The COSO ERM framework published in 2004 provided guidance for developing enterprise risk management programs.
This past summer, COSO unveiled a proposed update, Enterprise Risk Management – Aligning Risk with Strategy and Performance, and opened the floor for public comment. We reviewed the update and provided detailed feedback. Since the comment period is coming to a close, we’ve provided a summary of what to expect in the update, as well as my (shortened) opinion of what should be changed.
What Does the COSO ERM Framework Include, and Why is it Important?
Enterprise Risk Management – Aligning Risk with Strategy and Performance focuses on exactly that: the direct link between an organization’s strategy and its performance. Key points include:
- Updated definitions of risk, ERM, and the components of each
- Principles related to risk management trends
- Insights into the role of enterprise risk management, along with frequently asked questions
Although the COSO “cube” graphic is gone, a major emphasis in the new COSO framework is the criticality of embedding risk management across all departments and levels of an organization. Without an enterprise-wide approach, the lack of continuity and transparency impedes the prioritization of concerns.
The update delves into a few other topics that reflect important risk management principles:
- Managing risk is a science. Risk management is objective and can be quantified and prioritized. Tasks, such as the design of controls, don’t have one perfect answer; even so, identifying root causes makes it easier to create a mitigation activity that matches the risk, company, and industry.
- Goals bring risk. Performance management is key: Even positive surprises, like increased demand for your service offering, can cause problems. If you haven’t adequately prepared for such an influx, one effect might be reduced customer satisfaction. The same risk impacts different business areas in different ways. Linking risks to business areas and reducing their likelihood and impact is critical.
- Organizations of all sizes should implement ERM. Whether your organization is a small private company, a Fortune 500 organization, or somewhere in between, it needs to be using an enterprise risk management solution. All types of regulators have made it clear they’re willing to target small companies for risk management negligence, even if no incident occurs.
- ERM is more than insurance; it is forward-looking. Risk management is not just a necessary expense in case something “bad” happens. It helps proactively mitigate all surprises and accelerates organizational development. It’s even been made a federally mandated for government entities by the Office of Management and Budget.
Here’s What’s Missing in the New COSO ERM Framework
While the framework is an important step forward for the industry and provides a more accurate reflection of the current risk environment, its biggest shortcoming is that it is not actionable enough. Improvement can be achieved by:
- Providing more specific, quantifiable recommendations that can lead organizations to the concepts discussed throughout.
- Providing a hierarchical prioritization, by percent contribution to business value, of risk management principles.
In order for organizations to use the framework to guide their own processes and lead to a measurable benefit, the framework needs to be more quantifiable. For example, rather than simply explaining the importance of a risk-based culture, the update should provide advice about how to achieve that culture.
An independent, peer-reviewed report, “The Valuation Implications of Enterprise Risk Management Maturity,” proved that organizations with mature ERM programs realize up to a 25% market valuation premium over those that don’t. This study, based on industry data collected by the RIMS Risk Maturity Model, outlines seven basic attributes of effective enterprise risk management. It then measures how much each attribute contributes to the 25% market valuation premium discussed above.
In my opinion, the following recommendations would make Enterprise Risk Management – Aligning Strategy and Performance more measurable and in line with statistically proven business processes. They are ordered from largest to smallest contribution to business value. For more details about each recommendation, please visit the full document on COSO’s feedback page:
- The update needs to stress the crucial difference between risk outcome and root cause, as this distinction is vital to effective risk identification.
- The “performance” attribute should be expanded so the update provides more support for internal initiatives, rather than emphasizing external elements.
- The update should contain more actionable components regarding the integration of ERM into everyday activities.
- The emphasis on engaging front-line management across all business areas should be quantified.
- The framework should be substantiated with references/citations to established precedents: the SEC’s Proxy Disclosure Enhancement and the Yates Memo, for example. This would help educate management about the consequences of not effectively monitoring their risk management activities.
To learn more about both the COSO ERM framework and why I’m recommending the five above changes, check out the document on COSO’s feedback page. Also take the free, best-practice RIMS Risk Maturity Model assessment to determine how closely your organization’s ERM program aligns with this framework.