Pivotal Change Needed to Take COSO’s ERM Framework from Risk to Strategic-Objective Based
Vincent Tophoff | October 12, 2016
The IFAC Professional Accountants in Business Committee recently submitted a response to the Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s Exposure Draft of its updated integrated framework, Enterprise Risk Management—Aligning Risk with Strategy and Performance. The Framework is designed to help all organizations improve their approach to managing new and existing risks as a way to help create, preserve, sustain, and realize value.
IFAC has actively participated in the COSO Board’s Advisory Council for this update, which has allowed us to contribute to all stages of the update process. In that respect, we are happy to see that our views on the effective management of risk—expressed in IFAC’s recent thought paper, From Bolt-on to Built-in—are closely aligned with the intentions of the ERM Framework: “integrating enterprise risk management into an organization helps to accelerate growth and enhance performance by more closely linking strategy and objectives to both risk and opportunity.”
The biggest challenge that we encountered, however, is that the actual ERM Framework itself does not yet sufficiently live up to the intentions, or aspirations, as described in the Executive Summary. In our response, we provided many examples to demonstrate this point. For example, the thrust of the draft is still about risk management as a separate activity, speaking predominantly in terms of identifying and managing individual risks, as opposed to an activity that’s integrated within the decision-making process.
In our opinion, the most pivotal change needed to align the ERM Framework with COSO’s intentions is to reverse the perspective from risk based to strategic-objective based: placing organizational strategy and execution at the forefront and then showing how organizations could actually integrate the management of risk into their already existing “culture, capabilities, and practices.”
Once this has taken place, the various elements of the ERM Framework will almost automatically fall into their new place: not as separate, add-on activities but as important pointers to influence the managerial processes that already exist—to enhance and improve them but not necessarily replace or increase them.
Such an approach would also correspond with the main objective of an organization, which is not to effectively manage risk nor to have effective controls, but to ensure that it makes the best decisions and achieves its strategic objectives.
We hope that our feedback, as well as that from many other interested parties (available on the COSO ERM Comments web page), helps create an updated ERM Framework that can truly support you in evaluating and improving the management of risk in your organization.