This article provides a practical explanation of the COSO Framework. After reading, you will understand the basics of this powerful risk analysis and management control tool.
What is the COSO Framework?
The COSO Framework, also known as the COSO model or COSO square, defines the internal control of an organisation – carried out by management – as a process. The part of that process that identifies events which could potentially affect the entity is referred to as Enterprise Risk Management (ERM). ERM comprises the methods and processes that organisations use to manage risk and seize opportunities so that the company’s objectives are met.
The COSO Framework was originally developed in 1992 by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). COSO developed this framework to help companies identify, assess and improve the control of internal processes.
Internal (risk) management matters a great deal, since the presence or absence of such a management system determines the quality of the figures reported in the statements of results.
A functioning and accurate internal control process gives the users of the financial statements a reasonable degree of certainty that the statements of results are correct and can be relied on in a well-considered decision-making process.
In September 1992, COSO released a report entitled “Internal Control – Integrated Framework”. Following its issue, COSO made a number of changes in 2004. The report sets out a common definition of internal control and provides a framework that organisations can use to manage and improve their internal control systems.
Since then, the framework has been used as a standard reference model by many organisations.
The three dimensions of the COSO Framework
COSO’s ERM is based on the principle that every organisation exists primarily to create added value for its stakeholders. The greater the risk attached to a decision, the higher the return it is expected to yield.
In a rapidly changing environment, uncertainty often arises, and this offers both risk and opportunity. ERM enables management to identify, assess and manage these risks.
The COSO internal control framework is generally presented as a cube, because three dimensions of control have been merged into one framework that represents the direct relationship between:
A – Control components
Internal environment
Management formulates a philosophy on risk and, in doing so, defines the risk appetite of the organisation. The internal environment provides the basis for how risks are viewed and how they are anticipated. It is crucial that senior management demonstrates the importance of ERM at all levels of the organisation.
Objective setting
Objectives must be set before management can identify potential events affecting performance and results. ERM ensures that management has a process or tool in place to set goals, and that the chosen goals are in line with the organisation’s mission statement and consistent with its risk appetite.
Identification of events
It is essential that events which may affect the objectives are identified in both the internal and the external environment. This includes events that represent risks and events that may create opportunities. Events that do both should be handled with extra care.
Risk assessment
The identified risks must be analysed before it can be decided how they will be handled. Risks are linked to objectives that can be influenced and are assessed on both an inherent and a residual basis.
The assessor should take into account both the weight (likelihood) of a risk and its impact. Risk assessment is an ongoing process, which means that risk analysis must be performed on a continual basis.
Risk control measures
After the risks have been identified and assessed, the risk analyst identifies and evaluates the possible responses to them, namely avoiding, accepting, reducing or sharing the risks. Management then selects a set of actions that aligns the risks with the risk tolerance and risk appetite of the organisation.
Control activities
Once the risks and the measures and responses to them have been identified, procedures are drawn up or policy is adjusted to ensure that the selected risk management measures are carried out carefully and effectively.
Information & communication
Relevant information about the risks run, the measures taken and the organisational units affected is recorded and communicated to employees at all levels of the organisation. This may take the form of a timetable that enables staff to carry out their responsibilities while taking the risks into account.
Monitoring
The entire ERM process is monitored and modified where necessary. In a highly dynamic environment, adequate and timely action and response are required to limit damage or to exploit opportunities.
B – Activities
COSO emphasises that risk management is not strictly a serial process, in which each component affects only the next one, but a multidirectional process in which almost any component may influence any other. The process should therefore be applied at all levels of an organisation:
- The whole of the organisation
- Organisational divisions
- Business units
C – Organisational objectives
Within the COSO framework, ERM aims to achieve the objectives of an organisation as set out in the four categories below. Managing the risks within these four categories creates added value for the organisation’s stakeholders, because it reflects the risk appetite of the organisation.
Strategic
These objectives are set at a high level and are aligned with the company’s mission statement and vision.
Operations
These objectives relate to the actions a company performs to achieve the set goals and are tested for effectiveness and efficiency.
Reporting
These objectives reflect the need for reliable reporting within an entity.
Compliance
The objectives under compliance refer to the need for an organisation to comply with relevant laws and regulations.
Applicability and benefits of the COSO Framework
Organisations operate in an environment where factors such as globalisation, technology, restructuring, changing markets, competition and regulation may create uncertainty. These uncertainties offer both risks and opportunities. COSO’s ERM offers organisations:
- The ability to manage risks within their risk appetite philosophy
- The ability to provide maximum value to stakeholders
- Certainty and knowledge about risks
- The ability to prevent business failures and scandals
- A framework for meeting the requirements of laws and regulations
It’s Your Turn
What do you think? Are you familiar with this explanation of the COSO Framework? To what extent do you think active risk identification and management is important for business results? Which parts of your business or processes can contribute to a reliable risk policy?
Share your experience and knowledge in the comments box below.
How to cite this article:
Janse, B. (2018). COSO Framework. Retrieved [insert date] from toolshero: https://www.toolshero.com/management/coso-framework/