On 6 September COSO launched its new framework for enterprise risk management. It places strong emphasis on embedding risk management across the whole enterprise and aligns it with corporate strategy. This is the end product of almost three years of work and systematic consultation among risk, audit and compliance executives.
The new framework replaces COSO’s original ERM framework from 2004. As the following sections show, the original version had little relevance to the intertwined business risks enterprises face today. In short, new risks have emerged, and prudent boards and executives have had to increase their awareness and oversight of enterprise risk management while continuously seeking improved risk reporting. This is what COSO Chairman Robert Hirth recently said when he referred to promoting an enterprise-wide risk-conscious culture.
The ERM framework is structurally similar to the COSO internal control framework from 2013: five major components, each one supported by multiple principles. The ERM framework has 20 principles, whereas the internal control framework has only 17. Many of the principles are similar, but only a few are identical.
More specifically, two components have new names: “risk in execution” is now “performance,” and “monitoring risk management performance” is “review and revision.” The final framework has only 20 principles rather than the originally proposed 23.
Here below is the full list of the components and principles:
Another interesting change is the principle graphic COSO uses for the ERM framework. Where the internal control framework has the famed COSO cube, the ERM framework has:
Interestingly, this image is a “DNA-like structure” depicting the central concept that risk management principles should be embedded into all parts of the enterprise. Could this be the ERM helix or the COSO code? In any case, COSO produced the final framework in a way that is useful when evaluating corporate strategy.
How many times have we all seen boards and CEOs adopt short-sighted strategies or miss the bigger picture in their choices? How many times have we come to realise that mission statements and core values were misaligned? Hopefully, COSO will now help senior executives to avoid such mistakes by applying a disciplined process and testing the strategies under consideration more effectively. This will certainly help senior executives to align what they promise publicly with what they deliver.
The Challenges Ahead
The ECA will be holding a specialist course this winter to help you confront the first challenge. The new ERM framework does make good sense at the theoretical level. However, should your board and line-of-business heads be exhausted from internal control compliance, suggesting that the enterprise should now go for ERM may be a tough sell. We can help practitioners across different functions to master the concept that intelligent risk management does lead to more disciplined performance.
This is precisely what makes regulatory compliance smoother, financial reporting effective, and corporate governance sustainable.
Here is your second challenge. If in-house compliance, audit, and risk executives wish to implement this ERM framework, the ECA can help you demonstrate that this initiative can build on earlier programmes to produce a much stronger internal control environment. It is therefore all about how this ERM project differs from the internal control work you have been doing up to now.