Where companies might have a little trouble seeing how to embed an enterprise risk management framework into the business, the Committee of Sponsoring Organizations has published a new resource to help.
COSO released its updated ERM framework in 2017 to create a tighter link between an entity’s approach to ERM and its strategy and performance objectives. Now COSO has published a “compendium of examples” meant to give companies a little more insight into how to go about ERM with strategy and performance top of mind.
The compendium provides examples of how to apply the COSO ERM framework in a variety of settings, by sector, size, and geography. It provides illustrations for how to put the framework to use in sectors such as financial services, consumer products, energy, technology, healthcare, industrial products, and others, on local, national, and international scales.
Each example spotlights how to apply different components of the framework, which include governance and culture; strategy and the setting of objectives; performance; review and revision; and information, communication, and reporting. Each story is meant to show how a given entity scaled and adapted the principles to its particular circumstances, focusing on connecting the mission, vision, values, goals, and approaches to executing strategy.
As the update to the ERM framework developed, COSO amassed a great deal of research and case study information, said COSO Chairman Paul Sobel. “In some of that research, they came across examples that we felt were probably some pretty good practices,” he said.
Publishing all of it with the framework would have produced an unwieldy document, said Sobel. “It’s already a pretty meaty framework in terms of the amount of content in it,” he said. That led to a decision to publish the examples as a later installment, he said.
“ERM is not easy,” said Sobel. “Some organizations, maybe early on in their evolution or at more advanced stages, perhaps had gaps or opportunity to address.” The COSO board believed the compendium would give organizations a way to relate to other experiences and perhaps sharpen their focus on specific areas, he said.
COSO, best known for its Internal Control — Integrated Framework that is heavily used in the United States to achieve compliance with Sarbanes-Oxley, first published its ERM framework in 2004, then updated it in 2017. The overhaul occurred under the leadership of its former chairman, Robert Hirth, which led the board to publish the compendium under his name as well.