If an organization called “the Committee of Sponsoring Organizations of the Treadway Commission” fails to get the heart racing, you’re perhaps to be forgiven.
But if you are an enterprise risk manager, then “COSO” (as the body is mercifully abbreviated) is an organization to watch. A joint initiative of five prominent bodies from the accounting field, COSO develops frameworks and guidance on enterprise risk management (ERM), internal controls and fraud deterrence.
At a time when firms in just about every sector are increasingly concerned with enterprise-wide risk — and individual executive accountability when risk management failures appear and result in harm to customers, shareholders, and others — COSO’s just-released report, “Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management,” may be something of a sleeper-hit.
Issued earlier this month, COSO’s new guidance appears aimed at risk managers who are looking to make theirs a value-creating role, rather than a mere cost center that must be tolerated. “The goal is to develop a momentum for ERM to expand and deepen the organization’s strategy-setting, performance, and risk-management processes in pursuit of creating and protecting value,” said COSO Chairman Paul Sobel.
A clear lesson learned during the evolution of the ERM function in recent years is that risk-related management activities “must be integrated into the organization’s culture and core strategy-setting,” the report notes. Further, integrating ERM into the heart of core business processes is important to avoid the misconception that ERM is “just a separate compliance or regulatory driven staff function.”
COSO’s new guidance highlights the important role of the board in assuring that enterprise risk management is up to snuff, and positioned to be a value-creator for a firm. “It is up to the board of directors and management to define the desired culture of the entity as a whole and of the individuals within it,” the report notes. With institutional investors attending ever more closely to “ESG” concerns, COSO’s advice should be heeded by boards wishing to satisfy them on governance questions.
COSO is correct: effective ERM is about far more than mere compliance, and nowhere is this more evident than in the misconduct scandals that have rocked firms as diverse as Boeing, Commonwealth Bank of Australia, and KPMG, among many others. Boards should take note, and maybe give the COSO guidelines a read.