Monday, March 31, 2008

COSO Enterprise Risk Management

BUSINESS PRESCRIPTION — COSO ENTERPRISE RISK MANAGEMENT:

Organizations are looking for a structured methodology that lets them quantify risk, establish risk appetite/tolerance, identify and prioritize controls, and establish a system of record to meet a multitude of legal and compliance obligations.

This is where COSO comes in. The COSO Internal Control Framework was originally authored in 1994 with the aim of establishing internal controls to manage operational efficiency and effectiveness, financial reporting reliability, and compliance with laws and regulations. The Internal Control Framework has received a lot of attention recently, as it is the approach most organizations are taking for Sarbanes-Oxley compliance and is recommended by the SEC and Public Company Accounting Oversight Board.

What has been lacking is a structured framework to build an ERM process upon that integrates and extends the Internal Control guidance. PricewaterhouseCoopers, working alongside a project advisory council, worked with COSO in developing this needed guidance. The result: the recent release of the COSO ERM framework.

COSO defines enterprise risk management as:
“Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.”

The COSO framework provides an answer to the challenges organizations are facing in governance, risk, and compliance. This framework’s goal is to build a risk management process as a foundational element of business operations.

The Evolution Of Technologies And Tools In Support Of COSO ERM

Sarbanes-Oxley (SOX) was the primary driver in providing a wake-up call within organizations for a consistent and defined structure to ERM.

Facing Section 404 compliance, organizations turned to documenting accounting controls in spreadsheets or SOX-specific solutions. Organizations have now become aware that a broader approach to risk and compliance management is needed. This results in a shift in the approach and tools needed to document risk, compliance, and internal controls. Neither the spreadsheet approach nor SOX-specific tools are enough — organizations now need tools that can document and manage risk and compliance across the broader risk and compliance demands the organization faces.

SOX vendors, such as OpenPages and Paisley Consulting, are quickly expanding their tools to become broad enterprise risk and compliance management platforms. Others, particularly Axentis, provide an enterprise risk and compliance management platform already — including SOX compliance — and are among the first to integrate the COSO ERM framework into their solution.

Vendors in the SOX segment will face increasing demand for broader enterprise risk and compliance management capabilities — those that remain too narrowly focused are likely to falter.

(COSO is the Committee of Sponsoring Organizations of the Treadway Commission. It is a cooperative effort between the American Institute of Certified Public Accountants, American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors, and the Institute of Management Accountants. Further information on COSO and the Enterprise Risk Management framework can be found at http://www.coso.org.)