From Internal Control to Enterprise Risk Management

Article excerpt

In September 2004, the Council of Sponsoring Organizations of the Treadway Commission on Fraudulent Financial Reporting issued Enterprise Risk Management--Integrated Framework. The new publication is intended to provide a more robust framework for COSO's earlier seminal work Internal Control--Integrated Framework (1992).


In the early 1990s, the Treadway Commission came to the conclusion that a broad conceptual framework was necessary if managers were to be properly equipped to meet their responsibility for internal control. The key features of this conceptual framework, as set forth in Internal Control--Integrated Framework, can be very briefly summarized as follows:

* Managers are responsible for achieving three basic objectives: (1) they must operate effectively and efficiently, (2) they must produce financial reports that outside parties can reasonably rely upon, and (3) they must comply with applicable laws and regulations.

* Managers cannot leave the achievement of these objectives to chance. Rather, they must create a structure or framework of internal control to ensure that each of these objectives is met.

* A truly comprehensive framework requires five components: (1) the establishment and maintenance of a sound control environment (corporate culture): (2) the regular, ongoing assessment of risk, (3) the design, implementation, and maintenance of control-related policies and procedures to compensate for identified risks; (4) adequate communication; and 5) the regular, ongoing monitoring of control-related policies and procedures to ensure that they continue to function as designed and to ensure that identified problems are handled appropriately.

The first COSO report was extraordinarily well received. Indeed, its comprehensive framework of internal control has provided the criteria now commonly used for internal control assessments, such as those recently mandated by the Sarbanes-Oxley legislation.

COSO itself remains highly satisfied with its original work and expressly states that it does not intend for its more recent report to alter or supplant its earlier guidance. All the same, COSO reached the conclusion that its earlier work on internal control could benefit from being placed within an even broader conceptual framework that COSO chose to describe as enterprise risk management.


COSO defines enterprise risk management as "a process effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. This process necessarily involves both individual units within an organization and the organization as a whole."

Like the earlier report, Enterprise Risk Management--Integrated Framework reiterates essentially the same three basic managerial objectives identified previously: operations, reporting (broadened to encompass nonfinancial and internal reporting), and compliance. In addition, COSO has identified a fourth category--strategic objectives--that that it describes as being a "higher level objective" with which the other three objectives need to be aligned.

Enterprise Risk Management--Integrated Framework also replaces the single risk assessment component of the earlier framework with four separate components (including one that continues to be called risk assessment), while at the same time providing additional guidance on the remaining four components identified in the earlier report. Thus, Enterprise Risk Management--Integrated Framework identities eight interrelated components that are necessary to provide reasonable assurance that objectives are being achieved or that management is made aware of risks that could impede their achievement:

* Internal environment

* Objective setting

* Event identification

* Risk assessment

* Risk response

* Control activities

* Information and communication

* Monitoring

A key factor of the internal environment component is the identification of an organization's risk appetite. …