
An Analysis of the Committee of Sponsoring Organizations of the Treadway


Purpose

The purpose of this paper is to evaluate and analyze The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) framework for Enterprise Risk Management (ERM), identify its strengths and weaknesses, and identify areas for potential future empirical research. The paper is divided into eight specific areas: (1) a definition and comparison of traditional risk management and ERM, (2) an overview of the COSO framework, (3) an overview of recommendations for implementing the COSO framework, (4) an analysis of the costs and benefits associated with an ERM plan, (5) an analysis of the weaknesses of the COSO framework, (6) proposed modifications to the COSO framework, (7) an identification of areas for empirical research, and (8) a summary of the material presented.

Risk Management and ERM

Risk management in general is focused on managing risks by conducting a risk assessment of some type and then developing strategies to deal with the risks that were identified. Risks may be associated with criminal activity, the environment, liability issues, technology, politics, financial issues and a wide variety of other issues. The risk assessment will have some method for prioritizing risks and determining strategies to deal with them, which may include mitigating the risk, transferring it to a third party, avoiding it altogether or accepting it.

Traditionally, risk management has been conducted in a somewhat isolated fashion, with different departments, such as finance and legal, conducting their own risk assessments and developing strategies for dealing with the risks associated with their areas of responsibility. This usually led to a fragmented approach to risk management, with each department concerned only about issues that specifically related to it and not about the organization as a whole. (Francis, S., & Richards, T., 2007)

ERM takes traditional risk management to the next level by establishing one organization-wide risk management plan in order to protect and create value for the business’s stakeholders, including employees, customers, stockholders and society overall. To accomplish this, ERM takes an integrated approach that combines risk management with strategic planning, operations management and internal controls. ERM is a constantly evolving field of risk management that aims to address the needs of the various stakeholders in a very complex business world. (O’Rourke, 2007)

To accomplish this, ERM encompasses the following aspects:

  • Aligning risk appetite and strategy – management takes the organization’s risk appetite into account when making decisions related to organizational strategy.
  • Enhancing risk response decisions – this includes having the proper data, on an organization-wide basis, to make risk response decisions including avoidance, mitigation, acceptance or transfer.
  • Reducing operational surprises and losses – ERM helps to ensure that organizations are not subject to operational surprises and losses attributable to risks.
  • Identifying and managing cross-enterprise risks – ERM is based on an integrated model of risk management, thereby managing risks organization-wide across all departments and functions.
  • Providing integrated responses to multiple tasks – in conjunction with managing risks on an organization-wide basis, ERM provides integrated responses to managing risks based on risk response decisions.
  • Seizing opportunities – management is properly positioned to proactively identify opportunities by being able to consider all potential risk events on an organization-wide basis.
  • Improving deployment of capital – ERM provides for improved use of capital by properly identifying risk response decisions based on an integrated, organization-wide model.

The COSO Framework

In September 2004, COSO released its Enterprise Risk Management – Integrated Framework. This was the culmination of three years’ work by COSO and PricewaterhouseCoopers to develop an ERM framework that organizational management could use to implement ERM or evaluate current ERM programs. The purpose of the framework was to provide “key principles and concepts, a common language, and clear direction and guidance” (COSO Framework, 2004) for ERM. The COSO Framework (2004) defines ERM as:

Enterprise risk management is a process, affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (p.4)

The COSO Framework (2004) goes on to clarify that ERM has several fundamental concepts: it (1) is an ongoing process, (2) involves people at every level of the organization, (3) is applied in enterprise-level strategy setting, (4) is applied organization-wide at all levels and departments, (5) takes an entity-level view of risk, (6) is designed to identify potential risk-related events and to provide a strategy for managing those risks, (7) manages risks within a risk acceptance level set by the organization, (8) provides executive management and the board of directors with reasonable assurance that risks have been identified and steps to manage them have been taken, and (9) is geared to the achievement of objectives in one or more categories, which may overlap.

Based on this definition and these concepts, COSO developed its ERM framework with four objective categories and eight interrelated components. The purpose of the objective categories is to establish common categories within ERM that can be used to focus on separate aspects of ERM for each organization, based on its individual mission, vision, strategic objectives and strategies. The four categories are (COSO Framework, 2004):

  • Strategic – high-level goals that support the organization’s overall mission.
  • Operations – effective and efficient use of resources.
  • Reporting – the reliability of reporting systems and processes.
  • Compliance – compliance with all applicable regulations and laws.

The COSO Framework (2004) allows for a fifth, optional objective category, safeguarding of resources, which, as the name implies, focuses on the effective safeguarding of organizational resources.

In general, objectives related to reporting and compliance are within the control of the organization, and therefore ERM is expected to address them in a way that offers assurance that they will be met. Strategic and operations objectives may or may not be within the control of the organization, and therefore ERM is expected to provide a plan for ensuring proper oversight of these objectives and for keeping executive management and the board of directors informed on a timely basis of issues relating to them. (COSO Framework, 2004)

The COSO Framework (2004) then consists of eight interrelated components that are integrated with the management process based on how the enterprise is run.

  • Internal Environment – consists of (1) establishing a risk management philosophy that recognizes both expected and unexpected events, (2) establishing the entity’s overall risk culture and (3) taking into account any other actions of the organization that may affect its risk culture. Factors that affect the internal environment include risk appetite, the board of directors, human resource policies and standards, the organizational structure, ethical standards and the assignment of responsibility and authority.
  • Objective Setting – this occurs as management considers its risk strategy in the setting of company objectives. This includes forming the risk appetite for the entity, which is how much risk senior management and the board of directors are willing to accept for the entity. Risk tolerance is then determined, which is the acceptable level of variation around objectives.
  • Event Identification – both risks, which have a negative impact, and opportunities, which have a positive impact, are identified and differentiated. This requires identifying incidents that could affect strategy and the achievement of objectives. It includes both internal and external events and addresses how these factors interact to influence the overall risk profile.
  • Risk Assessment – this assesses risks from both the likelihood of the event occurring and the impact that the event might have on objectives. It is used to assess risks and measure the potential impact on related objectives through the use of both qualitative and quantitative methodologies. As part of this assessment, time horizons should be related to objective horizons, and risk should be assessed on both an inherent and a residual basis.
  • Risk Response – this component identifies and evaluates possible responses to risk based on the entity’s risk appetite, a cost versus benefit analysis of the response and the degree to which a response will reduce the likelihood of an event or its impact. The results are then used for the selection and implementation of responses to the overall portfolio of risks and potential responses.
  • Control Activities – this includes all policies and procedures that are used to control, as well as respond to, risks identified in the risk assessment process. These policies and procedures may be enterprise-wide or specific to a certain level or function of an organization, and include policies related to information technology, finance and internal controls.
  • Information and Communication – communication is critical to the success of ERM, and communication channels must flow down, up and across the organization to ensure open and timely dissemination of information. Management must identify and communicate information in a manner and timeframe that enables people to carry out their responsibilities.
  • Monitoring – to ensure success, all components must be monitored through ongoing monitoring activities, separate evaluations or a combination of both. This includes monitoring through internal controls and audits, which are critical to the overall success of the ERM program.

The COSO Framework (2004) is based on the relationship between the four objective categories and the eight ERM components. For an ERM program to be operating and effective, all eight components must be present and operating within each of the four objective categories. For these criteria to be met, the COSO Framework (2004) states, “there can be no material weaknesses, and risk needs to have been brought within the entity’s risk appetite” (p.7). When all eight components are present in all four objective categories, management and the board of directors “have reasonable assurance that they understand the extent to which the entity’s strategic operations objectives are being achieved, and that the entity’s reporting is reliable” (COSO Framework, 2004, p.7).

The COSO Framework (2004) acknowledges that the eight components may not function the same way in different entities, and that in some cases the application of the components may be informal; but the components must be present and functioning for the ERM plan to be effective.

Implementing the COSO Framework

COSO’s Application Techniques (2004) identifies nine (9) key elements for the successful implementation of the COSO ERM Framework.

  • Core Team Preparedness – the organization should identify a core team with key members who will be responsible for the implementation of the ERM plan. Once identified, team members need to become familiar with the COSO Framework (2004) components, concepts and principles. Team members should be chosen from key business and support units such as strategic planning, finance, information technology, operations, human resources and upper management.
  • Executive Sponsorship – for the ERM plan to be effective, executive sponsorship, including visible CEO support, is a key element early in the process. Executive management must communicate the business case for ERM and provide all resources needed to successfully implement the plan.
  • Implementation Plan Development – the next step is to develop an initial implementation plan including specific responsibilities, milestones, workflows, resources and timing. A project management plan should be formulated and used to communicate expectations to all affected departments and functional areas.
  • Current State Assessment – an assessment must be conducted of the current risk management system and how it is being applied. This assessment needs to include identification and evaluation of all current policies and processes in the organization in order to determine how they may be applied to the new ERM framework.
  • Enterprise Risk Management Vision – the core team must develop an ERM vision that includes how ERM will be integrated with the objectives of the organization. This vision must address how ERM will be focused on aligning risk appetite with organizational strategy, enhancing risk response decisions, identifying organization-wide risks, managing organization-wide risks, seizing opportunities and improving the deployment of capital.
  • Capability Development – using the current state assessment and the ERM vision, the core team must identify the capabilities already in place as well as new capabilities that will need to be developed to implement and maintain the ERM plan. This includes the designation of responsibilities and any modifications needed to organizational policies and procedures.
  • Implementation Plan – the initial implementation plan is then updated based on the current state assessment, the ERM vision and the capability development decisions made by the core team. Adjustments are made to areas of responsibility and the overall project management plan as needed.
  • Change Management Development and Deployment – actions are taken to implement and maintain the ERM plan in accordance with the ERM vision. Training and monitoring are key elements that must be addressed during this phase.
  • Monitoring – ERM requires ongoing monitoring in order to constantly review and modify the ERM plan as needed based on changing conditions.

While these nine (9) elements may seem easy to implement in theory, the reality is that the COSO Framework can be very difficult to implement. Ballou & Heitger (2005) recommend a building-block approach to implementing an ERM plan based on the COSO Framework. They propose “(1) implementing the ERM framework on a limited basis across each of the framework’s eight interrelated components” and “(2) placing initial emphasis on entity-wide risks across all four risk categories” (p.6). This approach is proposed in order to avoid being intimidated by the complexity or cost of attempting to implement the framework all at once. Using the building-block approach, the ERM framework can then be expanded throughout the organization as management becomes comfortable with the processes involved. Some of the reasons for recommending a building-block approach are that (1) culture shifts take time, (2) it can lead to a better allocation of resources, (3) it simplifies the implementation instead of trying to do it all at once, and (4) it provides time to win over managers and employees who are skeptical of ERM. (Ballou & Heitger, 2005)

Bowling and Rieger (2005) identify three specific success factors for implementing an ERM plan based on the COSO Framework, along with the challenges associated with each.

Focus on Strategy and Business – when implementing the ERM plan, it is necessary to keep the focus on the overall business strategy and objectives as set by executive management and the board of directors. The challenge with this success factor is securing strong support from top management. An ERM plan is strategic in nature and as such will not succeed without the explicit support of the board of directors, the CEO and executive management.

Think Broadly about the Expansive Range of Risks Facing your Organization – the second success factor is taking a broad look at risk management on an organization-wide basis. This is the key element of ERM: risk management is administered at the enterprise level, not at the departmental or functional area level. It is also important to make sure that all risks are included in the ERM plan, not just those that were included in the traditional model. The challenge with this success factor is making sure the organization has sufficient resources to manage the ERM plan. It is unlikely that an ERM plan can be effectively implemented and maintained with the same resources used for traditional risk management. This is another area where executive management support is critical.

Recognize that ERM is a Multi-Year Journey – the final success factor is to recognize that ERM is a multi-year journey and to set goals and expectations accordingly. The challenge with this success factor is maintaining the stamina needed to implement the ERM plan and make it a success. Maintaining that stamina requires proper resources and executive management support.

The Institute of Internal Auditors (2004) provides specific implementation guidelines based on eight specific steps.

  • Organizational Design of Business – the organization needs to identify strategies and key business objectives and make sure the objectives are related to the strategies, so that they cascade down through the organization. Responsibilities must be assigned to leaders and organizational elements.
  • Establishing an ERM Organization – the organization must determine its risk philosophy, survey its risk culture and consider its current organizational ethical values. Final roles and responsibilities within the organization must be defined, taking into account the integration of ERM.
  • Performing Risk Assessments – identify, measure and prioritize organization-wide risks, including environmental, process and information technology risks.
  • Determining Overall Risk Appetite – the board of directors and executive management must determine the risk appetite for the organization. Key elements include what risks the organization will not accept, what risks it will accept for new initiatives and what risks it will accept based on competing objectives such as gross profit versus market share.
  • Identifying Risk Responses – the organization must identify its response to each of the risks identified in the risk assessment. This includes accepting, avoiding, mitigating or transferring the risk.
  • Communication of Risk Results – the risk results must be properly communicated. Business objectives must be linked to operational risks and responses, and the risks to be monitored must be identified.
  • Monitoring – the ERM process must be constantly monitored to ensure risks are being properly addressed and controls are working to mitigate risks as planned.
  • Oversight & Periodic Review by Management – management must take ownership of the ERM plan and must constantly review the plan to make adjustments for changes in objectives or processes as needed.

Costs and Benefits of an ERM Plan

Not surprisingly, the costs and benefits of ERM plans have been an area of much debate. In general, it is expected that any type of risk management plan will save an organization money and protect it from catastrophic losses. One of the main principles of a risk management plan is to perform a cost-benefit analysis of all risks in order to identify prudent and cost-effective risk responses.

However, while a primary selling point of ERM is that it improves the allocation of resources and provides a better overall risk management plan, a common concern is that it requires too many resources and costs too much to implement.

Alternatives to the COSO Framework

The COSO Framework (2004) for ERM is highly recognized, but it is by no means the only framework for ERM. The Risk and Insurance Management Society (RIMS) has a risk maturity model for evaluating the effectiveness of ERM. The RIMS maturity model uses seven core competencies to evaluate the effectiveness of an ERM plan within an organization. A separate maturity rating is given to each competency, and the maturity of the ERM plan as a whole is determined by the weakest competency. The seven core competencies are:

  • ERM Based Approach – this includes the degree of executive support for the ERM plan and the degree of integration of internal audit, compliance, information technology and risk management. It evaluates how integrated the overall organizational approach to ERM is and the level of support provided by executive management.
  • ERM Process Management – evaluates how well the ERM processes have been integrated into business processes in order to identify, assess, evaluate, mitigate and monitor risks.
  • Risk Appetite Management – evaluates the degree of understanding that executive management and the organization as a whole have of the risk/reward tradeoffs that occur within the business environment. This is done by evaluating the policies in place to guide decision making with regard to risk.
  • Root Cause Discipline – evaluates the effectiveness of the organization in identifying a problem’s root cause and using that information to reduce uncertainty and measure the effectiveness of controls.
  • Uncovering Risks – evaluates the organization’s effectiveness in uncovering risks during the risk assessment portion of ERM. This includes using all available sources, such as employees, databases and other electronic files, to discover potential risks on an enterprise-wide basis.
  • Performance Management – evaluates the degree to which the vision and strategy of the organization are executed in conjunction with the ERM plan. It looks at the degree of uncertainty the organization experiences and why.
  • Business Resiliency and Sustainability – evaluates the extent to which the ERM plan’s sustainability aspects are integrated into operational planning, including supply chain disruptions, market price changes, cash flow volatility, etc.

While the RIMS risk maturity model provides an alternative to the COSO (2004) framework for evaluating ERM programs, other organizations have developed customized ERM frameworks. Dorminey & Mohn (2007) evaluate a case in which the Federal Reserve Bank of Richmond developed an ERM model that could be used by not-for-profit government agencies.

The Federal Reserve Bank of Richmond decided against using the COSO Framework because a for-profit corporation has different strategic motivators than a not-for-profit government agency. For example, a for-profit organization has a profit objective, whereas a not-for-profit has a mission objective. In many cases a for-profit may be risk seeking, whereas a not-for-profit will almost always be risk avoiding. These and several other significant differences exist between the motivations and objectives of for-profit and not-for-profit organizations. With this in mind, the Federal Reserve Bank did not feel that the COSO Framework would meet the needs of its ERM program.

The most significant difference between the Federal Reserve Bank’s ERM framework and the COSO Framework is the way risks are identified and assessed. The Federal Reserve Bank implemented a process that builds the risk profile from the functional area up, while the COSO Framework dictates that the risk profile is determined by executive management. The Federal Reserve Bank identified the risks within each functional area and then assessed the risk events in terms of both functional area and organization-wide objectives.

Another organization that decided against the COSO Framework is IBM, which developed its own framework for ERM. Abrams, Kanel, Muller, Pfitzmann & Ruschka-Taylor (2007) evaluated the IBM ERM framework, which is comprised of five layers:

  • Jurisdiction Layer – this layer includes external influences on the organization, including regulatory agencies, the business environment, the economy, litigation, competition and any other external influences that can have an effect on the organization’s operations.
  • Strategy Layer – this layer includes the board of directors, executive management, internal auditors and the audit committee. This is where the organization’s goals and objectives are set and the organizational structure is decided.
  • Deployment Layer – this layer includes mid to upper management and is where policies and procedures are determined and implemented in order to ensure the business strategy and objectives are accomplished.
  • Operation Layer – this layer contains the day-to-day operations of the organization, including employees, plant, equipment and resources in general.
  • Events Layer – this layer contains real-time and historic event information, which is then used by the operations layer to make decisions and act upon them.

IBM uses this five-layer approach to identify how the organization operates and therefore how the ERM plan will be implemented and maintained within the organization.

Weaknesses of the COSO Framework

Quinn (2006) identifies several criticisms of the COSO framework: (1) it is too simplistic, (2) there is limited implementation guidance, (3) it pays too little attention to external risks, (4) it fails to justify why companies should implement it, and (5) companies say COSO failed to clearly define what the Securities and Exchange Commission thinks about the framework.

While these are all justifiable concerns about the COSO Framework, most of them revolve around the fact that it is too generic and lacks implementation guidance. The four objective categories and eight components of the COSO Framework are made so generic, in order to apply to any industry, that they do not provide any specific guidance at all. A detailed review of the framework finds almost no guidance on actually drafting and implementing a specific ERM plan. To some extent it appears to be more an elaborate definition of ERM than a specific framework to implement.

The complete lack of specific implementation guidance within the framework has left organizations wondering where to start and how to succeed with ERM. In some cases it may actually make ERM appear to be a far more daunting task than it actually is.

Proposed Modifications to the COSO Framework

The COSO framework was released almost four years ago, and this would be a good time to update and revise it in order to provide better guidance to organizations. Specifically, it would be extremely helpful if COSO developed an implementation guide that used case studies of successful implementations. Such an implementation guide would be a major asset to organizations that are looking to implement an ERM program or that are struggling with a current implementation.

A second area of improvement would be the addition of industry-specific notes for each of the four objective categories and eight components within the framework. While it is recognized that it would be impossible for COSO to provide specific guidance for all industries, it could provide additional guidance for major industry segments such as finance, manufacturing, service, etc.

Areas for Future Research

There are two specific areas where additional research is needed in the near future. First, additional research is needed to evaluate the effectiveness of the COSO Framework on an industry-specific basis. It seems apparent that some industries are much more likely to use the COSO Framework than others, and research is needed to see whether the COSO Framework is more relevant to some industries than others. As case studies are somewhat limited and time consuming, it may be wise to conduct this research using a quantitative method based on surveys. Second, additional research is needed to evaluate the implementation and success of the COSO Framework. This research was primarily focused on the framework itself, and even in industries where the COSO Framework seems to be accepted, there is very little research on the actual implementation and success of the framework. Again, as case studies can be time consuming, quantitative research through surveys may be a timelier way to gain insight into the success or failure of the framework from an implementation point of view.

Conclusion

ERM is a critical element of a successful risk management program for any organization. The COSO Framework for ERM is a solid starting point for the design and implementation of an ERM program within an organization, but it lacks many of the specifics that risk managers will need to fully design and implement their program. COSO could greatly benefit risk managers and senior executives by providing industry-specific guidance in the framework and implementation guidelines for the framework.



Copyright © 2009 by Randy Bragg
