The Committee of Sponsoring Organisations (COSO) released the Enterprise Risk Management – Aligning Risk with Strategy and Performance draft document for public comment during June 2014. This document, once all comments have been considered, will form the update to the familiar Enterprise Risk Management (ERM) Framework of 2004.

The final document is only expected later this year but will again provide a best practice model against which internal auditors can test and assess the governance of risk management in their various organisations.

The concepts in this updated framework might not be considered entirely new; the emphasis is rather on making Enterprise Risk Management “work” in the organisation.

In the next few issues we will focus on different aspects of the new COSO framework and the potential implications for internal audit.

Why an Update?

Most organisations experienced certain challenges in implementing and establishing the 2004 ERM Framework. Some of these challenges included:

  • Attempts to implement ERM often did not have an enterprise-wide scope and were rarely integrated with strategy setting. The concept of “applied in strategy-setting and across the enterprise” as found in COSO’s definition of ERM was therefore either misunderstood or simply ignored in practice;
  • As indicated on the COSO Cube (on the right side of the cube), the ERM framework broadened the original Internal Control Framework’s application focus from activities and processes to the entity and its operating units and divisions. Many organisations, however, still attempted to implement COSO at too granular a level rather than in strategy setting;
  • Some organisations tried to implement COSO ERM as an assurance initiative rather than as a management tool for better business management. This approach proved to be a non-starter when dealing with operating management, especially if Internal Audit was tasked with the implementation lead;
  • The recession and financial crisis during 2008 caused a further distraction from COSO ERM as organisations went into crisis mode.

What’s new?

A principles based approach

Similar to the previous ERM framework, the new draft framework starts from the premise that every entity exists to provide value for its stakeholders and faces uncertainty in the pursuit of this “value”. “Risk” can be defined as the effect of such uncertainty on the formulation and execution of an organisation’s business strategy and the achievement of its objectives. The new framework therefore identifies one major challenge for organisations as being management’s ability to determine how much uncertainty (and therefore risk) the organisation is prepared and able to accept. “Effective (ERM) allows management to balance exposure against opportunity, with the goal of enhancing capabilities to create, preserve and ultimately realize value.”

The new definition of ERM as per the proposed framework therefore reads:

  • “The culture, capabilities and practices integrated with strategy-setting and its execution, that organisations rely on to manage risk in creating, preserving and realizing value.”

According to COSO the new framework:

  • Provides greater insight into strategy and the role of ERM in setting and executing strategy;
  • Enhances alignment between organisational performance and ERM;
  • Accommodates expectations for governance and oversight;
  • Recognizes the continued globalisation of markets and operations and the need to apply a common, yet tailored, approach across geographies;
  • Presents fresh ways to view risk in the context of greater business complexity;
  • Expands risk reporting to address expectations for greater stakeholder transparency; and
  • Accommodates evolving technologies and the growth of data analytics in supporting decision-making.

In the updated framework COSO introduces five interrelated components and outlines relevant principles for each component. The components are:

  • Importance of Risk Governance and Culture;
  • A multidimensional focus in Strategy-Setting;
  • Getting a Grip on Risk;
  • Maximising the Value of Risk Information and Reports; and
  • Monitoring what really matters.

In this issue we will focus on the first component “Importance of Risk Governance and Culture”. There are six principles underlying this foundational component.

  1. Exercises Board Oversight

Risk Governance and Culture starts at the top in the organisation with the influence and oversight of the Governing Body. The Governing Body must be accountable and responsible for risk oversight and possess the requisite skills, experience and business knowledge to provide that oversight. When the Governing Body is composed of an independent majority, it serves as an effective check and balance on executive management and institutional bias.

  2. Establishes Governance and Operating Model

An organisation’s strategy is executed through management’s organisation and execution of the day-to-day activities aimed at achieving its objectives. How the organisation’s operating model, reflected in its legal and management structure and reporting lines, is executed can introduce new and different risks that may affect strategy execution, the management of risks and the achievement of objectives. ERM must take the risk profile associated with the operating model into account.

  3. Defines Desired Organisational Behaviours

An organisation’s core values and attitudes towards risk are normally expressed in its desired behaviours. COSO encourages risk awareness irrespective of whether the organisation has a risk averse, risk neutral or risk aggressive culture. Such a culture is characterised by strong leadership, a participative management style, accountability for actions and results, an explicit embedding of risk management in decision-making processes, and open discussion and dialogue regarding risks in the daily operations and activities of the organisation.

  4. Demonstrates Commitment to Integrity and Ethics

COSO emphasises the “Tone” throughout the organisation. While tone-at-the-top is defined by the operating style and personal conduct of management and the Governing Body, it must be embedded deep in the organisation. The “Tone in the middle” and “Tone at the bottom” must therefore be aligned with the “Tone at the top”.

Standards of conduct should be developed and evaluated and deviations addressed in a timely manner.

  5. Enforces Accountability

Individuals at all levels of the organisation should be accountable for ERM. Likewise, the organisation should hold itself accountable for providing the appropriate standards and guidance regarding ERM. Accountability starts at the top with the Governing Body and the CEO/Accounting Officer and is driven downward through the organisation through appropriate performance expectations, incentives and reward systems.

COSO states that excessive pressures that can result in irresponsible or even illegal behaviour should be identified and managed.

  6. Attracts, Develops and Retains Talented Individuals

Risk governance and culture recognise the importance of building the human capital and talent of individuals in alignment with business objectives. Management must define the knowledge, skills and experience needed to execute the strategy; set appropriate performance expectations; attract, develop and retain appropriate personnel and strategic partners; and arrange for succession.

Next month, we will elaborate further on the new COSO framework and the implications for Internal Audit.