GRC Tuesdays: New Guidance Highlights Need to Tie ERM to Strategy, Performance, and More
The Committee of Sponsoring Organizations (COSO) is a joint initiative of private sector organizations that provides thought leadership through the development of enterprise risk management, internal control, and fraud deterrence frameworks. It was organized in 1985 and has developed several key frameworks for internal controls and enterprise risk management (ERM). This blog will highlight some of the recent developments in COSO’s ERM frameworks.
COSO defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.” In 2004, COSO issued Enterprise Risk Management—Integrated Framework after several high-profile business scandals and the passage of the Sarbanes-Oxley Act of 2002.
The Enterprise Risk Management—Integrated Framework is often pictured as a 3-dimensional cube with:
- Four categories of entity objectives, which include strategic, operations, reporting, and compliance.
- Eight components, which include internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
- Activities from all levels of the organization, which can include enterprise-level, division or subsidiary, and business unit processes.
2017 Update to Enterprise Risk Management: Integrating with Strategy and Performance
In 2017, COSO updated the above framework with “Enterprise Risk Management: Integrating with Strategy and Performance.” The title of the new guidance highlights the greater emphasis on linking strategy and performance to ERM. This is not a surprise to most ERM practitioners, because the 2017 State of Risk Oversight survey found that over 1/3 of the 432 organizations surveyed do no formal assessments of strategic, market, or industry risks.
The “Enterprise Risk Management: Integrating with Strategy and Performance” framework has five components, instead of the eight in the previous guidance. They include: governance and culture, strategy and objective setting, performance, review and revision, and information, communication, and reporting. The five components are supported by 20 new principles. Below is a table that displays the components and their principles.
Two weeks ago, COSO also teamed up with World Business Council, which is an organization with over 200 leading companies with a combined revenue of $8.5 trillion and 19 million employees, to release a new draft guidance on environmental, social, and governance-related risks.
Impact on ERM Communities
So what does this mean to the ERM communities?
- While COSO’s ERM principles are not mandatory, the framework emphasizes a greater need to tie ERM to strategy and performance.
- In Enterprise Risk Management: Integrating with Strategy and Performance, COSO included several trends: dealing with the proliferation of data, leveraging artificial intelligence and automation, and managing the cost of risk management. All of this points to managing risks in the new digital economy.
- Working with the business. The joint effort between COSO and the World Business Council to release new draft guidance on environmental, social, and governance-related risks shows that ERM framework setters are working more closely with the business community to address the risks businesses face.
On the technology side, we see changing business models and the new products and services driving the digital transformation. The digital transformation pillars of mobile, cloud, Big Data, and analytics (accelerated by the Internet of Things (IoT), machine learning and blockchain) offer new computing infrastructures for the business and ERM to transform digitally and to add value to the business.
In summary, the trends driving digital and ERM transformation are already present and gaining momentum. There is no better time to take the opportunity to embrace the future and create higher levels of value for the business.
- In our GRC Tuesday series of blogs, you can find posts about ERM, GDPR, the Three Lines of Defense, and more.
- Join us at the International SAP Conference on Internal Controls, Compliance and Risk Management in Amsterdam on the 15th and 16th of March 2018.