Risk Advisory Group COSO Plans More Detailed Recommendations in 2021

The Wall Street Risk and Compliance Journal

The Committee of Sponsoring Organizations of the Treadway Commission—known for its influential, albeit somewhat abstract, risk management guidelines—is looking to provide more practicable advice on managing emerging risks.

COSO, whose guidelines are closely followed by public companies and government agencies, has spent recent months publishing more prescriptive advice meant to supplement broad-stroke suggestions in its most-recognized documents, one on internal controls and another on enterprise risk management.

“We want to make sure that these very broad, principle-based frameworks can be effectively applied in the real world,” COSO Chairman Paul Sobel said.

In the year ahead, the group plans to issue detailed recommendations on how organizations can better manage risks related to cloud computing, artificial intelligence and outside contractors, among other topics. The reports would follow a series of similar ones issued over the past two years on topics such as cyberattacks, blockchain and compliance risks.

The effort attempts to address one of the more challenging aspects of advising on risk management: There is no one-size-fits-all approach. Individual companies face different kinds of risks. And even if two companies faced identical risks, they might manage them differently.

David Fisher, a partner at McLean, Va.-based advisory firm Guidehouse, said COSO’s enterprise risk framework has helped his team steer organizations past the simple creation of risk lists, enabling them to better govern risk management and connect risk assessments to a broader strategy. “It’s the heart of what we use,” said Mr. Fisher, who leads Guidehouse’s risk consulting practice.

At the same time, his group has paid special attention to some of COSO’s more prescriptive reports, such as one published in May that spelled out how organizations can better understand, monitor and communicate risk appetite. “That’s been a challenge for our clients,” Mr. Fisher said.

The guidance was useful because understanding how much risk an organization is willing to accept is central to effective risk management, he said. The detailed recommendations helped his clients “really understand how to think about the concept—but, more importantly, how to then actualize it within their organization,” said Mr. Fisher, a former Internal Revenue Service chief risk officer.

“Anything we can do to take concepts and make them feel real is, from a consulting standpoint, both our challenge and opportunity in ERM,” he said. “It’s a waste of time if this stuff isn’t real.”

Read the Full Article

About the Experts

Back to top