More than a year after it launched an effort to revise its Enterprise Risk Management framework, COSO now expects to publish an exposure draft for public comment in the first quarter of 2016.
COSO’s ERM integrated framework dates back to 2004 and suffers from the same conditions that prompted COSO to update its Internal Control -- Integrated Framework in 2013. Much has changed since COSO first released the ERM framework more than a decade ago, so the board decided to give it a refresh in light of modern business conventions and practices.
“It will be a little different look and feel from the 2004 framework,” says Bob Hirth, chairman of COSO. “Consistent with the updated internal control framework, you’ll see the components, principles, and points of focus, but it will be much tighter than in the 2004 framework. It will be a more structured document, much like the updated internal control framework.”
Hirth says the new ERM framework will be a “standalone” risk management framework, not something that is based on “a lot of cutting and pasting” from the internal control framework. “That’s something people will look forward to,” he says. “My hope is to see some modernization, updating, and refinement of things to make a good document even better and even more useful.”
COSO updated its internal control framework in 2013, setting public companies on a journey to map their internal controls to the new framework so they would remain in compliance with Sarbanes-Oxley. The Securities and Exchange Commission doesn’t explicitly require companies to follow COSO’s internal control framework, but the vast majority do so to fulfill the SEC’s requirement that public companies follow “a suitable framework.”
COSO put its old framework to pasture at the end of 2014, prompting SEC officials to wonder aloud how any company could regard a retired framework as “suitable.” Most companies updated to the new framework in 2015, but some elected to take an extra year.
Public companies will not face the same regulatory imperative when the new ERM framework is issued, as no regulatory body explicitly requires public companies to follow a particular framework to manage and report on their ERM activities. Still, Hirth says companies will find it a useful tool to focus and direct their ERM initiatives. “This will help you meet more of your objectives more of the time,” he says. “It’s a little like exercise. Everyone who does it but with a program will do it better.”
The updated framework is expected to better link risk management to risk governance and risk culture, to strategy formulation and the setting of objectives, and to decision-making, says Hirth. The objective is to embed risk management into the organization’s strategy and operations rather than leaving it to stand as a separate process, he says.