Guest Column: COSO at a Tipping Point?
Nearly 30 years ago, as a young bank auditor, I learned about a private sector initiative known as “The Committee of Sponsoring Organizations of the Treadway Commission,” or more simply, “COSO.” It was the mid-1980s. The savings & loan crisis was raging.
COSO was, and continues to be, a joint effort of five private sector organizations dedicated to providing thought leadership by developing frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. In 1992, COSO published its first framework, Internal Control – Integrated Framework, to establish a common internal control model against which companies and organizations could assess their control systems.

Lock Nelson
In trying to apply COSO’s Internal Control – Integrated Framework, my aspirations were humble. I wanted to explain succinctly to bank presidents, audit committees, and bank tellers what effective internal control is. I never did that job well. It seemed that the bankers were from Venus, me from Mars. We spoke different languages. Eventually those barriers proved too great, so I transitioned to a career in product development and marketing. I’ve followed the evolution of COSO ever since. I remain convinced business executives still come from Venus, while governance, risk and compliance (GRC) professionals from Mars – and nobody is bilingual!
COSO at a Tipping Point?
COSO has a strong reputation among GRC professionals, external auditors, and regulatory bodies (the GRC community). The same can’t be said for business executives and P&L managers. While Section 404 of the Sarbanes-Oxley Act requires executives to report on internal controls in their annual reports, executives often find COSO’s frameworks and guidance somewhat technical and foreign. Worse, some view COSO as the domain of auditors and regulators, disconnected from (and less than useful to) business decision-making.
COSO is at a tipping point. Accelerating change and innovation mean COSO must either move quickly to gain greater credibility and relevance to business decision-makers, or continue its focus on the needs of the GRC community. It’s a choice COSO and its leaders must make.
Some questions COSO’s leaders might consider include:
- Is COSO’s strong reputation in the GRC community enough? Assuming continued quality efforts and investments, COSO likely will remain relevant in the GRC community. That alone is an admirable goal.
- Or does COSO aspire to increase awareness, practicality, and use of its content to business decision-makers? If so, what is it willing to change to balance the scales?
- What is the perception versus reality? Is it valid to say that COSO is the domain of GRC professionals, auditors and regulators? Is reality that COSO suffers more from a “content marketing” issue than a “useful content” issue?
Balancing the Scales
If COSO seeks to extend awareness, practicality, and use more deeply into the business decision-making community, some possible actions include:
- Revisit COSO’s audience definitions and priorities. Beyond the known (and well penetrated) constituencies, what other stakeholder groups does COSO want to influence? How can COSO tap the necessary marketing channels to engage these audiences?
- Avoid myopia in defining audience needs. Don’t rely too heavily on GRC professionals talking to GRC professionals to understand what business decision-makers perceive or want. Consider research to gain objective perspectives from business executives. Design the research to understand the viability of market expansion and the investment necessary.
- Start with the end in mind. Developing new content may not be necessary. Consider repurposing existing content. Ensure that content (either new or repurposed) is consistent with audience definitions, needs, relevance, and usability. Before content is developed, identify its value proposition, call to action, and desired audience responses. Do the same for the methodologies used to measure results.
- What’s in it for the reader? Tailor content directly to that business executive audience. Communicate reader benefits clearly. Avoid lengthy content, keeping it short and digitally friendly. If complementary messages are needed, design a campaign to include a series of short targeted messages. Think of it as serving COSO’s content to business executives in appetizer bites rather than a single, full-course meal.
- Consider marketing synergies when evaluating collaboration partners. A good collaboration partner will not only provide technical expertise and content; it will provide COSO access to new and targeted audiences, including business executives. This consideration should be at the beginning of the partner selection process, not an assumption or an afterthought.
What Do COSO Stakeholders Get?
Over its history, COSO has not only addressed the recommendations of the Treadway Commission; its frameworks, guidance, and thought leadership have become cornerstones for GRC professionals, external auditors, and yes, many high-performing businesses.
By considering the issues discussed and balancing the scales between GRC and business executive constituents, COSO and its stakeholders (its sponsoring organizations) will benefit through:
- Increased awareness, acceptance, and use of COSO’s work in the business executive constituencies;
- Enhanced value and relevance to existing GRC constituencies;
- Continued demonstration of leadership, relevance, and value to constituencies of each individual sponsoring organization in COSO;
- Timely, innovative, and high-quality thought leadership, practical guidance — and, when necessary, framework development to address business and technical users.
Lock Nelson is a former marketing executive at PwC, where he worked for nearly 20 years. Among other assignments, he was marketing director for the firm’s internal audit practice and a senior marketing manager in its GRC practice. And as he notes in the column above, Nelson also worked as an internal auditor for several years before that. He lives in suburban Chicago.