Earlier this week, the Committee of Sponsoring Organizations of the Treadway Commission, better known as COSO, released proposed changes to its 2004 Enterprise Risk Management – Integrated Framework. Comments are due Sept. 30.
The proposal is both an update that recognizes changes in the environment since the original ERM framework was published, and a substantive revision. COSO explicitly outlines a principles-based structure for ERM, consisting of five overarching components and 23 principles falling therein. There is also an expanded discussion of board oversight responsibilities in addition to those of management.
COSO, a private-sector organization that issues guidance and thought leadership on fraud deterrence, internal control, and ERM, is best known for its 10-year studies of fraudulent financial reporting and its two frameworks: the 2004 ERM framework and the Internal Control – Integrated Framework, which was last updated in 2013.
Although there is no regulatory requirement for a public assertion of the effectiveness of ERM, the latest proposal includes a discussion about using the framework to assess ERM. COSO’s member organizations include the American Accounting Association, the American Institute of CPAs, Financial Executives International, the Institute of Internal Auditors, and the Institute of Management Accountants.
Definitions of risk, ERM
COSO’s proposed ERM update provides a helpful glossary of terms, which are hyperlinked within related text in the proposed ERM framework. Here are the updated definitions of risk and ERM:
Risk: The possibility that events will occur and affect the achievement of strategy and business objectives.
Enterprise risk management: The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.
I would strongly caution preparers, auditors, board members, and others to carefully read the complete Exposure Draft of the proposed ERM framework to understand the full breadth of what COSO says ERM could and should do.
For example, the Introductory section of the Exposure Draft, entitled “Applying the Framework, Putting it in Context,” which precedes the formal framework, states in paragraph 18:
“Enterprise risk management focuses on managing risks to reduce the likelihood that an event will occur, and on managing the impact when one does occur. ‘Managing the impact’ may require an organization to adapt as circumstances dictate. In some extreme cases, this may include implementing a crisis management plan.”
Principles-based framework follows that of Internal Control
COSO’s updated ERM framework follows a principles-and-components-based structure, a model incorporated in its 2013 internal control update. There are five components, supported by 23 principles.
Risk, Governance and Culture
Risk, Strategy and Objective-Setting
Risk in Execution
Risk Information, Communication and Reporting
Monitoring Risk Management Performance
Although COSO generally does not require “checklists” to satisfy its requirements (in the case of ERM, they are not “requirements” per se), the list above provides a starting point for determining whether ERM is effective.
Could ERM assertion become mandatory?
It is not a surprise that among the frequently asked questions about this COSO project are whether COSO’s ERM framework is mandatory (no, it is not, says COSO) and whether it was written for a specific regulation or regulatory body (no, says COSO). However, it is likely COSO had in mind the possible use of its ERM framework as a reference point for any future regulation that could require an assertion of the effectiveness of ERM, akin to the SEC and PCAOB rules requiring management’s and the auditor’s assertions of the effectiveness of internal control over external financial reporting.
In fact, COSO devotes the entirety of page 24 in its proposal to the topic of Assessing Enterprise Risk Management, which says in part:
During an assessment, the organization may consider whether:
The three points above, setting forth key points in assessing effectiveness of ERM, will feel like déjà vu to companies, auditors, and boards of directors that are already well-immersed in COSO’s updated internal control framework, also known as “COSO 2013.”
Curiously, the SEC and PCAOB are not listed among the “observers” on this COSO project (although the FDIC and GAO are); the SEC and PCAOB were observers on COSO’s projects over the past 10 years relating to COSO’s internal control framework. Although the SEC and PCAOB decided to sit this one out, they are no doubt following the project with interest.
Comments count; you can find links to the Executive Summary, FAQs, the online comment form, and more at erm.coso.org.