Enterprise Risk Management

COSO framework proves efficacious

Studies show usage is on the rise

By Michael J. Moody, MBA, ARM

Enterprise risk management (ERM) continues to find itself a center of attention as 2011 begins. ERM has been associated with the general improvements available to overcome many of the risk management shortcomings that have been closely aligned with the financial crisis that has occurred over the past few years. Incorporating an ERM approach and making the board of directors more accountable for risk oversight have been discussed as a possible solution. 

Current state of ERM

ERM, for the most part, is still in its early stages of evolution. While some industries (i.e., the  financial services sector) have been actively engaged in ERM for 10 or 12 years, most organizations have only recently become aware of it. As a result, many organizations are still working through the challenges and growing pains of early development and implementation. 

One of the earliest attempts to standardize the practice of ERM came in 2004, when the Committee of Sponsoring Organizations of the Treadway Commission (COSO) presented its Enterprise Risk Management—Integrated Framework, or, as it has become known, "COSO's ERM Framework."

To date, however, there has been little comparative analysis of how the COSO framework has been adopted or implemented. COSO has been aware of this fact for some time and in late 2010 retained the Enterprise Risk Management Initiative at North Carolina State University to help provide some details regarding this matter.

An online survey was developed to determine the risk management practices of the participants as well as the strengths and weaknesses of the COSO framework. The survey group included about 460 participants who answered the online questionnaire. The results of the survey are documented in a new COSO publication titled Current State of Enterprise Risk Oversight and Market Perception of COSO's ERM Framework, or, as it is generally referred to, COSO's 2010 Report on ERM.

The survey provided significant insight into how the COSO Framework is being used. It also offered suggestions for improvement. Among the key findings were:

• "The state of ERM appears to be relatively immature." For example, only 28% of the participants noted that their current stage of implementation was "systemic, robust and repeatable with regular reporting to the board." Over 60% noted that "risk tracking is mostly informal and ad hoc," or tracked only within individual silos.

• "Boards of directors, especially those on the audit committee, are placing greater expectations on management to strengthen risk oversight in the majority of organizations." This puts pressure on CEOs to place more responsibility on corporate management to increase its risk involvement. 

• "Almost 65% were fairly familiar or very familiar with COSO's ERM Framework." Most of the other Frameworks (ISO 31000, Turnbull Guidance, Australia/New Zealand) scored less than 2% on the issue of familiarity.

• "Most believe that the COSO ERM Framework is theoretically sound, provides a common language for ERM that is widely accepted by organizations, and clearly describes key elements of a robust ERM process." This finding is not surprising because about 55% of the participants were using the COSO Framework for ERM guidance.

• "Forty-one percent of respondents believe the cube depiction of the COSO ERM Framework is a very effective portrayal of the interrelationships of the elements of ERM." However, 26% believe the cube is unnecessarily complicated and may cause negative reactions to the COSO approach.

• "The majority of respondents do not appear to be familiar with Volume 2 of the COSO ERM Framework." Volume 2, which contains the "Applica­tion Techniques," is rarely used and therefore many of COSO's templates and tools are not being used.

The final portion of the Report on ERM asked participants to provide suggestions for actions that COSO could take to improve the effectiveness of the Framework. The top three suggestions were to provide:

• "more practical guidance with either case studies or examples" 

• "simplification" of the document; and

• "more industry-specific guidance."

Risk oversight

In addition to the 2010 Report on ERM, COSO also presented the results of a second survey, titled Board Risk Oversight—A Progress Report. This second study was an attempt to identify current conditions as well as provide insight into opportunities for improvement. To assist with the study, COSO commissioned the services of risk and business consultant Protiviti. The survey was distributed to more than 200 past and present corporate board members.

As the report correctly points out, "Risk oversight is a high priority on the agenda of most boards of directors." Recent disruptions within the financial markets are evidence of "perceived risk management weaknesses" across the entire financial services sector. The resulting wave of legislative and regulatory actions worldwide clearly illustrates the need for more effective risk oversight, according to the study. As a result, boards are making major revisions to their companies' operational and strategic approaches to risk oversight. 

An important insight gained from the survey is that "there are mixed signals about the effectiveness of board risk oversight across organizations." The key finding of the study was that "while many boards of directors believe they are performing their risk oversight responsibilities diligently and achieving a high level of effectiveness," that is not the case. In fact, according to  the survey results, the majority of participants noted that their boards are not following "mature and robust risk oversight processes."

Based on the survey responses, the study indicates a number of areas that represent opportunities for improvement. Among the key areas noted were:

• "There is an opportunity to improve the robustness of the risk oversight process." The majority of respondents agreed that there was a need for "a more structured process for monitoring and reporting key risks to the board."

• "There is an opportunity to enhance risk reporting to the board." Many participants believed that the type and frequency of reports to the board were lacking. Participants also observed that many organizations have an opportunity to improve their company's risk reporting process as well as increase the regularity of reporting.

• "There is an opportunity to improve the risk appetite dialogue." Despite the fact that many participants noted that major efforts are under way within their organizations to better understand the entity's risk appetite, "less than 15% felt that the board was sufficiently involved in the process."

• "There is an opportunity to improve monitoring of the risk management process." Almost two-thirds of the survey participants indicated that "board monitoring is not done at all, or is carried out in an ad hoc manner."

The study points out that despite some board members' views that their risk oversight process was effective, there were many ways to improve the overall process. Suggestions offered in the report highlight ways the board can move the oversight process to a more mature stage, and these opportunities are identified and presented throughout the report. 

Conclusion

COSO set the stage for the emergence of ERM when it published its ERM Framework in 2004. A number of other groups and organizations followed with their own versions of an ERM framework. According to COSO statistics, however, over 50% of the survey participants still use the 2004 Framework for ERM guidance. Without question, the studies show that COSO is still a force to be reckoned with.

The information provided in the two studies offers a number of ways to improve both the general practice of ERM, and equally as important, the board's oversight of risk management-related issues. Any individuals who have been charged with the ERM responsibility within their organizations, as well as any board members, would be well served to review the latest COSO studies. They offer a multitude of suggestions and recommendations for improvement, regardless of which ERM framework an organization has chosen.