The COSO ERM Framework one year later: What have we learned?
15 October 2018
By Hélène Katz, former Director, and Frank Martens, Global Risk Framework and Methodology Leader
Just over a year ago, the board of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated enterprise risk management framework (formally titled Enterprise Risk Management: Integrating with Strategy and Performance), followed in early 2018 by the supporting Compendium of Examples. Both of us were very fortunate to play central roles in helping to update and author these documents and have a vested interest in learning how they have been received in the market. Since the release of those publications, we have travelled around the globe, engaging with board members, company leaders, business people and risk professionals in more than 10 countries across five continents.
We were warmly received everywhere we visited, despite feeling some apprehension that we might be seen as roving provocateurs, boldly challenging strongly held local concepts of risk management frameworks and standards. Most of our risk colleagues were really just interested in what we learned and how they can improve their risk management.
Each country, of course, has its own distinctive culture and norms, but much of the feedback we heard, wherever we were, had strong points of commonality: People want more of ERM and are keenly interested in how the Framework might help them improve their own practices.
The flipside of this was that others believed that ERM had not delivered its promised value, despite their best efforts to change and improve. Case in point: one director who sits on three company boards told us, “If I cover up the logo at the top of the page, I can’t tell which company’s risk report I am reading.” But even those who expressed disappointment with ERM were eagerly looking for ideas about how to improve what they do. Half the people who responded to the informal survey we conducted as part of this process were already considering the role of risk in the strategy-setting process and exploring opportunities to boost the involvement of risk teams in that conversation. A slightly smaller percentage were exploring how to create more integrated risk and performance reporting.
When we drafted the Framework’s executive summary, we were careful to include a section on misconceptions about ERM, hoping to set the record straight. We did not entirely succeed. Many of those misconceptions persist among risk professionals, not least among those who cling to risk lists and heat maps as the go-to tools of their trade. We received a disheartening number of emails from people asking if we could share the new checklist. And then there were the folks who firmly believed that some form of maturity assessment was the answer. It isn’t. The way we see it, performing the same risk processes more frequently or introducing automation as a proxy for maturity will not meet the risk-management needs of any organization. Risk managers would better serve themselves and their organizations by weighing which practices will deliver greater value and benefits.
We also heard dispiriting comments at conferences and round-table meetings. There was, for example, the individual who asked us, “Are you saying that as a risk manager I need to understand my business?” Then there was the internal audit leader of a Fortune 100 company who said, “I don’t need to understand the strategy of the business to develop my audit plan—it’s not relevant to what I do.” And let’s not forget the risk manager who asked, “I have over a thousand risks in my risk register. What should I do next?”
We believe that risk management needs to serve the business and its stakeholders better. A long risk list that doesn’t connect to the business or its performance is not fit for that purpose. Risk conversations are changing—we’ve seen and heard them in a variety of settings. And we have found some truly inspiring and delightful signs of progress. We heard from several organizations that had internalized the concept of risk curves and wrapped it into their thinking and vocabulary. We found organizations that were shifting their view of risk appetite, seeing it not merely as a compliance-driven evaluation exercise but instead as a way to expand their thinking when deliberating important decisions. Those organizations have learned—quite possibly the hard way—that by making more risk-informed decisions up front, they can more easily address evaluation concerns later. We also found organizations that were changing their strategic planning approach and engaging in projects that looked at their strategy-setting and risk-management practices in tandem. We also found a few whose risk reports to the board have evolved from a long, color-coded risk list to a narrative of how risks are shaping the entire business and its performance.
So what lies ahead?
One important lesson we took away from our travels was that though many organizations have begun their journey toward ERM, none of them started from exactly the same place. They picked one or two areas that were of most relevance for them. If you are not yet sure where you might start, we offer a few suggestions:
- Have a candid conversation with your business partners about the value and benefits that ERM is delivering today and what they would like it to deliver.
- Evaluate your current range of risk management practices and tools in light of their integration with strategy and performance.
- Make a plan. Then execute it.
A lot can happen in a year and we can’t wait to see what changes and developments the next 12 months will bring. What are your thoughts?