Published September 28, 2017 • By Karen Walsh • 3 min read
The June 2017 COSO framework update takes enterprise risk management (ERM) to the yoga studio. Yoga inspires a healthy lifestyle steeped in self-analysis and physical flexibility. The core components of the COSO framework update are the exercises that lead to organizational health and flexibility, for public and private companies alike. With ERM as your organization’s daily downward dog exercise, you can build your company’s core strength. Just as some yoga practitioners use blocks to support their form, ZenGRC’s automated platform helps you reach the flexibility necessary to engage in effective ERM. To see how the platform can support your compliance health, book a demo with one of our GRC experts.
How Risk Relates to Resiliency
Risk management may be the main driver of the new COSO framework update, but the executive summary (“The Summary”) specifically notes that the Board of Directors is responsible for investigating how management creates a culture that inhibits or enables risk taking. The Summary’s discussion of Board oversight focuses on more than the potential harms of various risks. One of this section’s key drivers is the connected nature of risk and resiliency: overly risk-averse organizations may be too inflexible to incorporate necessary changes. ZenGRC creates visibility into areas with the greatest risk and offers the Board insight into the corporate culture. This tool helps management provide answers quickly and efficiently, allowing everyone to focus on what matters—running a successful business.
Why Mission, Vision, and Core Values Are Integral to ERM
Traditional notions of risk management look at what could go wrong and apply strategies to keep that from happening. However, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) takes a new approach to creating an integrated framework by going further and mapping an organization’s values to those strategies. Mission, vision, and core values are more than taglines to put in advertisements. The way in which an organization conducts business defines its approach to customers and strategies. Misalignment of strategies and values can leave an organization foundering, and traditional risk management ignores this potential pitfall. Organizations use cost-benefit analysis to choose COSO compliance solutions. The new COSO framework asks companies to analyze their strategy choices and evaluate the trade-offs. The COSO framework update asks organizations not only to detail their decisions but also to continually review these decisions to ensure ongoing alignment. Flexibility means being able to make changes, and that can be time-consuming when an internal control maps to multiple standards. A change to a firewall may impact PCI DSS, ISO, and HIPAA. Spreadsheets make these simple changes feel unwieldy, while an automated system can make a company more resilient. ZenGRC offers tools that show where control activities map to more than one standard, simplifying your strategy review and enabling changes.
How to Create a Focused ERM Strategy
The new COSO framework update is organized into five interrelated parts.
Governance and Culture
COSO defines governance as the oversight and management of ERM, while culture is the set of employee behaviors that shape how the entity takes on risk.
Strategy and Objective Setting
The control framework suggests that risk appetite helps define the strategy, while objectives measure its effectiveness.
Performance
Once risk impacts are defined, organizations need to prioritize the risks and report on the processes used to manage them.
Review and Revision
As part of continuous monitoring, organizations should review performance and revise appropriately. This can include having a regular internal audit performed.
Information, Communication, and Reporting
Information, and communication of that information from internal and external sources such as auditors, must be ongoing. Gaining insight into ERM means creating and analyzing metrics. Being able to assess effectiveness requires constant communication. ZenGRC provides a way for organizations to efficiently manage tasks and effectively communicate between stakeholders.
The Summary’s most important message is that a true risk management solution needs to include agile decision-making that offers rapid and cohesive responses to a changing landscape. The Summary lists four specific areas of concern. First, the rise of Big Data means structuring analyses in new ways. Second, artificial intelligence and automation allow for deeper insight into trends and patterns. Third, ERM can help address the rising cost of compliance and risk management by coordinating activities efficiently across an effective internal control framework. Fourth, integrating ERM into organizations makes them more stable. To be agile decision makers, information security teams need equally agile tools to help them collect the necessary data about their control environments to meet the requirements of internal auditors certified by the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Institute of Internal Auditors, or Institute of Management Accountants. ZenGRC’s automated platform addresses these future issues. Its ease of documentation aggregation and reporting offers the C-suite insight into a company’s trends. The rising cost of compliance comes not just in dollars but also in man-hours. The ZenGRC platform cuts down on the time spent managing compliance by helping stakeholders collectively track changes and tasks.