Committee of Sponsoring Organizations of the Treadway Commission
RE: Public Exposure Draft – Enterprise Risk Management / Aligning Risk with Strategy and Performance, June 2016 Edition
______________________________________________________________________________
On behalf of Financial Executives International (FEI), a working group of FEI members was formed to review and comment on the Public Exposure Draft (ED) for Enterprise Risk Management, Aligning Risk with Strategy and Performance.
FEI is a leading international organization of more than 10,000 members, including Chief Financial Officers, Controllers, Treasurers, Tax Executives, Audit and Compliance Executives and other senior financial leaders. FEI is one of the five original sponsoring bodies of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The FEI working group that was established to review and provide feedback on the ED comprises volunteers with a strong and abiding interest in the topic of Enterprise Risk Management.
This letter represents the collective views of this working group and not specifically the views of FEI, or its members individually.
General Commentary:
Our working group commends your efforts to update the 2004 publication on Enterprise Risk Management and formally wishes to place on record our support of COSO’s publication of updated literature for guidance on this topic.
Specifically we would like to acknowledge:
- The COSO ERM Exposure Draft released on June 14, 2016, is a very comprehensive document. It represents a broad upgrade for today’s dynamic, changing, and complex business environment versus the current 2004 publication.
- The systematic effort to produce a principles-based framework accompanied by a clear outlining of the principles and the supporting concepts.
- We also want to express our appreciation to the individuals and groups involved in the development of the Exposure Draft, particularly the core authoring team from PwC, for the level of thought, time and effort they devoted to assembling and publishing this document in ED form.
Specific Comments and Observations
Outlined below are specific comments and observations on the Exposure Draft.
- Expectations for Usage and Reporting: We understand this document is intended to describe and provide principles-based guidance for an ERM framework. Our working group felt it important to be very clear that this guidance will not be prescriptive or mandatory. Our feedback in this area:
- How this guidance is used will likely be somewhat different based on entity type and size (Large Cap, Small Cap, Government, Not-for-Profit, etc.). In general, the principles tend to align more directly for larger organizations.
- Some entities may report in public filings or publicly available documents the usage of this ERM framework.
We recommend the language currently in the ED be enhanced further to highlight that these ERM principles are not mandatory, nor do they necessarily require or even contemplate an assessment from the Board of Directors or Executive Management. It may be useful to call out that smaller entities could benefit from the proposed COSO framework by scaling it down and adapting it to their needs. Further, it may be a proactive step to provide direction that when the usage of this framework is reported in public documents, no external validation is required on how the principles are applied.
- Innovation Risk / Opportunity to take Risk: The general tone of the ED came across to our working group as more of the traditional ERM practices of how to avoid or address risks that may lead to a loss (i.e., predominant focus on downside risk). While these elements are important, parts of the ED could be improved by ensuring further coverage of other, potentially upside risks (or opportunities). Our view on this point:
- The risk of disruption for an entity’s business model is one of the most significant risks given the pace of change across every industry. The impact of disruptive innovation is frequently noted in the reporting of risk factors.
We recommend the wording in the ED be enhanced to provide more discussion of the risks associated with not addressing innovation and disruption. This should align with text that also highlights the opportunity to look for areas where the entity should embrace taking risk, and aggressively exploit the upside of taking these calculated risks.
- Outline of Accountability: The ED is very detailed and specific in various sections on the outline of accountability. While our working group is in general agreement with the ED on its approach, the direct manner in which these accountabilities are described may be excessive and potentially lead to undesirable conflict or disagreement within organizations. Some areas noted under this concern:
- The ED states (such as on page 27) “The organization holds individuals at all levels accountable for enterprise risk management.”
- The ED states (such as on page 49) “Risk Appetite is communicated by management, endorsed by the Board and disseminated throughout the entity.”
- The ED states (such as on page 28) “The BoD is responsible for risk oversight.” This responsibility will likely differ based on entity type, jurisdiction and local law.
We recommend the ED address and modify such overly specific language where the phrasing used is too strong or may not be applicable. The working group felt that many organizations would not agree that the existing wording in this draft aligns with either current business practices or even a discussion of best practices for their entity.
- Length of Document: While the FEI working group felt a strength of the ED was the comprehensive nature of the document, there was also consensus that there is an opportunity to meaningfully shorten the length. The document often stretches to include areas that are only tangentially related to ERM. Comments for this observation include:
- There are 27 pages in the introduction section prior to listing the details and associated concepts that comprise the first principle.
- In Principle #1 – There are three paragraphs covering Board Independence. While we agree Board Independence is an important governance practice, it is not necessarily an area of focus for a document devoted to articulating ERM principles.
- In Principle #4 – There are similar examples of good governance such as standards of ethical conduct, training programs on ethical conduct and channels for reporting ethical concerns that are detailed as key components of an ERM framework.
We recommend the document be reviewed with a clear objective of streamlining sections to avoid redundancy, reduce the introduction of basic concepts, remove elements not directly related to an ERM framework, and move certain information into the appendix (such as the acknowledgment of the individuals involved in the ED).
- Usage of Common Business Language: Our working group felt this document was written to be read and used by individuals with a solid, pre-existing knowledge of Enterprise Risk Management. The examples and the appendix do give the reader insight into ERM nomenclature. Our feedback on this area:
- Would terms such as Risk Appetite, Risk Tolerance, Risk Universe, etc. be understood by a general population of managers or executives? Is there an opportunity to better bridge the terms used in the ED to more common business language and practices and thus improve readability?
Our recommendation is to assess the intended audience for this document and potentially address if the wording used in the ED needs to better link common business language to the stated ERM principles.
Conclusion:
Thank you for your consideration of our FEI working group’s comments and observations. The working group would be happy to discuss how we may support you further in updating the guidance on this Enterprise Risk Management Framework. If you wish further input or clarification, please coordinate this discussion through Tom Thompson with FEI at [email protected].
The comments expressed herein represent the views of the following individuals of this Working Group and do not necessarily represent the views of their employers.
Sincerely,
Phil Roush, Chairman of the FEI Working Group
FEI Members on the Working Group