June 17, 2016
Jim Buchanan
The commission recently sent a draft version to its advisory council, and will soon release the draft for a 90-day public comment period. COSO expects the final version to be ready by the end of the calendar year, if not sooner.
According to COSO chair Bob Hirth, the new framework is likely to be titled “Enterprise Risk Management – Aligning Risk with Strategy and Performance.” He says it will feature some differences in format from the 2004 version, and will reflect changes in enterprise risk management since then.
One change will be the number and types of component categories. The 2004 framework used eight basic components, such as Objective Setting or Monitoring. The new framework will have just five, but they’ll be more encompassing:
Risk, governance and culture
Risk, strategy and objectives
Risk, management and performance
Risk, information, communication and reporting
Risk in execution
Those new components tell the story of how business and technology have changed since 2004, and why COSO decided the time was right to create its new framework.
“We want to move enterprise risk management from a process to a discipline,” says Hirth. “To move the concept of risk management higher up in the decision-making chain. We want it to be more integral to planning, to become a discipline that is used throughout the organization.”
As with COSO’s Internal Control Framework, technology now makes it possible to do just that. Changes in the COSO 2013 Internal Control Framework were largely inspired by the fact that newer technologies, such as automation, had made it possible to improve the quality and effectiveness of controls. Newer technologies, available both in and outside the enterprise, now help bring more factual weight to strategic planning.
This is where so-called big data comes into play, Hirth notes. “Companies now have a wealth of information available, and that information can help them understand and manage risk more effectively.”
The goal for users of the new COSO ERM Framework will be a “risk-adjusted” strategy that can pay off at the bottom line. If, for instance, a business is planning to expand to a new geographical market, factoring risk into strategic planning could help the finance group get a head start on researching, testing and installing controls in advance of the move.
Another feature of the new framework will roll out more gradually. This will consist of tools in the form of templates that businesses can use to describe and report on the financial risks they’re likely to face in a given scenario.
As an example, a reporting tool might make it possible to show how a specific risk would play out for four levels of enterprise management. “The tool could show how a particular issue would impact each person in the reporting chain, from the accountant to the business unit manager, to the executive and even the board member,” Hirth says. “And the information would be consistent from level to level, to facilitate communication across all levels.”
The coming ERM Framework differs from COSO’s Internal Control Framework in the same way that risk management differs from internal control. Where internal control deals with specific problems, devices and strategies, risk management is more fluid, says Hirth.
“You can more or less bear-hug an organization from an internal control perspective, but risk management is harder to pin down. There are many more outside variables and uncertainties.”
That specificity is why the COSO Internal Control Framework is prevalent among public companies. Hirth says that every company that follows SOX (the Sarbanes-Oxley Act) now uses the COSO Internal Control Framework. But he expects the new ERM Framework to cast a wider net – to be used by organizations of all types and sizes, including not-for-profits, government agencies and state and local offices.
As for the two frameworks’ synergies, Hirth notes that the Internal Control Framework will fit neatly into the Risk in Execution section of the ERM Framework.
“The two concepts really go hand-in-hand,” he says. “You likely need effective internal control to have good risk management. Effective internal control will free up management’s time to concentrate on strategy.”