What Should IFAC Tell COSO?
Vincent Tophoff | February 2, 2015
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently announced its plan to update its Enterprise Risk Management (ERM) Integrated Framework (2004), which provides key principles and concepts for organizations to evaluate and improve their enterprise risk management.
The kickoff Advisory Council meeting for the update, with IFAC as a participant, will take place this February and the project is expected to be finalized sometime in 2016.
IFAC believes that it is of utmost importance that people in organizations are guided to good implementation and application of risk management. In that respect, COSO plays an important role as a body of knowledge, experience, and thought leadership, now and even more in the future.
However, in the 10+ years since publication of the original Framework, environmental, social, and economic uncertainty has significantly increased across the globe. These changes include the continuing presence of systemic risk, driven by risk factors such as sovereign debt, continued or recurring recessions in major economies, and technological, safety, societal, and environmental issues. This brings into the spotlight the need for more effective governance in organizations, including enhanced risk management and internal control. So the update is very timely!
Based on IFAC’s research and publications in governance, risk management, and internal control, we already have many ideas and suggestions on how the COSO ERM Framework could be further improved. In general, the revised Framework should incorporate the main governance, risk management, and internal control developments over the last 10 years that have proven to be good practice.
In addition, we have many more specific suggestions.
- Instead of imposing typical risk management tools and processes onto people and processes, the updated Framework should try to adapt them to suit the needs of the non-risk management specialists in the organization and integrate them in their existing approaches to managing an organization.
- The Framework could better distinguish between the institutional arrangements necessary to enable good risk management in the organization, such as establishment of the organization’s limits for risk taking by the governing body, versus the actual risk management process to be applied in every decision-making process and subsequent execution.
- The Framework should also pay more explicit attention to the internal and external context, as risk should not be managed in isolation but by explicitly and continuously taking into account the changes in the environment.
- The best way for the updated Framework to inform everyone in the organization about the importance of risk management to each person’s daily job is to eliminate the risk management jargon and possibly include more graphical illustrations. Also, less text would foster wider acceptance and better understanding of the ERM Framework, generally making it more accessible and user-friendly, especially for those charged with governance and others in senior positions within organizations, regulators, oversight bodies, etc.
- For the Framework to remain relevant in an environment of greater global integration, COSO should further integrate this ERM Framework with its Internal Control Framework. It should also further align the various concepts and terminology with other frameworks, standards, and guidelines on governance, risk management, and internal control from across the globe.
- The current Framework is very descriptive and, therefore, less geared to explaining what organizations actually should do to implement and apply good risk management, including more emphasis on the upside of risk: seizing opportunities. The revised Framework could provide more “how to” recommendations, as well as practical examples on how to implement and apply good risk management.
In addition, COSO should continue to be a thought leader by not shying away from developing new approaches to solve persistent risk management issues!
What do you think?
We would like to help facilitate a constructive dialogue between COSO and users from across the world on how the COSO ERM Framework could be further improved. In the past, we have included input and consultations from our Professional Accountants in Business Committee and the independent International Auditing and Assurance Standards Board. However, we would also like to hear directly from you with feedback and information we can provide to COSO.
- What is your idealistic view of ERM?
- What are the three strengths of the 2004 Enterprise Risk Management – Integrated Framework?
- What are the three most significant areas for update of the Framework?
- What should the revised Framework consider to remain relevant for the next ten years?
- What would improve user acceptance of the Framework (delivery format, examples, organization of content, etc.)?
Risk management is getting ever more important and standards, frameworks, or guidelines can support organizations as they evaluate and improve their risk management arrangements. For this reason, let’s together make the update of the COSO ERM Framework a success!