
Question


1. How would a company assess change in the world and know if it impacts them (COSO Principle 15)?

Principle 15: Assesses Substantial Change The organization identifies and assesses changes that may substantially affect strategy and business objectives. Internal, External Environment.

2. What does current performance tell us about our risks?

Principle 15: Assesses Substantial Change

The organization identifies and assesses changes that may substantially affect strategy and business objectives.

Integrating Reviews into Business Practices:

Organizations typically anticipate many changes within setting of strategy and business objectives and performance, but they need to also be aware of the potential for larger, substantial changes that may occur and have a more pronounced effect. Substantial change may lead to new or changed risks, and affect key assumptions underpinning strategy. Practices for identifying such changes should be built into business activities and performed continually. Many management practices can identify substantial changes in the ordinary course of running the business. For example, reviewing the plan for integrating a newly acquired joint business venture may identify the need for future enhancements of information technology.

Substantial changes such as acquiring an entity or implementing a new system could potentially change the entity's portfolio view of risk or affect how enterprise risk management functions. In the case of an acquisition, integrating the acquired company's operations could affect the existing culture and risk ownership. Implementing a new system could present new exposures related to information security, which could influence how data is captured and managed.

Organizations consider how change can affect enterprise risk management and the achievement of strategy and business objectives. This requires identifying internal and external environmental changes related to the business context as well as changes in culture. Some examples of substantial change in both the internal and external environment are highlighted below.

Internal Environment:

Rapid growth: When operations expand quickly, existing structures, business activities, information systems, or resources may be affected. Information systems may not be able to effectively meet risk information requirements because of the increased volume of transactions. Risk oversight roles and responsibilities may need to be redefined in light of organizational and geographical changes due to an acquisition. Resources may be strained to the point where existing risk responses and actions break down. For instance, supervisors may not successfully adapt to higher activity levels that require adding manufacturing shifts or increasing personnel.

Innovation: Whenever innovation is introduced, risk responses and management actions will likely need to be modified. For instance, introducing sales capabilities through mobile devices may require access controls specific to that technology. Training may be needed for users. Innovation technology may also enhance enterprise risk management. For example, a new system of using mobile devices that captures previously unavailable sales information gives management the ability to monitor performance, forecast potential sales, and make real-time inventory decisions.

Substantial changes in leadership and personnel: A change in management may affect enterprise risk management. A newcomer to management may not understand the entity's culture and may have a different philosophy, or may focus solely on performance to the exclusion of risk appetite or tolerance.

External Environment:

Changing regulatory or economic environment: Changes to regulations or in the economy can result in increased competitive pressures, changes in operating requirements, and different risks. If a large-scale failure in operations, reporting, and compliance occurs in one entity, regulators may introduce broad regulations that affect all entities within an industry. For instance, if toxic material is released in a populated or environmentally sensitive area, new industry-wide transportation restrictions may be introduced that affect an entity's shipping logistics. If a publicly traded company is seen to have poor transparency, enhanced regulatory reporting requirements may be introduced for all public companies. The revelation of patients being treated poorly in one care facility may prompt additional requirements for all care facilities. And a more competitive environment may drive individuals to make decisions that are not aligned with the entity's risk appetite and increase the risk exposures to the entity. Each of these changes may require an organization to closely examine the design and application of its enterprise risk management.

Identifying substantial changes, evaluating their effects, and responding to the changes are iterative processes that can affect several components of enterprise risk management. It can be useful to conduct a "post mortem" after a risk event to review how well the organization responded and to consider what lessons learned could be applied to future events.
