ERM 101: What’s COSO, and Why Should I Care?
When it comes to enterprise risk management, the leading voice is COSO. Read on for COSO FAQs to learn what COSO is and why you should care about what it has to say about ERM.
- What is COSO?
- What does COSO say about ERM?
- Give me a quick summary of COSO's ERM framework.
- How does today's COSO risk management framework differ from the old version?
- Why is COSO a good framework for tackling risk management in the real world?
- What size do you need to be for COSO's ERM framework to be a useful tool?
- You mentioned COSO has an internal controls framework. What's that?
- What do regulators have to say about COSO's internal controls framework?
What is COSO?
COSO is short for the Committee of Sponsoring Organizations of the Treadway Commission.
Founded in 1985, COSO is a private-sector initiative that was originally formed to combat fraudulent financial reporting but has since expanded its mission to include internal controls and enterprise risk management.
It’s sponsored by the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, The Institute of Internal Auditors, and the Institute of Management Accountants.
What does COSO say about ERM?
COSO provides a voluntary framework with best practices for ERM called Enterprise Risk Management—Integrating with Strategy and Performance. Released in 2016, this is an update to COSO’s original 2004 document, Enterprise Risk Management—Integrated Framework.
COSO held meetings around the world, conducted an in-depth survey, and sought public comment before updating the framework. Organized into five parts, the framework offers a blueprint for ensuring risk is addressed on a continuum at every level of an organization and is a must-read for every business executive.
Give me a quick summary of COSO’s ERM framework.
The COSO framework divides the components and principles of an effective ERM into five categories:
- Governance & Culture
- Strategy & Objective-Setting
- Performance
- Review & Revision
- Information, Communication and Reporting
Source: COSO’s Enterprise Risk Management—Integrating with Strategy and Performance.
COSO’s approach emphasizes how these five components are banded together in ribbons that wrap around the key steps of developing and executing a business strategy:
- Mission, Vision, and Core Values
- Strategy Development
- Business Objective Formulation
- Implementation and Performance
- Enhanced Value
It’s no accident that the design resembles the double helix structure of DNA. It’s a nod to the idea that ERM needs to be hard-wired and ingrained into an institution’s structure. It’s not an add-on but fundamental to the organization’s existence. Take one component away, and the whole structure unravels.
How does today’s COSO risk management framework differ from the old version?
Compared to the previous version, today’s COSO framework does much more to integrate risk into the strategic planning process. The framework “positions risk in the context of an organization’s performance, rather than as the subject of an isolated exercise” and “enables organizations to better anticipate risk so they can get ahead of it, with an understanding that change creates opportunities, not simply the potential for crises,” according to its executive summary.
How does it do this? Let’s take a closer look at the diagram above to understand.
Risk plays an important role in ensuring that an institution’s mission, vision, and values influence its strategy, its strategic plan, and ultimately its strategic success. But ERM goes far deeper than that. As COSO explains, “Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value.”
When addressed properly, ERM should be entwined in every step of a strategic plan.
Why is COSO a good framework for tackling ERM in a more complicated world?
The 2017 ERM framework introduces concepts that are increasingly important, including:
Explicitly Linking ERM with Strategy and Decision-Making. An institution’s mission, vision, and values don’t exist in a vacuum. ERM is an essential tool for ensuring these three components are fully integrated into an institution’s strategy and decisions. It explains why the risks of every strategy, and of its alternatives, should be addressed. It helps explain why strategies are chosen and how resources should be allocated.
Culture. Culture plays a major role in the actions and performance of an institution. Unfortunately, there are too many institutions that don’t embrace a risk management culture and the transparency and risk awareness it brings. COSO’s updated framework demonstrates for the first time the role governance and culture play in ensuring strong ERM, providing insights into how to ensure that employees at all levels make risk management part of their job description. It makes clear the board’s role in developing an ERM culture and setting the institution’s risk tolerance. The name of the game is accountability.
The Relationship Between Risk Management, Performance, and Value. Many institutions view ERM as a cost, when in reality identifying, assessing, and mitigating risks saves an institution untold sums. Just consider the financial and reputational damage of every cyber breach, enforcement action, or loan-loss write-off. COSO’s framework helps demonstrate why ERM makes fiscal sense by creating stronger, more resilient institutions poised to take early action to exploit opportunities and defend against threats. It’s not just about minimizing risk; it also helps an institution understand how changes in risk affect its decisions.
It Pushes Harder to Break Silos. The framework emphasizes that ERM connects to every department and function, allowing an institution to aggregate knowledge for a more complete picture. It helps an institution understand how truly interconnected its different areas are and can increase efficiencies. It also helps an institution align its actions with its mission, values, and goals, helping ensure everyone has the same marching orders.
What size do you need to be for COSO’s ERM framework to be a useful tool?
COSO’s ERM framework is not a one-size-fits-all solution. It’s designed to be useful to organizations and institutions of all sizes, from a $120 million-asset community bank to Bank of America.
The beauty of the framework is that it provides flexibility where it’s needed. For instance, it doesn’t demand a risk committee or a risk officer, just recommendations for the type of work that needs to be done. It’s also rigid when necessary, specifically when it comes to ensuring that ethics and core values are followed. It doesn’t offer loopholes when it comes to doing the right thing.
You mentioned COSO has an internal controls framework. What’s that?
In addition to its ERM framework, COSO also published the Internal Control – Integrated Framework in 1992. COSO’s internal control framework was a big deal when it was first published. It offered companies of all sizes a new way of looking at internal controls, one that shifted responsibility for these functions to the board and senior management. It was meant to be integrated and comprehensive, eliminating silos and adding transparency and greater oversight.
The framework has evolved since that time, with an update in 2015 to reflect changes in today's business and operating environment and our increased dependence on information technology, among other advances in governance, but it still comes down to five components for effective internal controls:
- Control environment. These are the “standards, processes, and structures” the board and senior management create to ensure internal controls are followed. These include oversight and responsibility, performance measures, and accountability.
- Risk assessment. Identifying and assessing risks and their impact on business objectives, as well as the suitability of those objectives.
- Control activities. Documented actions dictated by policy and procedure that ensure risks are mitigated.
- Information and communication. Enterprise-wide communication in all directions to ensure internal and external information is shared in a timely fashion.
- Monitoring activities. Evaluations to ensure the first four components are properly executed.
What do regulators have to say about COSO’s internal controls framework?
Many regulators have endorsed COSO, including the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve, and the OCC, which have “encouraged [institutions] to evaluate their internal control against the COSO framework.” The National Credit Union Administration (NCUA) describes it as “the internal control framework most often cited” by credit unions.
It’s not just popular in banking circles. With the support of entities like the Securities and Exchange Commission (SEC), the COSO report has seen widespread adoption. While COSO standards are optional, they are widely used at most publicly traded companies. One consulting firm’s study found that in 2015, 75 percent of publicly traded companies had adopted the 2013 COSO internal control framework, and 17 percent were still using the 1992 version.