COSO Guidance Elevates the Relationship Between Strategy & Risk
- By Liz Briggson
- September 5th, 2017
While working in public accounting, I had the chance to dive into the COSO Internal Control – Integrated Framework for a large utility client. Two observations from that engagement stuck with me.
First, the tone at the top of an organization is key. Leadership determines an organization’s values, models those values, and must actively influence employees to work in line with them. A mission and vision only carry weight if leadership is willing to invest in and promote them.
Second, the risk assessment component of the framework is essential to understanding an entity's operating environment. During my first meeting with the Director of Risk Compliance, I was blown away by the level of detail in the risk matrix his team had prepared to map out the internal and external factors that could affect the business. This one graphic captured risks across six categories and charted both the likelihood of occurrence and the financial impact of each. A thick binder of research supported the matrix, demonstrating the analysis that went into this depiction of risk. I immediately recognized the value this powerful visual could bring to the entire business. As it turns out, I wasn't the only one to see the potential for a broader application.
In 2014, COSO kicked off a revision of its ERM framework, with a focus on enterprise risk management (ERM) as a strategic enabler. Miles Everson, PwC U.S. Advisory Leader, delivered a call to action: “It’s time to view risk as a competitive advantage, reframing risk as a key enabler of strategy and performance.” The revised guidance comes more than a decade after the original ERM framework was issued in 2004.
Each year, COSO issues new or revised guidance on a broad array of topics, including governance, operational performance, internal control, ERM, and fraud deterrence. For example, the 2013 update to the Internal Control – Integrated Framework extended its reporting objectives beyond financial reporting, bringing sustainability and corporate social responsibility into scope. Since then, sustainability has certainly earned its seat at the table in organizations of all sizes. Leading with topics such as sustainability and strategy demonstrates COSO’s commitment to relevance across every role in an organization. Frank Martens, a long-time COSO contributor and PwC veteran, shared the vision for the latest release: “We want it to be inspirational.” The goal is for these changes to hold up for the next ten or more years.
Risk management methodology shares much with the research behind a SWOT analysis, a Porter’s Five Forces analysis, or competitive intelligence. Each approach calls for knowledge of internal factors such as key employees, key contracts, and key processes, and of external factors such as economic trends, competitor activity, and reputation. Where strategy tends to be opportunistic, risk management focuses on mitigation. Both have their place. By linking these assessments, organizations get their teams collaborating on a shared picture of the business, and that transparency ultimately yields more precise planning.
The new ERM guidance was released just this week. Here are a handful of ways to lead its adoption:
- Consider risk when developing strategies, not just when subsequently evaluating them
- Encourage all teams to talk about risk using general business terms
- Align culture & strategy by understanding risk tolerance and decision-making norms
- Don’t elevate a strategy-and-risk mindset in place of internal controls; you need both
While public companies will no doubt feel the strongest need to get on board, leaders of any organization can fortify it by recognizing how tightly strategy and risk are linked.