Five Takeaways from COSO’s Updated ERM Framework
Author: Charlie Wright
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its updated enterprise risk management (ERM) framework, Enterprise Risk Management—Integrating with Strategy and Performance, on September 6, 2017. This new document replaces its 2004 predecessor, Enterprise Risk Management—Integrated Framework. COSO’s ERM framework is one of the world’s most widely recognized risk management frameworks. The updated framework emphasizes strategy and performance as integral components of an organization’s approach to risk management. It also reinforces the focus on embedding risk management activities in the fabric of an organization’s day-to-day processes. A more integrated risk management approach is expected to help organizations create, preserve and realize value.
COSO has delivered helpful guidance at just the right time as more organizations struggle to manage an increasingly complex governance, risk and compliance environment driven by astounding advances in technology, the development of new media channels and mobility. The recent update repositions the framework in these five ways:
- Focuses on strategy
- Clarifies that ERM isn’t a standalone activity
- Advances the debate about risk appetite and tolerance
- Focuses on an organization’s value
- Provides a good mechanism for assessing an organization’s risk management practices
Focus on Strategy
The framework places strategy within the context of an organization’s mission, vision and core values. By concentrating on the risk inherent in carrying out its strategy and achieving its business objectives, an organization improves its chances of managing and mitigating the risks that sit at the core of its business. Attending first to the most important strategic risks is what points an organization toward the value proposition of the new framework. The ERM process does not set strategy, but it provides a sound mechanism for evaluating the risks of competing strategic options.
Not a Standalone Activity
The updated framework clarifies that ERM shouldn’t be an isolated activity. An effective ERM process should leverage the processes, functions, departments and committees that already manage risk. By instilling a culture of risk awareness and transparency, organizations can create an environment in which it’s understood that “everyone is a risk manager.” Where culture, capabilities and risk management processes are integrated into operational practices, decision making is likely to improve.
Risk Appetite & Tolerance
The framework provides a better understanding of risk appetite and tolerance. While more clarification is still needed, the updated framework dedicates a section to this topic and includes a graphic to help communicate the concepts. Many organizations have struggled to find a mechanism for expressing risk appetite and tolerance. Some have created high-level statements that attempt to capture and articulate risk at a summary level; others have developed slightly more granular expressions of risk appetite. Very few, however, have succeeded in crafting appetite and tolerance statements that are actually useful in decision making. The updated framework is a step in the right direction and will facilitate good discussions on working through this issue.
Focus on Value
The updated framework focuses on value. Value is defined specifically for each organization, but in general an organization’s purpose is to provide value to its stakeholders. Whether the organization is for-profit or not-for-profit, value is created or preserved through the many decisions made throughout the organization. When those decisions are made within a risk-aware culture and opportunities are filtered through a well-designed risk management process, the organization’s performance is likely to trend positively. When discussing ERM, most management teams ask, “What’s the value of implementing an ERM process?” The answer is that a structured process gives decision makers a consistent way to identify and weigh risk, which helps them make better decisions at both the strategic and operational levels.
Assessing Risk Management Practices
Perhaps the most important takeaway is that the updated framework provides a means to assess an entity’s risk management practices. It articulates 20 understandable, logical risk management principles. As ERM matures, organizations need to be able to assess their risk management practices objectively. The 20 principles can be integrated into a maturity model, which supports a tailored assessment that accounts for the culture and complexity of the specific organization. BKD has developed a customized ERM maturity continuum built around the 20 principles in COSO’s updated framework.
COSO’s updated framework is a dramatic change from the prior version based on the COSO cube. It now focuses on specific concepts management teams find important: strategy, value and performance. It explains the importance of integrating risk management into day-to-day functions and how that can lead to better decision making, from strategic boardroom decisions to routine decisions made by anyone in the company. Organizations now have a better road map to implement an effective ERM process as well as a tool to assess where they are on the risk management maturity curve.
If you have questions about implementing ERM or assessing your current risk management practices, contact Charlie.
Get a free copy of the updated framework’s executive summary on COSO’s site. The entire updated framework also is available for purchase.