In the fall of 2004, the Committee of Sponsoring Organizations of the Treadway Commission, known as COSO, released its Enterprise Risk Management – Integrated Framework, which was authored by PricewaterhouseCoopers. This principles-based framework provides direction and criteria for improving an organization's ability to manage risk. Moreover, the enterprise risk management framework is fully aligned with the PwC-authored COSO Internal Control – Integrated Framework, which most organizations now use as the basis for their reporting under section 404 of Sarbanes-Oxley. This lets organizations build on their investment in internal control as they improve their risk management.
The following questions and answers address how an organization might view the enterprise risk management framework in the context of its Sarbanes-Oxley 404 compliance process:
- What makes this different from the internal control framework? How does it relate to Sarbanes-Oxley reporting?
The Enterprise Risk Management – Integrated Framework is much broader than an internal control framework. The three key differences are that risk management considers risks during strategy setting, requires management to form a view of how much risk the organization is prepared to accept (known as risk appetite), and requires that risk management be done outside of silos, through a portfolio view of the organization's risks.
Much of the internal control focus today is on only one aspect of internal control: internal controls over financial reporting for Sarbanes-Oxley 404. This is distinct from reporting on risk management.
- With the significant amount of implementation effort companies are currently undertaking for Sarbanes-Oxley Compliance and adoption of new accounting standards, why should companies be motivated to implement enterprise risk management?
Implementing the COSO Enterprise Risk Management Framework will provide long-term benefits to an organization and therefore should be viewed with a longer-term implementation perspective. The current emphasis on control in Sarbanes-Oxley is primarily focused on financial reporting. However, there are additional aspects of risk management that go beyond internal controls: they are rooted in a company's strategy-setting activities and in management's analysis of the risk appetite and risk tolerance necessary to pursue the company's objectives.
Not all companies are at the same level of expertise or knowledge of risk management, and the techniques and approaches they use vary widely. Continued adoption of the Enterprise Risk Management Framework by both companies and academics will result in a more consistent approach to risk management as companies strive to create value for stakeholders.
- What is the relationship between effective enterprise risk management and improved financial reporting and transparency?
There are natural linkages between enterprise risk management, improved financial reporting and transparency. The new COSO Framework requires that organizations establish a risk appetite, measure actions and decisions against that risk appetite, and communicate the results. Communicating enterprise risk management to users of financial information clearly enhances transparency.
- How might the framework assist organizations in structuring their entities to best manage exposure to risk?
By formally organizing risk management responsibilities and activities, an organization is much better positioned to achieve its objectives. To achieve its business objectives, management will want to ensure that sound risk management processes are in place and functioning. Boards and audit committees have an oversight role: to determine that appropriate risk management processes are in place and that these processes are adequate and effective. The COSO Enterprise Risk Management – Integrated Framework provides comprehensive guidance on each of these points and includes numerous examples of approaches used by risk management practitioners in a diverse group of organizations.