The Committee of Sponsoring Organizations of the Treadway Commission—known for its influential, albeit somewhat abstract, risk management guidelines—is looking to provide more practicable advice on managing emerging risks.
COSO, whose guidelines are closely followed by public companies and government agencies, has spent recent months publishing more prescriptive advice meant to supplement broad-stroke suggestions in its most-recognized documents, one on internal controls and another on enterprise risk management.
“We want to make sure that these very broad, principle-based frameworks can be effectively applied in the real world,” COSO Chairman
In the year ahead, the group plans to issue detailed recommendations on how organizations can better manage risks related to cloud computing, artificial intelligence and outside contractors, among other topics. The reports would follow a series of similar ones issued over the past two years on topics such as cyberattacks, blockchain and compliance risks.
The effort attempts to address one of the more challenging aspects of advising on risk management: There is no one-size-fits-all approach. Individual companies face different kinds of risks. And even if two companies faced identical risks, they might manage them differently.
Executives, directors and others with responsibility for risk and compliance issues often look to COSO’s blueprints for some direction. But the organization’s framework on enterprise risk management can be open to interpretation and sometimes confusing, risk experts say. Frameworks tend to be written broadly so that they can be applied universally, but that approach can come at the expense of clear how-to instructions.
“This deeper guidance will help companies better customize those frameworks, so that they can truly be useful and meaningful for them and their unique strategies and business objectives,” Mr. Sobel said.
Much of the supplementary guidance is centered on COSO’s enterprise risk management framework, which is more conceptual than its guidance on internal controls. The latter framework is widely adopted by companies for the purposes of complying with the Sarbanes-Oxley Act, which requires management to give assurance of the effectiveness of controls over financial reporting.
a partner at McLean, Va.-based advisory firm Guidehouse, said COSO’s enterprise risk framework has helped his team steer organizations past the simple creation of risk lists, enabling them to better govern risk management and connect risk assessments to a broader strategy. “It’s the heart of what we use,” said Mr. Fisher, who leads Guidehouse’s risk consulting practice.
At the same time, his group has paid special attention to some of COSO’s more prescriptive reports, such as one published in May that spelled out how organizations can better understand, monitor and communicate risk appetite. “That’s been a challenge for our clients,” Mr. Fisher said.
The guidance was useful because understanding how much risk an organization is willing to accept is central to effective risk management, he said. The detailed recommendations helped his clients “really understand how to think about the concept—but, more importantly, how to then actualize it within their organization,” said Mr. Fisher, a former Internal Revenue Service chief risk officer.
“Anything we can do to take concepts and make them feel real is, from a consulting standpoint, both our challenge and opportunity in ERM,” he said. “It’s a waste of time if this stuff isn’t real.”
Write to Jack Hagel at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.