On Tuesday COSO announced it has launched a project to update its 2004 Guidance on Enterprise Risk Management (ERM).
As noted in COSO’s press release, the new project has two distinct goals. Although not explicitly labeled “cost-benefit,” the first goal relates to enhancing the benefits to companies of use of the COSO ERM framework. Specifically, COSO aims “to enhance the Framework’s content and relevance in an increasingly complex business environment so that organizations worldwide can attain better value from their enterprise risk management programs.”
Disclosures, Assessment Considerations Part of Project
Significantly, the second goal may be seen by some as taking the 2004 ERM framework and building it out for future voluntary or mandatory regulatory requirements relating to risk disclosures. In addition, the project could be seen as an update in the assessment of the effectiveness of risk management, in a parallel realm to the requirements under Sarbanes-Oxley Section 404 and related SEC rules (Management’s Report on Internal Control) and PCAOB standards (AS5) concerning internal control over financial reporting. While the Sarbanes-Oxley requirements are mandatory, as noted by COSO, assertions on the effectiveness of ERM are “generally not required by statute, rules or standard-setters” to apply and assess the effectiveness of an particular “ERM” framework (or ‘risk management’ framework) per se.
Looking to update the 2004 framework for current needs and for the future, the second goal stated by COSO for the ERM update is to “develop tools to assist management in:
- reporting risk information and
- in reviewing and assessing the application of enterprise risk management.”
“Enhancements to the Framework are intended to facilitate a more robust and timely application of enterprise risk management,” continues COSO’s press release, adding, “The Framework will be updated to enhance concepts developed in the original Framework and to reflect the evolution of risk management thinking and practices, as well as changing stakeholder expectations.”
The question of potential future mandatory vs. best practice ERM or “risk management” disclosures and assessments is noted in a set of FAQs on COSO’s ERM Project that was also released Tuesday. Specifically, Item #6 and Item #2, respectively in the FAQs states (emphasis added):
The COSO Board believes there may be differing regulatory and stakeholder expectations relating to enterprise risk management. For instance, entities are generally not required by statute, rules, or standard setters to apply a risk management framework such as the [COSO] Enterprise Risk Management-Integrated Framework. However management may choose to do so to enhance their ability to create and sustain value. Conversely regulators and standard-setters often require entities to develop maintain, and report on effective internal control.
Although not yet confirmed, it is likely that the updated [ERM] Framework will incorporate a more formal set of principles and points of focus. These were developed during the update of the Internal Control – Integrated Framework and the market has been supportive of the clarity provided by this approach. In addition, the tools anticipated as part of this update will assist management in this evaluation.
Tie-in to COSO’s Internal Control Guidance
COSO’s announcement of its ERM update project comes on the heels of efforts for companies to implement COSO’s 2013 updated Internal Control-Integrated Framework.
Like the 2013 Internal Control framework update, a PwC team has been chosen to lead the ERM update, under the guidance of the COSO board and an advisory council. The advisory council will consist of members of the five COSO organizations – the AAA, AICPA, FEI, IIA and IMA – and other experts “represent[ing] various industries, academia, government agencies, and not-for-profit organizations,” as noted in FAQ #8.
Dennis Chesley, Risk Consulting Leader at PwC, will direct the project team.
The relationship between COSO’s updated Internal Control-Integrated Framework published in 2013 – which COSO previously announced will supersede its original (1992) internal control framework on Dec. 15, 2014 [See: Keeping Your Controls Under Control: COSO Turns One, and Implementing COSO: Evolutionary, Not Revolutionary) and COSO’s ERM framework will be addressed in this project. As noted in COSO’s press release and FAQ #7, respectively:
“The updated Framework is intended to help organizations be more resilient in the face of changing risk landscapes,” said Dennis Chesley, PwC’s Risk Consulting Leader and project team leader for the update project. “Additionally, it will explain the interconnections between governance and internal control, the latter set out in the Internal Control–Integrated Framework released in May 2013.”
[A]s noted in the Foreword of the updated Internal Control – Integrated Framework, these two COSO frameworks are intended to be complementary, and neither supersedes the other. Yet, while these frameworks are distinct and provide a different focus, they do overlap. The Enterprise Risk Management-Integrated Framework encompasses concepts common to both enterprise risk management and internal control. The Internal Control – Integrated Framework remains a viable and suitable framework for designing, implementing, and conducting and assessing the effectiveness of internal control and for reporting thereon as required in some jurisdictions.
COSO will be adding updated information about the ERM project during the course of the project at: www.coso.org/ermupdate . FEI has made available a COSO resources page at: www.financialexecutives.org/coso, which announces upcoming webcasts and recently published research relating to COSO’s Internal Control – Integrated Framework, and COSO ERM.