When COSO unveils the draft update to its Enterprise Risk Management framework, it will propose companies take risk considerations to the highest level in an entity’s strategy-setting and decision-making processes.
“There’s going to be some notion that ERM is important at the top level of the organization,” says COSO Chairman Robert Hirth. COSO’s ERM framework, originally published in 2004, is undergoing a refresh that is expected to be published as a draft for exposure and public comment in the spring, perhaps late April, he says.
The framework update exercise is expected to advance the idea, says Hirth, that risk should be governed and controlled within companies much the way internal controls are governed under COSO’s Internal Control -- Integrated Framework. While the ERM framework is not required by any regulatory body for any compulsory reporting purpose, virtually all public companies follow COSO’s internal control framework as a means of complying with Sarbanes-Oxley internal control reporting requirements.
The draft ERM framework update will suggest companies should integrate ERM into their strategy-setting process, says Hirth. “In many places, you have someone who sets the strategy, then someone who identifies the risks,” he says. “We have this notion that as you set the strategy, you identify the risks, so that really drives ERM into the strategy-setting process. That’s new.”
In addition to driving ERM into strategy-setting, the framework update draft will propose entities make it standard practice to incorporate risk considerations into decision-making processes. “That’s what it is to be a risk-aware organization,” Hirth says. “As anyone is making important decisions, they would take a pause and think about the other side of the coin. Have we thought about all the possible consequences, positive or negative? After that discussion, do we go forward or modify some aspect of the decision?”
The draft will reflect a continued evolution of information technology, says Hirth, suggesting opportunities for organizations to leverage their existing information and information systems to better inform their ERM efforts. And as drafting of the revised framework continues, COSO is committed to assuring it contains plenty of examples that illustrate the framework’s applicability to a variety of organization types and sizes, says Hirth. “We want to be clear that this is not just for banks or just for the public sector,” he says.