The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the final version of its revised enterprise risk management (ERM) Framework, Enterprise Risk Management–Integrating with Strategy and Performance, in September 2017. In the Framework, COSO has come a long way since its initial exposure draft. The Framework takes important steps toward breaking down the siloed nature of managing risk and integrating the responsibly throughout the organization.
In IFAC’s response to the 2016 exposure draft, we noted that, while the Executive Summary stressed the importance of integration of risk management, the draft Framework itself did not yet sufficiently live up to those aspirations. The final version of the framework now highlights the importance of considering integrating risk in both determining strategy and in driving performance. In this respect it is now closely aligned with the central theme of IFAC’s thought paper From Bolt-on to Built-in, which addresses the centrality of managing risk as an integral part of the overall management of an organization.
For starters, the subtitle of the Framework has been changed from “Aligning Risk with Strategy and Performance” to “Integrating with Strategy and Performance,” highlighting the importance of integration in the final framework. In addition, a new chapter has been included on integrating risk management with strategy-setting through performance. In addition, the new signature graph—no longer a cube—now clearly depicts how the various enterprise risk management components are aligned with elements of common business models.
Also, the components themselves are now, rightfully, stripped from their siloed risk focus and placed in a more logical order, following the business model.
1. Risk Governance and Culture
2. Risk, Strategy, and Objective-Setting
3. Risk in Execution
4. Risk Information, Communication, and Reporting
5. Monitoring Enterprise Risk Management Performance
1. Governance and Culture
2. Strategy and Objective-Setting
4. Review and Revision
5. Information, Communication, and Reporting
While the subsequent guidance can support organizations in evaluating and improving their enterprise risk management arrangements, not all of the practice recommendations fully support the new approach. There is still a fair bit of inevitable “risk hunting” to satisfy those organizations that cannot say (yet?) goodbye to the old guard (think risk registers). Ultimately, it is not about managing risk or being in control, but about effectively setting and achieving your organization’s objectives. As long as you keep this big picture in mind, the revised framework provides many tips and hints.
The main recommendation in our 2016 comment letter was to: “reverse the perspective from risk-based to (strategic) objective-based: placing organizational strategy and execution at the forefront and then showing how organizations could actually integrate the management of risk into their (already existing) ‘culture, capabilities, and practices.’” We at IFAC believe that, in this final version, COSO has come a long way since the exposure draft, and by making this turn is now better following through with its own intentions.
Take a read through the framework yourself, and let us know your thoughts!
IFAC actively participated in the COSO Board’s Advisory Council for this update and we congratulate the COSO Board on this landmark revision.