NYSE-listed organizations are extending the use of the COSO standard and framework beyond the management of financial reporting risk as mandated by section 404 of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX).
Since 2013, COSO has also covered operational risk areas, including cyber security. In 2015, COSO released COSO in the Cyber Age, which outlines considerations for performing a COSO-focused cyber risk assessment.
COSO gave risk practitioners a common framework for managing multiple facets of risk within Enterprise Risk Management (ERM). What they soon discovered was that, while COSO provided a strong conceptual foundation tying the management of controls and risks to the definition and achievement of business strategies, it did not provide the analytical basis for quality measurements that could inform those strategies and enable cost-effective decisions about resource allocation. The end result was the establishment of complex processes, but little actionable data.
That gap can be filled by using a proven analytical risk model such as FAIR as part of your COSO-based risk management program. The remainder of this article will explain what the COSO standard and framework are and how the FAIR model can complement them.
Let's start with some nomenclature to explain why we are referring to 'standards' and 'frameworks' separately. According to the Institute of Risk Management, a risk management standard is "the combination of a description of the risk management process, together with the recommended framework".
COSO ERM draws a direct relationship between an organization's goals and the enterprise risk management (ERM) components. This relationship is represented as a three-dimensional cube.
As COSO ERM describes its framework, "within the context of the established mission or vision of an organization, management establishes strategic objectives, selects strategy and sets aligned objectives cascading through the enterprise". The framework is geared to achieving corporate goals, set out in four risk categories represented as the top face of the cube:
The various phases of the risk management process are listed on the front face of the cube and are similar to the steps outlined by other risk management standards from organizations such as ISO or NIST. The side face of the cube represents the breakdown of findings by organizational boundary, such as business unit, division or enterprise level.
Of the three dimensions, COSO's main concern centers on the risk management framework aspects (governance, strategy, protocols). It is important to note that the top two risk categories listed above point to economically or financially driven decision making, and the third points to the quality of the underlying data.
COSO provides a comprehensive framework that explains what to do to incorporate risk into the definition and adjustment of business strategies. But when it comes to assessing risk and producing the data that informs those strategies (identifying, measuring, prioritizing and reporting risk), it gives no indication of how to do it. Risk practitioners are left to their own devices in finding an effective way to accomplish that.
The use of the FAIR analytic model as part of COSO-focused risk assessments can ensure that the goals of enabling strategic and cost-effective decision making can be met, in the following ways:
With financial risk data in hand, the various actors in the risk governance process can make more explicit and business-aligned decisions, and organizations can effectively and efficiently meet the objectives of the COSO standard. The combined use of the COSO ERM standard and the FAIR analytic model allows organizations to answer strategic and tactical questions expressed in economic terms, such as:
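To make concrete what "financial risk data" means in practice, here is an added example (not code from the article, the FAIR Institute or COSO) of a simplified FAIR-style Monte Carlo that turns calibrated range estimates into an annualized loss exposure in currency terms and ranks scenarios by it. It uses only the two top-level FAIR factors as defined in the Open Group FAIR standard, Loss Event Frequency and Loss Magnitude, and makes several simplifications the article does not discuss: triangular distributions stand in for PERT, secondary losses are ignored, and frequency is not decomposed further. The scenario names and all numeric ranges are constructed for illustration.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Estimate:
    """Calibrated range estimate: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular returns `low` when low == high, so point estimates work too.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass
class Scenario:
    """One loss scenario described by the two top-level FAIR factors."""
    name: str
    loss_event_frequency: Estimate  # loss events per year
    loss_magnitude: Estimate        # primary loss per event, in currency units


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given an expected rate `lam`."""
    if lam <= 0:
        return 0
    if lam > 500:
        # exp(-lam) underflows for large rates; use the normal approximation instead.
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    threshold = math.exp(-lam)          # Knuth's algorithm
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(scenario: Scenario, rng: random.Random) -> float:
    """One simulated year: draw a frequency, draw that many events, sum their losses."""
    lef = scenario.loss_event_frequency.sample(rng)
    events = poisson(rng, lef)
    return sum(scenario.loss_magnitude.sample(rng) for _ in range(events))


def annualized_loss_exposure(scenario: Scenario, iterations: int = 10_000, seed: int = 42) -> dict:
    """Run the Monte Carlo and summarise the annual loss distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_annual_loss(scenario, rng) for _ in range(iterations))

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "scenario": scenario.name,
        "mean": statistics.fmean(losses),   # annualized loss exposure
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),                   # a common "reasonable worst year" figure
        "max": losses[-1],
    }


def rank_scenarios(scenarios: list, iterations: int = 10_000, seed: int = 42) -> list:
    """Prioritise scenarios by mean annual loss, highest first, for a risk register."""
    results = [annualized_loss_exposure(s, iterations, seed) for s in scenarios]
    return sorted(results, key=lambda r: r["mean"], reverse=True)


# Constructed sample scenarios (hypothetical values, not from any real assessment).
SAMPLE_SCENARIOS = [
    Scenario("Credential phishing leading to account takeover",
             Estimate(2, 6, 12), Estimate(5_000, 20_000, 80_000)),
    Scenario("Ransomware outage on a line-of-business system",
             Estimate(0.1, 0.3, 0.5), Estimate(200_000, 1_000_000, 5_000_000)),
    Scenario("Fully mitigated legacy exposure (no remaining loss events)",
             Estimate(0, 0, 0), Estimate(1_000, 5_000, 10_000)),
]

if __name__ == "__main__":
    for r in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"{r['scenario']}: mean={r['mean']:,.0f} p50={r['p50']:,.0f} p90={r['p90']:,.0f}")
```

The output is the kind of data the article says COSO lacks: each scenario gets an expected annual loss and a distribution, so "which risk do we fund first" and "is this control worth its cost" become comparisons of currency figures rather than colour ratings. Replace the triangular draws with PERT and add secondary loss factors to move closer to a full FAIR analysis.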
Consider joining the FAIR Institute to learn more about FAIR.