Risk Advisory Group COSO Plans More Detailed Recommendations in 2021

The group is zeroing in on emerging risks, offering advice that is more prescriptive than the guidelines in its broad frameworks

Risk advisory group COSO has issued guidance on cybersecurity and other areas of risk management.

Photo: nicolas asfouri/Agence France-Presse/Getty Images

The Committee of Sponsoring Organizations of the Treadway Commission—known for its influential, albeit somewhat abstract, risk management guidelines—is looking to provide more practicable advice on managing emerging risks.

COSO, whose guidelines are closely followed by public companies and government agencies, has spent recent months publishing more prescriptive advice meant to supplement broad-stroke suggestions in its most-recognized documents, one on internal controls and another on enterprise risk management.

“We want to make sure that these very broad, principle-based frameworks can be effectively applied in the real world,” COSO Chairman Paul Sobel said.

In the year ahead, the group plans to issue detailed recommendations on how organizations can better manage risks related to cloud computing, artificial intelligence and outside contractors, among other topics. The reports would follow a series of similar ones issued over the past two years on topics such as cyberattacks, blockchain and compliance risks.

The effort attempts to address one of the more challenging aspects of advising on risk management: There is no one-size-fits-all approach. Individual companies face different kinds of risks. And even if two companies faced identical risks, they might manage them differently.

Executives, directors and others with responsibility for risk and compliance issues often look to COSO’s blueprints for some direction. But the organization’s framework on enterprise risk management can be open to interpretation and sometimes confusing, risk experts say. Frameworks tend to be written broadly so that they can be applied universally, but that approach can come at the expense of clear how-to instructions.

“This deeper guidance will help companies better customize those frameworks, so that they can truly be useful and meaningful for them and their unique strategies and business objectives,” Mr. Sobel said.

COSO Chairman Paul Sobel

Photo: Committee of Sponsoring Organizations of the Treadway Commission

Much of the supplementary guidance is centered on COSO’s enterprise risk management framework, which is more conceptual than its guidance on internal controls. The latter framework is widely adopted by companies for the purposes of complying with the Sarbanes-Oxley Act, which requires management to give assurance of the effectiveness of controls over financial reporting.

David Fisher, a partner at McLean, Va.-based advisory firm Guidehouse, said COSO’s enterprise risk framework has helped his team steer organizations past the simple creation of risk lists, enabling them to better govern risk management and connect risk assessments to a broader strategy. “It’s the heart of what we use,” said Mr. Fisher, who leads Guidehouse’s risk consulting practice.

At the same time, his group has paid special attention to some of COSO’s more prescriptive reports, such as one published in May that spelled out how organizations can better understand, monitor and communicate risk appetite. “That’s been a challenge for our clients,” Mr. Fisher said.

The guidance was useful because understanding how much risk an organization is willing to accept is central to effective risk management, he said. The detailed recommendations helped his clients “really understand how to think about the concept—but, more importantly, how to then actualize it within their organization,” said Mr. Fisher, a former Internal Revenue Service chief risk officer.

“Anything we can do to take concepts and make them feel real is, from a consulting standpoint, both our challenge and opportunity in ERM,” he said. “It’s a waste of time if this stuff isn’t real.”

Write to Jack Hagel at jack.hagel@wsj.com

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.