COSO’s Newest ERM Guidance

COSO ERM Framework

COSO has been a leader in the generation of guidance and frameworks on internal control procedures, fraud prevention, and ERM. COSO began its independent private sector endeavors in 1985 by studying the causes of fraudulent financial reporting. The first Enterprise Risk Framework was published in 2004, and the organization’s website (http://www.coso.org) provides several excellent ERM resources.

COSO’s ERM framework is highlighted prominently throughout its website and has been most recently updated with the 2017 edition of Enterprise Risk Management—Integrating with Strategy and Performance, a joint project of Pricewaterhouse Coopers and the COSO Board. AICPA members can purchase online, e-book, or paperback editions starting at $59, but several related resources are available for free on the COSO website. A Compendium of Examples contains detailed examples for applying the ERM principles from industry best practices, and is also available for purchase starting at $39.

The Guidance on Enterprise Risk Management webpage on COSO’s website provides easy access to several free resources related to the new ERM guidance, along with links to purchase the full framework (https://www.coso.org/Pages/erm.aspx). An “Executive Summary,” available as a 16-page PDF, explains the new framework’s role in providing ERM guidance to management and the board of directors (http://bit.ly/2TfbTpz). The 2017 edition narrows the framework focus into five components: governance and culture; strategy and objective setting; performance; review and revision; and information, communication, and reporting. The last page of the summary is a list of 20 components and principles, such as “an organization’s board of directors is responsible for overseeing strategic planning and governance,” “the organization should define its risk tolerance and identify and prioritize risks,” and “the entity should review its performance in light of the risks it faces.”

A nine-page “Frequently Asked Questions” booklet explains that the framework was updated to address new risks that have come to light since the original publication in 2004, as well as to provide greater emphasis on strategy and performance (http://bit.ly/2GMKp4y). The FAQs identify and explain 10 key changes, such as simplifying the definition of ERM, emphasizing the connection between risk and value, and highlighting the importance of strategy.

Finally, a useful “Slide Presentation” provides the most efficient way to read and absorb how the new 20 key principles map onto the five components discussed in the Executive Summary, as well as to obtain an overview of the major changes to the framework (http://bit.ly/2XpWd1V).

Following the release of the ERM framework, COSO, in partnership with the World Business Council for Sustainable Development (WBCSD), published guidance on “Applying Enterprise Risk Management to Environmental, Social and Governance-Related Risks” in October 2018. The new resources discuss environmental, social, and governance (ESG) risks; provide examples of specific companies that have experienced ESG-related risks; and apply the new ERM guidance to assist organizations with managing ESG risks, such as extreme weather events and product safety recalls. COSO recommends that ESG-related risks be incorporated into ERM and strategic planning activities. The new guidance includes a 16-page executive summary (http://bit.ly/2GNlkXf), as well as the complete 120-page full report (http://bit.ly/2VnmFXZ), both available for free on COSO’s website. The executive summary includes a checklist for organizations to identify their ESG-related risks, while the appendices in the full report provide a collection of tables, such as specific country risk disclosure requirements and example voluntary ESG frameworks.

COSO also offers several interesting “ERM Thought Papers” on its ERM Guidance web page. The publications are all free to download and generally run between 20 to 30 pages. One example is “ERM Risk Assessment in Practice,” authored by Deloitte & Touche LLP (October 2012, http://bit.ly/2H63huP). Another is “Enterprise Risk Management for Cloud Computing,” presented by Crowe Horwath LLP (June 2012, http://bit.ly/2SZTOws).

COSO’s publications emphasize the practical relationship between ERM and internal control. While this column is focused on the ERM aspect, readers should be aware that COSO has recently issued new internal control guidance for healthcare providers. The new “Implementation Guide for the Healthcare Industry” (January 2019) is available at https://www.coso.org/Documents/COSOCROWE-COSO-Internal-Control-Integrated-Framework.pdf.

PricewaterhouseCoopers Microsite

PricewaterhouseCoopers offers two separate online resources related to the COSO ERM framework. Its “COSO Enterprise Risk Management—Integrating with Strategy and Performance” website is essentially a portal for links to specific external resources, as well as a large collection of PricewaterhouseCoopers’s own podcasts and blog posts (https://pwc.to/2EoWrOj). The PwC Global Risk pod-cast series is currently up to 11 programs on risk management, available on the website, iTunes, and Stitcher, with most running for 10 minutes or less (https://pwc.to/2IBuMPf). Episode 1, “What You Need to Know about the New COSO ERM Framework” (nine minutes), covers what has changed in ERM guidance, reasons for the changes, and expected impacts (https://pwc.to/2BTRTip). Episode 7, “Case Studies that Illustrate How to Apply the Principles and Concepts of the COSO ERM Framework” (seven minutes), highlights nine helpful illustrations from the Compendium of Examples (https://pwc.to/2TkCVMb).

PricewaterhouseCoopers’ Risk Insights Blog

PricewaterhouseCoopers’ Risk Insights blog is a useful and concise collection of approximately 20 blog posts created since its inception in 2016 (https://pwc.blogs.com/resilience/). The most current article pertaining to the new ERM guidance is “The COSO ERM Framework One Year Later: What Have We Learned?,” which covers the authors’ experiences in talking to organizations about ERM implementation, including the fact that no two organizations started from the same place, but rather picked only one or two areas on which to focus (October 2018, http://bit.ly/2EoZoyn).

“COSO ERM Framework Implementation: Beyond Checklists and Templates” provides some overview information on the Compendium of Examples, including the importance of having specific applications to follow (June 2018, http://bit.ly/2IMMsrw). “The Top Changes to the COSO ERM Framework You Need to Know Now” discusses why the framework was updated and summarizes nine key changes (September 2017, http://bit.ly/2EzbK8c).

PricewaterhouseCoopers also conducts its own research into risk management–related topics, which are sometimes summarized on the Risk Insights blog. “Risk and Reward: How Family Businesses Can Tackle Digital Disruption” highlights the 2018 Global Family Business Survey; based on the survey results, the firm recommends the importance of having the right talent for key roles, along with good governance structures. Family businesses may need to hire from outside the family to gain needed skills, and 69% expected younger members to obtain outside experience before joining the organization (January 2019, http://bit.ly/2BUBXfF).