Question
1. How would a company assess change in the world and know if it impacts them (COSO Principle 15)?
Principle 15: Assesses Substantial Change. The organization identifies and assesses changes that may substantially affect strategy and business objectives. Internal, External Environment.
2. What does current performance tell us about our risks?
Integrating Reviews into Business Practices:
Organizations typically anticipate many changes within setting of strategy and business objectives
and performance, but they need to also be aware of the potential for larger, substantial changes that
may occur and have a more pronounced effect. Substantial change may lead to new or changed
risks, and affect key assumptions underpinning strategy. Practices for identifying such changes
should be built into business activities and performed continually. Many management practices can
identify substantial changes in the ordinary course of running the business. For example, reviewing the plan for integrating a newly acquired joint business venture may identify the need for future
enhancements of information technology.
Substantial changes such as acquiring an entity or implementing a new system could potentially
change the entity's portfolio view of risk or affect how enterprise risk management functions. In
the case of an acquisition, integrating the acquired company's operations could affect the existing
culture and risk ownership. Implementing a new system could present new exposures related to
information security, which could influence how data is captured and managed.
Organizations consider how change can affect enterprise risk management and the achievement
of strategy and business objectives. This requires identifying internal and external environmental
changes related to the business context as well as changes in culture. Some examples of substantial
change in both the internal and external environment are highlighted below.
Internal Environment:
Rapid growth: When operations expand quickly, existing structures, business activities,
information systems, or resources may be affected. Information systems may not be able to
effectively meet risk information requirements because of the increased volume of transactions.
Risk oversight roles and responsibilities may need to be redefined in light of organizational and
geographical changes due to an acquisition. Resources may be strained to the point where
existing risk responses and actions break down. For instance, supervisors may not successfully
adapt to higher activity levels that require adding manufacturing shifts or increasing personnel.
Innovation: Whenever innovation is introduced, risk responses and management actions will
likely need to be modified. For instance, introducing sales capabilities through mobile devices
may require access controls specific to that technology. Training may be needed for users.
Innovation technology may also enhance enterprise risk management. For example, a new
system of using mobile devices that captures previously unavailable sales information gives
management the ability to monitor performance, forecast potential sales, and make real-time
inventory decisions.
Substantial changes in leadership and personnel: A change in management may affect enterprise risk management. A newcomer to management may not understand the entity's culture
and may have a different philosophy, or may focus solely on performance to the exclusion of
risk appetite or tolerance.
External Environment:
Changing regulatory or economic environment: Changes to regulations or in the economy
can result in increased competitive pressures, changes in operating requirements, and different risks. If a large-scale failure in operations, reporting, and compliance occurs in one
entity, regulators may introduce broad regulations that affect all entities within an industry.
For instance, if toxic material is released in a populated or environmentally sensitive area, new
industry-wide transportation restrictions may be introduced that affect an entity's shipping
logistics. If a publicly traded company is seen to have poor transparency, enhanced regulatory
reporting requirements may be introduced for all public companies. The revelation of patients
being treated poorly in one care facility may prompt additional requirements for all care facilities. And a more competitive environment may drive individuals to make decisions that are
not aligned with the entity's risk appetite and increase the risk exposures to the entity. Each of
these changes may require an organization to closely examine the design and application of its
enterprise risk management.
Identifying substantial changes, evaluating their effects, and responding to the changes are iterative
processes that can affect several components of enterprise risk management. It can be useful to
conduct a "post mortem" after a risk event to review how well the organization responded and to
consider what lessons learned could be applied to future events.