COSO Plans Update to Enterprise Risk Management Framework

The Committee of Sponsoring Organizations of the Treadway Commission, also known as COSO, is planning a project to review and update its decade-old Enterprise Risk Management–Integrated Framework.

The framework, which was originally published in 2004, is widely used by management to improve an organization’s ability to manage uncertainty and to consider how much risk to accept as it strives to increase stakeholder value.

COSO hopes to enhance the framework’s content and relevance so organizations around the world can get better value from their enterprise risk management programs. As part of the initiative, COSO also intends to develop tools to help report on risk information and review and assess the application of enterprise risk management. The framework will be updated to enhance concepts developed in the original framework and to reflect the evolution of risk management thinking and practices, as well as changing stakeholder expectations.

“When you look at the framework, it’s more than 10 years old, and there has been a lot of development in risk management—new thinking, an evolution of terms and some new ideas that have come out,” said COSO chair Robert B. Hirth Jr., in an interview Wednesday with Accounting Today. “We want to take advantage of all that good thinking, and challenge it against our framework, or challenge our framework against all that new thinking, and then ultimately come to a conclusion as to what parts of it should be revised and what parts should stay the same. We just want our material to be helpful to all organizations to help them improve their performance.”

As with the updated Internal Control Integrated Framework that COSO released last year, PricewaterhouseCoopers will be the principal author, and PwC will update the ERM integrated framework under the COSO board's leadership and direction. “They’ve got a lot of experience in the process with us,” said Hirth. “That’s why we chose them from an efficiency perspective.”

The original ERM framework was also authored by PwC in 2004. “We were talking to the COSO board about the enterprise risk management framework on the back end of the discussion about the internal control framework,” said PwC risk consulting leader Dennis Chesley, who is the project team leader for the ERM framework update project. “It’s coming up on about 10 years ago that it was first published. We were reflecting on what has changed in that timeframe. Not only the business and the overall operating environments that our clients and different companies and organizations exist in have changed, but everything has become more complicated and interconnected with the technology changes. Our goal in the framework update is to help organizations with this increasingly complex and fast-changing environment, to help them mitigate risk in the achievement or in the pursuit of specified strategic, operational, compliance and reporting objectives.”

Stakeholder Survey
As the project begins, PwC will survey interested parties to capture their views and concerns about the current framework and to collect suggestions for improvements. The comments will help shape PwC’s and the COSO board’s views on the nature and extent of the required update.

“We’re just embarking on the process, which will include a big stakeholder survey to get a lot of input from all kinds of relevant stakeholders about the existing framework,” said Hirth. “Do they use it? How do they use it? Do they like it? Do they not like it? Should certain things change or stay the same? That’s a really important part of what I call the COSO-patented framework process.”

Hirth estimates the entire process will take between 18 and 24 months, while Chesley estimates it will take 24 to 30 months to complete.

“We’ll have some drafts and there’s an exposure comment period where people will be able to see what we’ve come up with and give us their comments,” said Hirth.

Help for Accountants
He sees different ways in which the updated enterprise risk management framework will help various types of accountants. “For people in the industry as accountants, it’s going to help their organizations deal with their objectives,” said Hirth. “Hopefully they’ll be able to meet more of their objectives more of the time, whether they’re individual financial objectives, strategic objectives or company-wide objectives. When you don’t meet your objectives, or when you do meet your objectives, they all come to roost in the financial statements at the end of the day. For accountants, if the organization can use our guidance to meet more of its objectives more of the time, you’d think the financial statements would look better. You’d have a stronger bottom line, you’d have less write-offs and things like that.”

Accounting firms will also find benefits in the updated framework, Hirth predicts. “On the other side of the house, for accountants that are in public practice working with clients, hopefully this guidance will be material that they can use that’s updated and revised to help their clients have more effective risk management programs,” he said. “If they have more effective risk management programs, we think they will meet more of their objectives more of the time so they’ll be more successful. Accountants in public practice and consultants that are former accountants will be able to help their clients in a way that I think their clients will be very happy.”

PwC won’t be the only firm to benefit from the updated framework. “We certainly are encouraged that the accounting firms would see this as a valuable tool to talk to their clients about, to assist companies and to work with them,” said PwC director Frank Martens. “We know there are various tools in the marketplace and each of the firms have their own perspective. But we do see there being value in firms having one common view of risk, what it’s about and how to leverage that in the marketplace. We would encourage them to participate in the project, to provide feedback and content and relevance to us. Going forward, we certainly would encourage the firms to be on board with this.”

Hirth also hopes to get input in the stakeholder survey from accounting organizations, along with companies, chief risk officers and CFOs. “We hope that the AICPA, which is one of our sponsoring organizations, and the accounting firms large and small, will give us feedback as well,” he said. “A rich diversity of feedback is what we want, because with these frameworks we try to be helpful to every kind of organization, from the small owner-managed business to the not-for-profit organizations and the government entities and the big large public companies as well as the companies that want to go public. We want input from lots of people.”

Abundance of Risks
Besides technology changes, the new framework may reflect some of the lessons learned from the failure of risk managers to properly take into account risks in areas such as subprime mortgages before the financial crisis.

“The framework is intended to bring the thinking up to date, including lessons learned from those types of events, but also experiences where the framework has done extremely well in helping organizations identify, assess, manage and mitigate enterprise-level risks,” said Chesley. “I think it’s a combination of what’s worked well, what needs to work better, and what lessons learned do we have. Since the groundbreaking moment in 2004 when the ERM framework was first published, what have organizations learned, both positive and negative, and how do we bring that into the construct of the new framework to help industries in general move forward in their thinking about how to manage enterprise risk?”

Other areas that might come up in the feedback are risks such as fraud, cybercrime, over-leverage, and credit risk, but Martens does not want the framework to be too proscriptive. “One of the things that we’ve been cautious of in the framework is trying to get overly proscriptive around exactly how to manage individual risks,” he said. “We think it’s important that management have a framework that provides them with context and insights around what to do. We have always provided in frameworks illustrations and examples, but we’re not trying to make this proscriptive in terms of what management needs to do. It’s a framework. But certainly things like technology, cybercrime, fraud and other broad sweeping trends that we see around demographics and globalization are things that companies need to be aware of. We think the framework can help them be aware of those and develop mitigation strategies, but we need to leave control in the hands of management.”

For more information about the framework, the stakeholder survey and the process, visit www.coso.org. Questions and comments may be submitted to COSO-ERM_Update@us.pwc.com.
