The COSO ERM Update – Megrow Starts the Dissection

The COSO ERM Update – So What?

COSO, together with a number of partners, published the much anticipated ERM-framework update a few months back. I blogged about it the moment it was hot off the press.

The dust has settled, it’s time to dig a little deeper and ponder about the actual impact of the update. The executive summary of the press release already spans 16 pages, giving us an indication about the complexity of the task the authors have tried to tackle.

I decided to look at the new framework from two angles. First: what does it mean to the “converted”, i.e. the ERM practitioners who are familiar with the matter and second, how does an ERM-skeptic (yes, they exist in large numbers… ) look at the new framework and more importantly would it convince him or her to become an ERM-believer?

for the converted

For the “converted” it seems to makes sense. The world has moved on, risks have become more complex, Cyber, IoT and other hot topics were not on the agenda 14 years ago when the original framework was published.

Furthermore, linking ERM to strategy and ultimately to performance also is the right thing to do. After all, elaborately conceived risk heat maps that end up in drawers don’t contribute much to a company’s performance. Boards have become bored with just looking at risk maps, showing numbers in red, amber and green.

And lastly, to counter the ever-increasing complexity of risk with a set of principles is probably the only way to go about it. It is impossible to define universal, detailed standards for today’s and tomorrow’s rapidly evolving risk landscape. Taking the “principles” route is an easy way around being tangible – this criticism of the new framework is heard often.

for the non-converted

stay tuned, update coming soon.