COSO Chairman Robert Hirth visited Boston yesterday, speaking to the CAE Leadership Forum about COSO’s proposed new framework for enterprise risk management. I was lucky enough to attend, and Hirth raised some excellent points about how COSO wants to help companies implement ERM, so let me recap the highlights here.
First, as we mentioned in this blog last week, the draft ERM framework was published last week and is now open for public comment until Sept. 30. Submitting comments is something every compliance, audit, and risk professional should do. COSO works hard to provide useful guidance to the community, and it needs our help to do that. Even better, the draft framework is free.
The plan is to collect all that public comment through the end of September, and then spend the fall and winter digesting the feedback. Ideally, Hirth said, a final ERM framework will be ready sometime next spring. In fact, he said he plans to stay a final year as chairman of COSO, until mid-year 2017, specifically to see the new framework through to completion. That implies we’ll have a final ERM framework roughly one year from now.
The framework itself consists of five basic components, supported by 23 underlying principles. That’s structurally similar to the COSO Internal Control framework adopted in 2013, which also has five basic components and 17 underlying principles. One key difference: the 17 principles of the internal control framework are supported by several dozen “points of focus”—and the ERM framework currently does not have anything as granular as that.
Hirth said that’s because COSO doesn’t want to “over-legislate” how companies implement ERM. That may be so. Then again, omitting points of focus also prevents audit firms from demanding that you map your ERM program to those points. I’ve heard numerous stories of audit firms demanding exactly that for internal control over financial reporting: map your controls to specific points of focus within the internal control framework. Nobody tells me those stories with joy in their voice. So I wonder whether omitting ERM points of focus is simply a way to make the framework more palatable.
Along similar lines, Hirth also stressed that COSO has no authority to force companies to use its framework, and that at least in the United States, no regulators are talking about making ERM mandatory. He did say that Germany is considering a possible requirement for auditors to review ERM at listed companies in that country, which set off my “uh-oh, this is how it starts” radar.
Still, let’s be honest: the only regulator that could force the issue of ERM adoption is the Securities and Exchange Commission, and it has zero appetite for touching this subject. Perhaps the audit firms could try to force clients to adopt ERM anyway, under the logic that good ERM helps reduce cybersecurity and other non-financial risks that do carry financial consequences should they come to pass. That would be baloney, of course; the firms would want to force ERM to keep the billable hours rolling for audit partners and staff. It would likely incite strong pushback from companies exasperated with firms’ demands. I’m not expecting mandatory ERM any time soon.
A few other random thoughts…
Good riddance to “risk tolerance.” Hirth said the draft framework replaces the phrase “risk tolerance” with “acceptable variation in performance”—and that might be the best idea I’ve heard in ages. Risk tolerance has always been a rather vague concept, and that’s probably why boards do such a poor job articulating it.
On the other hand, acceptable variation in performance is a much more concrete concept that actual human beings can understand. You can set performance targets, and measure divergence from them, much more easily. You can set upper and lower limits on how much variation the company will stomach. (For example, $100 million in sales is good, $90 million will lead to a spending freeze, $125 million sets off alerts that internal audit should investigate why sales are so good, and so forth.)
Building feedback mechanisms into your processes, setting objectives and understanding the risks to achieving them (which is Principle 6 in the COSO internal control framework)—lots of things get easier when you start from the idea of acceptable variation. Bravo.
Parallels in frameworks. In my post last week, I speculated that the ERM and Internal Control frameworks were deliberately designed to have five components meant to complement each other. Hirth said that takes things a bridge too far. Yes, structurally they’re similar, but that’s more because good, disciplined thinking about operations tends to involve a few universal themes. Information & Communication, for example, would probably be a component of any framework for governance, internal control, fraud management, or anything else.
It’s not a doughnut. My other question last week was whether the ERM’s primary visual image is a speared doughnut, a skewer, or something else:
Hirth’s verdict: the image is a rainbow. And at the end of a rainbow you always find a pot of gold, which in this case is enhanced performance.
Well, I hold a torch for the speared doughnut regardless. The rest of the framework deserves your full attention.