Revised version focuses more on implementation than evaluation, stressing dynamic nature of risk
As companies continue to apply lessons learned from the 2008 financial crisis, the Committee of Sponsoring Organizations of the Treadway Commission (Coso) has responded with a critical update to its integrated framework for enterprise risk management (ERM), first introduced in 2004. Two years in the making, the updates largely address correlations between risk management and performance targets.
Coso’s better-known framework concerning internal controls, first introduced in 1992, was updated in 2013. Changes to the ERM framework complement the revised internal controls framework.
‘These are big changes,’ says Dennis Chesley, lead partner for Coso ERM and leader of PwC’s global risk consulting division. ‘One of the feedback points from 2004 was that it looked like it was written by and for auditors.’ Instead of focusing on evaluation, the 2016 framework centers on implementation, he adds.
After surviving the great recession, companies are now seeking ways to ‘look around the corners to identify risk, assess [risk] and evaluate mitigation,’ Chesley says. Integrating risk management throughout, the framework now better defines the relationship between risk and value. At the same time, the framework simplifies the definition of enterprise risk management. The need to re-evaluate and strengthen internal controls continues to play an important role and is referenced throughout the new framework.
‘Risks are not a static thing,’ Chesley says. ‘They’re not the same as an audit finding. Risks will change over time, depending on the threat side ‒ competition, tech disruption, natural disaster and geopolitical instability. As with any framework, it’s about the what, not necessarily about the how.’
Organizations are typically geared to handle certain types of risk, he goes on to explain. As companies experiment with growth, the framework allows for an assessment of even unfamiliar risks. Coso specifically designed the revamped framework to apply to both small and large organizations, as well as for-profits and non-profits.
And because enterprise risk management requires flexibility, the revamped framework examines how an organization’s culture plays a role, as well as emphasizing the importance of strategy. For example, a manufacturing company that wants to increase its profits may have to choose between reducing costs by dramatically changing its existing manufacturing processes or expanding into emerging markets. Each option has a different risk profile, taking into account geopolitical factors, tax ramifications, supply-chain resilience and product quality assurance. The strategy a company selects will depend on its culture, experience, resources and risk tolerance.
The 2016 framework defines risk appetite as a function of performance. The higher the performance target, such as greater profit margins, the greater the risk appetite required. The definition is made clear using a new graph within the risk profiles that supplement the internal controls framework cube graphic introduced in 1992. In this graphic, the x-axis represents the level of performance an organization wants to reach; the y-axis represents the risk appetite. Using this tool, companies can better calibrate performance targets to the level of risk they are willing to take in order to generate that performance.
‘In just about any business, setting a performance goal is a normal activity. But understanding how much risk is being taken in pursuit of the goal is not,’ Chesley says. ‘These graphs help demonstrate how to have the conversation [about setting performance goals based on risk tolerance]. In addition, the organization can determine how much variation from the performance goal is acceptable... both above the goal and below. This is where the risk part of the discussion can become very helpful as there are obvious risks in under-performance but as many or more risks in over-performance, for example portfolio concentration.’
This correlation is also inherently flexible, anticipating data that is expected to come over the next 10 years. Chesley notes that as companies and industries become larger and more complex, integrating risk management into business strategy becomes even more critical. ‘We think that in the next 10 years there will be significantly more financial ramifications to an organization’s mission, vision and values not matching its risk appetite and execution,’ he says.
The new framework is currently available for public comment at www.coso.org through September 30, 2016. Coso contracted with PwC to author the update, which was written with input from the Coso board, its advisory council and the results of a 2014 online survey.