COSO releases updated enterprise risk management framework
The Committee of Sponsoring Organizations of the Treadway Commission released a long-awaited update Wednesday to its ERM Framework: Enterprise Risk Management–Integrating with Strategy and Performance, the first since 2004.
The updated framework, developed by PricewaterhouseCoopers under the direction of the COSO board, aims to help organizations improve their approach to managing risk. COSO is also responsible for the recently updated internal control framework used by many auditors, and the ERM framework can also be used by accountants, auditors and consultants. The revamped framework highlights the importance of enterprise risk management in strategic planning, stressing the need to embed ERM throughout an organization to influence both strategy and performance.
So far, there has been positive feedback on the new framework. “I’ve received a bunch of calls and a bunch of items in social media, all saying this is a big step in a direction that risk management needs to go,” said Dennis Chesley, PwC’s global risk and regulatory consulting leader and project partner for the COSO ERM effort. “It’s about better integrating enterprise risk management with an organization’s strategy through performance and implementation. I feel really good about what the team has been able to accomplish.”
He noted that the COSO board wanted his team to help create a more global framework than has been available in the past. “We’ve spoken to over 400 organizations in 11 countries that span five continents as part of creating this framework,” said Chesley. “That feedback helped shape this thinking. A lot of it validated some of our early theories that we had put out there and hypotheses that we created. It was a really exciting time to be able to talk to these organizations, understand their perspectives, share our perspectives, and roll all of that learning into this product.”
The first part of the revamped framework discusses some perspectives on current and evolving concepts and applications of ERM to meet business demands. The framework is split into five components with different viewpoints and operating structures for strategies and decision-making. The five components include governance and culture; strategy and objective-setting; performance; review and revision; and information, communication and reporting. The framework focuses on ERM challenges and expectations that business leaders and boards cope with, such as shifting economic markets, evolving technologies and changing demographics, to support their decision-making.
“The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting,” said COSO chair Robert B. Hirth Jr., in a statement. “Our overall goal is to continue to encourage a risk-conscious culture. There is no doubt that organizations will continue to face a future full of volatility, complexity, and ambiguity. Enterprise risk management will be an important part of how an organization manages and prospers through these times.”
Chesley sees three primary advances in the updated ERM framework. “I think it’s going to take a fresh new look at the benefits that can be achieved from enterprise risk management,” he said. “Two, it lays out a very simple structure of five components and 20 principles that demystify risk a little bit, and also make it easier to swallow for any size organization. And the third thing is we come at the topic of culture. That’s a very hot topic around the world right now, as many organizations and regulatory agencies are struggling with what to do next in helping to drive a better risk-based culture or a culture that considers risks in its decision-making processes. Those are the things that I think will help a lot of organizations as they’re looking at enterprise risk management.”
He also believes the framework better defines the connection between ERM and strategic planning. “The relationship between ERM and performance is something that we dove deeper into in this framework,” said Chesley. “We think both of those have relevance, especially as businesses are becoming more complicated. Business ecosystems are changing. The environments in which these businesses exist are changing, with the effect of technology and social media and the speed of information flow. All of that adds up to the need for better connection between risk and performance, and a better consideration of risk and strategic planning.”
In talks with organizations around the world, he and his team found that risk management had surprisingly low priority during the strategic planning process.
“As we began looking at the strategic planning process, we realized there’s a level of effort that goes into strategic planning that risk is just not a part of today,” said Chesley. “Whether it’s from the beginning of generating different strategic alternatives and ideas, market assessments and understanding the markets and direction of things, risk wasn’t even at the table in most of the organizations that we talked to. Then when it came to actually deliberating on a set of strategic alternatives, risk was also not at the table. When it came time to select the strategy, risk considerations oftentimes were loosely coupled with the strategic decision being made."
What ended up happening in many organizations was that risk managers came in at the end to help interpret the company’s risk appetite out of the strategy itself. “What we changed in the framework was we said risk should be integrated into the strategic planning process such that it is a key consideration in making strategic decisions and then beginning the process of implementing those,” said Chesley.
Along the way, COSO heard plenty of feedback and positive comments on the proposed framework as the team worked on it. “We received over 2,000 independent comments, which was an incredible number of pieces of feedback that we got on the framework,” said Chesley. “In addition, we received 217 online surveys, which was again great feedback. In all of that feedback, the positive ratings outnumbered negative ratings by 4.5 to 1, so we knew we were going in the right direction. You’re never going to write a framework that everybody is 100 percent positive about. Everybody’s got different points of view, but to have that type of positive and negative ratio of 4.5 to 1, we knew we were heading in a really good direction. We’re also proud of the executive summary, which we think puts a line in the sand of what can be expected from the framework. I personally urge a lot of organizations to read that executive summary because it portrays risk very differently than it has been positioned in the past.”
The document is available in print and e-book formats,as well as through on-line subscription and PDF licensing for large organizations, accounting and consulting firms. COSO also offers software application licenses and a training license fee arrangement. In addition, COSO is planning to translate the framework into several languages, including Chinese, Japanese, Spanish and French. For more information, visit www.coso.org.