Update to COSO’s ERM Framework Update

COSO plans to simplify its forthcoming framework for enterprise risk management, paring back some of the 23 proposed principles and renaming some of the framework’s five components, according to a project summary PwC has been circulating lately.

A friend of the cause passed along that presentation to me earlier this week, and the framework’s development is no state secret anyway. PwC has been working with COSO to develop a new ERM framework since it was first proposed last summer. They received lots of public comment on the original draft and now are making the rounds to let the risk, audit, and compliance community hear the latest.

[Update to my update on the update: On Thursday morning PwC asked me to take down their presentation on framework’s progress since the material was proprietary. I don’t mind, and the PPT deck is circulating out on the Interwebs already. Work your contacts if you want to find it. We now resume our previously scheduled post.]

First, some history for anyone who hasn’t followed the ERM framework closely. COSO published its first ERM framework in 2004, and even COSO itself now admits that document never really went anywhere. What’s more, almost as soon as that framework arrived, it was swamped with profound changes to the business landscape: globalization, more aggressive regulatory enforcement, Big Data, social media and its attendant reputation risks, and so forth.

Hence COSO proposed a new ERM framework last summer. Its structure is conceptually similar to the COSO framework for internal control, adopted in 2013: five components, each one supported by several basic principles.

Many of the principles are identical across both frameworks, although the ERM version has 23 of them, the internal control version only 17. The five components of each framework are named differently, but they still correspond:

And above all, the ERM framework replaces the famed COSO cube in favor of this thing:

It represents an organization’s risk management journey. You begin with a mission and core values, run through a rainbow of COSO ERM components, and somewhere over the rainbow you achieve enhanced performance.

The rainbow bit was COSO’s idea. I called it “the speared donut” for weeks until COSO chairman Bob Hirth corrected me.

So What’s Changing

According to the PwC presentation, public comment last fall was extensive, robust, and generally positive. COSO received more than 2,000 individual comments. Positive ratings outnumbered negative ratings by a ratio of 4.5-to-1. Feedback came from a nice blend of public companies, private firms, U.S. organizations, and overseas parties. That’s great news; it’s just the sort of input this community wants to see.

The PwC project team came away with seven items on its To Do list:

• Reduce the number of principles;
• Update graphics;
• Refine linkages to internal control;
• Change component titles;
• Increase emphasis on integration and decision-making;
• Highlight culture and relationship to core values;
• Expand the conversation on information and technology.

The final ERM framework will also include a compendium of examples, showing how various types of organizations might implement the framework and its various principles.

The points about connecting ERM to internal control, increasing emphasis on decision-making, highlighting culture’s relationship to core values, and expanding the conversation on IT; they are all excellent ideas. My observation is that at this point, most boards know they should implement ERM, and grasp the idea that it operates on a higher plane of existence than internal control and regulatory compliance. They just don’t know how to do it well, or what assurance looks like for risks around strategy, reputation, or culture.

We should also remember that in even in this Trump Administration era, with deregulation allegedly sweeping the land—a risk doesn’t care whether it’s regulated or not. Many business risks (especially the most serious ones) exist separate from some regulatory requirement trying to govern it, and the risk won’t go away just because its compliance burden does. ERM is meant to be a business performance tool addressing that reality. It brings a more disciplined approach to what businesses already do today in mostly lurching, ad hoc ways. If the COSO framework can bring more order to that process, everyone should climb aboard the bandwagon.

What’s Next

What we don’t know from this presentation is exactly which principles might get pruned back, or how the components might be renamed, or—say it ain’t so, COSO—whether the speared donut might be replaced with another image. I’ll try to track down those answers and report back.

We also don’t know exactly when the final COSO framework will be presented to the world. COSO Chairman Bob Hirth has previously said he wants it done by this summer, a well-deserved capstone to his three years as COSO chairman.

Hirth, PwC, those 2,000 commenters, and many others have put lots of effort into the framework, and lord knows that the business world needs one. Let’s hope for the best.