Earlier this week, the Committee of Sponsoring Organizations of the Treadway Commission, better known as COSO, released proposed changes to its 2004 Enterprise Risk Management – Integrated Framework. Comments are due Sept. 30.
The proposal is both an update that recognizes changes in the environment since the original ERM framework was published, and a substantive revision. COSO explicitly outlines a principles-based structure for ERM, consisting of five overarching components and 23 principles falling therein. There is also an expanded discussion of board oversight responsibilities in addition to those of management.
COSO, a private-sector organization that issues guidance and thought leadership on fraud deterrence, internal control, and ERM, is best known for its 10-year studies of fraudulent financial reporting and its two frameworks: the 2004 ERM framework and the Internal Control – Integrated Framework, which was last updated in 2013.
Although there is no regulatory requirement for a public assertion of the effectiveness of ERM, the latest proposal includes a discussion about using the framework to assess ERM. COSO’s member organizations include the American Accounting Association, the American Institute of CPAs, Financial Executives International, the Institute of Internal Auditors, and the Institute of Management Accountants.
Definitions of risk, ERM
COSO’s proposed ERM update provides a helpful glossary of terms, which are hyperlinked within related text in the proposed ERM framework. Here are the updated definitions of risk and ERM:
Risk: The possibility that events will occur and affect the achievement of strategy and business objectives.
Enterprise risk management: The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.
I would strongly caution preparers, auditors, board members, and others to carefully read the complete Exposure Draft of the proposed ERM framework to understand the full breadth of what COSO says ERM could and should do.
For example, the Introductory section of the Exposure Draft, entitled “Applying the Framework, Putting it in Context,” which precedes the formal framework, states in paragraph 18:
“Enterprise risk management focuses on managing risks to reduce the likelihood that an event will occur, and on managing the impact when one does occur. ‘Managing the impact’ may require an organization to adapt as circumstances dictate. In some extreme cases, this may include implementing a crisis management plan.”
Principles-based framework follows that of Internal Control
COSO’s updated ERM framework follows a principles-and-components-based structure, a model incorporated in its 2013 internal control update. There are five components, supported by 23 principles.
Risk, Governance and Culture
- Exercises Board Risk Oversight
- Establishes Governance and Operating Model
- Defines Desired Organizational Behaviors
- Demonstrates Commitment to Integrity and Ethics
- Enforces Accountability
- Attracts, Develops, and Retains Talented Individuals
Risk, Strategy and Objective-Setting
- Considers Risk and Business Context
- Defines Risk Appetite
- Evaluates Alternative Strategies
- Considers Risk while Establishing Business Objectives
- Defines Acceptable Variation in Performance
Risk in Execution
- Identifies Risk in Execution
- Assesses Severity of Risk
- Prioritizes Risks
- Identifies and Selects Risk Responses
- Assesses Risk in Execution
- Develops Portfolio View
Risk Information, Communication and Reporting
- Uses Relevant Information
- Leverages Information Systems
- Communicates Risk Information
- Reports on Risk, Culture, and Performance
Monitoring Risk Management Performance
- Monitoring Substantial Change
- Monitors Enterprise Risk Management
Although COSO generally does not require “checklists” to satisfy its requirements (in the case of ERM, not “requirements” per se), the list above provides a starting point for determining whether ERM is effective.
Could ERM assertion become mandatory?
It is not a surprise that among the frequently asked questions about this COSO project are whether COSO’s ERM framework is mandatory (no, it is not, says COSO) or whether it was written for a specific regulation or regulatory body (no, says COSO). However, it is likely COSO had in mind the possible use of its ERM framework as a reference point for any future regulation that could require an assertion of the effectiveness of ERM, akin to the SEC and PCAOB rules requiring management’s and the auditor’s assertions of the effectiveness of internal control over external financial reporting.
In fact, COSO devotes the entirety of page 24 in its proposal to the topic of Assessing Enterprise Risk Management, which says in part:
- An organization should have a means to reliably provide to the entity’s stakeholders a reasonable expectation that it is able to manage risk associated with the strategy and business objectives to an acceptable level.
- It does this by assessing the enterprise risk management practices that are in place. Such assessment is voluntary, unless required otherwise by legislation or regulation.
- The Framework (Chapters 6 through 10) does not require that an assessment of the overall effectiveness of enterprise risk management be completed, but it does provide criteria for conducting one and making reasoned conclusions.
During an assessment, the organization may consider whether:
- The components and principles relating to enterprise risk management are present and functioning.
- The components relating to enterprise risk management are operating together in an integrated manner.
- Controls necessary to effect principles are present and functioning.
The three points above, setting forth key points in assessing effectiveness of ERM, will feel like déjà vu to companies, auditors, and boards of directors that are already well-immersed in COSO’s updated internal control framework, also known as “COSO 2013.”
Curiously, the SEC and PCAOB are not listed among the “observers” on this COSO project (although the FDIC and GAO are); the SEC and PCAOB were observers on COSO’s projects over the past 10 years relating to COSO’s internal control framework. Although the SEC and PCAOB decided to sit this one out, they are no doubt following the project with interest.