It seems like the assumption behind the COSO Risk Management Framework is that there is no commonly accepted definition of "risk management," and no comprehensive framework for processes.

That is the assumption, and that is based on our research; we have not found anything out there that is a generally-accepted framework.

There are lots of articles and reports and books and so forth, but there's no framework.

Why is that the case?

It was the same thing with internal controls before '92.

There was much written and spoken about the concept, and there were auditing standards in place, and it had been discussed in many academic books and articles, but there was no comprehensive framework to define it in a way that could be accepted by all parties.

It took COSO to bring the clout, if you will, to bear in order to gain consensus.

Most companies are currently focusing on SOX 404 issues, specifically related to documentation, assessment and redesign if necessary. How does the new risk-management framework incorporate that internal control framework?

The internal control framework has been incorporated in its entirety into the new ERM framework.

The ERM framework builds on the internal control framework, expands on it, is more robust.

You might say it's internal control "turbocharged."

There's much more focus and emphasis and expansion on the risk management components, on elements of the internal control framework.

What does that mean insofar as adoption goes?

It means that any entity or organization that adopts the internal control framework from COSO pursuant to SOX 404 is going to have implemented the foundation for the ERM framework, and would be able to build on that in order to embrace the new principles in the new ERM framework.

Doesn't it throw a monkey wrench into the equation for companies already working on 404?

No. Not at all.

And that was done, frankly, on purpose — it was our intent not to create a conflict between the two, but to indeed build on the internal control framework.

So if a company adopts the internal control framework for 404 purposes, they'll be positioned to build on that to incorporate the additional concepts and principles in the ERM framework.

So there'll be no conflict at all. There's an expansion and making it more robust, but it's not a step back or a change in direction.

It seems like the new framework emphasizes the importance of managing risks across the enterprise from a "portfolio" perspective. If most companies now perform risk management by unit or subdivision, how do they migrate to a "portfolio of risk" vision?

Indeed, in this ERM framework, it does call on a company to identify and assess and manage risk on an individual business-unit basis.

This is necessary, but in addition to that, the framework calls upon the company to take a portfolio view of risk.

That's done because on an individual basis, the individual businesses might keep risk within their risk tolerances, but on an overall basis they might exceed the risk appetite of the company or organization as a whole.

There are also inter-relationships between risks, and it's important to take that portfolio perspective to make sure those risks are identified.

So it takes a summarization of the major risk areas across the organization and individual units in order to make sure they are within the risk appetite of senior management and the board.

Does that process require dedicated oversight from a specific executive or risk officer?

No, it does not.

The framework does speak to the importance of a risk officer, and suggests it can be useful as a facilitator and enabler to assist the line managers in effectively managing risk.

But it emphasizes the potential problems if you have that CRO ultimately responsible and accountable for managing risk. It's senior management cascading down through the line that needs to be first and foremost responsible for identification and management of risk.

How does this framework help companies make better and faster decisions regarding risk?

Yes [laughs].

It's an enabler, and it offers a discipline to help line managers achieve their basic business objectives. And an important part is that it enables them to identify opportunities in the process.

So it's not just to avoid the downside, but it's also to seize the upside opportunities.

How does it do that?

The framework calls for a manager to identify "events" that can impact on the achievement of their business objectives.

By events, there are some that could have a negative impact, and others that could have a positive impact. The framework simply identifies those that have a potentially negative impact as a risk, and those with a potential positive impact as an opportunity.

So they focus on both, and should act on both based on their objectives.

What about boards?

Boards have an important role in all this.

First, they should make sure that top management apprises them of the most significant risks, and that means before a problem becomes real and an issue — we're talking about potential problems.

So early on, they need to be apprised of issues where the company is most exposed.

And importantly, the board needs to determine the extent to which management has adopted and implemented an effective enterprise risk management process in the organization.

So they have a two-fold important responsibility.

And frankly, in practice, my experience thus far is that boards have been focusing on the former, but most have not been focusing on the latter.

What are some of the limitations of the framework?

Our ERM framework is not a "cure all" or a panacea.

It's a framework to enable management to have better information to make better decisions in managing risk.

But there are no guarantees.

Being a business by itself involves taking on risk. By definition, every entity, every company, none can see the future, and risk is inherent in the future.

But it does enable an entity's management to do a much better job, and to be more effective and disciplined in dealing with uncertainty and achieving their objectives.

The framework has no authority, correct?

Correct. There is no official legal authority of COSO.

But based on the acceptance and incorporation into rule, regulation and even law of the internal control framework, I think we can expect the next main output of COSO to be received similarly in the marketplace.

Have you gotten any feedback on the draft yet?

Not really.

I understand there were over 1,000 [users who downloaded the ERM draft] on the first day or two after its release, but we really have no word yet except for some anecdotal feedback.

It is worth noting, however, that the project team certainly has interacted with many senior executives and leaders in government, law, academia, and various professions throughout the project, gaining their insights and reactions to the various models and drafts that we have put forth.


This column should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.