Enterprise risk management is getting remodeled. Late last year, the Committee of Sponsoring Organizations (COSO) released a draft of its updated internal control framework, designed to improve the framework developed in 1992. The revision adds 17 principles, such as “holding individuals accountable for their internal control responsibilities,” “selecting and developing controls that help mitigate risks” and “evaluating and communicating deficiencies to those responsible for corrective action.”
COSO’s model has been criticized for failing to prevent the frauds and restatements seen over the last decade. Now the question is whether the proposal, developed by PWC, addresses the framework’s shortcomings.
Tim Leech, managing director at Canadian consultancy Risk Oversight, is skeptical. “Since the 1992 framework, there have been thousands of control failures [at companies] and all of them were certified by the auditors as having sound risk management systems.” The framework is too limited in scope, he adds. “It doesn’t deal at all with forward risk.”
Carol Fox, director of the strategic and enterprise risk practice at the Risk and Insurance Management Society, says the revised framework “expands the role of internal controls beyond financial risk to include operations and compliance and adds non-financial reporting,” but “still doesn’t ask the right questions about systemic risk. They don’t look out past things that have an auditable line and don’t look at the links that could lead to risks.”
John Phelps, director of business risk solutions at Blue Cross/Blue Shield of Florida and a RIMS board member, agrees. “COSO has drawn up a very good controls framework, but an ERM manager’s responsibility goes well beyond controls.”
Phelps says his company uses COSO’s model, but also applies ISO 31000, a framework developed by regulators in Australia and New Zealand. “We chose that,” he says, “because it deals with the management of risk throughout the operation, including control, and because it views risk as an opportunity, not just as something to mitigate.”
The COSO draft “strengthens the 1992 framework, but also reinforces the original framework, which is really just about controls,” Phelps says. “And enterprise risk management takes the view that controls are only one essential element of a program, not the basis of a program.”
Responding to the criticism, Chuck Landes of the American Institute of CPAs, a COSO board member, says, “We didn’t feel that the ’92 framework was broken. It just needed to be freshened up, and we think that the addition of the 17 principles will help managers, auditors and audit boards.”
For a discussion of C-suite efforts to incorporate better quantification and deeper analytics into their strategic planning, see Beyond Insurance.
COSO’s exposure draft is available here.