COSO Updates Enterprise Risk Management Framework

By Michael Cohn, Accounting Today

The Committee of Sponsoring Organizations of the Treadway Commission, also known as COSO, has unveiled a proposed update to its 2004 enterprise risk management framework.

PwC US, the author of the original framework, helped lead the project in producing the revised framework, which is open for public comment starting June 15. The updated framework, COSO Enterprise Risk Management – Aligning Risk with Strategy and Performance, addresses the need for an improved approach to managing risk as a way to help create, preserve, sustain and realize value.

COSO has expanded its website, www.COSO.org, with a section on the framework update that includes the proposed framework, survey and comment tools, and FAQs about the project, details of the most significant updates and how to respond to the survey. The site also includes a video that features four members of the Advisory Council addressing the ERM update process and the importance of obtaining input from a variety of risk professionals about the proposed changes.

Public comments will be accepted June 15 through Sept. 30, 2016. Written comments on the exposure draft will become part of the public record and will be available on the COSO website through Dec. 31, 2016.

The new framework has been in the works since October 2014 (see COSO Plans Update to Enterprise Risk Management Framework).

“Back in October 2014, we announced we were going to revise our ERM framework, which came out in 2004, so now 16 months later we’re at the point where this week we’ll be releasing the 90-day public exposure draft of the revisions,” COSO chair Robert Hirth Jr. told Accounting Today. “We’re really excited about it. We think we’ve got some great updated material and some new items. We’re looking forward to the comments we’ll get from around the world. We believe there’s a significant amount of interest from outside of the U.S. because of the way that they seem to be interested in risk management.”

The framework remains broad enough to fit the needs of different types of organizations. It also continues to focus on strategy. As with COSO's internal control framework, it provides a set of criteria for assessing enterprise risk management and its effectiveness. However, there are also many key differences in the new framework.

“We start with the mission, vision and values of the company, which really help guide the strategy-setting process, and then we talk about how that needs to create a certain kind of risk-aware culture throughout the organization,” said Hirth. “Another small, but important difference is we really try to get the ERM discussion started in the strategy-setting process, not after the strategy is done. We think that will really create a better risk-adjusted strategy. Once a better strategy is set, then the rest of the organization responds by setting their own objectives to meet the strategy.”

The new framework has changes in criteria. “We really like the way we structured the 2013 internal control framework, so you’ll have five major components of effective enterprise risk management and then we have 23 supporting principles,” said Hirth. “When you get the document, you’ll be able to see the criteria in the form of these components and principles. Another thing we tried to emphasize is how this all ties into the decision-making of an organization. Organizations make decisions throughout the organization, and each of those decisions has a degree of uncertainty surrounding it.”

The new framework is encapsulated in a new graphic. “We’ve always had a memorable graphic known as the COSO Cube, and we’ve changed that up a bit for the ERM framework,” said Hirth. “I like to refer to it as the COSO ERM Rainbow.”

Dennis Chesley, global risk consulting leader of PricewaterhouseCoopers, sees many positives in the new framework. “One of the biggest changes that people will see is the graphic,” he said. “We’re moving away from a cube graphic and moving to a graphic that really represents the application of enterprise risk management across the value chain of an organization, pretty much regardless of the size, structure or purpose of the organization.”

He highlighted the new structure. “We’re moving from what was eight components in the framework in 2004 to five components in the updated framework. This is really meant to improve the alignment of the ERM framework with strategy and performance, which is going to be underpinning the update to the framework.”

The new framework integrates risk with strategy. “The framework calls for explicit consideration of risk during the strategic planning process,” said Chesley. “This is an area that had been loosely touched on in the past in other frameworks as well, but this is now explicitly dealt with in this framework. This not only improves the strategy discussions, but it also enables the organization to get a leg up on the risks that are associated with this selected strategy when implementation begins. The framework considers the risk in executing the strategy and specifically what risk considerations and situations might drive the need to go back and revisit strategy. It really works in both directions. What are the risks coming out of the strategic planning process when the strategy has been selected, and what risks occurred during execution that would cause us to go back and revisit strategy?”

Jim DeLoach, managing director of the consulting firm Protiviti, sees some challenges in implementing the new framework. “The biggest challenge will likely arise in integrating risk and strategy," he commented. "Many organizations focus on identifying risks to the execution of the strategy. But COSO asserts that 'risks to the strategy' is only one dimension of strategic risk. There are two additional dimensions to applying ERM in strategy setting – the 'possibility of strategy not aligning' with an organization’s mission, vision and core values and the 'implications from the strategy,' meaning the risk profile arising from the strategy itself. These two dimensions reach beyond the usual focus on strategic execution risk.”

The new framework also considers the alignment of an organization’s mission and vision with its strategy, and it deals with newer risks such as cybersecurity.

“Different business strategies come with different risk profiles, and require different risk capabilities within the organization in order to implement that strategy,” said Chesley. “For example, a strategy that’s heavily dependent upon technology for expansion into emerging markets or use of third parties means the organization needs to be good at dealing with technology risks in cyber, geopolitical risk considerations, etc.”

The new framework also connects risk with performance. “One of the conversations that the framework is going to push forward is the conversation about how much risk are we taking in pursuit of our performance goals,” said Chesley. “That’s a really important consideration. If you rewind the clock back to 2008 and look at the mortgage industry and concentration risk in the mortgage business, it really is meant to drive that conversation, to understand where we are setting our performance goals against a given business objective, and what risks are we taking in pursuit of that. If we set the goal higher and more aggressively, how does that change the risks? If you set a lower goal, how does that change the risks? And do you bring that conversation to light to make better risk-based decisions when setting performance goals?”

Hirth estimates that tens of thousands of organizations around the world are using the COSO ERM framework, based on the number of publicly traded companies using COSO's internal control framework. The main competitor is the ISO 31000 framework. COSO plans to make the new framework available in eight different languages to facilitate its spread. In addition to English, it will be translated into Chinese, Japanese, Spanish, French, Portuguese, Arabic and Russian.

The public comment period starts this week and will run through September 30. Based on the reaction to the last framework, Chesley anticipates they will receive more than 10,000 comments. He said PwC will use the fourth quarter of this year and the first quarter of 2017 to integrate all of the comments and work with the COSO board to finalize the framework, probably in the second quarter of 2017.