COSO proposes update to enterprise risk management framework

Changes that reflect the evolution of thinking and practices related to enterprise risk management (ERM) are among the most significant updates proposed to a new integrated framework devoted to ERM.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) will issue an exposure draft Wednesday and seeks public comment. The update, Enterprise Risk Management—Aligning Risk With Strategy and Performance, provides additional clarity on concepts introduced in the 2004 framework. Those updates are in response to growing complexity and speed of risk over the past decade.

“Risk cannot be viewed as a potential constraint or challenge to executing a strategy,” COSO Chairman Robert Hirth said in a news release. “Rather, how an organization copes with risk offers strategic opportunities. This update answers the call for improved culture, capabilities, and practices integrated with strategy setting and its execution.”

The updated framework proposes:

Adopting a structure of components and principles. The proposed framework would have five components supported by 23 principles. The five interrelated components are risk governance and culture; risk, strategy, and objective setting; risk in execution; risk information, communication, and reporting; and monitoring ERM performance.

Simplifying the definition of ERM. The proposed definition of ERM is “the culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value.”

Emphasizing the relationship between risk and value. The proposed, updated definition aligns risk to value, which is a key driver of ERM. Previously, ERM’s main focus was preventing the erosion of value and minimizing risk to an acceptable level. Today, it is vital to strategy and identification of opportunities to create and maintain value.

Renewing the focus on the integration of ERM. The proposed framework encourages users to consider ERM as part of the management of an organization instead of a distinct or siloed activity.

Examining the role of culture. While risk governance sets an organization’s tone, culture encompasses an organization’s ethical value, desired behaviors, and understanding of risk. The relationship between culture and business context influences how strategies are chosen and executed.

Elevating discussion of strategy. The proposed update focuses on three concepts: the possibility of strategy and business objectives not aligning with mission, vision, and values; the implications of the chosen strategy; and the risk to executing the strategy.

Enhancing the alignment between performance and ERM. The proposed update focuses on the role of risk being integral to the establishment of business objectives.

More explicitly linking ERM to decision-making. Decisions on things such as selection of strategy, the establishment of business objectives and performance targets, and the allocation of resources are more informed when risk information such as severity and type of risk is shared.

Delineating between ERM and internal control. COSO updated its internal control framework in 2013 to reflect changes in technology and the business environment. The proposed framework on ERM neither replaces nor supersedes the internal control document, which was an articulation of 17 principles spread across five main components. The frameworks are designed to be distinct but complementary.

Refining risk appetite and acceptable variation in performance. Such acceptable variation in performance is often referred to as risk tolerance. Risk appetite is the amount of risk an entity is willing to accept in the pursuit of strategy and business objectives. Risk tolerance is not a more detailed version of risk appetite but is focused on determining the amount of risk that is acceptable for a given level of performance. Risk and performance are not considered static and separate but are constantly changing and influencing each other.

To better illustrate the alignment of risk, strategy, and performance, the proposed framework introduced an update to the “COSO cube,” which was part of the 2004 framework. The titles of the documents have been changed to recognize the alignment. The 2004 document is named Enterprise Risk Management—Integrated Framework.

COSO is a committee of five sponsoring organizations, including the AICPA. The organizations come together periodically to provide thought leadership on ERM, internal control, and fraud deterrence.

COSO is seeking public comment on the exposure draft through Sept. 30. Comments can be made by visiting coso.org.

—Neil Amato (namato@aicpa.org) is a JofA senior editor.