COSO releases a new risk management framework

After three years in development, the Committee of Sponsoring Organizations of the Treadway Commission has released its finalized Enterprise Risk Management Integrated Framework.

"The ERM project came about before Enron. When we looked at what was missing in corporate life, we realized that there was no generally accepted framework for managing risk," COSO chairman John J. Flaherty told reporters at a recent luncheon, where the framework was unveiled.

COSO is a voluntary organization that was formed in 1985 by the private sector in an effort to address fraudulent financial reporting. The group's internal control framework, released in 1992, has been widely adopted by businesses to comply with the requirements of Sarbanes-Oxley.

The principles-based framework, which is designed to apply to companies of all sizes, is intended to serve as a roadmap for management and company boards for identifying risk, avoiding pitfalls and seizing opportunities for growth.

"This isn't a response to Enron," Flaherty said. "It's a way to help companies better achieve their operational objectives." He noted that the new framework, which was developed by PricewaterhouseCoopers, isn't intended to replace the internal control framework upon which it is built. Rather, he said that the new framework goes beyond the internal control framework.

Toni Maki, chair of the COSO ERM Advisory Council and managing partner of Moss Adams Advisory Services, noted that PwC received input from more than 70 organizations during the public comment period on the draft framework that was released last year.

"Many companies look at risk on an ad hoc basis, or take a purely compliance focus," said Rick Steinberg, a retired PwC partner and founder of Steinberg Governance Advisors. "This framework provides the principles and components to help companies identify, assess, respond to and control risk. It goes beyond the internal control framework."

Steinberg added that the framework emphasizes the idea that "line management must be ultimately responsible, starting with the CEO."

"Every entity exists for the purpose of creating value for its stakeholders," added Miles Everson, one of the framework's authors and a partner at PwC. "This isn't about creating a risk-averse environment. It's about creating a balance between a company's growth, return, its objectives and the amount of risk a company is willing to take."

COSO's five member organizations are the American Institute of CPAs, the American Accounting Association, Financial Executives International, the Institute of Internal Auditors and the Institute of Management Accountants.
