In September 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a revision of its enterprise risk management (ERM) framework, now called ERM – Integrating with Strategy and Performance. The original framework was introduced by COSO in 2004 and has since become widely recognized and adopted by organizations around the world.
Interestingly, almost two years after the revision was published, the visibility and adoption of the 2017 version still do not seem to have met the authors' expectations. A simple internet search for COSO still returns the previous revision among the main results and images, giving the reader the false impression that the latest revision is less relevant.
Why update the COSO ERM Framework?
There are a number of reasons. The complexity of doing business is changing and new risks are emerging at a faster pace than we saw in the past. Changing customer behavior is exerting considerable influence on an unpredictable global economic scenario.
Meanwhile, the evolution of technology and the increasing call for transparency are overwhelming strategic planning processes and operational capabilities. Dealing with these challenges requires that organizations adopt a new approach to managing risks: one that helps to create, preserve and gain value today and in the future.
The main changes
1. Introducing a new structure
With only five components and twenty principles aligned with the business cycle, the framework's key principles cover processes ranging from governance to routine daily activities. They are manageable and applicable to all organizations, regardless of size, type or sector, and they allow for a broader discussion of risk between the board and management.
2. Exploring the different benefits of ERM
The framework presents a clear case for integrating corporate risk management practices with performance and strategy management practices, aimed at providing benefits that add value. Shifting the focus to these benefits promotes discussion on the importance of ERM.
3. Focus on integrating risk management
The framework provides guidance on how to better integrate enterprise risk management, linking risk to the definition of strategy and day-to-day activities, embedding risk management in the organization's culture, capabilities and practices, and promoting better-informed decision making.
4. Written from a business perspective
The language of the framework makes discussions about risk relevant and universal, establishing definitions, components and basic principles for all levels of management involved in planning, implementing and carrying out ERM practices.
5. Presenting new diagrams
The framework provides new conceptual diagrams. The main diagram shows the relationship between risk management and the business model. Other diagrams, such as risk curves, highlight the relationships between risk, strategy and performance, bringing risk management even further into day-to-day discussions.
6. Exploring risk management at all levels of the organization
From the corporate level down to risks at the process level, the framework explores how the identification, assessment and management of risk shift from the transactional to the strategic.
7. In-depth discussions on challenging topics
The framework examines topics such as risk appetite and a perspective on portfolio risk and addresses some of the errors that exist today, providing a comprehensive view on the matter.
8. Greater emphasis on culture
The framework examines how enterprise risk management practices can bring more transparency and risk awareness to an organization's culture, helping people make decisions and recognizing the importance of culture in shaping those decisions.
9. Addressing the evolving role of information technology
The framework sheds light on how business trends (such as data proliferation, artificial intelligence and automation) influence an organization’s strategy, the business context and risk management.
COSO ERM Framework
At first glance, the main diagram of the new framework may seem surprising. The term "risk" does not even appear among the 5 components. The intention is clearly to relate the framework to something broader and to strengthen the presence of ERM in corporate governance and strategy practices.
As we go down the list of the 20 principles, we see terms that are already familiar to us. Risks are there, and they still need to be identified, assessed and monitored, perhaps without such a rigid structure, but with an approach that allows for the desired broader application.
For quite some time, we have seen a number of business areas move towards risk management. With the revision of COSO ERM, we see the opposite: risk management moving towards the other business areas. It is a clear sign that, in order to achieve excellence in corporate governance, we have to stop thinking in terms of isolated parts and start thinking in terms of a unified and perfectly synchronized system.