Update to COSO’s ERM Framework Update

COSO plans to simplify its forthcoming framework for enterprise risk management, paring back some of the 23 proposed principles and renaming some of the framework’s five components, according to a project summary PwC has been circulating lately.

A friend of the cause passed along that presentation to me earlier this week, and the framework’s development is no state secret anyway. PwC has been working with COSO to develop a new ERM framework since it was first proposed last summer. They received lots of public comment on the original draft and now are making the rounds to let the risk, audit, and compliance community hear the latest.

[Update to my update on the update: On Thursday morning PwC asked me to take down their presentation on the framework’s progress, since the material was proprietary. I don’t mind, and the PPT deck is circulating out on the Interwebs already. Work your contacts if you want to find it. We now resume our previously scheduled post.]

First, some history for anyone who hasn’t followed the ERM framework closely. COSO published its first ERM framework in 2004, and even COSO itself now admits that document never really went anywhere. What’s more, almost as soon as that framework arrived, it was swamped with profound changes to the business landscape: globalization, more aggressive regulatory enforcement, Big Data, social media and its attendant reputation risks, and so forth.

Hence COSO proposed a new ERM framework last summer. Its structure is conceptually similar to the COSO framework for internal control, adopted in 2013: five components, each one supported by several basic principles.

Many of the principles are identical across both frameworks, although the ERM version has 23 of them, the internal control version only 17. The five components of each framework are named differently, but they still correspond:

And above all, the ERM framework abandons the famed COSO cube in favor of this thing:

[Image: COSO ERM framework graphic]

It represents an organization’s risk management journey. You begin with a mission and core values, run through a rainbow of COSO ERM components, and somewhere over the rainbow you achieve enhanced performance.

The rainbow bit was COSO’s idea. I called it “the speared donut” for weeks until COSO chairman Bob Hirth corrected me.

So What’s Changing

According to the PwC presentation, public comment last fall was extensive, robust, and generally positive. COSO received more than 2,000 individual comments. Positive ratings outnumbered negative ratings by a ratio of 4.5-to-1. Feedback came from a nice blend of public companies, private firms, U.S. organizations, and overseas parties. That’s great news; it’s just the sort of input this community wants to see.

The PwC project team came away with seven items on its To Do list:

  • Reduce the number of principles;
  • Update graphics;
  • Refine linkages to internal control;
  • Change component titles;
  • Increase emphasis on integration and decision-making;
  • Highlight culture and relationship to core values;
  • Expand the conversation on information and technology.

The final ERM framework will also include a compendium of examples, showing how various types of organizations might implement the framework and its various principles.

The points about connecting ERM to internal control, increasing emphasis on decision-making, highlighting culture’s relationship to core values, and expanding the conversation on IT are all excellent ideas. My observation is that at this point, most boards know they should implement ERM, and grasp the idea that it operates on a higher plane of existence than internal control and regulatory compliance. They just don’t know how to do it well, or what assurance looks like for risks around strategy, reputation, or culture.

We should also remember that even in this Trump Administration era, with deregulation allegedly sweeping the land, a risk doesn’t care whether it’s regulated or not. Many business risks (especially the most serious ones) exist separate from any regulatory requirement trying to govern them, and the risk won’t go away just because its compliance burden does. ERM is meant to be a business performance tool addressing that reality. It brings a more disciplined approach to what businesses already do today in mostly lurching, ad hoc ways. If the COSO framework can bring more order to that process, everyone should climb aboard the bandwagon.

What’s Next

What we don’t know from this presentation is exactly which principles might get pruned back, or how the components might be renamed, or—say it ain’t so, COSO—whether the speared donut might be replaced with another image. I’ll try to track down those answers and report back.

We also don’t know exactly when the final COSO framework will be presented to the world. COSO Chairman Bob Hirth has previously said he wants it done by this summer, a well-deserved capstone to his three years as COSO chairman.

Hirth, PwC, those 2,000 commenters, and many others have put lots of effort into the framework, and lord knows that the business world needs one. Let’s hope for the best.


  1. rob newsome on May 4, 2017 at 10:42 am

    Thanks for the update Matt. I also had a chuckle re your speared doughnut “thing”.

    I hope the ERM COSO links well with Internal Control COSO. Control is a response to risk exposures and the obvious link is in the second IC COSO Component on risk assessment.

    Let us see soon what surprises Bob Hirth has for us.

  2. Mike Corcoran on May 4, 2017 at 11:08 am

    We already have ISO 31000 across the globe.

  3. Tim Leech on May 8, 2017 at 3:28 pm

    Matt: I think PwC’s assessment of how many comments to the ED were positive needs to be audited. IFAC, myself, and many others challenged the draft on the basis that it says in many places risk management is about managing uncertainty to objectives, but nowhere does it suggest a logical starting point is to document the organization’s most important objectives for value creation and preservation as a starting point and then decide which objectives warrant the cost of a formal risk assessment. The draft was also very confused on how to integrate ERM and internal control assessments related to financial reporting. If one was to read the ED, it appears ERM cannot be used to assess risks to the objective of reliable external reporting.

  4. […] is streamlining the framework’s principles, not gutting them. The draft ERM framework published last summer had five primary components, supported by 23 underlying principles. Public feedback on the draft said some of the 23 principles seemed overlapping or redundant, so […]
