COSO for CSOs: An interview with the internal control and ERM frameworks’ co-author

As the business world focuses more on risk management, more people are turning to the frameworks developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

COSO is a joint initiative of five private-sector organizations dedicated to providing thought leadership on enterprise risk management (ERM), internal control and fraud deterrence.

Richard Steinberg is the lead project partner of the PricewaterhouseCoopers team that in 1992 conceptualized and developed the COSO Internal Control Integrated Framework. The framework—which is in the process of being updated, with a final draft expected this April—is widely used today for designing, implementing and evaluating the effectiveness of internal controls.

Steinberg also led development of the COSO Enterprise Risk Management Integrated Framework, developed in 2004. This is a broader framework that incorporates concepts of the Internal Control framework. It describes the critical principles and components of an effective ERM process, namely, how important risks should be identified, assessed, responded to and controlled.

Bradley Schaufenbuel, director of information security at Midland States Bank, recently interviewed Steinberg for CSO.

Bradley Schaufenbuel: Has the COSO framework for internal control met your expectations for adoption?

Rick Steinberg: It’s the standard used by the vast majority of public companies for enhancement and reporting as required by Sarbanes-Oxley. It has resulted in a common language of internal control that was absent before its issuance, as well as more commonly understood concepts and terminologies of internal control. I’ve also seen enhanced communication among executives across companies. Its principles and key concepts have stood the test of time, so yes, it has met my expectations.

You have said you believe that the updated internal control framework to be a substantial improvement over the old one. Why?

The key enhancement is that certain concepts inherent in the 1992 version—elements of control, attributes related to each principle—have been made more explicit. Also, the surrounding discussions have been brought up to date by focusing on new business models, evolving technology, third-party involvement and fraud detection.

[Also read Fraud prevention: Improving internal controls by Daniel Draz, CFE]

The principles inherent in the framework have been highlighted, and if that’s what security managers have been focusing on, it will be received well. If the hope is for a great deal more detail on information security, then it’s probably not going to satisfy those hopes.

Does the greater recognition of third parties highlight the need for organizations to increase their focus on improving vendor management and oversight programs?

The draft updated internal control framework certainly focuses better on the risks involved and the relationships with third parties and how to better manage those risks.

We’re not only talking about relationships with vendors but also other types of third parties—service providers, representatives, agents operating in foreign locations, business partners. They’ve all received more focus in this update.

There has been criticism that the COSO risk management framework is too complex. What can be done to simplify it or change this perception?

Risk management is simple in concept but can be challenging to deal with in the real world. I may be a bit biased, but I don’t think it’s extraordinarily complex.

The cube in the framework brings concepts together in a meaningful way. But people who don’t focus on risk on a regular basis or as a process might need to work a bit to get their arms around it.

There are other ways to do that than focusing solely on the framework; they can pursue educational and training programs to gain that understanding.

The framework’s Application Techniques volume is a tool that security managers might want to look into, because there’s a wealth of knowledge for specific ways to apply risk management effectively.

How pervasive are ERM programs that truly comport with the principals envisioned by the COSO risk-management framework?

Most companies practice risk management, but it’s not very common for companies to have all the elements of what COSO defines as an effective ERM framework. For example, there are some that might not really relate risks to their business objectives. They might not have set forth an established risk appetite or risk tolerances, or a portfolio view of risk.

Does a company need to apply the entire framework to benefit from ERM?

There are principles set forth in the ERM framework that need to be in place in order for a company to have what is defined as an “effective” ERM process. I do think, however, that many companies take significant steps to manage their risks without having what the COSO framework defines as ERM.

In some instances, companies’ risk management processes have served them well, but in other cases they have not. For example, we saw major banks in 2007 not focusing sufficiently on what are called “black swans,” thereby missing what were considered unlikely events that indeed resulted in having a major negative impact on those organizations.

One of the challenges of implementing a comprehensive ERM program is what a colleague of mine calls “blank-stare syndrome.” No matter how hard we try, ERM is an awful lot for folks to take in because there are so many moving parts. How do we get everyone on the same page?

That is certainly a challenge, and there are no easy answers. I’d like to start with the idea that the framework is not a primer on risk management. It’s aimed at business people with some background in managing business risk. The executive summary may be helpful to boards of directors who provide oversight to get a sense of what’s involved in ERM. But the framework does not attempt to take the place of what’s obtained through experience, education and training.

It’s also important to understand that the COSO ERM framework is not a how-to on developing ERM. It describes what an effective ERM process is, what it contains and represents, and how it works. But it does not set forth a specific methodology for implementing an ERM process. So to get on the same page, it’s useful to start with the framework and the key concepts of risk management and then select a methodology for making it happen in your company.

[Get ahead of the curve with the Risk’s Rewards blog | Sign up for CSO’s monthly Risk Management e-newsletter]

One approach that I find helpful is to use risk concepts in the strategic development process and related implementation planning. Another approach is to set an ERM program for one business unit, with a leader who is well respected, and see the successes and benefits it brings to that unit and how it can be extended to others in the company.

In a midsize company, you can take what I call a big-bang approach, where an ERM process is developed and rolled out for the entire organization. This can work if you’ve got the support of top management to develop and design how risk management will be deployed, with an appropriate implementation plan, along with training and all the elements of an effective project and change management.

What advice would you give a security leader in an organization that does not have an effective ERM program?

It might be useful to work together with other corporate leaders such as the CFO and chief compliance officer. In some companies, this group of executives has been able to influence and persuade the CEO to support an initiative that brings ERM to the fore.

It seems that initiatives concerning good corporate governance are often event-driven. How can we convince organizations to adopt effective processes for internal control and ERM without waiting for the next meltdown?

If CFOs, compliance officers and other senior staff managers band together, they can be a major influence in getting senior operations executives to consider that risk management is good management. They can be a positive force in moving an organization to deal effectively with risk in a strategy setting and integrate risk-management principles into business objectives.

With the Dodd-Frank Act, we are seeing the implementation of ERM programs, direct board oversight over ERM, and the appointment of chief risk officers becoming mandated for some larger banks. Do you foresee similar regulations coming in industries other than financial services?

Not in the near term. However, boards of directors across industries are providing much closer oversight into risk-management programs and are suggesting to chief executives that there should be a greater focus on risk management. So the pressure is coming from that direction rather than inside the Beltway.

You have witnessed the development of ERM for several decades now. In what directions do you foresee it heading in the near and distant future?

I believe we’ll see a continued evolution to stronger risk management, especially as executives see the business benefits, like ensuring that the supply chain continues unaffected and doesn’t halt manufacturing, that you don’t have the type of financial meltdown that we’ve seen in companies in recent years, the assurance that marketing programs in foreign locations achieve their stated goals.

The risks have evolved, and there are significant new ones that need to be dealt with. Often, risk management has been ad hoc. Now, executives and boards of directors want to take a more disciplined approach to identifying, analyzing and managing risk.