COSO unveiled its new framework for enterprise risk management this morning, a trimmed down version of the original draft that still places a heavy emphasis on embedding risk management across the whole enterprise and tying it deeply to corporate strategy.
The framework is available at www.COSO.org. It’s the result of nearly three years’ work and plenty of consultation among risk, audit, and compliance executives. The new framework is also long overdue: it replaces COSO’s original ERM framework from 2004. Everyone now admits the original was pretty much a clunker, with little relevance to the complex, inter-related business risks we all know today.
“The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting,” COSO chairman Robert Hirth said. “Our overall goal is to continue to encourage a risk-conscious culture.”
The ERM framework is designed to be structurally similar to the COSO internal control framework from 2013: five major components, each one supported by multiple principles. The ERM framework does have 20 principles, where the internal control framework has only 17; but many of the principles are similar, and a few are identical.
A few items have changed from the draft framework that emerged last summer. Two components have new names: “risk in execution” is now “performance,” and “monitoring risk management performance” is “review and revision.” And as we noted earlier this summer, the final framework has only 20 principles rather than the originally proposed 23—but that’s only because some principles were so similar they could be consolidated; none were cut because the idea itself didn’t belong.
A full list of the components and principles, below:
Another change was the principle graphic COSO wants to use for the ERM framework. Where the internal control framework has the famed COSO cube, the ERM framework will have this:
The image is a “DNA-like structure” intended to convey the idea that risk management principles should be woven into all parts of the enterprise. Superb concept, and the image captures the meaning—but I don’t know what we call this thing in shorthand. The ERM helix? The COSO code? Email your suggestions to [email protected] and we’ll publish a list next week.
COSO also crafted the final framework to be more useful when evaluating corporate strategy. We’ve all seen boards and CEOs adopt strategies that are short-sighted, miss the larger implications of their choices, or don’t align with those mission statements and core values framed in the break room. COSO hopes that this framework will help senior executives avoid those mistakes by giving them a disciplined process to ask probing questions about the strategies they’re considering—and then to adopt a strategy that actually, ya know, aligns with what they promise to do publicly.
Whither the ERM Framework Now?
I see two challenges ahead for this framework. First—organizations aren’t required to do anything with it. It may make good sense at a theoretical level, but if your board and business unit chiefs are exhausted from internal control compliance, suggesting that the company now shoot for ERM may be a tough sell.
I do hear lots of compliance and audit executives trying to achieve better ERM. Some may not even know that’s what they are trying to do, but they grasp the basic idea and its importance. Smarter risk management leads to more disciplined performance; that makes for smoother regulatory compliance, financial reporting, sustainability programs, and the like.
Cynics, however, will be able to take potshots at whether implementing the ERM framework is necessary. COSO led the effort, but PwC did the heavy lifting of drafting it. The framework is a production of the Big 4 and GRC advisory communities, period. That fact shouldn’t be used to dismiss the importance of risk management, and the need of a framework to help organizations implement ERM—but some people will use it that way, to argue that COSO ERM is another big idea, with big costs, and little tangible value.
Which brings us to challenge No. 2. If in-house compliance, audit, and risk executives want to implement this ERM framework, you’ll need to show how this effort builds on earlier programs to build stronger internal control.
That theme emerged strongly in comments about the draft framework, and the authors know they need to mount a charm offensive on that point. I’ve only read the framework’s executive summary so far, not the entire document—so I haven’t seen exactly how the full framework addresses the question. But it’s likely to be a question you face, if you bring an ERM project to your superiors: “How is this different than the internal control work we just spent the last five years doing?”