Mark Beasley, North Carolina State University
Doug Prawitt, Brigham Young University
Larry Rittenberg, University of Wisconsin - Madison
Perhaps there is no more pervasive concept that affects organizations more than risk. Many organizations and firms have a ‘risk model’ that they utilize. However, while models exist, no one comprehensive model pulls together all the risk elements into one encompassing framework that can be used across a wide variety of organizations and for a wide variety of purposes. Following up on its highly influential project on Internal Control, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has embarked on another landmark project, this time to provide guidance in helping organizations manage enterprise-wide risks. The goal of this project is to provide extensive guidance that contains both a conceptual framework and accompanying detailed application guidance to assist companies in the management of risks. While a fairly extensive literature on the subject exists in a variety of disciplines, COSO concluded after significant study that there is considerable disparity between studies on risk management and how risk is understood and managed by businesses and other organizations.
COSO embarked on this study in January 2001 after concluding that there is consensus worldwide that all organizations can benefit from improved risk identification and risk analysis procedures. Events of the past year have continued to highlight the central importance of effective enterprise risk management. Yet, until now, there has been no universally agreed-upon comprehensive framework to facilitate communication or to guide an organization’s efforts to manage risk. Because risk management has an important relationship with internal controls in both practice and theory, COSO intends for the enterprise risk management framework to have direct ties with its landmark internal control framework. Further, the concepts of risk may be incorporated into the accounting model as the concepts evolve.
In the spring of 2001, COSO appointed an Advisory Council to oversee the ERM project. The Advisory Council consists of representatives from each of COSO’s member organizations, including the American Accounting Association (AAA). After issuing a Request for Proposals and evaluating responses in the spring and summer of 2001, COSO’s ERM Advisory Council selected PricewaterhouseCoopers (PwC) to conduct the extensive study. PwC will provide substantial staff time to conduct the project, which will require an estimated 10,000 hours of professional time.
Who is COSO?
COSO is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. It is jointly sponsored and funded by the American Institute of CPAs (AICPA), the American Accounting Association (AAA), the Institute of Internal Auditors (IIA), the Financial Executives International (FEI), and the Institute of Management Accountants (IMA). Larry Rittenberg currently represents the AAA on the COSO Board. Mark Beasley and Doug Prawitt represent the AAA on the COSO Advisory Council that oversees the ERM project. All three of the AAA representatives are members of the auditing section. The Advisory Council periodically reports to the full COSO Board on the status of the project.
COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. Since then, COSO has issued these additional studies:
- Report of the National Commission on Fraudulent Financial Reporting
- Internal Control: Integrated Framework
- Internal Control Issues in Derivatives Usage
- Fraudulent Financial Reporting: 1987-1997, An Analysis of U.S. Public Companies
Some of the PwC team leaders currently overseeing this project also participated on the earlier COSO internal control and derivatives projects.
Risk Management Project Goals and Objectives
COSO has established the following goals and objectives for the ERM project:
- There is a significant need for guidance about enterprise-wide risk management that provides both a conceptual framework and detailed application guidance. The guidance will include not only a theoretical framework for assessing enterprise-wide risks, but also actionable guidance to measure and control risk conditions, such as example risk management data assessment tools useful for benchmarking.
- The theoretical framework portion of the publication will be coordinated with COSO’s internal control framework as outlined in COSO’s Internal Control: Integrated Framework Guidance. However, the risk model is expected to be more encompassing than the internal control framework and should present a broader framework for identifying, managing, monitoring, and controlling risks.
- The enterprise-wide risk management guidance will emphasize coordinating risk management across critical segments of a business, not just financial reporting risks.
- The enterprise-wide risk management guidance will be targeted for middle market and larger companies, while still being useful to other organizations including government agencies, industry associations, and not-for-profit groups.
The overall goal of the study is to provide both conceptual and practical “how-to” guidance to assist organizations in building effective programs to identify, measure, prioritize and respond to risks. COSO recognizes that while many organizations are engaging in some aspects of risk management, this study will help identify all of the aspects that should be present and how they can be coordinated. Further, it will identify interrelationships between risk and risk management.
The Study’s Process
The project team led by PwC began its detailed work in Fall 2001 by assessing the guidance already available. That process included an extensive literature search in addition to conducting surveys and focus-group forum meetings to obtain relevant background input. Throughout the first-half of 2002, the project team will be developing the overall conceptual framework and designing the detailed framework and related application guidance. One of the key goals of this project is to ensure broad support and acceptance of the risk guidance. Thus, COSO plans to ensure appropriate due process by seeking input on both the conceptual framework and related application guidance. The exposure draft, which is targeted for Fall 2002, will be circulated widely to ensure feedback is received from not only the accounting community, but from other constituencies outside the accounting domain as well.
After evaluating and incorporating criticisms and suggestions on the exposure draft, COSO expects to issue its final report by summer 2003.
How Can Auditing Section Members Help?
The success of this project will be largely dependent on input received from experts in risk management. The project team would be happy to provide regular updates on progress to our section. Members of the Auditing Section can play a key role in providing useful input to the project team. First, Section members who have conducted research on risk management issues or are aware of relevant publications can assist the project team by providing information about those studies and documents. Please send relevant information to one of the authors of this article (Mark Beasley, (Doug Prawitt, (Larry Rittenberg). Second, Section members will be asked to respond to the exposure draft when it becomes available in Fall 2002 (please watch The Auditor’s Report for notice of the due process timetable). Third, there may be future opportunities for Section members to participate at presentations or workshops conducted by the project team. Lastly, we will be asking the Auditing Section to provide a team review of the conceptual model and the initial draft to help the project team members respond to the conceptual framework and the working draft. The AAA was instrumental in shaping the previous COSO projects to ensure a solid framework. We hope to continue that history of excellence as we deal with risk. We encourage your participation and seek any relevant input you may be able to provide.