The top changes to the COSO ERM Framework you need to know now
05 September 2017
By Dennis Chesley, Global, Asia Pacific and Americas (APA) Risk Consulting Leader
When the Committee of Sponsoring Organisations of the Treadway Commission (COSO) decided to update one of the most widely recognised and applied risk management frameworks in the world, they engaged PwC to author the new COSO ERM Framework.
Why update the COSO ERM Framework?
Several reasons: The complexity of doing business is changing, and new risks continue to emerge at a faster pace than has been seen in the past. Shifting customer behaviour is exerting considerable influence on an unpredictable global economic landscape.
Meanwhile, technology evolution and a greater call for transparency are straining strategic planning processes and operational capabilities. Addressing these challenges requires that organisations take a new approach to managing risk: one that helps to create, preserve and realise value now and in the future.
A draft of the Framework was made public during a comment period, garnering widespread global and cross-sector interest and support by both private and public companies. That feedback helped to shape the updated Framework – now titled Enterprise Risk Management–Integrating with Strategy and Performance.
Here are some of the key changes to the Framework.
- Introduces a new structure: With just five components and twenty principles aligned to the business cycle, the Framework’s key principles cover processes from governance to day-to-day activities. They are manageable in number, applicable to all organisations regardless of size, type or sector, and allow for a fuller conversation about risk between the board and management.
- Explores the different benefits of ERM: The Framework presents a clear case for integrating enterprise risk management practices with strategy-setting and performance management practices to help realise benefits related to value. Bringing a focus to these benefits enhances conversations about why ERM matters.
- Provides a focus on integrating risk management: The Framework offers guidance on how to better integrate enterprise risk management: linking risk with strategy setting and day-to-day activities, embedding it throughout an organisation’s culture, capabilities and practices, and fostering better decision-making.
- Is written from the perspective of business: The Framework’s language makes conversations about risk relevant and universal by setting out core definitions, components and principles for all levels of management involved in designing, implementing and conducting ERM practices.
- Features a suite of new graphics: The Framework utilises new conceptual graphics. The core graphic brings to life the relationship between risk management and the business model. Other graphics, such as risk curves, highlight the relationships between risk, strategy and performance, further embedding the management of risk into day-to-day conversations.
- Explores risk management at all altitudes of the organisation: From entity-level to process-level risks, the Framework explores how the identification, assessment and management of risk changes from the transactional to the strategic.
- Dives into deeper discussions on challenging topics: The Framework examines such topics as risk appetite and the portfolio view of risk, and addresses some misconceptions that exist today, providing deeper insight.
- Includes greater emphasis on culture: The Framework explores how enterprise risk management practices can instill more transparency and risk awareness into an organisation’s culture, helping people make decisions while understanding the importance of culture in shaping those decisions.
- Addresses the evolving role of information technology: The Framework sheds light on how business trends, such as the proliferation of data, artificial intelligence and automation, influence an organisation’s strategy, business context and risk management.
To complement the new Framework, we have also created a series of case studies to illustrate the application of all of the publication’s principles across different industries, entity sizes and types, and actual and expected company practices. This compendium will be released in late fall this year.
Together, the Framework and the compendium are designed to turn a preventative, process-based risk monologue into a proactive, opportunities-focused conversation that uncovers how risk management can create, preserve and realise quality and value.
Explore our points of view on some of the key concepts covered in the Framework by visiting our COSO ERM Framework microsite and sign up for updates.
As always, I’d love to know what you think @Dchesl