New guidance on enterprise risk management released earlier this month by the Committee of Sponsoring Organizations (or COSO) of the Treadway Commission has received the support of a key group of constituents: risk managers.

Similar in format to COSO’s 2013 internal control update, also authored by PwC under the oversight of an advisory council, COSO’s 2017 ERM framework has a principles-based approach.

RIMS, an international organization of chief risk officers and other risk managers, announced its support of COSO’s new ERM framework.

“RIMS members took advantage of the unique opportunity to influence one of the industry’s major guidance documents,” said Carol Fox, vice president of strategic initiatives at RIMS, in a post earlier this month on the RIMS blog.  

COSO’s ERM project marks the first time risk management professionals have participated formally on an advisory task force, with Fox serving as RIMS’ observer on the group. COSO’s five sponsoring organizations represent key sectors of the financial reporting and auditing profession, including the AICPA, the American Accounting Association, Financial Executives International, the Institute of Internal Auditors, and the Institute of Management Accountants.

Principles-based approach
The new ERM framework focuses on five interrelated components:

  • Governance and culture
  • Strategy and objective-setting
  • Performance
  • Review and revision
  • Information, communication, and reporting

The framework also identifies 20 principles which further define the components. The principles, components, and additional information can be found in the full ERM framework, available for purchase from the AICPA,, and in the executive summary available to the public at no charge.

Key changes to 2017 ERM framework
In addition to adopting a more principles-based approach, other key changes to COSO’s 2017 ERM framework vs. the 2004 ERM framework include the following:

  • It simplifies the definition of enterprise risk management.
  • It emphasizes the relationship between risk and value.
  • It renews the focus on the integration of enterprise risk management.
  • It examines the role of culture.
  • It elevates the discussion of strategy.
  • It enhances the alignment between performance and enterprise risk management.
  • It links enterprise risk management into decision-making more explicitly.
  • It delineates between enterprise risk management and internal control.
  • It refines risk appetite and tolerance.

Relationship to COSO 2013 internal control framework
One important distinction between COSO’s 2017 ERM framework and COSO’s 2013 internal control-integrated framework is that COSO 2013 is the de facto standard for regulatory reporting purposes to comply with Sarbanes-Oxley Section 404(a) and 404(b) reporting on internal control over financial reporting by management and auditors. De facto acceptance of COSO’s 2013  internal control framework traces to its widespread use in practice, as amplified in the explicit acknowledgement of the acceptability of COSO’s internal control framework in the SEC’s rule on management reporting on internal control. AICPA rules relating to internal control engagements for private companies similarly reference COSO.

Internal control is a component of ERM, subsumed within the ERM framework. However, COSO’s internal control framework is not superseded by the COSO 2017 ERM framework.

COSO says as much in the forward to its ERM framework: “The two publications are distinct and have different focuses; neither supersedes the other.” This point is detailed further in COSO’s FAQs, which note that internal control over financial reporting is a fundamental aspect of ERM, and that the two documents complement each other, but neither document supersedes the other.

Read more in “The top changes to the COSO ERM framework you need to know now,” by PwC.

How CFOs can best work with CROs
In comments sent to the MACPA blog, RIMS’ Carol Fox addressed the question of how CROs can best work with CFOs and the finance function  in coordinating the risk management function.

“The roles of CFO and CRO are complementary,” says Fox. “Both are accountable for setting and reinforcing expectations – along with the entire management team — as to how deeply and broadly ERM is integrated into decision-making for strategic, tactical and operational activities.”

“CROs are seen as strategic advisors that ‘think about risk differently’ while leading the risk management plan, processes and practices to build organizational competencies,” she added. “CFOs, who are stepping into the role of strategic decision-maker as well as finance leader, tend to be quite knowledgeable about cross-functional risks, economic trends and emerging issues.”

The collaboration between CROs and CFOs, Fox said, “leads to greater insights and overall performance improvement.”

Loading