Now that its internal control framework is updated, COSO is gearing up to revise its enterprise risk management framework in a similar manner.

The Committee of Sponsoring Organizations is launching a project to update its 10-year-old Enterprise Risk Management -- Integrated Framework for the same reasons it refreshed the Internal Control -- Integrated Framework. “We’ve come to the preliminary conclusion that there’s probably been enough change from when the framework was issued in 2004 that we should start a questioning process just like we did with the internal control framework,” says COSO Chairman Robert Hirth. “We will be asking a wide group of stakeholders how they use it and what value they get or don’t get from it.”

Most public companies are nearing the finish line in refreshing their internal control environments based on COSO’s 2013 update of its internal control framework, which companies rely on to achieve compliance with Sarbanes-Oxley-required internal control reporting. Just as it did with the internal control framework update, PwC will work with COSO to revise the ERM framework as well. The ERM framework was developed right around the time of Sarbanes-Oxley, says Dennis Chesley, risk consulting leader at PwC who will lead the update project. “That really defined the perspective of how organizations were thinking about identifying, assessing, managing, and mitigating,” he says. “A lot has happened since then. Practices around risk have evolved, there have been a lot of lessons learned, and the bar has been raised with respect to ERM expectations.”

COSO is launching a survey that will serve as the starting point for gathering feedback on how the framework could benefit from a refresh. Hirth says the practice of risk management has changed considerably since it first entered the corporate scene, and some of the language of the framework could use some updating. “The two critical areas are around risk appetite and risk tolerance,” he says. “We want to assure we have the latest thinking around those issues.” Hirth estimates the process could take 18 to 24 months, depending on the extent of changes that are pursued and the nature of the feedback when a first draft is exposed for public comment.

When COSO proposed revisions to that framework, which was originally published in 1992, some internal control experts urged COSO to integrate the internal control and ERM frameworks into a single piece of guidance. COSO decided against it in part because many companies rely on the internal control framework to meet a specific regulatory mandate, but not so with the ERM framework, Hirth says, although companies are required to provide disclosures about their board oversight of risk. “The board risk oversight disclosures have been one impetus for this,” he says.

It’s too soon to say, in Hirth’s view, whether an update to the ERM framework could re-open yet another examination of internal controls down the line. “In the risk assessment section of the new internal control framework, we think there’s some good, updated thinking in there,” he says. Chesley says he doesn’t believe companies will have to look again specifically at their internal controls over financial reporting after the ERM framework update. “This isn’t going to change the perspective on internal control,” he says. “It’s going to add to that perspective in the way the original ERM framework added to the original internal control framework.”

Chesley says he expects the refresh to take into account that regulators globally are evolving their expectations around risk management, whether looking for more transparency around risk practices or having a better understanding of how risk management is tied to an organization’s strategy, objectives, and governance structure. “We’re dealing with much more complicated issues regarding risk complexity and risk velocity,” he says.