The COSO ERM guidance is one of two widely accepted risk management standards organizations use to help manage risks in an increasingly turbulent, unpredictable business landscape. We previously discussed the background and a general overview of the other commonly used ERM standard, ISO 31000.
COSO, short for the Committee of Sponsoring Organizations of the Treadway Commission, was formed in 1985 by five major U.S. accounting and finance professional associations to sponsor the National Commission on Fraudulent Financial Reporting. That commission came to be known as the Treadway Commission after its original chairman, James C. Treadway, Jr.
The initial mission of COSO was to study financial reporting and develop recommendations to prevent fraud.
Its first “standard,” Internal Control – Integrated Framework, was released in 1992 and provided comprehensive guidance to help organizations assess and improve their internal control systems. It became extremely popular; in a 2006 poll, 82% of respondents said they used the framework to guide their internal control and compliance activities.
In the years following its release, organizations began to realize there was a gap in the internal control guidance.
While it helped reduce risks around fraudulent behavior and regulatory compliance, it offered no method for identifying and assessing which risks the organization actually needed to put controls around.
This recognition, plus demands for better corporate governance and risk management standards after Enron and similar scandals, led COSO to create its Enterprise Risk Management – Integrated Framework in 2004.
COSO’s initial guidance placed a strong emphasis on audit as the driving force behind enterprise risk management.
Although the 2004 COSO guidance includes strategy setting in its definition of ERM, the reality is that the Sarbanes-Oxley Act (frequently referred to as SOX), with its requirement that public companies test and certify their financial reporting controls, was a strong motivating factor in developing the guidance.
In the original guidance, objectives fell into four categories – Strategic, Operations, Reporting, and Compliance – and two of these directly relate to corporate governance.
As this summary of the ’04 guidance from NC State explains, the ERM standard is almost like an expanded version of the internal control guidance in that it goes beyond financial statements to include reports throughout the enterprise.
Although the original guidance includes strategic objectives as a category, the reason for including it was to ensure the organization’s strategies “align with operations, reporting, and compliance activities.”
In the end, the 2004 COSO ERM guidance focused more on what can be audited rather than identifying threats and opportunities, which is where the real value in ERM lies. The guidance was a comfortable fit for organizations where risk was driven by audit.
While the latest COSO ERM guidance retains many of the same characteristics as the original, it places greater emphasis on strategy.
In feedback, many practitioners explained that the original COSO ERM guidance was solely concerned with internal control.
To address this and other concerns, COSO, in partnership with PwC, released an updated standard in 2017 with the title Enterprise Risk Management – Integrating with Strategy and Performance.
The new COSO ERM guidance included some significant changes according to its authors. Dr. Mark Beasley, Director of the ERM Initiative at NC State and member of COSO’s Advisory Council, explains:
While the connection of risk management and strategy was emphasized in the original guidance, the 2017 update places greater emphasis on the importance of integrating risk considerations when designing and implementing strategies to accomplish the organization’s performance goals and objectives.
In its summary, PwC discusses significant differences between the 2004 and 2017 guidance.
For example, the structure is much different. Instead of using a cube to illustrate the link between the four objective categories and the eight components of the risk management process, the new standard uses a ribbon-type diagram that intertwines its five components throughout an organization’s lifecycle (see below). The standard explains that three of the ribbons represent common processes that “flow through the entity” (Strategy/Objective-Setting, Performance, and Review/Revision), while the other two represent the supporting mechanisms of ERM (Governance/Culture and Information, Communication, and Reporting).
COSO ERM Cube (2004)*
Components of ERM – 2017 COSO Standard**
Besides focusing more on strategic objectives, the new guidance places greater emphasis on culture and dives deeper into concepts like risk appetite and, as Dr. Beasley explained, integrating risk management throughout the organization.
COSO’s new ERM guidance is organized into five components, with 20 principles distributed across them. Those components are:
- Governance and Culture – Forms the basis of the other components by providing counsel on board oversight responsibilities, operating structures, leadership’s tone, and attracting, developing, and retaining the right individuals. For more information, check out Why a Strong Governance Foundation is Vital to Successful ERM.
- Strategy & Objective-Setting – This component focuses on strategic planning and how the organization can understand the effect of internal and external factors on risk. This section provides guidance on analyzing business context, defining risk appetite, and formulating objectives.
- Performance – After an organization develops its strategy, it then moves on to identify and assess risks that could affect its ability to achieve these goals. This section not only helps guide the organization’s risk identification and assessment, but also how to prioritize and respond to risks. After all, an organization is only as good as its performance, which is bigger than just risk management.
- Review and Revision – At some point after risks have been prioritized and a course of action has been chosen, the organization moves into the review and revision phase, where it assesses any changes that have taken place. This is also the opportunity to understand how the ERM process in the organization can be improved.
- Information, Communication, and Reporting – The last component of the COSO ERM guidance involves sharing information from internal and external sources throughout the organization. Systems are used to capture, process, manage, and report on the organization’s risk, culture, and performance.
ERM uses an iterative process. Just because an organization has issued risk reports doesn’t mean the work is finished. With information about risk treatments and processes in hand, a review and refinement of governance, strategy, and risk management processes can and should take place.
Thought leaders and practitioners provide feedback on the new COSO ERM guidance.
Along with thought leaders like Norman Marks and others, I agree the new COSO ERM guidance is a dramatic improvement over the original standard from over 15 years ago. The ’04 version was certainly more audit-focused and paid less attention to strategic objectives and adding value.
A common perception was that ERM was more of a documentation exercise than a system for ensuring objectives were met and opportunities were properly seized. Many also felt the original guidance was long and cumbersome and not useful for timely decision-making, which reinforced that perception.
And while the new guidance provides better recommendations on defining objectives and developing plans to maximize value to stakeholders, it still has some gaps.
Norman Marks for example explains in his review of the guidance that it still does not provide adequate information for effective decision-making. The guidance also doesn’t adequately “move the practice of risk management away from only reviewing, periodically, a list of risks.”
For me, I believe the new COSO ERM guidance provides decent insights on the stages of the risk management process…
However, it seems to still consider risks individually and is reactive instead of proactive.
Also, if you obtain a copy of the standard, you will notice that it is quite long and not something busy executives and board members can use to understand how risk management is more than a compliance exercise.
And since the guidance was developed almost exclusively in the U.S., does it take international culture and regulatory factors into account? Integrating risk into the culture of the organization will certainly vary by region.
Considerations for implementing the COSO ERM guidance – where do I start?
Because of its roots in compliance, audit, and financial reporting, the COSO ERM guidance is the go-to standard for financial firms like credit unions, banks, and similar organizations. Simply looking at the list of principal contributors and COSO board members shows how the standard still leans heavily toward audit, accounting, and big consulting firms.
However, as we explained earlier, the newest version of the COSO ERM guidance expands its scope beyond audit, financial reporting, and compliance.
The challenge is determining where to start.
I think one important thing to recognize is that you are not going to implement the entire guidance at once.
The first step should be to see where your organization stands in relation to each of the principles outlined above. Some questions to ask can include:
- At a high level, what is your organization’s current culture and mindset towards risk?
- How does your organization make decisions?
- How do you know you have reached your goals or that trouble is brewing?
- Where is the organization being challenged?
- What problems is the organization facing and how can ERM help address these problems?
Once you have answered questions like these, you should have a pretty good grasp of where to begin targeting your efforts.
Again, the goal shouldn’t be to try and implement the entire guidance at one time, but rather determining the most urgent needs and starting there.
Does your organization use the COSO ERM guidance to guide its risk management efforts?
Do you find it easy to navigate or do you find it difficult to apply to your organization’s needs?
Like other ERM standards, there are a variety of perspectives and experiences out there, which is why I am interested in hearing your thoughts about COSO.
Simply leave a comment below or join the conversation on LinkedIn.
And check out the ISO 31000 vs. COSO article for a comparison between the two leading risk management standards.
If your organization has identified the COSO ERM guidance as the best fit, or you are simply trying to find the right standard to use, visit my consulting website (Strategic Decision Solutions) to learn more about how I help organizations overcome challenges and ensure long-term success.
* Enterprise Risk Management – Integrated Framework © 2004. Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
** Enterprise Risk Management – Integrating with Strategy and Performance © 2017. Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.