The Committee of Sponsoring Organizations of the Treadway Commission, COSO, is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations.
The Framework itself is a set of principles organized into five interrelated components:
1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
4. Review and Revision: By reviewing entity performance, an organization can con-sider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
5. Information, Communication, and Reporting: Enterprise risk managementrequires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
The five components in the updated Framework are supported by a set of principles. 4 These principles cover everything from governance to monitoring:
- Governance and Culture:
- Exercises Board Risk Oversight;
- Establishes Operating Structures;
- Defines Desired Culture;
- Demonstrates Commitment To Core Values;
- Attracts; Develops, And Retains Capable Individuals.
- Strategy and Objective-Setting:
- Analyzes Business Context;
- Defines Risk Appetite;
- Evaluates Alternative Strategies;
- Formulates Business Objectives.
- Identifies Risk;
- Assesses Severity Of Risk;
- Prioritizes Risks;
- Implements Risk Responses;
- Develops Portfolio View.
- Review and Revision:
- Assesses Substantial Change;
- Reviews Risk And Performance;
- Pursues Improvement In Enterprise Risk Management.
- Information, Communication, and Reporting:
- Leverages Information And Technology;
- Communicates Risk Information;
- Reports On Risk, Culture, And Performance.
Looking into the Future
There is no doubt that organizations will continue to face a future full of volatility, complexity, and ambiguity. Enterprise risk management will be an important part of how an organization manages and prospers through these times. Regardless of the type and size of an entity, strategies need to stay true to their mission. And all entities need to exhibit traits that drive an effective response to change, including agile decision-making, the ability to respond in a cohesive manner, and the adaptive capacity to pivot and reposition while maintaining high levels of trust among stakeholders.
As we look into the future, there are several trends that will have an effect on enterprise risk management. Just four of these are:
- Dealing with the proliferation of data: As more and more data becomes available and the speed at which new data can be analyzed increases, enterprise risk management will need to adapt. The data will come from both inside and outside the entity, and it will be structured in new ways. Advanced analytics and data visualization tools will evolve and be very helpful in understanding risk and its impact—both positive and negative.
- Leveraging artificial intelligence and automation: Many people feel that we have entered the era of automated processes and artificial intelligence. Regardless of individual beliefs, it is important for enterprise risk management practices to consider the impact of these and future technologies, and leverage their capabilities. Previously unrecognizable relationships, trends and patterns can be uncovered, providing a rich source of information critical to managing risk.
- Managing the cost of risk management: A frequent concern expressed by many business executives is the cost of risk management, compliance processes, and control activities in comparison to the value gained. As enterprise risk management practices evolve, it will become important that activities spanning risk, compliance, control, and even governance be efficiently coordinated to provide maximum benefit to the organization. This may represent one of the best opportunities for enterprise risk management to redefine its importance to the organization.