One of the sleeper issues this year, that could become a larger issue for risk and compliance officers next year, is the COSO draft framework for enterprise risk management. Compliance officers in the private sector might want to watch what your brethren in the government sector are saying about ERM, since the points they are raising could have a big influence on what you do in years to come.
In several comment letters to COSO about its draft framework, those government-sector brethren called on COSO to provide more guidance about how the impending ERM framework could be integrated with the COSO internal controls framework already in widespread use. The U.S. Government Accountability Office (essentially, the internal audit wing of the federal government) even raised the idea of publishing one consolidated framework for ERM and internal control sometime in the future.
Will any of this come to pass? Well, remember that compliance and risk officers working in government agencies have a strong incentive to see that it does: the feds have already begun their own campaign for all agencies to adopt an ERM program this fiscal year, and to tie those ERM programs to the agency’s internal control processes. Technically government agencies use a document known as “the Green Book” as their framework for internal controls, but the Green Book is a close cousin to the COSO framework. Little wonder, then, that the GAO also wants COSO to provide an ERM framework that it can easily adapt to its own goals.
Similar concerns were raised in a comment letter from the Association for Federal Enterprise Risk Management. AFERM (of course it has its own acronym) mostly raised more esoteric points about terminology, but it included this statement at the top: “This document fails to provide any meaningful understanding of the important linkage between internal control and risk management.”
Even the Ministry of Finance in China submitted a comment, asking the question: if we have separate frameworks for internal control and ERM, couldn’t that lead to duplicative efforts within one organization? Are separate frameworks really necessary?
The Chinese raise a good point. I suspect the GAO would agree with them.
What May Happen Next
None of this should leave compliance officers in the private sector fearful that the government sector will somehow hijack this process and foist some unified ERM-Internal Control framework on the rest of us. First, government agencies do have fundamental differences in how they operate. That means any guidance directed to them will probably take the form of an appendix to some COSO framework for organizations as a whole (one idea the GAO offered), or arrive as a GAO-supported framework for agencies that is similar to COSO but still independent from it (much as the Green Book relates to COSO’s internal control framework).
That’s the practical reality. Second, however, compliance officers should not fear a unified ERM-internal control framework because it’s not a bad idea.
On the contrary, a clearer sense of how ERM and internal control support each other is something the compliance community sorely needs. As “the enterprise” grows more complex—with more third parties working on your behalf, more business processes relying on data rather than physical assets, more employees using more devices, to execute more transactions more quickly—all of that is going to drive organizations toward standardized business processes.
You’ll need internal controls to prevent those processes from fluctuating “out of range,” and you’ll also need enterprise risk management to define what the acceptable range actually is. Some of those efforts will be highly technical (say, automated matching of invoice and expense payment to police against fraud). Others will be more cultural (hiring staff with high ethical standards and creating compensation schemes that don’t pressure them to violate those standards).
At the end of the day, however, both efforts will need to support each other and drive the company toward the final goal. In our example above, the final goal is a payments process that reduces the risk of improper payments, but that’s only one example among many. Within the next 10 years, audit and compliance executives will need to deliver that same treatment to many others.
So should we hold our breath and see whether the GAO and other voices in the federal government shape what COSO’s final ERM framework might look like? No. We should just remember that one large portion of the GRC community is moving ahead with the idea of integrated ERM and internal control, and that push is going to echo over to our side here in the private sector.
And we should also wish them well, because if government agencies can embrace an integrated system of ERM and internal control, that’s something the private sector should start copying as soon as we can.