Draft guidance for applying COSO’s Enterprise Risk Management Framework to environmental, social, and governance-related risks has been released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the World Business Council for Sustainable Development (WBCSD).
The draft was released for review and comment by the public on February 8, 2018. COSO and the WBCSD will review comments, make changes, and plan to issue the final guidance later in the year.
Newly elected COSO Chairman Paul Sobel, who is Vice President and Chief Audit Executive for Georgia-Pacific, says, “ESG-related risks are complex and becoming more widespread. The role of the ESG Guidance will be to serve as an application of COSO’s ERM Framework.”
COSO published the ERM Framework last fall, and Sobel sees ESG as one of many areas that could benefit from its application.
“The ERM Framework was designed for applications like ESG,” he says. “There are other areas, such as cybersecurity, that have similar needs.”
**Something for Everyone**
In fact, the structure of the ERM Framework, with its five components and 20 principles, makes it a source for a variety of users, from CEOs and CFOs to risk managers and internal auditors.
The executive summary, for instance, outlines how risk management can be applied to strategic planning, while the Performance component and the Information, Communication, and Reporting component feature guidelines for everything from prioritizing risks to leveraging technology.
“The executive summary is targeted for the board and C-suite,” Sobel says. “The rest, which is 100-plus pages, can be used in part by those who have specific responsibilities. That’s because people have many different roles in managing risk throughout the organization.”
The ERM Framework is now seeing wide acceptance around the world, notes Sobel. But he urges companies to investigate any and all types of risk management frameworks.
“You shouldn’t hitch your horses to just one wagon,” he says. “I encourage companies to look at all of the options out there—at the new update for ISO 3000, for instance. We recommend that you use one framework as the foundation and we think the COSO ERM Framework is well suited for that. But ultimately, you should customize risk management to fit your organization.”