COSO ERM Framework – Background & Overview

The COSO ERM framework is one of two widely accepted risk management standards organizations use to help manage risks in an increasingly turbulent, unpredictable business landscape. We previously discussed the background and a general overview of the other commonly used ERM framework, ISO 31000.

COSO, which is short for the Committee of Sponsoring Organizations of the Treadway Commission, was initially established by five major accounting associations and institutes in the U.S. in the mid-1980s as part of the National Commission on Fraudulent Financial Reporting. The committee came to be known as the Treadway Commission in honor of its original chairman, James C. Treadway, Jr.

The initial mission of COSO was to study financial reporting and develop recommendations to prevent fraud.

Its first “standard,” Internal Control – Integrated Framework, was released in 1992 and provided a comprehensive framework for helping organizations assess and improve their internal control systems. It went on to become extremely popular; in a 2006 poll, 82% of respondents claimed they use the standard to guide their internal control and compliance activities.

In the years following its release, organizations soon began to realize there was a gap in the internal control framework.

While it was helpful in reducing risks around fraudulent behavior and regulatory compliance, there was no way to identify and assess which risks the organization needed to put controls around.

This recognition, plus demands for better corporate governance and risk management standards after Enron and similar scandals, led COSO to create its Enterprise Risk Management – Integrated Framework in 2004.

COSO’s initial standard placed a strong emphasis on audit as the driving force behind enterprise risk management.

Signing of the Sarbanes-Oxley Act of 2002 by President George W. Bush

Although the 2004 COSO framework includes strategy setting in its definition of ERM, the reality is that the Sarbanes-Oxley Act (frequently referred to as SOX) and its requirements for public companies to test and certify financial reporting controls was a strong motivating factor in developing the standard.

In the original standard, ERM consisted of four categories – Strategic, Operations, Reporting, and Compliance – and two of these (Reporting and Compliance) relate directly to corporate governance.

As this summary of the ’04 standard from NC State explains, the ERM standard is almost like an expanded version of the internal control standard in that it goes beyond financial statements to include reports throughout the enterprise.

Although the original standard includes strategic objectives as a category, the reason for including it was to ensure the organization’s strategies “align with operations, reporting, and compliance activities.”

In the end, the 2004 COSO ERM framework focused more on what can be audited rather than identifying threats and opportunities, which is where the real value in ERM lies. The standard was a comfortable fit for organizations where risk was driven by audit.

While the latest COSO ERM framework retains many of the same characteristics as the original, it places greater emphasis on strategy.

In feedback, many practitioners explained that the original COSO ERM framework was solely concerned with internal control.

To address this and other concerns, COSO, in partnership with PwC, released an updated standard in 2017 with the title Enterprise Risk Management – Integrating with Strategy and Performance.

The new COSO ERM framework included some significant changes according to its authors. Dr. Mark Beasley, Director of the ERM Initiative at NC State and member of COSO’s Advisory Council, explains:

While the connection of risk management and strategy was emphasized in the original framework, the 2017 updated framework places greater emphasis on the importance of integrating risk considerations when designing and implementing strategies to accomplish the organization’s performance goals and objectives.

In its summary, PwC discusses significant differences between the 2004 and 2017 standards.

For example, the structure is much different. Instead of using a cube to illustrate the link between the four categories and the eight components of the risk management process, the new standard uses a ribbon-type diagram that intertwines the now five categories throughout an organization’s lifecycle (see below). The standard explains that three ribbons in the diagram represent common processes that “flow through the entity” (Strategy/Objective-Setting, Performance, and Review/Revision), while the other two ribbons represent the supporting mechanisms of ERM (Governance/Culture, and Information, Communication, and Reporting).

COSO ERM Cube (2004)*

Components of ERM – 2017 COSO Standard**

Besides focusing more on strategic objectives, the new framework places greater emphasis on culture and dives deeper into concepts like risk appetite and, as Dr. Beasley explained, integrating risk management throughout the organization.

COSO’s new ERM framework now includes five components or categories with 20 principles spread throughout each component. Those components are:

  1. Governance and Culture – Forms the basis of the other components by providing guidance on board oversight responsibilities, operating structures, leadership’s tone, and attracting, developing, and retaining the right individuals. For more information, check out Why a Strong Governance Foundation is Vital to Successful ERM.
  2. Strategy & Objective-Setting – This component focuses on strategic planning and how the organization can understand the effect of internal and external factors on risk. This section provides guidance on analyzing business context, defining risk appetite, and formulating objectives.
  3. Performance – After an organization develops its strategy, it then moves on to identify and assess risks that could affect its ability to achieve these goals. This section not only helps guide the organization’s risk identification and assessment, but also how to prioritize and respond to risks. After all, an organization is only as good as its performance, which is bigger than just risk management.
  4. Review and Revision – At some point after risks have been prioritized and a course of action has been chosen, the organization moves into the review and revision phase, where it assesses any changes that have taken place. This is also the opportunity to understand how the ERM process in the organization can be improved upon.
  5. Information, Communication, and Reporting – The last component of the COSO ERM framework involves sharing information from internal and external sources throughout the organization. Systems are used to capture, process, manage, and report on the organization’s risk, culture, and performance.

ERM uses an iterative process. Just because an organization has issued risk reports doesn’t mean the work is finished. With information about risk treatments and processes in hand, a review and refinement of governance, strategy, and risk management processes can and should take place.

Thought leaders and practitioners provide feedback on the new COSO ERM framework.

Along with thought leaders like Norman Marks and others, I agree the new COSO ERM framework is a dramatic improvement over the original standard from over 15 years ago. The ’04 version was certainly more audit focused and not so much on strategic objectives and adding value.

A common perception was that ERM was more of a documentation exercise than a system for ensuring objectives were being met and opportunities were being properly seized upon. Also, many felt the original standard was long and cumbersome and was not useful for timely decision-making, hence the perception of ERM being a documentation exercise.

And while the new standard provides better guidance on defining objectives and developing plans to maximize value to stakeholders, it still has some gaps.

Norman Marks for example explains in his review of the framework that it still does not provide adequate guidance for effective decision-making. The framework also doesn’t adequately “move the practice of risk management away from only reviewing, periodically, a list of risks.”

For me, I believe the new COSO ERM framework provides decent guidance on the stages of the risk management process…

However, it seems to still consider risks individually and is reactive instead of proactive.

Also, if you obtain a copy of the standard, you will notice that it is quite long and not something busy executives and board members can use to understand how risk management is more than a compliance exercise.

And since the standard was developed almost exclusively in the U.S., does it take international culture and regulatory factors into account? Integrating risk into the culture of the organization will certainly vary by region.

Considerations for implementing the COSO ERM framework – where do I start?

Because of its roots in compliance, audit, and financial reporting, the COSO ERM framework is the go-to standard for financial firms like credit unions, banks, and similar organizations. Simply looking at the list of principal contributors and COSO board members shows how the standard still leans heavily toward audit, accounting, and big consulting firms.

However, as we explained earlier, the newest version of the COSO ERM framework expands its scope beyond audit, financial reporting, and compliance.

The challenge is determining where to start.

I think one important thing to recognize is that you are not going to implement the entire framework at once.

The first step should be to see where your organization stands in relation to each of the principles outlined above. Some questions to ask can include:

  • At a high level, what is your organization’s current culture and mindset towards risk?
  • How does your organization make decisions?
  • How do you know you have reached your goals or that trouble is brewing?
  • Where is the organization being challenged?
  • What problems is the organization facing and how can ERM help address these problems?

Once you have answered questions like these, you should have a pretty good grasp of where to begin targeting your efforts.

Again, the goal shouldn’t be to try to implement the entire framework at one time, but rather to determine the most urgent needs and start there.

Does your organization use the COSO ERM framework to guide its risk management efforts?

Do you find it easy to navigate or do you find it difficult to apply to your organization’s needs?

Like other ERM frameworks, there are a variety of perspectives and experiences out there, which is why I am interested in hearing your thoughts about COSO.

Simply leave a comment below or join the conversation on LinkedIn.

And check out the ISO 31000 vs. COSO article for a comparison between the two leading risk management standards.

If your organization has identified the COSO ERM framework as the best fit, or you are simply trying to find the right standard to use, visit my consulting website (Strategic Decision Solutions) to learn more about how I help organizations overcome challenges and ensure long-term success.

* Enterprise Risk Management – Integrated Framework © 2004. Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

** Enterprise Risk Management – Integrating Strategy with Performance © 2017. Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
