Monday, April 26, 2010

The COSO ERM Framework

Although there is currently no fixed standard prescribing which ERM framework has to be used, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has established an ERM framework that is not only fully SOX-compliant [1], but covers all necessary areas from different perspectives and is recommended by the AICPA's Auditing Standards Board. It was first introduced in 1992, originally focusing not on risk management but on internal control problems that had proved difficult for enterprises [2]. In response to financial, accounting and auditing scandals such as Enron, Tyco and WorldCom, the COSO Framework was republished in an updated version in 2004 to be in compliance with the SOX Act. It now focuses on giving a broad understanding of all aspects of enterprise risk management by defining essential components, providing a common language and giving clear direction and guidance on how risk should be managed, thereby giving the organization a portfolio view of risk [3].

The key points to keep in mind when using the COSO Framework are [4]:
  • ERM is a process
  • The ERM process is implemented by people
  • The concept of risk appetite has to be considered
  • ERM is designed to help achieve objectives
  • ERM provides only reasonable, not complete, assurance that objectives will be achieved
The framework can be pictured as a cube, with the four objective categories as vertical columns, the eight components as rows and the five business units as the third dimension.

Figure: Institute of Internal Auditors - COSO ERM Framework cube [3]


References:

[1] Robert R. Moeller, “Sarbanes-Oxley Internal Controls: Effective Auditing with AS5, CobiT, and ITIL”, John Wiley & Sons, 2008
[2] Robert R. Moeller, “COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework”, John Wiley & Sons, 2007
[3] Institute of Internal Auditors, “Applying COSO’s Enterprise Risk Management Integrated Framework”, http://www.ucop.edu/riskmgt/erm/documents/coso_erm_frmwrk.ppt
[4] Anthony Tarantino, “Manager's Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB's A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies”, John Wiley & Sons, 2006