More Details on COSO ERM Framework

More news on the COSO framework for enterprise risk management: the final framework will consist of 20 principles rather than the originally proposed 23; the “ERM rainbow” graphic will be replaced with a more DNA-like image; and yes, COSO intends to have the complete framework ready for public consumption by sometime in July.

That’s the word from COSO chairman Bob Hirth, who gave an update on the ERM framework while speaking at a conference in Boston last week. His points also echo the comments from Frank Martens, who heads the project team at PwC working with COSO to finish the framework. I interviewed Martens last week to get a better sense of what’s going on, and you can hear his comments in the podcast below.

We’ll start with Hirth, since he’s the boss. Here are the main points he mentioned last week.

COSO is streamlining the framework’s principles, not gutting them. The draft ERM framework published last summer had five primary components, supported by 23 underlying principles. Public feedback on the draft said some of the 23 principles seemed overlapping or redundant, so could COSO consolidate them? That’s how the final framework came to 20 principles.

Hirth did not say which principles would be consolidated; Martens didn’t either. But both stressed to me that this really is about eliminating redundancy, rather than removing principles of risk management wholesale. Or as Martens phrased it, “[Commenters] weren’t coming back and saying, ‘This principle doesn’t belong’.”

The “Risk in Execution” component will be renamed. Hirth said the word “execution” as English-speaking business executives understand it—about getting things done, and the “execution risk” of things not getting done—didn’t translate well to non-English audiences; it conjured up images of, well, getting executed. So that component will be renamed to focus more on performance, although I don’t know what the final new name will be.

The other four components of the ERM framework (risk governance and culture; risk, strategy, and objective-setting; risk information, communication, and reporting; and monitoring enterprise risk management performance) will all remain the same.

The rainbow will go away. It wouldn’t be a COSO framework without a slightly strange graphic image to demonstrate the concept, so the original proposal was to include a rainbow demonstrating the ERM components—and then, somewhere over the rainbow, you would find enhanced performance. The image was this:

That rainbow will not survive into the final framework. Instead, Hirth said, the framework will use an image with “a more DNA-like structure,” which certainly teases the imagination. I look forward to seeing it.

Above all, however, Hirth said he prefers a DNA-like structure because…

The goal is to integrate ERM into everything the enterprise does. The original image of a rainbow suggested that ERM is a self-contained process; a phase that the company goes through, like early prototyping or late-stage marketing. That’s not what COSO wants to achieve, Hirth said. Rather, enterprise risk management should be a constant effort, something that all business functions do at all times.

In the podcast below, Martens said the goal is to frame ERM “not as a function or a group, but as a business capability.” That can be tricky, because the normal habit is to approach risk using a cycle of identify, assess, respond—and “that tends to get done almost as a separate effort within an organization,” Martens said. “How do you build it into the day-to-day operations of a business?”

Hence the DNA concept, which is an excellent metaphor.

The focus is on strategy and integration. Audit, compliance, and risk executives should love this idea, because it helps you argue your way into the inner sanctum of your enterprise where all the strategic decisions are made. With the framework in hand, you’ll have more standing to say you should be included in strategic planning, since you can bring better principles of risk management to those plans, earlier in the process.

One example: I know the chief audit executive at a rather acquisitive company, which closed a deal several years ago that doubled the size of the enterprise by revenue, employees, and geography. Since closing, however, the integration of the two cultures and business operations has been rocky.

So this CAE is eager to take the new framework and tell senior management: “We tried integration your way, and it hasn’t gone well. When the next deal comes, let’s do it this way.” It’s a good idea and gets you, the audit or risk leader, into the strategic discussions where you belong.

The ERM Framework Podcast

And as promised, below is the podcast interview I did with Martens last week. It’s 12 minutes long.

Both Martens and Hirth say the final ERM framework should arrive by sometime in July, just as Hirth ends his three-year term as COSO chairman. He, Martens, and many others have worked hard to produce a useful framework, and we should be grateful for their devotion to the profession.
