
What to Expect from COSO’s Newest Framework

Now that its 2013 Internal Control Framework has been embraced and adopted by business, the Committee of Sponsoring Organizations of the Treadway Commission is following up with a second framework revision, this one for the Enterprise Risk Management Framework first produced in 2004.

The commission recently sent a draft version to its advisory council, and will soon release the draft for a 90-day public comment period. COSO expects the final version to be ready by the end of the calendar year, if not sooner.

According to COSO chair Bob Hirth, the new framework is likely to be titled “Enterprise Risk Management – Aligning Risk with Strategy and Performance.” He says it will feature some differences in format from the 2004 version, and will reflect changes in enterprise risk management since then.

One change will be the number and types of component categories. The 2004 framework used eight basic components, such as Objective Setting or Monitoring. The new framework will have just five, but they’ll be more encompassing:

  • Risk, governance and culture

  • Risk, strategy and objectives

  • Risk, management and performance

  • Risk, information, communication and reporting

  • Risk in execution

FINDING SOME DISCIPLINE

Those new components tell the story of how business and technology have changed since 2004, and why COSO decided the time was right to create its new framework.

“We want to move enterprise risk management from a process to a discipline,” says Hirth. “To move the concept of risk management higher up in the decision-making chain. We want it to be more integral to planning, to become a discipline that is used throughout the organization.”

As with COSO’s Internal Control Framework, technology now makes it possible to do just that. Changes in the COSO 2013 Internal Control Framework were largely inspired by the fact that newer technologies, such as automation, had made it possible to improve the quality and effectiveness of controls. Newer technologies, available both in and outside the enterprise, now help bring more factual weight to strategic planning.

This is where so-called big data comes into play, Hirth notes. “Companies now have a wealth of information available, and that information can help them understand and manage risk more effectively.”

The goal for users of the new COSO ERM Framework will be a “risk-adjusted” strategy that can pay off at the bottom line. If, for instance, a business is planning to expand to a new geographical market, factoring risk into strategic planning could help the finance group get a head start on researching, testing and installing controls in advance of the move.

ADDING TOOLS

Another feature of the new framework will roll out more gradually. This will consist of tools in the form of templates that businesses can use to describe and report on the financial risks they’re likely to face in a given scenario.

As an example, a reporting tool might make it possible to show how a specific risk would play out for four levels of enterprise management. “The tool could show how a particular issue would impact each person in the reporting chain, from the accountant to the business unit manager, to the executive and even the board member,” Hirth says. “And the information would be consistent from level to level, to facilitate communication across all levels.”

HOW THEY FIT TOGETHER

The coming ERM Framework differs from COSO’s Internal Control Framework in the same way that risk management differs from internal control. Where internal control deals with specific problems, devices and strategies, risk management is more fluid, says Hirth.

“You can more or less bear-hug an organization from an internal control perspective, but risk management is harder to pin down. There are many more outside variables and uncertainties.”

That specificity is why the COSO Internal Control Framework is prevalent among public companies. Hirth says that every company that follows SOX (the Sarbanes-Oxley Act) now uses the COSO Internal Control Framework. But he expects the new ERM Framework to cast a wider net – to be used by organizations of all types and sizes, including not-for-profits, government agencies and state and local offices.

As for the two frameworks’ synergies, Hirth notes that the Internal Controls Framework will fit neatly into the Risk in Execution section of the ERM Framework.

“The two concepts really go hand-in-hand,” he says. “You likely need effective internal control to have good risk management. Effective internal control will free up management’s time to concentrate on strategy.”