This September, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a much-anticipated update to their 2004 “Enterprise Risk Management—Integrated Framework,” a renowned and widely used risk management framework. The new release is formally called “Enterprise Risk Management—Integrating with Strategy and Performan...
The COSO update comes to meet the rising expectations of risk management, according to Bob Hirth, COSO Chair: “The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting…Our overall goal is to continue to encourage a risk conscious culture.”
The risk landscape has changed drastically and will continue to do so. I often site the SEC’s Proxy Disclosure Enhancements as a proof point of this change. The Proxy holds boards explicitly responsible for their company’s risk management programs by requiring them to either adopt an effective ERM program, or disclose their risk management shortcomings. Other standards that underscore this transitional landscape is the Yates Memo, the IIA’s International Professional Practices Framework, and SEC Regulation S-K.
Failures in risk management have become all too common, and consumers, in addition to regulators, are taking action. Facebook and Equifax are poignant examples of this. Consumers will start to move their business and loyalty to institutions that can demonstrate effective risk management and governance because they are the only companies who will be able to prove their trustworthiness.
Managing risk has become undeniably complex and more imperative than ever before. However, frameworks like COSO 2017 provide a sense of assurance and a method to re-establish a world without catastrophic corporate scandals.
The road to this restored confidence is enterprise risk management, which COSO defines:
“Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value.”
I couldn’t agree with this definition more. It touches on many attributes of ERM that I've long championed: integration across silos and levels, strategy and goal alignment, culture, and performance.
Another framework which I co-authored, the RIMS Risk Maturity Model (RMM), also emphasizes value. In fact, an independent study by Queen’s University, “The Valuation Implications of Enterprise Risk Management Maturity,” based on RMM data found that organizations with mature ERM programs realize a 25% market valuation premium over those in which “silo-based risk activities are dominant.”
Realizing this value, however, is more than a matter of understanding the theories presented by COSO 2017. It’s a matter of taking actionable steps towards aligning with those theories. It’s also a matter of prioritizing these steps, as it is often too big a task to take on all at once. Not all components presented by the COSO update contribute equal business value; those that contribute more value should of course be prioritized.
Below are some of the theoretical goals of the updated Framework that I resonate with most, as well as some helpful resources I’ve published that show you how to implement COSO 2017.
The enhancements are ordered by percent contribution to business value, as determined by “The Valuation Implications of Enterprise Risk Management Maturity” study.
As put forth by the Framework, “Organizations that integrate enterprise risk management throughout the entity can realize many benefits including…increasing positive outcomes and advantage while reducing negative surprises: Enterprise risk management allows entities to improve their ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses, while profiting from advantageous developments.”
While I wholly agree with this sentiment, I would also add that there is a crucial difference between risk outcome and root cause, as this distinction is vital to effective risk identification. All organizations must not only understand the distinction between risk outcome and root cause, but actively identify root cause instead of outcome. A fundamental problem in risk management is the identification of risk symptoms, not root-cause risks, which allows the initial problem to persist.
The Queens University study revealed that, statistically, an effective root-cause discipline and consistent uncovering of risks combine for 31% of ERM’s total valuation impact.
Related resource: 5 Steps for Better Risk Assessments
The COSO update emphasizes the correlation between risk management and enhanced business performance:
“Every entity has a mission, vision, and core values that define what it is trying to achieve and how it wants to conduct business. Some organizations are skeptical about truly embracing their corporate credos. But mission, vision, and core values have been demonstrated to matter—and they matter most when it comes to managing risk and remaining resilient during periods of change.”
COSO’s acknowledgment of performance as being intimately related to enterprise risk management is a key step forward for the industry. To go beyond a mere understanding of this principle, and to achieve its implementation, organizations must measure their board risk oversight by collecting internal metrics, uncovering trends, and using that data to execute strategy.
Performance Management, one of the seven attributes defined by the RIMS Risk Maturity Model, accounts for 23% of the market valuation premium.
Related resource: Meaningful Metrics: Using ERM to Inform Strategy
“Enterprise Risk Management—Integrating with Strategy and Performance” clarifies the “importance of enterprise risk management in strategic planning and embedding it throughout an organization—because risk influences and aligns strategy and performance across all departments and functions.”
The Framework itself is a set of principles organized into five interrelated components: Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, Information Communication and Reporting.
I've always believed that organizations should not operate as a collection of independent silos. Instead, risk management should extend across all business areas and ultimately align with the corporation’s strategic objectives.
This RMM attribute, ERM Process Management, is generally defined as “Integration into business processes to support the reduction of uncertainty and promote exploitation of opportunities.” It accounts for 20% of the total valuation impact brought by mature enterprise risk management.
Related resource: How to Integrate Governance Areas
The new COSO update clearly emphasizes the board’s risk oversight responsibility, a point many organizations need to improve upon. Boards need to foster the development of a risk-aware environment.
Too often, however, organizations emphasize aspects such as risk appetite too early and do not focus enough on areas that can be easily measured. Risk appetites, while useful, contribute less than 1% of the valuation premium, according to the RMM. Risk tolerance at the process activity level, however, is where the value is most gained because of its ability to be measurable and promote accountability.
The Queens University study determined that “the most important aspects of ERM from a valuation perspective relate to embedding discipline throughout the organization.” This attribute has an individual value contribution of 17%.
Related resource: 5 Steps Towards an Actionable Risk Appetite
The new Framework also considers how businesses will have to adapt to keep up with the ever-increasing uncertainty in the business world. Regulations will always be updating, data will get bigger, and accountability will continue to increase.
Specifically, COSO 2017 references dealing with the proliferation of data, advising “advanced analytics and data visualization tools will evolve and be very helpful in understanding risk and its impact.” The Framework also mentions artificial intelligence and automations, stating “it is important for enterprise risk management practices to consider the impact of these and future technologies, and leverage their capabilities.”
I believe this future has already arrived. Instilling a sense of certainty and simplicity enterprise-wide is more than a one-person, one-team, or one-department job. Achieving a truly integrated approach to ERM and drastically enhancing performance already demands a powerful software solution.
Related resource: 7 Ways to Build the Business Case for ERM Software