The COSO ERM framework is one of two widely accepted risk management standards organizations use to help manage risks in an increasingly turbulent, unpredictable business landscape. We previously discussed the background and a general overview of the other commonly used ERM framework, ISO 31000.
COSO, which is short for the Committee of Sponsoring Organizations of the Treadway Commission, was initially established by five major accounting associations and institutes in the U.S. in the mid-1980s as part of the National Commission on Fraudulent Financial Reporting. The committee came to be known as the Treadway Commission in honor of its original chairman, James C. Treadway, Jr.
The initial mission of COSO was to study financial reporting and develop recommendations to prevent fraud.
Its first “standard,” Internal Control – Integrated Framework, was released in 1992 and provided a comprehensive framework for helping organizations assess and improve their internal control systems. It went on to become extremely popular; in a 2006 poll, 82% of respondents claimed they use the standard to guide their internal control and compliance activities.
In the years following its release, organizations soon began to realize there was a gap in the internal control framework.
While it was helpful in reducing risks around fraudulent behavior and regulatory compliance, there was no way to identify and assess which risks the organization needed to put controls around.
This recognition, plus demands for better corporate governance and risk management standards after Enron and similar scandals, led COSO to create its Enterprise Risk Management – Integrated Framework in 2004.
COSO’s initial standard placed a strong emphasis on audit as the driving force behind enterprise risk management.
Although the 2004 COSO framework includes strategy setting in its definition of ERM, the reality is that the Sarbanes-Oxley Act (frequently referred to as SOX) and its requirements for public companies to test and certify financial reporting controls was a strong motivating factor in developing the standard.
In the original standard, ERM consisted of four categories – Strategic, Operations, Reporting, and Compliance – two of these directly relate to corporate governance.
As this summary of the ’04 standard from NC State explains, the ERM standard is almost like an expanded version of the internal control standard in that it goes beyond financial statements to include reports throughout the enterprise.
Although the original standard includes strategic objectives as a category, the reason for including it was to ensure the organization’s strategies “align with operations, reporting, and compliance activities.”
In the end, the 2004 COSO ERM framework focused more on what can be audited rather than identifying threats and opportunities, which is where the real value in ERM lies. The standard was a comfortable fit for organizations where risk was driven by audit.
While the latest COSO ERM framework retains many of the same characteristics as the original, it places greater emphasis on strategy.
In feedback, many practitioners explained that the original COSO ERM framework was solely concerned with internal control.
To address this and other concerns, COSO, in partnership with PwC, released an updated standard in 2017 with the title Enterprise Risk Management – Integrating with Strategy and Performance.
The new COSO ERM framework included some significant changes according to its authors. Dr. Mark Beasley, Director of the ERM Initiative at NC State and member of COSO’s Advisory Council, explains:
While the connection of risk management and strategy was emphasized in the original framework, the 2017 updated framework places greater emphasis on the importance of integrating risk considerations when designing and implementing strategies to accomplish the organization’s performance goals and objectives.
In its summary, PwC discusses significant differences between the 2004 and 2017 standards.
For example, the structure is much different. Instead of using a cube to illustrate the link between the four categories and the eight components of the risk management process, the new standard uses ribbon-type diagram that intertwines now five categories throughout an organization’s lifecycle. The standard explains that three ribbons in the diagram are there to represent common processes that “flow through the entity” (Strategy/Objective-Setting, Performance, and Review/Revision) while the other two ribbons represent the supporting mechanisms of ERM (Governance/Culture, Information and Communication, and Reporting).
(NOTE: We are seeking permission to use the diagram from the COSO standard itself so you can better visualize the structure of the 2017 framework. This article will be updated once we receive approval.)
Besides focusing more on strategic objectives, the new framework places greater emphasis on culture and dives deeper into concepts like risk appetite and, as Dr. Beasley explained, integrating risk management throughout the organization.
COSO’s new ERM framework now includes five components or categories with 20 principles spread throughout each component. Those components are:
- Governance and Culture – Forms the basis of the other components by providing guidance on board oversight responsibilities, operating structures, leadership’s tone, and attracting, developing, and retaining the right individuals.
- Strategy & Objective-Setting – This component focuses on strategic planning and how the organization can understand the effect of internal and external factors on risk. This section provides guidance on analyzing business context, defining risk appetite, and formulating objectives.
- Performance – After an organization develops its strategy, it then moves on to identify and assess risks that could affect its ability to achieve these goals. This section not only helps guide the organization’s risk identification and assessment, but also how to prioritize and respond to risks. After all, an organization is only as good as its performance, which is bigger than just risk management.
- Review and Revision – At some point after risks have been prioritized and a course of action been chosen, the organization moves into the review and revision phase where it assesses any changes that have taken place. This is also the opportunity to understand how the ERM process in the organization can be improved upon.
- Information, Communication, and Reporting – The last component of the COSO ERM framework involves sharing information from internal and external sources throughout the organization. Systems are used to capture, process, manage, and report on the organization’s risk, culture, and performance.
ERM uses an iterative process. Just because an organization has issued risk reports doesn’t mean the work is finished. With information about risk treatments and processes in hand, a review and refinement of governance, strategy, and risk management processes can and should take place.
Thought leaders and practitioners provide feedback on the new COSO ERM framework.
Along with thought leaders like Norman Marks and others, I agree the new COSO ERM framework is a dramatic improvement over the original standard from over 15 years ago. The ’04 version was certainly more audit focused and not so much on strategic objectives and adding value.
A common perception was that ERM was more of a documentation exercise than a system for ensuring objectives were being met and opportunities were being properly seized upon. Also, many felt the original standard was long and cumbersome and was not useful for timely decision-making, hence the perception of ERM being a documentation exercise.
And while the new standard provides better guidance on defining objectives and developing plans to maximize value to stakeholders, it still has some gaps.
Norman Marks for example explains in his review of the framework that it still does not provide adequate guidance for effective decision-making. The framework also doesn’t adequately “move the practice of risk management away from only reviewing, periodically, a list of risks.”
For me, I believe the new COSO ERM framework provides decent guidance on the stages of the risk management process…
Also, if you obtain a copy of the standard, you will notice that it is quite long and not something busy executives and board members can use to understand how risk management is more than a compliance exercise.
And since the standard was developed almost exclusively in the U.S., does it take international culture and regulatory factors into account? Integrating risk into the culture of the organization will certainly vary by region.
Considerations for implementing the COSO ERM framework – where do I start?
Because of its roots in compliance, audit, and financial reporting, the COSO ERM framework is the go-to standard for financial firms like credit unions, banks, and similar organizations. Simply looking at the list of principal contributors and COSO board members shows how the standard still leans heavily toward audit, accounting, and big consulting firms.
However, as we explained earlier, the newest version of the COSO ERM framework expands its scope beyond audit, financial reporting, and compliance.
The challenge is determining where to start.
I think one important thing to recognize is that you are not going to implement the entire framework at once.
The first step should be to see where your organization stands in relation to each of the principles outlined above. Some questions to ask can include:
- At a high level, what is your organization’s current culture and mindset towards risk?
- How does your organization make decisions?
- How do you know you have reached your goals or that trouble is brewing?
- Where is the organization being challenged?
- What problems is the organization facing and how can ERM help address these problems?
Once you have answered questions like this, you should then have a pretty good grasp as to where you should begin targeting your efforts.
Again, the goal shouldn’t be to try and implement the entire framework at one time, but rather determining the most urgent needs and starting there.
Does your organization use the COSO ERM framework to guide its risk management efforts?
Do you find it easy to navigate or do you find it difficult to apply to your organization’s needs?
Like other ERM frameworks, there are a variety of perspectives and experiences out there, which is why I am interested in hearing your thoughts about COSO.
Simply leave a comment below or join the conversation on LinkedIn.
And check back again in a few weeks for a comparison between COSO and the other major ERM framework, ISO 31000.
If your organization had identified the COSO ERM framework as the best fit or you are simply trying to find the right standard to use, please don’t hesitate to contact me to discuss your organization’s needs or complete the form below to be added to my coaching and consulting waitlist today!