As Australia digests the recently launched COSO enterprise risk management (ERM) framework, the debate over how much impact it will have here is raging. Stuart Fagg reports
The COSO (Committee of Sponsoring Organisations of the Treadway Commission) enterprise risk management integrated framework was released last month following more than three years of development. It was widely expected to clarify issues such as how an organisation determines the right amount of risk for the value it is striving to create and the role of boards of directors and senior management in ERM, and to include an application techniques add-on, which illustrates how effective ERM concepts and principles may be applied in the business environment.
However, senior risk experts in Australia have offered differing views as to how successful the framework will be here. COSO’s internal controls framework became world’s best practice after being recommended by the US Securities and Exchange Commission (SEC) for Sarbanes-Oxley Act compliance and is in use at some of Australia’s largest corporates. Some believe the ERM framework will be as popular.
“The development of the framework is that a while back the original COSO internal controls framework was developed and the committee then saw that there was a greater trend towards a need to apply risk management, not just internal controls,” said Nick Chipman, partner, financial and organisational risk management at PricewaterhouseCoopers. “The ERM framework is the natural extension to the internal controls framework.”
With some Australian companies pursuing the Sarbanes-Oxley compliance route due either to being SEC registrants or wishing to raise capital in the US, the ERM framework could get a foothold here, Chipman added. “Given the pervasive nature of the impact of Sarbanes-Oxley requirements and US SEC registrants’ requirements, it will have global reach. The implication out of Sarbanes-Oxley is that COSO is the preferred internal controls model to consider and the parallel is the risk management aspect. In terms of best principles, it is up there.”
Other observers also lauded the launch of the framework. “There’s been a lack of clarity in just what ERM should involve,” said one senior financial services business figure. “This will certainly go some way to rectifying that and will also help debase the idea that ERM is an expensive and onerous invention of consultancies.”
However, those looking for a shot in the arm for their ERM problems may be disappointed. “I think it is a good contribution to the ERM body of knowledge, but it won’t be a silver bullet to make ERM suddenly easy to implement or more valuable,” said Gary Anderson, managing director of Protiviti. “But it does help clarify the links between ERM and internal controls. It is still a major challenge for companies that want to implement ERM properly and add value to their organisation rather than it being a compliance exercise.”
Akin to the ASX’s corporate governance guidelines and the recent update to AS/NZS 4360, the COSO framework is a principles-based document. “If you were to take the principles as guideposts as to what the companies need to look at, there is more work involved, but it is more targeted work,” Chipman said. “So from that point of view, is it more comprehensive? Yes. But does it get to describing exactly how it should be implemented in a company? No.”
The subject of ERM has attracted fierce debate. Some call it the best way to manage risk across complex and diverse organisations and jurisdictions, while others point to its current incarnation and label it expensive and cumbersome. But that has less to do with the model used and more to do with the culture of the organisations involved. “We’ve seen plenty of frameworks that are expensive and unworkable,” Chipman said. “Is this going to correct that? Well, it depends on who’s got the wheel at the time.”
Stuart Fagg is editor of Lawyers Weekly’s sister publication Risk Management