The world has changed radically since 2004, the year The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its original, principles-based Enterprise Risk Management (ERM)–Integrated Framework. Since that time, there have been tremendous technology advances, the continued development of a truly globalized economic system, and lingering impacts from a devastating recession that sprang from the banking and financial crises of 2007.
In parallel, risk management and internal audit practices have evolved as both professions have become more globalized and well-regarded within organizations. Risk guidance has improved. COSO significantly revised its ERM framework in 2017, introducing some important new features that can be of great help to organizations, risk managers, and internal auditors. In addition to COSO, the International Organization for Standardization published guidance in 2009 (ISO 31000:2009) and revised it this year (ISO 31000:2018).
One year after COSO issued its updated framework, many internal audit functions are working to apply the new framework to help their organizations weather the risks that are on the horizon. The ISO standard and COSO framework are now closely aligned and complementary. However, the COSO framework provides more detailed guidance around managing risk.
Winds of Change
The 2004 COSO ERM Framework introduced some advances in risk management. First, it helped bring greater consistency and veracity to risk management processes and systems. Second, it stated that the context in which business risk arose was crucial — risk needs to be seen in the light of an organization’s objectives. The framework emphasized the notion that risk management was not just about mitigating risk, but about providing organizations with a range of appropriate responses, depending on how much risk they wanted to take. These factors have helped risk management become mainstream in many organizations.
COSO’s ERM Framework–Integrating With Strategy and Performance makes those ideas much more central and extends them to cover recent thinking in risk management theory and practice. This can be seen throughout its 20 core principles (see “COSO ERM Components and Principles” below) and is further underpinned by giving governance and culture a powerful role to play. In addition, the revised framework emphasizes information, communication, and reporting to give boards and management accurate and timely information to make effective decisions. Moreover, the document urges organizations to look as much to the upsides of risk as to the potential downsides and for internal auditors and other advisors to do the same.
Pinpointing Extreme Weather
For internal audit to contribute effectively to the organization’s risk management efforts, it must understand how the revised COSO ERM framework can be applied in practice. COSO has produced some sector-specific examples of how to apply the framework in Enterprise Risk Management–Integrating With Strategy and Performance: Compendium of Examples.
One risk that almost any organization faces relates to extreme weather events such as hurricanes, tornadoes, and floods. The application of COSO ERM to this type of risk can be illustrated by mapping each step of managing it to the corresponding COSO ERM component. Environmental risks are covered in draft guidance that COSO has developed with the World Business Council for Sustainable Development, Applying Enterprise Risk Management to Environmental, Social, and Governance-related Risks.
Governance and Culture
To start, the organization should establish governance for effective risk management for extreme weather events, just as it would for any other threat. Discussions at the board level should evidence the importance the board places on understanding the potential impact and likelihood of weather events, and they should convey the board’s desire to ensure such events are managed appropriately. This step maps to the framework’s governance and culture component (principles 1–5). These principles cover everything from exercising board risk oversight to considerations of how to develop the operational structures and culture needed to deal effectively with extreme weather events.
Strategy and Objective-setting
In this step, internal auditors would seek to understand the risk in terms of the business’ context and strategy. In this respect, the board and management need to understand how extreme weather events may disrupt the pursuit of specific strategies and business objectives. The strategy and objective-setting component (principles 6–9) includes developing a risk appetite for this particular threat and considering alternative strategies for approaching risk management. This also includes how the business context impacts the organization’s risk profile.
Performance
Principles 10–14 cover performance of risk management. Selecting an extreme weather event as a specific risk covers principle 10 (identify risk). Management would next identify the possible outcomes from such events, based on its understanding of the business context and strategy, and this would feed into the assessment and prioritization of this risk. This assessment requires understanding the potential impact of weather event outcomes and the likelihood that those events would occur at the impact levels envisaged. As with all risk assessments, management must be careful not to fixate on a particular event or outcome. Rather, it needs to consider the full range of possible outcomes.
From this assessment, management can determine which of those events and outcomes should be a priority to manage. Management should then consider its ability to mitigate the impact of those risks, as well as its appetite for related risk outcomes, and select the most appropriate risk management responses or strategies. It is important that the business assigns responsibility and accountability for managing the risks.
Possible responses may include taking steps to reduce risk, such as disaster preparation, and taking measures to reduce the impact of extreme weather events. Organizations could consider sharing risk by securing insurance to limit the financial impact of such events. They may consider avoiding risk by moving a facility to a location less prone to hurricanes and flooding, for instance. Businesses may decide to accept the risk and wait to respond when the risk event happens because advance preparations may not be cost effective or practical.
Finally, management also could consider risk pursuit if the organization is in the type of business that can benefit from extreme weather risk. For example, it could quickly ship building products to areas affected by weather events to accelerate the rebuilding process or rapidly send medical supplies or water into affected areas. The key is that the organization should consider all potential scenarios and plan for the relevant ones.
Review and Revision
Weather patterns change, so organizations need to reassess the potential severity of extreme weather events and evaluate whether their risk responses remain optimal. Also, as these responses are tested by actual occurrences, management may reevaluate its capability to execute the desired responses based on its ongoing experience. These activities map onto principles 15–17 in the review and revision component.
Information, Communication, and Reporting
This component (principles 18–20) focuses on how extreme weather risk is communicated and reported throughout the business. The board must understand the context, the potential events and outcomes, the assessment and prioritization results, the rationale for the responses that have been chosen, and the results of the periodic reviews and assessments. This process also may include communication from management to risk managers to help them make more timely and effective decisions related to their risk management activities. This is likely to be enabled by digital communication channels within the organization.
The ERM Umbrella
Not surprisingly, internal auditors need to thoroughly understand the new COSO ERM framework to help their organizations fully benefit from it. Part of internal audit’s role is to educate the board, executive management, and others throughout the business about these ERM components and principles. In addition, internal audit needs to advise management and provide input to enterprise risk assessments.
The current framework puts a lot of weight on boards and executives receiving the right information at the right time to provide risk oversight and evaluate the effectiveness of risk management. To that end, internal audit can provide assurance and advice about whether the information that is being reported upward is comprehensive, accurate, and timely. This could take the form of one-off consultancy style exercises, be part of an audit, or be a report to the board.
Finally, internal audit must be in a position to evaluate the overall effectiveness of ERM, a role that has been in The IIA’s International Standards for the Professional Practice of Internal Auditing for some time. Standards 2110: Governance and 2120: Risk Management direct internal audit to assess risk management. Despite that, there is not much guidance available on how to conduct a comprehensive assessment. Internal auditors could use the 20 principles to perform a gap analysis throughout the business to see which elements of the guidance point to areas of risk management that require improvement.
An Accurate Forecast
And what of the internal audit function itself? There are two areas of internal audit practice that the current COSO ERM framework will impact — planning and projects.
More than ever, internal auditors must understand the organization’s business objectives and strategies when it comes to periodic audit planning. Auditors need to know what the risks are to those objectives and how those risks currently are managed. For example, has management considered alternative strategies to manage the risk, or are executives simply trying to mitigate it? What is management’s tolerance to risk in that area and how open is that tolerance to variation around certain risks? The answers to these questions will influence what projects internal audit should undertake.
Audit’s planning needs to be done in light of the organization’s risk culture and risk appetite. These factors could have a major impact on the scope and testing approach designed for a particular audit if that audit is to provide assurance that is targeted at the right level of the organization.
If audit planning is executed in light of business objectives and management’s risk culture and risk appetite, audit projects will take the same focus. That will mean that individual audit risk assessments will be better aligned with the organization’s own risk assessment — and project scope and testing will be based on risk tolerance. Internal audit will report any deficiencies in the specific context of their potential impact on business objectives and on management’s risk tolerances. Hopefully, this will lead to audit paying more attention to the potential upsides of specific risks.
While many of the concepts in the current COSO ERM framework will be familiar to internal auditors, taken as a whole, it will represent a big leap in the quality of audit’s contribution to the business if implemented appropriately. Few internal audit departments are able to do a comprehensive assessment of the overall effectiveness of their organization’s ERM processes. The framework may enable internal audit to perform that assessment.
For internal auditors who are adopting the current framework for the first time, the first step is to learn what it says and what it means to their organization in detail. Second, assessing the organization’s current ERM practices against the framework’s 20 principles can ensure auditors understand the guidance and have identified the most obvious gaps to remedy.
Third, if internal audit hasn’t already done so, it should start to audit and report in the context of the business’ objectives because this can help bring alive what the framework is about and make audits even more useful to management. Finally, internal audit should begin to take a more holistic approach to understanding the risks the organization faces and communicate that to management. That will help management understand risk better and how its responses to threats can turn into opportunities for the organization.