Now that its 2013 Internal Control Framework has been embraced and adopted by business, the Committee of Sponsoring Organizations of the Treadway Commission is in the process of following up with a second framework revision; this one for the Enterprise Risk Management Framework first produced in 2004.
The commission recently sent a draft version to its advisory council, and will soon release the draft for a 90-day public comment period. COSO expects the final version to be ready by the end of the calendar year, if not sooner.
According to COSO chair Bob Hirth, the new framework is likely to be titled “Enterprise Risk Management – Aligning Risk with Strategy and Performance.” He says it will feature some differences in format from the 2004 version, and will reflect changes in enterprise risk management since then.
One change will be the number and types of component categories. The 2004 framework used eight basic components, such as Objective Setting or Monitoring. The new framework will have just five, but they’ll be more encompassing:
- Risk, governance and culture
- Risk, strategy and objectives
- Risk, management and performance
- Risk, information, communication and reporting
- Risk in execution
FINDING SOME DISCIPLINE
Those new components tell the story of how business and technology have changed since 2004, and why COSO decided the time was right to create its new framework.
“We want to move enterprise risk management from a process to a discipline,” says Hirth, “to move the concept of risk management higher up in the decision-making chain. We want it to be more integral to planning, to become a discipline that is used throughout the organization.”
As with COSO’s Internal Control Framework, technology now makes it possible to do just that. Changes in the COSO 2013 Internal Control Framework were largely inspired by the fact that newer technologies, such as automation, had made it possible to improve the quality and effectiveness of controls. Newer technologies, available both in and outside the enterprise, now help bring more factual weight to strategic planning.
This is where so-called big data comes into play, Hirth notes. “Companies now have a wealth of information available, and that information can help them understand and manage risk more effectively.”
The goal for users of the new COSO ERM Framework will be a “risk-adjusted” strategy that can pay off at the bottom line. If, for instance, a business is planning to expand to a new geographical market, factoring risk into strategic planning could help the finance group get a head start on researching, testing and installing controls in advance of the move.
Another feature of the new framework will roll out more gradually. This will consist of tools in the form of templates that businesses can use to describe and report on the financial risks they’re likely to face in a given scenario.
As an example, a reporting tool might make it possible to show how a specific risk would play out for four levels of enterprise management. “The tool could show how a particular issue would impact each person in the reporting chain, from the accountant to the business unit manager, to the executive and even the board member,” Hirth says. “And the information would be consistent from level to level, to facilitate communication across all levels.”