NYSE-listed organizations are extending the use of the COSO standard and framework beyond the management of financial reporting risk as mandated by section 404 of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX).
Since 2013, COSO has also covered operational risk areas, including cyber security. In 2015, COSO released COSO in the Cyber Age, which outlines considerations for performing a COSO-focused cyber risk assessment.
COSO gave risk practitioners a common framework for managing multiple facets of risk in Enterprise Risk Management (ERM). What they soon discovered was that while COSO provided a strong conceptual foundation that tied the management of controls and risks to the definition and achievement of business strategies, it did not provide the analytical basis for quality measurements that can help inform business strategies and enable cost-effective decision making regarding resource allocations. The end result was the establishment of complex processes, but little actionable data.
That gap can be filled by using a proven analytical risk model such as FAIR as part of your COSO-based risk management program. The remainder of this article will explain what the COSO standard and framework are and how the FAIR model can complement them.
What is the difference between a risk management standard and framework?
Let's start with some nomenclature to explain why we are referring to 'standards' and 'frameworks' separately. According to the Institute of Risk Management, a risk management standard is "the combination of a description of the risk management process, together with the recommended framework".
- The steps of a risk management process can vary but typically include the identification of risks, their measurement and prioritization, their treatment via preventative and response controls, their reporting and the monitoring and audit of the entire process.
- The components of a risk management framework generally include risk governance (roles, responsibility, communication, reporting), risk strategy (including risk appetite and attitudes) and risk protocols (guidelines for the organization).
The COSO ERM standard
The COSO ERM Integrated Framework (a standard) established in 2004 incorporates but does not replace the COSO Internal Control - Integrated Framework (a framework), originally published in 1992. Both have since been updated. The aim of the COSO standard and framework is to assist organizations in structuring and evaluating controls that address a broad range of risks, inform strategic and operational decision-making and achieve regulatory compliance.
COSO ERM makes a direct relationship between an organization's goals, and enterprise risk management (ERM) components. This relationship is represented in a three-dimensional cube.
As COSO ERM describes its framework, "within the context of the established mission or vision of an organization, management establishes strategic objectives, selects strategy and sets aligned objectives cascading through the enterprise". The framework is geared to achieving corporate goals, set out in four risk categories represented as the top face of the cube:
- Strategic: high-level goals aligned with mission
- Operations: efficient use of resources
- Reporting: reliability of the findings
- Compliance: compliance with laws and regulations
The various phases of the risk management process are listed on the front face of the cube and are similar to the steps outlined by other risk management standards from organizations such as ISO or NIST. The remaining side of the cube represents the slicing and dicing of the findings by organizational boundary, such as business unit, division or enterprise level.
Of the three dimensions, COSO's main concern centers on the risk management framework aspects (governance, strategy, protocols). It is important to note that the first two risk categories listed above (Strategic and Operations) point to economically or financially driven decision making, and the third (Reporting) points to the quality of the underlying data.
Using FAIR as the analytic model of your COSO-inspired program
COSO provides a comprehensive framework that explains what to do to incorporate risk into the definition and adjustment of business strategies, but when it comes to assessing risk and providing the data to inform those strategies (i.e. identifying, measuring, prioritizing and reporting risk), it gives no indication of how to do it. Risk practitioners are left to their own devices in finding an effective way to accomplish that.
The use of the FAIR analytic model as part of COSO-focused risk assessments can ensure that the goals of enabling strategic and cost-effective decision making can be met, in the following ways:
- FAIR provides a model that helps define risk scenarios consistently across the enterprise and ensure that what is being managed is a real risk, i.e. a probable loss, versus a control deficiency, a threat or other 'concern'. These are factors of risk but not risks in themselves. Without a structured risk model such as FAIR, organizations end up defining risk based on mental models of risk analysts and managing many 'risky issues' that are not real or do not represent a material risk to the organization, misleading decision-makers in the process.
- FAIR also provides a model to quantify risk in financial terms, dollars and cents (or euro, pound or yen...). Articulating risk in such terms allows business executives and board members to evaluate the impact of events in terms they understand, conduct cost-benefit analysis and make informed decisions. Qualitative rating methods such as 'high-medium-low' or ordinal '1-5' scales, which are in vogue in many companies, provide only a very high-level understanding of risk and certainly do not enable financially driven decision making.
With financial risk data in hand, the various actors of the risk governance process can make more explicit and business-aligned decisions, and organizations can effectively and efficiently meet the objectives of the COSO standard. The combined use of the COSO ERM standard and the FAIR analytic model allows organizations to answer strategic and tactical questions expressed in economic terms such as:
- How much risk do we have?
- What are our top risks, based on business impact?
- What are the controls that are most effective in mitigating our top risks?
- How does the cost of the various control initiatives compare with the possible risk reductions?
- How much should we invest in controls based on our risk appetite?
- Should we proceed with that M&A based on the risk findings? Should we adjust the acquisition price accordingly?
- What type and how much cyber insurance should we buy?
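The following is an added illustration of the two points made about FAIR above (quantifying each loss scenario as a probable loss in currency terms, and then using that data to answer "How much risk do we have?", "What are our top risks?" and "How does control cost compare with risk reduction?"). It is example code written for this article, not code from COSO, the FAIR Institute or any FAIR tool. It uses the core FAIR decomposition of risk into Loss Event Frequency (LEF, events per year) and Loss Magnitude (LM, loss per event) and estimates annualized loss exposure by Monte Carlo simulation using only the Python standard library. The scenario names, three-point estimates, control effect and control costs are constructed sample values, and the choice of a triangular distribution for the estimates and a Poisson count of events per year is this example's simplification, not a FAIR requirement.

```python
"""FAIR-style Monte Carlo risk quantification.

Constructed example for this article; not COSO or FAIR Institute code.
Risk = Loss Event Frequency (events/year) x Loss Magnitude (loss per event).
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution is a simple stand-in for a PERT-style estimate.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """A real risk in FAIR terms: a probable loss, not a threat or a control gap."""
    name: str
    lef: Estimate  # loss event frequency, events per year
    lm: Estimate   # loss magnitude per event, in currency units


# Constructed sample risk register (values are illustrative, not from any organization).
SCENARIOS = [
    Scenario("Web platform outage", Estimate(0.5, 2, 6), Estimate(20_000, 80_000, 400_000)),
    Scenario("Loss of customer PII", Estimate(0.1, 0.5, 2), Estimate(50_000, 150_000, 600_000)),
]


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm for a Poisson-distributed event count (stdlib has no Poisson).

    Adequate for the small yearly rates used here; exp(-lam) underflows for large lam.
    """
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(scenario: Scenario, seed: int = 1, trials: int = 10_000,
                         lef_scale: float = 1.0) -> list[float]:
    """One simulated year per trial: sample a rate, draw the event count, sum the event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = scenario.lef.sample(rng) * lef_scale
        events = _poisson(rng, rate)
        losses.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Annualized loss exposure (mean) plus tail figures a board can reason about."""
    ordered = sorted(losses)
    return {
        "ale": statistics.fmean(losses),                 # average annual loss
        "p90": ordered[int(0.9 * (len(ordered) - 1))],   # 1-in-10-year loss
        "max": ordered[-1],                              # worst simulated year
    }


def rank_scenarios(scenarios: list[Scenario], seed: int = 1,
                   trials: int = 10_000) -> list[tuple[str, dict[str, float]]]:
    """Answers 'what are our top risks, by business impact?' in currency terms."""
    results = {s.name: summarize(simulate_annual_loss(s, seed, trials)) for s in scenarios}
    return sorted(results.items(), key=lambda item: item[1]["ale"], reverse=True)


def evaluate_control(scenario: Scenario, lef_reduction: float, annual_cost: float,
                     seed: int = 1, trials: int = 10_000) -> dict[str, float]:
    """Cost-benefit of a control that reduces loss event frequency by `lef_reduction`."""
    before = statistics.fmean(simulate_annual_loss(scenario, seed, trials))
    after = statistics.fmean(simulate_annual_loss(scenario, seed, trials, 1.0 - lef_reduction))
    reduction = before - after
    return {
        "risk_reduction": reduction,
        "net_benefit": reduction - annual_cost,
        "rosi": (reduction - annual_cost) / annual_cost,  # return on security investment
    }


if __name__ == "__main__":
    for name, stats in rank_scenarios(SCENARIOS):
        print(f"{name:24s} ALE={stats['ale']:>12,.0f}  P90={stats['p90']:>12,.0f}")
    # Constructed control: cuts outage frequency by 60% for 100,000 per year.
    print(evaluate_control(SCENARIOS[0], lef_reduction=0.6, annual_cost=100_000))
```

The ranking output is what lets the COSO governance layer compare risks on one financial scale, and `evaluate_control` is the form a "how much should we invest in controls?" question takes once the inputs are probable losses rather than ordinal scores; the quality of the answer depends entirely on calibrated estimates, so the three-point inputs should come from evidence (incident history, vendor data, calibrated estimators) rather than gut feel.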
Consider joining the FAIR Institute to learn more about FAIR.