COSO Seeking Comments on Updated ERM Framework

by FEI Daily Staff

Understand the implications of the new COSO enterprise risk management framework and how to encourage a risk-conscious corporate culture.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released an update to its Enterprise Risk Management – Integrated Framework and is seeking public comment on the proposal. The update, Enterprise Risk Management — Aligning Risk with Strategy and Performance, is designed to help organizations create, preserve, sustain and realize value while improving their approach to managing risk.

The updated framework proposes:

  • Adopting a structure of components and principles;
  • Simplifying the definition of ERM;
  • Emphasizing the relationship between risk and value;
  • Renewing the focus on the integration of ERM; and
  • Enhancing the alignment between performance and ERM.

Why has COSO released an updated framework? “As a result of the mixed implementation of the 2004 framework, dramatic risk management breakdowns and increasing complexity of the business environment,” explains Jim DeLoach, Managing Director, Protiviti, “COSO saw an opportunity to provide clarity by: (1) connecting ERM more clearly with a multitude of stakeholder expectations; (2) positioning risk in the context of an enterprise’s performance, rather than as the focus of an isolated exercise; and (3) enabling organizations to become more anticipatory. As companies position themselves as early movers, they will derive more leading (versus lagging) indicators and trending metrics.”

Leading companies know risk management depends on a number of key elements. “Effective risk management requires a fully engaged board, a bought-in chief executive, an open and transparent culture, a compensation structure that balances short- and long-term goals, an understanding of the risk implications of the strategy and a recognition that critical strategic assumptions can be invalidated by changes in the environment,” says DeLoach. “These elements are emphasized by COSO in its updated framework.”

“The COSO ERM update provides both a challenge and great opportunity for organizations in integrating ERM into an organization to help achieve growth and improved performance,” says Dr. Mark L. Frigo, Professor at DePaul University. “The framework includes 23 principles organizations can apply in strategic decision-making and strategy execution, which will help with this integration.”

“Organizations will want to consider the principles around risk governance and culture and ask if they have them covered,” adds Dr. Paul Walker, Executive Director, Center for Excellence in ERM at St. John’s University. “They should take a hard look at how things are set up.”

So what are the challenges that companies will face in implementing the new COSO ERM framework? “The biggest challenge companies will face will likely arise in integrating risk and strategy,” says DeLoach. “Many organizations focus on identifying risks to the execution of the strategy. But COSO asserts that ‘risks to the strategy’ is only one dimension of strategic risk. There are two additional dimensions to applying ERM in strategy setting – the ‘possibility of strategy not aligning’ with an organization’s mission, vision and core values, AND the ‘implications from the strategy,’ meaning the risk profile arising from the strategy itself. These two dimensions reach beyond the usual focus on strategic execution risk.”

Despite the challenges in implementation, risk also provides opportunities. “Risk cannot be viewed as a potential constraint or challenge to executing a strategy,” advises Robert B. Hirth Jr., COSO Chair, in the COSO press release. “Rather, how an organization copes with risk offers strategic opportunities. This update answers the call for improved culture, capabilities and practices integrated with strategy setting and its execution.”