Just as corporate managements are working diligently to deal with COSO’s updated internal control framework, particularly in connection with assessing their control systems for reporting under Section 404 of the Sarbanes-Oxley Act, we hear that COSO is embarking on another project: to update the enterprise risk management framework.
COSO says the update aims “to enhance the Framework’s content and relevance in an increasingly complex business environment, so that organizations worldwide can attain better value from their enterprise risk management programs.” It adds that since the framework was issued in 2004, we’ve seen practice evolve, lessons learned, business environments become more complex and technologically driven, and stakeholders more engaged. There’s no question this is the reality.
That being said, other voices in the corporate risk and compliance world do wonder what else might be behind the scenes driving this initiative. Cynics and skeptics might ask whether the update is tied to requirements by regulators for boards to disclose what they’re doing to oversee companies’ risk-management programs. Or perhaps attention has been focused so much on the internal control framework that the ERM framework has been overshadowed. Or is the project really driven by a secret dream for future required reporting on ERM?!
For readers looking to know where enterprise risk management is headed, it’s worth understanding what’s driving this new COSO project.
Having looked over COSO’s published Frequently Asked Questions about the project, I decided to contact the top guy, namely Bob Hirth, the COSO chairman, to learn more. And guess what? I found that there’s an element of reality behind those questions.
Having always found Hirth to be forthcoming and a straight shooter, I wasn’t disappointed when we recently spoke about the ERM update. Beginning with the most pragmatic, Hirth noted that since the internal control framework update has now been completed, the COSO board has the time to focus on other areas related to its mission. The reality is that COSO is a virtual organization, with no employees and with the five board members already having day jobs. So with these constraints, the board generally focuses on one major project at a time.
Looking back at its mission—“to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations”—the board concluded that it should devote its energies to the ERM framework.
Why? In addition to the above stated reasons, Bob Hirth elaborated on the board’s thinking.
As a backdrop to its deliberations, the board recognized that the topic of internal control has been around for decades and has been more established and better understood. Enterprise risk management is a newer concept. And while internal control concepts had evolved in the 20 years between the original framework and the update of 2013, even more change has happened around ERM in the 10 years since its 2004 framework debut.
The evolution of risk-management processes and increased attention is occurring not only in the United States, but also in many other venues around the world.
Having overseen development of the internal control update, the board now has experience with the time needed to update an existing framework—which is more than a full year of effort. With this insight, and based on the rate of change in businesses’ risk-management processes, the board decided that now is the right time to embark on the update.
The Secret Dream?
Now, the question on many observers’ minds: Is the ERM framework update being done to provide a basis for future regulatory requirements for reporting on the effectiveness of ERM systems? We saw what happened after the internal control framework was issued; although it took 10 years between the framework’s issuance in 1992 and enactment of SOX, the main reason Section 404 could be written is that there was indeed an existing framework as a basis for management’s reporting on internal control effectiveness and auditor attestation.
Regarding the question surrounding the ERM update, COSO’s FAQs shed some light, saying: “…entities are generally not required by statute, rules, or standard setters to apply a risk-management framework such as the Enterprise Risk Management – Integrated Framework. However, management may choose to do so to enhance their ability to create and sustain value. Conversely regulators and standard-setters often require entities to develop, maintain, and report on effective internal control.”
Aah, note that word “report.” Does this imply some scheme designed to lead us down the path of required reporting on ERM? I posed that question to Hirth. His answer was “no,” and he then elaborated.
Noting that all U.S.-listed companies must disclose information related to the board of directors’ oversight of a company’s risk-management process, more companies also are moving to develop and disclose relevant information about their risk-management systems. That is, does it make sense to disclose what the board does to oversee risk management, without disclosing what risk-management process exists in the first place? A number of companies are concluding that their stakeholders are better served by having information on the company’s risk-management process as a basis for understanding what the board is doing in its oversight role.
This certainly makes sense to me. For context, when I was leading the core project team developing the original internal control framework in 1992, my colleagues and I recognized that the Securities and Exchange Commission had already made formal proposals for required reporting on internal control—and then withdrew them, with the principal reason being no established framework to serve as a basis for reporting.
So in the back of our team’s mind was the idea that it would be possible, if not probable, that down the road the SEC would revisit such a requirement. Well, it turns out the requirement came in the form of legislation, namely SOX. When I served as an adviser to the PwC team updating the internal control framework in 2013, it was clear that sharpening the criteria for reporting in the form of principles and points of focus would better enable registrants to comply with the reporting requirement.
By contrast, when I was the PwC partner leading the ERM framework project, we had no expectation that the framework would ever serve as a basis for required reporting, and we did not believe that the framework would be used for such a requirement. And I believe that with the update project, COSO indeed has no hidden agenda to move toward an ERM reporting requirement.
At the same time, with the expectation that the updated ERM framework will also be recast with principles and points of focus, COSO seeks to put a framework in place enabling companies to gain better value from their enterprise risk management programs. And if companies decide to enhance disclosures about their ERM programs, the updated framework will serve that purpose as well. My sense is that there will be more such disclosure on a voluntary basis, and the framework will be well served. What regulators around the world might do years down the road remains to be seen.
A Look Behind the Scenes at COSO
By the way, for readers interested in learning more about COSO and its inner workings, you might want to tune in on April 16 to the SEC Historical Society’s live audio broadcast, when I’ll join four people I’m proud to call my colleagues: COSO Chair Bob Hirth, former chairs Larry Rittenberg and Dave Landsittel, and moderator Mark Beasley. You can tune in from 2:00 to 3:00 Eastern time at www.sechistorical.org. I suspect there might just be some good inside scoop shared with the listeners!