COSO, the oddly-named Committee of Sponsoring Organizations of the Treadway Commission, has released a new version of its enterprise risk management (ERM) framework. This is freely available to the public and they encourage risk professionals to provide feedback. The new framework can be downloaded from here. The public have until 30th September to comment; feedback should be submitted here.
This revision of the COSO ERM framework is long overdue. The original was published in 2004 and I found it almost impossible to use in practice. It was too focused on downside risk, too complicated, and too specific. This meant it was too difficult to adjust the contents to suit the actual circumstances of the risk manager and the business that he or she was working in, or to engage the support of fellow managers for the adoption of its more useful elements. COSO deserved credit for creating the first ERM standard, but its serious failings became obvious when ISO31000 was published in 2009, offering some long-overdue competition. Since then ISO31000 has raced ahead and become the leading ERM standard worldwide, though the American-written and American-oriented COSO framework continues to be popular in the USA. Informal surveys certainly suggest that ISO31000 is greatly preferred by risk professionals. That said, competition promotes improvement, so I expect the team of COSO authors, which was led by PwC, will have addressed some of the weaknesses in the original COSO framework and learned from the example of ISO31000. These are the areas they say they have improved.
1. Adopts a structure of components and principles
They have five interrelated framework components supported by twenty-three principles. However, the biggest difference will probably be graphical in nature. The infamous COSO cube has been killed, and has been replaced by a rainbow (pictured above).
2. Simplifies the definition of enterprise risk management
At first glance, this actually means: “copied the ISO31000 definition”. It is good that they copied the ISO31000 definition, but a shame they cannot admit to the reasons why they did.
3. Emphasizes the relationship between risk and value
The press release explains this by saying:
Enterprise risk management is no longer focused principally on preventing the erosion of value and minimizing risk to an acceptable level. Rather, it is viewed as integral to strategy setting and the identification of opportunities to create and maintain value. Instead of simply focusing on reducing risk to a target state, enterprise risk management becomes a dynamic and integral part of managing an entity throughout the value chain.
Fair enough. The old framework was too focused on negatives and targets. However, making ERM ‘dynamic and integral’ is easier to write than to do, so their advice will deserve close scrutiny.
4. Renews the focus on the integration of enterprise risk management
Read: “try to avoid ERM being treated as a bureaucratic silo by the rest of the business.” The goal is laudable but the detail needs to be reviewed before reaching a conclusion on whether they succeeded. At first glance, I would question whether a 130-page framework is short enough to discourage the siloization of ERM. And many broken and overly bureaucratic elements of ERM continue to feature in the standard. For example, who but a paper-pushing niche ERM analyst would even care about determining an ‘inherent’ risk, which is a theoretical calculation not relating to the real life experience of risk and unlikely to be based on empirical data because it must ignore the risk management activities that already occur?
5. Examines the role of culture
As the press release states:
The significance of culture’s influence on enterprise risk management practices is one of the first concepts introduced within the updated document.
Culture is important, so they are right to do this. But because culture is so important, you have to wonder why this American team cannot identify their blind spot when attempting to write a standard that will be used around the world. Of the nine principal authors, only one is not American… and he comes from Canada. COSO chair Robert Hirth Jr. told Accounting Today:
We’re looking forward to the comments we’ll get from around the world. We believe there’s a significant amount of interest from outside of the U.S. because of the way that they seem to be interested in risk management.
Way to go, buddy. You mean there are businesses outside of the USA too? And they also have risks? And they greatly prefer to use ISO31000? So taking an interest in people “outside of the U.S.” might be good risk management for your own ERM standard-setting body, no? Maybe next time you will go even further, and appoint two authors who do not live on the East coast of the USA?
6. Elevates discussion of strategy
At long last. The biggest risks are almost always strategic risks. The failure to properly link risk management to strategy is a key reason why ERM gets treated as an irrelevant exercise performed by a bureaucratic silo.
7. Enhances the alignment between performance and enterprise risk management
Alignment between performance and risk management should be so obvious that it hardly needs saying. But saying it is a step in the right direction.
8. Links enterprise risk management into decision-making more explicitly
Ditto my previous comment. In what sense are you managing risks if the output of risk management never influences a business decision?
9. Delineates between enterprise risk management and internal controls
I suppose there is a need to address this issue because COSO’s ERM framework came after their internal controls framework, and most companies adopted the internal controls framework first. Certainly ERM should not be reduced to the implementation of a long list of controls. However, I need to read the detail to understand what this ‘delineation’ means in practice.
10. Refines risk appetite and acceptable variation in performance (risk tolerance)
They certainly needed to do more work on risk appetite, but my first skim read suggests they were too scared to make the most important correction. Risk appetite is ultimately an expression of the risk that it is desirable to take on behalf of investors, so it is insufficient to assert that:
It is up to management to develop the risk appetite statement.
The responsibility for the risk appetite statement should be specifically placed at board level. Only the board will have the non-executive directors necessary to challenge the temptation for executives to take excessive risk in order to maximize their bonuses. Furthermore, executive remuneration should be aligned to the risk appetite for precisely this reason. It is hence inadequate to vaguely talk about ‘management’ developing the risk appetite statement when the people who oversee management have a crucial role to play in setting the appetite and ensuring that management act in accordance with that appetite.
I could speculate one reason why this version of the framework still refuses to pin responsibility for appetite statements on the board. This standard is mostly written by PwC, and they sell more consulting projects to executive management than to non-executive directors… or am I imagining a risk of bias where none could possibly exist?
What You Should Do
I am going to read the new version of the COSO ERM framework properly, from cover to cover. And then I will read it again. You should do the same. Despite my lack of confidence, some of it will be good. And even when it is not good, I want to understand what I like and dislike about this framework, and to think about what I could usefully take from it. Then I might write a proper review for Commsrisk. I may even provide feedback to COSO, and see if they take any notice.
Also, this framework is free. 130 pages of free advice is being given away by highly-paid professionals. Do not tell me you have no time to read such a long document: make the time. Professionals develop themselves, as well as demanding training and development from others.
A risk professional who will not read this framework no more deserves their role than a Christian can claim to be godly without ever reading the Bible. It may be easier to get lectures/sermons from consultants/priests, but you should really go back to the authoritative text and not just rely on somebody else’s interpretation and advice. Nor does it matter what level you work at. If you do any kind of risk management, it must be a subset of enterprise risk management. So even if you can do your job reasonably well whilst remaining totally ignorant of leading ERM frameworks, you will fall down when you start complaining to other people in the business about the value, impact and importance of the risks you identify and manage. Niche risk managers need to align their work to the priorities and values of the whole enterprise, not vice versa. The great challenge in writing an ERM framework is that it must deal with how organizations can consistently value and prioritize every different kind of risk.
So download it, read it, and provide feedback if you feel you have something to contribute. The worst that can happen is you might think differently about how you do your job…