What’s New in COSO Enterprise Risk Management (ERM)?
July 09, 2018
By Shimaa Ahmed
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission has released its first revision since 2004 to one of the most well-known risk management frameworks in the U.S., Enterprise Risk Management – Integrated Framework. The updated edition, Enterprise Risk Management – Integrating with Strategy and Performance, addresses the evolution of risks businesses face today.
“The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of ERM, while asking for improved risk reporting,” said Robert B. Hirth Jr., COSO chair. “Our overall goal is to continue to encourage a risk-conscious culture.”
As Hirth stated, risk is evolving in today’s world, and business leaders and boards of directors need to be aware of this ever-changing business environment in order to be more strategic and competitive when striving to optimize outcomes. Some of these challenges include changing demographics that shape decision-making, evolving technologies and shifts in economic markets. Because risk influences and aligns strategy and performance across all departments and functions, the framework update highlights the importance of ERM in strategic planning and embeds it throughout an organization.
The framework is a set of principles organized into five components: 1) Governance and Culture; 2) Strategy and Objective Setting; 3) Performance; 4) Review and Revision; and 5) Information, Communication and Reporting. These five components are supported by the following set of principles:
| Governance and Culture | Strategy and Objective Setting | Performance | Review and Revision | Information, Communication and Reporting |
|---|---|---|---|---|
| 1. Exercises board risk oversight | 6. Analyzes business context | 10. Identifies risk | 15. Assesses substantial change | 18. Leverages information and technology |
| 2. Establishes operating structures | 7. Defines risk appetite | 11. Assesses risk severity | 16. Reviews risk and performance | 19. Communicates risk information |
| 3. Defines desired culture | 8. Evaluates alternative strategies | 12. Prioritizes risk | 17. Pursues ERM improvement | 20. Reports on risk, culture and performance |
| 4. Demonstrates commitment to core values | 9. Formulates business objectives | 13. Implements risk responses | | |
| 5. Attracts, develops and retains capable individuals | | 14. Develops portfolio view | | |
This framework accommodates diverse viewpoints and operating structures as well as enhances strategies and decision-making. By following the framework’s guidelines, ERM, in conjunction with data analytics and robotics/process automation, can change and adapt to the future. If data can be collected and analyzed efficiently, it will allow businesses to more readily identify trends and potential risks and then effectively react to them. Businesses at the forefront of digital innovation can position themselves to be industry leaders today and going forward.