I remember in college, I’d turn in a paper and feel a sense of relief knowing that I never had to look at it again. Feedback from the instructor was informative but required no further action. Man, do I miss that. Don’t you? I’m sure PwC, who authored the COSO Enterprise Risk Management (ERM) Framework, did when they had to take another hack at updating it. And, I find it slightly amusing that COSO didn’t even want to do the legwork on the update themselves, passing it back off to PwC. They just supervised.
But, nevertheless, after over a decade, someone decided we couldn’t put off updating the Framework any longer. In September, COSO offered up the final version of the new, improved COSO ERM. The Journal of Accountancy quoted Bob Hirth, COSO’s chair, that the “our overall goal is to continue to encourage a risk-conscious culture.”
Much of it is essentially the same, but a nip and tuck here and there to rejuvenate it, including:
- A flashy, new title: Enterprise Risk Management – Integrating with Strategy and Performance. (Very creative; kudos to whoever came up with that.)
- A greater emphasis on strategy alignment and integrating ERM with decision-making
- Reminder that ERM shouldn’t be an isolated exercise performed periodically. Seems they caught on to the fact that we’re all lazy and just want to check the box.
- Adoption of a components and principles structure, mimicking COSO Internal Control – Integrated Framework (2013)
- Eight components got re-envisioned and turned into just five.
- 20 principles
- Simplification of the ERM definition to make sure after reading the behemoth Framework, you at least grasp what ERM is.
- COSO nixed the Rubix cube diagram, finally! What is this thing?
But never mind the clunky visuals, this refreshed COSO is a snoozer.
There’s always been something about COSO standards that I can’t quite put my finger on. Maybe it’s all the jargon, but am I the only one who feels like I’m reading a last-minute final paper from that required management class you took in college? It even starts the executive summary with the classic, “art and science” trope:
Our understanding of the nature of risk, the art and science of choice, lies at the core of our modern economy. Every choice we make in the pursuit of objectives has its risks. From day-to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with risk in these choices is a part of decision-making.
As we seek to optimize a range of possible outcomes, decisions are rarely binary, with a right and wrong answer. That’s why enterprise risk management may be called both an art and a science. And when risk is considered in the formulation of an organization’s strategy and business objectives, enterprise risk management helps to optimize outcomes.
But, hey, I’ve used the “art and science” introduction a time or two, so I won’t bash it too hard.
We’ll see if executives find value in transitioning to the new guidance. No one’s forcing them since 2017 COSO ERM doesn’t supersede the 2004 version.
I expect it will take a while for people to embrace the changes. Everyone’s always a little skeptical and slow to implement new guidance. Just look at the procrastination on the standard updates for leases as an example. If history is any indication, on the last go around GC reported that a year after the 2013 update was made to the sibling standard, COSO Internal Control – Integrated Framework, approx. 20% of companies were planning to blow it off, and only 60% were on top of using it for SOX compliance. The remainder were “unsure,” whatever that means.
As Greg Kyte put it for the last COSO update, “[We] wondered if either update was actually necessary”
Necessary or not, it’s another way to convince clients that they should pay you to consult them on all the revolutionary changes. Good luck with that!