In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a comprehensive update to its original 1992 Internal Control - Integrated Framework. This COSO framework is the de facto framework used by more than 99 percent of the organizations required to comply with Section 404 - Internal Controls over Financial Reporting (ICFR) requirement of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX).
COSO broadly defines enterprise risk management (ERM) as “The culture, capabilities and practices integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving and realizing value. The original 2004 framework encompasses, but does not replace, the Internal Control - Integrated Framework published by COSO in 1992. The 2004 framework was also updated in 2013 to address the struggles companies were facing in implementation, mainly due to the distraction of complying with the Sarbanes-Oxley Act (SOX).
Like its internal control counterpart, the ERM framework is presented in the form of a three-dimensional matrix. The matrix includes four categories of objectives across the top—strategic, operations, reporting and compliance. There are eight components of enterprise risk management, which are further explained below.
Finally, the entity, its divisions and business units are depicted as the third dimension of the matrix for applying the framework.
According to COSO, the new framework:
- Provides greater insights into strategy and the role of ERM in setting and executing strategy;
- Enhances alignment between organizational performance and ERM;
- Accomodates expectations for governance and oversight;
- Recognizes the continued globalization of markets and operations and the need to apply a common, albeit tailored, approach across geographies;
- Presents fresh ways to view risk in the context of greater business complexity;
- Expands risk reporting to address expectations for greater stakeholder transparency; and
- Accommodates evolving technologies and the growth of data analytics in supporting decision-making.
See “Updated COSO ERM Framework: What's New?” for details on why the COSO ERM Framework needed to be updated and how the focus is now on what is really important in making enterprise risk management work within an organization.
As outlined by COSO, the framework provides eight components for use when evaluating ERM:
1. Internal Environment
The internal environment sets the foundation for how risk is viewed and addressed by an entity’s people, including risk philosophy and risk appetite, integrity, ethical values, and the environment in which they operate.
Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event Identification
Internal and external events affecting the achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.
4. Risk Assessment
Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
5. Risk Response
Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
6. Control Activities
Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
7. Information and Communication
Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
The entire ERM process is monitored, and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.
See more information and guidance on the COSO ERM Framework with this COSO ERM Diagnostic Questionnaire.
*This post has been updated to include Enterprise Risk Management - Integrated Framework updates as well as the eight components of enterprise risk management.