We review the new COSO enterprise risk management framework and discuss its implications for the risk management profession.
In October 2014, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) announced a project to review and update its original Enterprise Risk Management–Integrated Framework, first published in 2004 and since adopted by risk managers worldwide.
Since then COSO has conducted further consultation and research, and in June 2016 it issued a draft of the updated framework for public comment, inviting risk professionals to provide input until 30 September 2016. Both the executive summary and the full 120-page draft are available from COSO.
The most significant change in this first revision in over 12 years is the acknowledgement that risk information should inform the choice of strategy itself, and not only the management of risk within a strategy that has already been chosen.
The document states “As we’ve seen the Framework applied in practice, we’ve recognized that it has the potential to be used more extensively. We realized that certain aspects would benefit from more depth and clarity, as well as greater insight into the links between strategy, risk, and performance.”
“Enterprise risk management is as much about understanding the implications of the strategy and the possibility of strategy not aligning as creating an inventory of all risks within the organization”
Following some research conducted by PwC, COSO concludes that: “Enterprise risk management, as it has typically been practiced, has helped many organizations identify, manage, and mitigate risks to the strategy. But the most significant causes of value destruction are embedded in the possibility of the strategy not supporting the entity’s mission and vision and the implications of the strategy.”
“Analyses of underperforming organizations reveal that they lost their way because of strategic blunders (possibility of and implications from), rather than operational errors, compliance faults, or external events. Enterprise risk management helps to make the evaluation of strategy rooted in the decisions made by senior management much clearer.
It clarifies how strategy selection can be enhanced. Choosing a strategy calls for structured decision-making that analyses risk and aligns budgets and activities with the mission and vision of the organization.”
The Strategic Value of the COSO Framework
Within a world of continuous change, every choice an organisation makes in pursuit of its objectives carries risk. Whether it is a daily operational decision or a major board-room choice, dealing with uncertainty is a critical aspect of decision-making. “When uncertainty is considered in the formulation of an organisation’s strategy and business objectives, enterprise risk management helps optimize outcomes.”
COSO sees the benefits of effective enterprise risk management as:
- Increasing the range of opportunities: By considering all possibilities, both the positive and the negative aspects of risk, management can identify new opportunities and the unique challenges associated with current ones.
- Identifying and managing risk, entity-wide: Every entity faces myriad risks that can affect many parts of the organization. Sometimes a risk can originate in one part of the entity but impact a different part. Consequently, management identifies and manages these entity-wide risks to sustain and improve performance.
- Reducing negative surprises and increasing gains: Enterprise risk management allows entities to improve their ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses, while profiting from advantageous developments.
- Reducing performance variability: Enterprise risk management allows entities to anticipate the risks that would impact performance and enable them to put in place the actions needed to minimize disruption.
- Improving resource deployment: Obtaining robust information on risk allows management to assess overall resource needs and enhance resource allocation.
- Responding to change: Medium and long-term viability depend on an entity's ability to anticipate and respond to change, not only to survive but also to evolve and thrive. This is often referred to as “enterprise resilience”.
Aligning Risk with Strategy and Performance
Details of the suggested new framework are described within the documentation, however, in summary, it is focused on 5 key areas covering:
- Risk Governance and Culture: Encompassing oversight responsibilities, ethical values, desired behaviours, and understanding of risk in the entity.
- Risk, Strategy, and Objective-Setting: Establishing risk appetite and its alignment with strategy and business objectives.
- Risk in Execution: The impact of risk on the strategy and business objectives needs to be identified and assessed. Risks are prioritised by severity in the context of risk appetite. The organisation then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
- Risk Information, Communication, and Reporting: The continual process of obtaining and sharing risk information across the organisation, from both internal and external sources.
- Monitoring Enterprise Risk Management Performance: Reviewing how well the enterprise risk management process itself is working and adapting it as the organisation and its environment change.
These 5 areas are then broken down into 23 principles, a full listing of which can be found in the executive summary document.
Significance of the changes
The changes outlined clearly reflect the transformation that some organisations are already going through with respect to risk management. The move to use risk information across the organisation more strategically is being driven by changes in culture and regulation; it is also made possible by a new generation of supporting technology.
To enable the participation and use of risk data across the business, risk systems have needed to change. The ability to easily tailor data entry and reporting to different users through intuitive interfaces is one major feature. Others include support for mobile devices, easy-to-understand dashboards, sophisticated data aggregation and automated workflow. One example is the use of Key Risk Indicator (KRI) thresholds that trigger automated alerts when risk tolerance limits are being approached or reached.
The adoption of these features is helping risk managers to transform their role from data and reporting managers into champions of best practice. A risk management software solution that integrates risks, KRIs and thresholds frees the second line of defence from gathering data and chasing responses. Free of this burden, they can spend more time encouraging the organisation at every level to embed risk within decision-making and so help to increase business value.
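The KRI threshold mechanism described above is easy to get subtly wrong: indicators where a lower reading is worse need their thresholds inverted, and alerting on every period in which a limit is breached buries the one transition that matters. The following is an added example, not code from the page or from any risk management product, showing one way to implement it: each KRI carries a warning (amber) and a tolerance (red) threshold, readings are replayed in reporting order, and an alert is raised only when an indicator's status changes. The two indicators, their owners, thresholds and quarterly readings are constructed sample data.

```python
"""KRI threshold monitoring: classify each indicator reading against an amber
(warning) and red (tolerance) threshold and raise an alert only when the status
changes, so a breach that persists for several periods is not re-alerted each time.
Added illustrative code; indicators, owners and readings below are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Sequence, Tuple


class Status(Enum):
    GREEN = 0   # within appetite
    AMBER = 1   # approaching the tolerance limit
    RED = 2     # tolerance limit reached or breached


@dataclass(frozen=True)
class KRI:
    """A key risk indicator with two thresholds. Where a higher reading is worse
    (e.g. a count of overdue items) the thresholds rise; where a lower reading is
    worse (e.g. a coverage percentage) they fall."""
    name: str
    owner: str
    unit: str
    warning: float      # amber threshold
    tolerance: float    # red threshold: the limit agreed with the risk owner
    higher_is_worse: bool = True

    def __post_init__(self) -> None:
        # The warning threshold must lie on the "good" side of tolerance,
        # otherwise amber could never fire before red.
        ordered = (self.warning < self.tolerance if self.higher_is_worse
                   else self.warning > self.tolerance)
        if not ordered:
            raise ValueError(f"{self.name}: warning must be reached before tolerance")

    def status(self, value: float) -> Status:
        # Normalise so that "worse" always means larger, then compare once.
        sign = 1 if self.higher_is_worse else -1
        v, w, t = sign * value, sign * self.warning, sign * self.tolerance
        if v >= t:
            return Status.RED
        if v >= w:
            return Status.AMBER
        return Status.GREEN


@dataclass(frozen=True)
class Alert:
    period: str
    kri: str
    owner: str
    value: float
    previous: Status
    current: Status

    @property
    def escalation(self) -> bool:
        """True when the indicator got worse; a return towards green is still
        recorded but does not need to be chased."""
        return self.current.value > self.previous.value


Observation = Tuple[str, Dict[str, float]]  # (reporting period, {kri name: reading})


def monitor(kris: Sequence[KRI], observations: Sequence[Observation]) -> List[Alert]:
    """Replay readings in order and emit one Alert per status transition."""
    by_name = {k.name: k for k in kris}
    last: Dict[str, Status] = {k.name: Status.GREEN for k in kris}
    alerts: List[Alert] = []
    for period, readings in observations:
        for name, value in readings.items():
            kri = by_name[name]  # a reading for an unregistered KRI is an error
            now = kri.status(value)
            if now != last[name]:
                alerts.append(Alert(period, name, kri.owner, value, last[name], now))
            last[name] = now
    return alerts


# Constructed sample: two indicators and four quarters of readings.
SAMPLE_KRIS = [
    KRI("critical_vulns_over_30d", "Head of IT", "count", warning=5, tolerance=10),
    KRI("phishing_report_rate", "CISO", "%", warning=40, tolerance=25,
        higher_is_worse=False),
]
SAMPLE_OBSERVATIONS: List[Observation] = [
    ("2016-Q1", {"critical_vulns_over_30d": 3, "phishing_report_rate": 55}),
    ("2016-Q2", {"critical_vulns_over_30d": 6, "phishing_report_rate": 45}),
    ("2016-Q3", {"critical_vulns_over_30d": 12, "phishing_report_rate": 38}),
    ("2016-Q4", {"critical_vulns_over_30d": 4, "phishing_report_rate": 22}),
]


def run_sample() -> List[Alert]:
    return monitor(SAMPLE_KRIS, SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for a in run_sample():
        flag = "ESCALATE" if a.escalation else "improved"
        print(f"{a.period} {a.kri:<24} {a.value:>5} "
              f"{a.previous.name}->{a.current.name} [{flag}] owner: {a.owner}")
```

Running the sample yields five alerts across four quarters: the vulnerability backlog moves green to amber in Q2 and amber to red in Q3, the phishing report rate drops to amber in Q3, and in Q4 the backlog clears while the report rate breaches tolerance. Only the four worsening transitions are flagged for escalation; the recovery is recorded without generating work for the second line.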