Practice Aid: Enterprise Risk Management: Guidance for Practical Implementation and Assessment
By AICPA and CIMA

Appendix A
COSO and ISO 31000 Framework Mapping

The matrix in this appendix is a summary comparison of the elements found in the COSO ERM framework and the ISO 31000 framework and is referenced periodically in this publication. If the ISO 31000 framework includes similar concepts to the COSO ERM framework, cross-references to the specific section of the ISO 31000 framework are included in the following table.

The original table has two columns, "COSO ERM Components and Principles" and "ISO 31000 Framework—Elements"; each entry below gives the COSO column first, followed by the corresponding ISO 31000 elements.

1.0 Governance and Culture

Principle 1: Exercises Board Risk Oversight
The board of directors provides oversight of the strategy and carries out governance responsibility to support management in achieving strategy and business objectives.
Topics covered include the following:
• Accountability and Responsibility
• Skills, Expertise, and Business Knowledge
• Independence
• Suitability of Enterprise Risk Management
• Organizational Bias
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 5.2, "Leadership and commitment."
See ISO 31000, Risk Management—Guidelines, section 5.4.3, "Assigning organizational roles, authorities, responsibilities and accountabilities."

Principle 2: Establishes Operating Structures
The organization establishes operating structures in the pursuit of strategy and business objectives.
Topics covered include the following:
• Operating Structure and Reporting Lines
• Enterprise Risk Management Structure
• Authority and Responsibilities
• Enterprise Risk Management within the Evolving Organization
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 5.2, "Leadership and commitment."
See ISO 31000, Risk Management—Guidelines, section 5.3, "Integration."
See ISO 31000, Risk Management—Guidelines, section 5.4.3, "Assigning organizational roles, authorities, responsibilities and accountabilities."

Principle 3: Defines Desired Culture
The organization defines the desired behaviors that characterize the organization's desired culture.
Topics covered include the following:
• Culture and Desired Behaviors
• Applying Judgment
• Effect of Culture
• Aligning Core Values, Decision-Making, and Behavior
• Shifting Culture
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 5.4.1, "Understanding the organization and its context."

Principle 4: Demonstrates Commitment to Core Values
The organization demonstrates a commitment to the organization's core values.
Topics covered include the following:
• Reflecting Core Values throughout the Organization
• Embracing a Risk-Aware Culture
• Enforcing Accountability
• Holding Itself Accountable
• Keeping Communication Open and Free from Retribution
• Responding to Deviations in Core Values and Behaviors
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 5.2, "Leadership and commitment."
See ISO 31000, Risk Management—Guidelines, section 5.4.2, "Articulating risk management commitment."
See ISO 31000, Risk Management—Guidelines, section 5.4.3, "Assigning organizational roles, authorities, responsibilities and accountabilities."
See ISO 31000, Risk Management—Guidelines, section 5.4.5, "Establishing communication and consultation."
See ISO 31000, Risk Management—Guidelines, section 6.2, "Communication and consultation."

Principle 5: Attracts, Develops, and Retains Capable Individuals
The organization is committed to building human capital in alignment with the strategy and business objectives.
Topics covered include the following:
• Establishing and Evaluating Competence
• Attracting, Developing and Retaining Individuals
• Rewarding Performance
• Addressing Pressure
• Preparing for Succession
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 5.4.4, "Allocating resources."

2.0 Strategy and Objective Setting

Principle 6: Analyzes Business Context
The organization considers the potential effects of business context on the risk profile.
Topics covered include the following:
• Understanding Business Context
• Considering External Environment and Stakeholders
• Considering Internal Environment and Stakeholders
• How Business Context Affects Risk Profile
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 5.4.1, "Understanding the organization and its context."
See ISO 31000, Risk Management—Guidelines, section 6.3.3, "External and internal context."

Principle 7: Defines Risk Appetite
The organization defines risk appetite in context of creating, preserving, and realizing value.
Topics covered include the following:
• Applying Risk Appetite
• Determining Risk Appetite
• Articulating Risk Appetite
• Using Risk Appetite
ISO 31000 Framework—Elements: (no cross-reference)

Principle 8: Evaluates Alternative Strategies
The organization evaluates alternative strategies and the potential impact on risk profile.
Topics covered include the following:
• The Importance of Aligning Strategy
• Understanding the Implications from Chosen Strategy
• Aligning Strategy with Risk Appetite
• Making Changes to Strategy
• Mitigating Bias
ISO 31000 Framework—Elements: (no cross-reference)

Principle 9: Formulates Business Objectives
The organization considers risk while establishing the business objectives at various levels that align and support strategy.
Topics covered include the following:
• Establish Business Objectives
• Aligning Business Objectives
• Understanding the Implications from Chosen Business Objectives
• Categorizing Business Objectives
• Setting Performance Measures and Targets
• Understanding Tolerances
• Performance Measures and Established Tolerances
ISO 31000 Framework—Elements: (no cross-reference)

3.0 Performance

Principle 10: Identifies Risk
The organization identifies risks that affect the performance of strategy and business objectives.
Topics covered include the following:
• Identifying Risk
• Using a Risk Inventory
• Approaches to Identifying Risk
• Framing Risk
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 6.4.2, "Risk identification."

Principle 11: Assesses Severity of Risk
The organization assesses the severity of risk.
Topics covered include the following:
• Assessing Risk
• Selecting Severity Measures
• Assessment Approaches
• Inherent, Target, and Residual Risk
• Depicting Assessment Results
• Identifying Triggers for Reassessment
• Bias in Assessment
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 6.4.3, "Risk analysis."

Principle 12: Prioritizes Risk
The organization prioritizes risks as a basis for selecting responses to risks.
Topics covered include the following:
• Establishing the Criteria
• Prioritizing Risk
• Using Risk Appetite to Prioritize Risk
• Prioritization at All Levels
• Bias in Prioritization
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 6.4.4, "Risk evaluation."

Principle 13: Implements Risk Responses
The organization identifies and selects risk responses.
Topics covered include the following:
• Choosing Risk Responses
• Selecting and Deploying Risk Responses
• Considering Costs and Benefits of Risk Responses
• Additional Considerations
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 6.5.1, "Selection of risk treatment options."
See ISO 31000, Risk Management—Guidelines, section 6.5.3, "Preparing and implementing risk treatment plans."

Principle 14: Develops Portfolio View
The organization develops and evaluates a portfolio view of risk.
Topics covered include the following:
• Understanding a Portfolio View
• Developing a Portfolio View
• Analyzing the Portfolio View
ISO 31000 Framework—Elements: (no cross-reference)

4.0 Review and Revision

Principle 15: Assesses Substantial Change
The organization identifies and assesses changes that may substantially affect strategy and business objectives.
Topics covered include the following:
• Integrating Reviews into Business Practices
• Internal Environment
• External Environment
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 5.6, "Evaluation."
See ISO 31000, Risk Management—Guidelines, section 5.7.1, "Adapting."
See ISO 31000, Risk Management—Guidelines, section 5.7.2, "Continually improving."
See ISO 31000, Risk Management—Guidelines, section 6.6, "Monitoring and review."

Principle 16: Reviews Risk and Performance
The organization reviews organization performance results and considers risk.
Topics covered include the following:
• Integrating Reviews into Business Practices
• Considering Organization Capabilities
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 6.6, "Monitoring and review."

Principle 17: Pursues Improvement in Enterprise Risk Management
The organization pursues improvement of enterprise risk management.
Topics covered include the following:
• Pursuing Improvement
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 6.6, "Monitoring and review."
See ISO 31000, Risk Management—Guidelines, section 5.7.1, "Adapting."
See ISO 31000, Risk Management—Guidelines, section 5.7.2, "Continually improving."

5.0 Information, Communication, and Reporting

Principle 18: Leverages Information and Technology
The organization leverages the organization's information systems to support enterprise risk management.
Topics covered include the following:
• Putting Relevant Information to Use
• Evolving Information
• Data Sources
• Categorizing Risk Information
• Managing Data
• Using Technology to Support Information
• Changing Requirements
ISO 31000 Framework—Elements: (no cross-reference)

Principle 19: Communicates Risk Information
The organization uses communication channels to support enterprise risk management.
Topics covered include the following:
• Communicating with Stakeholders
• Communicating with the Board
• Methods of Communicating
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 6.2, "Communication and consultation."
See ISO 31000, Risk Management—Guidelines, section 6.7, "Recording and reporting."

Principle 20: Reports on Risk, Culture, and Performance
The organization reports on risk culture and performance at multiple levels and across the organization.
Topics covered include the following:
• Identifying Report Users and Their Roles
• Reporting Attributes
• Types of Reporting
• Reporting Risks to the Board
• Reporting on Culture
• Key Indicators
• Reporting Frequency and Quality
ISO 31000 Framework—Elements:
See ISO 31000, Risk Management—Guidelines, section 6.2, "Communication and consultation."
See ISO 31000, Risk Management—Guidelines, section 6.7, "Recording and reporting."

© 2018, Association of International Certified Professional Accountants PRA-ERM