Sharpen your pencils, all enthusiasts of enterprise risk management: COSO has unveiled its new draft framework for ERM and is calling for public comment.
The exposure draft is available on the COSO website, and the comment period runs from now until Sept. 30. This is COSO’s first update to the ERM framework, which it originally published in 2004—so with all the change global business has seen since then, this overhaul is much needed.
The draft weighs in at 132 pages, and is roughly divided into two halves. First, COSO walks through various definitions to explain ERM and its key elements to the novice. (Given how difficult of a concept ERM can be even to people who’ve contemplated it for years, that first section is still worth a read.) The second portion of the book is where the action really is: the proposed new framework for enterprise risk management.
Broadly speaking, the ERM framework is modeled on the COSO internal control framework adopted in 2013: several basic components, each component explained by several core principles, and each principle supported by several points of focus. Compliance and audit executives who know the internal control framework will feel like they’re on familiar ground, which is a good thing, since you’ll probably be the ones explaining this framework to your board of directors.
The ERM framework is grouped into five components, just like the internal control framework. In fact, when you arrange those five ERM components in a certain order, I would argue that each one has an anologue in the internal control framework. Take a look:
|ERM Framework Component||Internal Control Framework Component|
|Risk governance and culture||Control environment|
|Risk, strategy, and objective-setting||Risk assessment|
|Risk in execution||Control activities|
|Risk information, communication, and reporting||Information and communication|
|Monitoring ERM performance||Monitoring|
Is each ERM component on the left an exact match to the internal control component on the right? No. But they all strike me as conceptually similar, and anyone who oversees the internal control framework won’t be able to implement those components fully unless the board also succeeds at implementing ERM. Each side needs the other.
One difference is that the ERM framework has 23 principles, compared to 17 for the internal control framework. And while we all know and love the famed COSO cube for internal control, the ERM framework’s primary visual seems to be this:
I’m not sure whether to call this “the ERM skewer” or “the speared doughnut.” Hopefully that debate gets resolved during the comment period.
Those 23 principles all seem sensible enough at first glance. Some are virtually identical across both frameworks. Principle 4 in the Risk Governance & Culture component, for example, is the same as Principle 1 the Control Environment component: “demonstrates a commitment to integrity and ethics.” Principle 10 in the ERM framework, “considers risk while establishing business objectives,” is a mirror image of Principle 6 in the internal control framework: “specifies business objectives with sufficient clarity to enable identification and assessment of risks relating to objectives.”
I’ll do deeper dives into individual ERM framework principles throughout the summer. For now, we should all give a big thanks to COSO for producing this exposure draft, and do our part to help by commenting on it.