The Committee of Sponsoring Organizations (COSO) is a joint initiative of private sector organizations that provides thought leadership through the development of enterprise risk management, internal control, and fraud deterrence frameworks. It was organized in 1985 and developed several key frameworks for internal controls and enterprise risk management (ERM). This blog highlights some of the recent developments in COSO’s ERM frameworks.
COSO defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.” In 2004, COSO issued Enterprise Risk Management – Integrated Framework after several high-profile business scandals and the passage of the Sarbanes-Oxley Act of 2002.
The “Enterprise Risk Management – Integrated Framework” is often pictured as a three-dimensional cube with:
- Four categories of entity objectives, which include strategic, operations, reporting, and compliance
- Eight components, which include internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring
- Activities from all levels of the organization, which can include enterprise-level, division or subsidiary, and business unit processes
2017 update: integrating with strategy and performance
In 2017, COSO updated the above framework with “Enterprise Risk Management: Integrating with Strategy and Performance.” The title of the new guidance highlights the greater emphasis on linking strategy and performance to ERM. This is not a surprise to most ERM practitioners, because AICPA’s 2017 State of Risk Oversight survey found that over one-third of the 432 organizations in its survey do no formal assessments of strategic, market, or industry risks.
The “Enterprise Risk Management: Integrating with Strategy and Performance” framework has five components, instead of the eight in the previous guidance. They include: governance and culture; strategy and objective setting; performance; review and revision; and information, communication, and reporting. The five components are supported by 20 new principles.
COSO has also teamed up with World Business Council, an organization of over 200 leading companies with a combined revenue of $8.5 trillion and 19 million employees, to release a new draft guidance on environmental, social, and governance-related risks.
Impact on ERM communities
So what does this mean for the ERM communities?
- While COSO’s ERM principles are not mandatory, they emphasize a greater need to tie ERM to strategy and performance.
- In “Enterprise Risk Management: Integrating with Strategy and Performance,” COSO included several trends: dealing with the proliferation of data, leveraging artificial intelligence and automation, and managing the cost of risk management. All of this points to managing risks in the new digital economy.
- Working with the business. The joint effort between COSO and the World Business Council to release a new draft guidance on environmental, social, and governance-related risks shows the ERM framework setters are working more closely with the business communities to address risks for the business.
On the technology side, we see changing business models and the new products and services driving digital transformation. The digital transformation pillars of mobile, cloud, Big Data, and analytics (accelerated by the Internet of Things, machine learning, and blockchain) offer new computing infrastructures for the business and ERM to transform digitally and to add value to the business.
In summary, the trends that are driving digital and ERM transformation are already present and continuing to approach. There is no better time to take the opportunity to embrace the future and create higher levels of value for the business.
- In our GRC Tuesday series of blogs, you can find posts about ERM, GDPR, the Three Lines of Defense, and more.
- Join us at the International SAP Conference on Internal Controls, Compliance, and Risk Management in Amsterdam March 15 and 16, 2018.