Companies may choose to adopt the COSO (short for the Committee of Sponsoring Organisations) enterprise risk management framework to “satisfy their internal controls and regulatory compliance, but also to move towards a fuller risk management process,” according to Sarah Martin, Senior Consultant, Seed Consultancy.
“Managing risk in a COVID world becomes more relevant and significant with each passing day. Whilst many companies might have paid lip service to enterprise risk management, the COVID pandemic illustrates the clear business benefits of managing risk from an enterprise-wide perspective. COVID may have drawn executive attention to ERM, but it’s crucial that business leaders and organisations alike understand that the benefits extend far beyond avoiding a crisis, as an agile and effective ERM function empowers an organisation to manage its risks in order to grow,” she explained.
In light of this, she pointed to COSO as an effective ERM system to manage risks. “The purpose of the framework is to provide companies with key principles and concepts – essentially a common language – clear direction and guidance regarding the management of enterprise risks,” she said.
The precursor to COSO’s ERM framework was a first framework, developed in 1992, providing “a comprehensive context to assist organisations assess and improve their internal control systems. It grew to become an extremely popular framework, with the majority of users claiming they utilised it as their guide on both internal controls and overall compliance activities for the organisation.”
However, Ms Martin continued, it soon became clear that there were gaps in the framework. “Whilst it kept proving to be useful in minimising risks relating to fraudulent behaviour and kept companies in check from a regulatory compliance point of view, it failed to identify and assess the risks for which companies needed to establish a set of controls,” she said.
Therefore, in 2004, COSO created its ERM system to aid organisations “which managed to oversee their risks in four main categories, being strategy, operations, reporting and compliance” to “manage in creating significant stakeholder value.”
The framework was updated in 2017 following criticism that the initial iteration still leaned heavily toward audit, accounting and essentially consulting firms, she said.
The new standard, which was revised to include five components with 20 principles spread through each component, boasted “significant changes”, she continued. Indeed, it now “placed greater emphasis on the importance of integrating risk considerations when designing and implementing strategies to accomplish an organisation’s performance goals and objectives.”
Ms Martin outlined the five components which include:
• Governance and Culture – this forms the basis of the other components by providing guidance on board oversight responsibilities, operating structures, leadership’s tone, and attracting, developing, and retaining the right individuals.
• Strategy & Objective-Setting – this component focuses on strategic planning and how the organisation can understand the effect of internal and external factors on risk.
• Performance – after an organisation develops its strategy, it then moves on to identify and assess risks that could affect its ability to achieve these goals.
• Review and Revision – at some point after risks have been prioritized and a course of action has been chosen, the organization moves into the review and revision phase where it assesses any changes that have taken place. This is also the opportunity to understand how the ERM process in the organization can be improved upon.
• Information, Communication, and Reporting – this last component involves sharing information from internal and external sources throughout the organization. Systems are used to capture, process, manage, and report on the organization’s risk, culture, and performance.
Ms Martin underscored the need for entities and businesses to adopt efficient strategies in uncertain times, saying that “entities, non-profit organisations and Governments face an evolving landscape of environmental, social and governance related risks that can impact their profitability, competitiveness and ultimately their success and survival. As the COVID-19 crisis continues to unfold, organisations around the world are battling with the multidimensional set of risks it has unleashed.”