both involved in defining the culture.
COSO ERM FRAMEWORK

4. Demonstrates commitment to core values
 – Reflecting core values throughout the organization
 – Tone at the top

5. Attracting, Developing and Retaining Capable Individuals
 – Establishing and Evaluating Competence
 – Attracting, Developing, and Retaining Individuals
 – Rewarding Performance
 – Addressing Pressure
COSO ERM FRAMEWORK

2. Strategy and objective setting:

ERM, strategy and objective-setting work together in the strategic planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.

6. Analyzes business context - PESTLE
7. Defines risk appetite
8. Evaluates alternative strategies
9. Formulates business objectives
COSO ERM FRAMEWORK

2. Strategy and objective setting:

6. Analyzes business context – External: PESTLE
 – Political: tax policies; competition regulation; tariffs; political stability
 – Economic: interest rates; inflation; minimum wages; GDP growth
 – Social: demographics; lifestyle changes; fashion; health and welfare
 – Technological: R&D; internet; automation
 – Legal: laws (employment, labor,…)
 – Environmental: climate change; attitudes towards the environment; catastrophes
COSO ERM FRAMEWORK

2. Strategy and objective setting:

6. Analyzes business context – Internal
 – Capital
 – People
 – Process
 – Technology
COSO ERM FRAMEWORK

2. Strategy and objective setting:

7. Defining risk appetite

The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style… Risk appetite guides resource allocation.

… Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.

≠ Risk tolerance: application of risk appetite to specific objectives
COSO ERM FRAMEWORK

2. Strategy and objective setting:

7. Defining risk appetite

≠ Risk capacity: maximum amount of risk an entity is able to absorb
COSO ERM FRAMEWORK

2. Strategy and objective setting:

8. Evaluates alternative strategies

Organization’s resources and capabilities to create, preserve, and realize value.
 – the possibility that the strategy does not align with the mission, vision, and core values of the entity, and
 – the implications from the chosen strategy.
COSO ERM FRAMEWORK

2. Strategy and objective setting:

9. Formulating business objectives

The organization needs to have a reasonable expectation that a business objective can be achieved given the risk appetite and the capabilities and resources available to the entity.
COSO ERM FRAMEWORK

3. Performance

10. Risk identification

Management identifies potential events that, if they occur, will affect the entity, and determines whether these events represent opportunities or whether they might adversely affect the entity’s ability to successfully implement strategy and achieve objectives.
COSO ERM FRAMEWORK

3. Performance

10. Risk identification

Risk Types
 – Business risk: Wrong business strategy; competitive pressure on price/market share; Regional economic problems
 – Compliance risk: Breach of listing rules; Breach of financial regulations; Litigation risk
 – Financial risk: Credit risk; Unrecorded liabilities
 – Operational risk: Business process not aligned; Stock-out of raw materials; Loss of key people; Inability to reduce cost base
COSO ERM FRAMEWORK

3. Performance

10. Risk identification

• Known Known: these are the risks that have been correctly identified and properly measured -> Things we know that we know; our general knowledge
• Known Unknown: we know that we don’t know them, or we don’t know their potential risks -> Things we thought we knew but don’t really know
• Unknown Known: these are things that exist and have been influencing our life and our approach to reality, but we are unaware of knowing them, or we do not realize their value, or worse, we refuse to acknowledge knowing them -> Things we thought we knew but we do not
• Unknown Unknown: we don’t even know that we don’t know they exist, and they can hit us with serious unexpected impacts -> Things that we do not know at all, and are believed to be impossible to find or imagine in advance
COSO ERM FRAMEWORK

3. Performance

10. Risk identification

• Grey and Black Swans

Black Swans: Events characterized by their rarity, extreme impact, and retrospective (but not prospective) predictability
• The highly unexpected happening
• The highly expected not happening
• Examples: 9/11, Internet bubble, collapses of Enron, Lehman Brothers, …
• The combination of low predictability and high impact makes Black Swan events highly problematic

Grey Swans: Black Swans that we can somewhat take into account, but for which it is impossible to completely figure out their properties and produce precise calculations
COSO ERM FRAMEWORK

3. Performance

10. Risk identification

Examples of Black Swans:
Digital disruption has already happened:
• World’s largest taxi company owns no taxis (Uber)
• Largest accommodation provider owns no real estate (Airbnb)
• Largest phone companies own no telco infrastructure (Skype, WeChat)
• Most popular media owner creates no content (Facebook)
• World’s largest moviehouse owns no cinemas (Netflix)
• Largest software vendors don’t write the apps (Apple & Google)
• Only 11% of the Fortune 500 companies from 1955 still exist today
• The average time that companies stay in the top 500 has fallen from 75 years to 15 years
• New York Times reported that the company’s digital transformation is projected to make 30% of current jobs obsolete by 2020
COSO ERM FRAMEWORK

3. Performance

10. Risk identification

Interviews
• Open-ended questions (e.g. ‘What are the top three strategic risks that the organization faces over the next two years?’) vs. Focused questions (e.g., ‘What are the top 2-3 risks affecting the organization’s ability to retain the new talent that it needs to execute its growth plans?’)
• Interviews with Board and/or Senior Management
• What keeps us up at night?
• What could go wrong?
• What must go right to succeed?
• What’s emerging that could impact our future performance… and are we prepared?
COSO ERM FRAMEWORK

3. Performance

10. Risk identification

Workshops
• Facilitated by ERM staff
• Brings together employees from various levels and functions to obtain a «bottom-up» view
• Must allow for a free exchange of ideas/concerns
• Can be a terrific team-building and educational exercise for participants
• Requires a skilled facilitator to ensure complete participation and to override dominant voices
• Consider using anonymous voting technology
COSO ERM FRAMEWORK

3. Performance

10. Risk identification

War-gaming
• Assess vulnerabilities to competitors’ strategies
• Develop plausible near-term strategies that existing or potential competitors might adopt in a 1 to 3 year time frame
• What would you do if you were your competitor?
• What are your vulnerabilities and how might they attack?
• What innovations might emerge that are disruptive technologies?
COSO ERM FRAMEWORK

3. Performance

10. Risk identification

Post-mortem analysis
• Uses prospective hindsight to identify potential risks to strategy
• Instead of asking «what could go wrong», ask «what went wrong?»
• Can open whole new avenues of cause-effect observations that haven’t been considered
COSO ERM FRAMEWORK

3. Performance

11. Risk assessment

• Inherent Risk
• Residual Risk
• Target Residual Risk
• Actual Residual Risk
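As an added worked example (not part of the course slides), the following Python risk register puts the four risk levels above and the risk appetite / risk tolerance / risk capacity distinction from the earlier risk-appetite slides into code, and builds the residual-risk heat map a CRO would report. The 1-5 likelihood × impact scoring scale, the way controls reduce scores, the per-category tolerance map and every register value are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Assumed scoring (not from the slides): likelihood and impact each 1..5, score =
# likelihood * impact; a control is (name, likelihood_reduction, impact_reduction).

@dataclass
class Risk:
    name: str
    category: str                 # Business / Compliance / Financial / Operational
    likelihood: int               # inherent likelihood, before any control
    impact: int                   # inherent impact, before any control
    controls: list = field(default_factory=list)
    target_residual: int = 0      # score management aims for after planned responses

    def inherent_score(self) -> int:
        """Inherent risk: exposure with no controls in place."""
        return self.likelihood * self.impact

    def residual_cell(self) -> tuple:
        """(likelihood, impact) after existing controls, floored at 1 on each axis."""
        lik = max(1, self.likelihood - sum(c[1] for c in self.controls))
        imp = max(1, self.impact - sum(c[2] for c in self.controls))
        return lik, imp

    def actual_residual(self) -> int:
        """Actual residual risk: what remains with the controls that exist today."""
        lik, imp = self.residual_cell()
        return lik * imp

@dataclass
class RiskCriteria:
    appetite: int     # broad score the entity is willing to accept in pursuit of value
    tolerance: dict   # appetite applied to specific objectives: category -> max score
    capacity: int     # maximum score the entity is able to absorb

    def validate(self) -> bool:
        # Appetite must sit within capacity, and each tolerance within appetite.
        if self.appetite > self.capacity:
            raise ValueError("risk appetite exceeds risk capacity")
        if any(t > self.appetite for t in self.tolerance.values()):
            raise ValueError("a risk tolerance exceeds risk appetite")
        return True

def assess(risk: Risk, criteria: RiskCriteria) -> dict:
    """Compare actual residual with tolerance, capacity and target; a positive gap means
    existing controls do not yet reach the target residual."""
    residual = risk.actual_residual()
    limit = criteria.tolerance.get(risk.category, criteria.appetite)
    if residual > criteria.capacity:
        status = "exceeds capacity"
    elif residual > limit:
        status = "exceeds tolerance"
    else:
        status = "within tolerance"
    return {"risk": risk.name, "inherent": risk.inherent_score(), "status": status,
            "actual_residual": residual, "gap_to_target": max(0, residual - risk.target_residual)}

def heatmap(risks: list) -> dict:
    """Residual heat map: (likelihood, impact) cell -> risk names, as the CRO would plot it."""
    cells = {}
    for r in risks:
        cells.setdefault(r.residual_cell(), []).append(r.name)
    return cells

# Constructed sample register: names echo the slide's risk types, values are illustrative.
REGISTER = [
    Risk("Loss of key people", "Operational", 4, 4, [("Succession plan", 1, 0)], target_residual=6),
    Risk("Breach of financial regulations", "Compliance", 3, 5, [("Compliance review", 2, 0)], target_residual=5),
    Risk("Unrecorded liabilities", "Financial", 3, 4, [], target_residual=6),
]
CRITERIA = RiskCriteria(appetite=12, tolerance={"Compliance": 6, "Financial": 8}, capacity=20)
```

Running `assess(r, CRITERIA)` over `REGISTER` shows the uncontrolled financial risk breaching its tolerance while the operational risk sits exactly at appetite but still short of its target residual.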
COSO ERM FRAMEWORK

3. Performance

12. Prioritize risks
• Adaptability
• Complexity
• Velocity
• Persistence
• Recovery
COSO ERM FRAMEWORK

3. Performance

13. Risk responses

Management determines how it will respond to risks:
COSO ERM FRAMEWORK

3. Performance

14. Develops Portfolio View

Management develops and evaluates a portfolio view of risk.
COSO ERM FRAMEWORK

4. Review and revision

COSO ERM FRAMEWORK

5. Information, communication and reporting
COSO ERM FRAMEWORK

5. Information, communication and reporting

Risk reporting:

Data are «raw» observations (e.g., survey responses, website metrics)
• Information comes from processing the data (e.g., a survey can show the response to a marketing campaign)
• Information is data that have been organized and processed into meaning to a user
• Information supports decision-making
• Transforming data into information is a crucial success factor for every entity
• Normally: more and better information translates into better decisions, but…

Less-is-More: less information, computation, and time can improve accuracy
COSO ERM FRAMEWORK

5. Information, communication and reporting

Risk reporting:

• Communication is the continual, iterative process of providing, sharing, and obtaining necessary information
• Essential in creating the «right» internal environment and to support other enterprise risk management components
• Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities
COSO ERM FRAMEWORK

5. Information, communication and reporting

Risk reporting:

Internal communication: Information is disseminated through the entity
• The importance and relevance of ERM
• The entity’s objectives
• The entity’s risk philosophy, risk appetite and risk tolerance
• A common risk language
• The roles and responsibilities of personnel

Communication between the Board and top executives is crucial

External communication:
Opportunity to manage stakeholders’ risk perception
Provides information to external stakeholders in response to requirements and expectations
• The entity’s objectives
• The entity’s risk appetite and risk tolerance
COSO ERM FRAMEWORK

5. Information, communication and reporting

Risk reporting:

Frequency and nature of reporting
• Most report to full Board at least annually; 50% report quarterly to a committee
• Discussion typically led by CRO, VP Strategy or Chief Audit Executive
• Typically 30 minutes presentation
• Most report TOP 10-15 risks
COSO ERM FRAMEWORK

5. Information, communication and reporting

Risk monitoring:
To ensure the (continued) effectiveness of ERM, the process and components of ERM itself are evaluated
• ERM is not a one-time special project
• Objectives change over time
• The environment (and associated risks) change over time

Assessing the presence and functioning of its components over time:
• Ongoing monitoring activities
• Separate evaluations
• Key risk indicators
COSO ERM FRAMEWORK

ROLES AND RESPONSIBILITIES

Board of directors
• Strategic role
• Monitoring role
 – Knowing the extent to which management has established effective ERM
 – Being aware of and concurring with the organization’s risk appetite
 – Being apprised of the most significant risks and whether management is responding appropriately
• Part of the internal environment
• Composition
• Board subcommittee
COSO ERM FRAMEWORK

ROLES AND RESPONSIBILITIES

Chief Executive Officer (CEO)

Ultimate responsibility for the effectiveness and success of ERM
• «tone at the top» (= ethical environment within the firm created through management practices and espoused values)
• Establish ERM fundamentals
• Follow-up, monitoring
COSO ERM FRAMEWORK

ROLES AND RESPONSIBILITIES

Chief Risk Officer (CRO)
• Risk manager
• Establishes, directs, and manages an effective risk management function
• Establishes ERM policies and participates in setting goals for implementation
• Frames authority and accountability (roles and responsibilities) for ERM
• Promotes ERM and facilitates development of technical ERM expertise
• Guides integration between ERM and other management activities
• Establishes a common risk language throughout business units
• Reports to the CEO on ERM progress
• Assesses all the risks
• Prepares the risk heatmap
• Takes action if there are misalignments with risk criteria
• Follow-up, monitoring
=> He/She doesn’t own any risk!!!
COSO ERM FRAMEWORK

ROLES AND RESPONSIBILITIES

Senior managers
• Operational responsibility for managing risks related to their specific units’ objectives
• Delegate to line management / Risk Owners (processes, functions, departments) responsible for conducting ERM on a daily basis

Internal Audit
• Independent and objective
• Evaluation of adequacy and effectiveness of ERM
• Recommendations for improvement
• Supporting role vis-à-vis Board of Directors (Risk Committee) and senior management (CEO)
COSO ERM FRAMEWORK

Limitations of ERM

• No one can predict the future with certainty
• Certain events are outside management’s control
• Reasonable assurance vs. absolute assurance
• Human judgement (cf. risk assessment, which can be based on perceptions/biases)
• Costs vs. benefits
TENTATIVE PLANNING

Date | Time | Type of lecture and topic | TO DO BEFORE CLASS
09/22 | 10.45-12.45 | In-class lecture: Introduction | Submit one-pager on individual reading 1 (ERM and Strategy) before 09/23 8 AM
09/22 | 13.30-16.30 | Time to work on individual assignment 1: ERM and Strategy (Agora 12) |
09/29 | 10.45-12.45 | In-class lecture: Risk management |
09/29 | 13.30-16.30 | Guest lecture: Risk management (Olga Yablunivska, EY); time to work on group assignment: Case 1 – Lego | Prepare for case 1 (Lego) and submit report before 10/05 2 PM
10/06 | 8.30-9.45 / 10.00-11.15 / 11.30-12.45 | In-class discussion: Case 1 (Lego) |
10/06 | 13.30-16.30 | In-class lecture: Internal control; time to work on individual assignment 2: Internal audit and risks | Submit one-pager on individual reading 2 (Internal audit and risks) before 10/07 8 AM
10/13 | 10.45-12.45 | In-class lecture: Audit | Watch video on Internal audit in preparation for lecture
10/13 | 13.30-16.30 | Guest lecture: The role and challenges facing internal auditor (Dirk Debruyne); time to work on group assignment: Case 2 – Société Générale | Prepare for case 2 (Société Générale) and submit report before 10/19 2 PM
10/20 | 8.30-9.45 / 10.00-11.15 / 11.30-12.45 | In-class discussion: Case 2 (Société Générale) | Watch video on Fraud in preparation for case 2
10/20 | 13.30-16.30 | Guest lecture: Internal audit (Mark Dekeyser, IIABel); time to work on group assignment: Case 3 – Bharat Petroleum | Read IIA guidelines; prepare for case 3 (Bharat Petroleum) and submit report before 10/26 2 PM
10/27 | 8.30-9.45 / 10.00-11.15 / 11.30-12.45 | In-class discussion: Case 3 (Bharat Petroleum) |
10/27 | 13.30-16.30 | Q&A - Wrap up: Discussion exam; time to work on group assignment: Written report / Pitch Deck | Submit group assignment (Written report) before 10/28 6 PM

Notes overlaid on the planning slide:
1. Make sure you are registered on Moodle to the course LLSMS 2090 and join a group on Moodle.
2. Stay in the class if you still don’t have a group.
3. Guest lecture this afternoon at 1:30 PM, AGOR 12.
4. Prepare for case 1 (Lego) and submit group report before 10/05 2 PM.
