RIMS Membership Has a Say in COSO’s New ERM Framework

When Risk & Insurance Management Society (RIMS) members use the new ERM framework published Sept. 6 by the Committee of Sponsoring Organizations of theTreadway Commission (COSO), they may recognize their own ideas prominently displayed. Carol Fox, RIMS vice president of strategic initiatives announced the call for public comment on Risk Management Monitor in June 2016. She said feedback from the industry, and particularly RIMS members, is reflected in COSO’s ERM Framework: Integrating with Strategy and Performance.

“RIMS members took advantage of the unique opportunity to influence one of the industry’s major guidance documents. For several weeks, members collaborated and drafted a response, which was publicly available through the end of last year,” said Fox, who participated on the project’s advisory council. “We were very appreciative that COSO reached out to RIMS and other professional associations, whose input strengthened the content, ideas and approaches featured in Integrating with Strategy and Performance.

A summary of the public comment feedback includes:

  • More than 200 responses–double that of the internal control update
  • Over 70% of responses from individuals
  • Over 50% of participation outside of North America
  • Almost 50% had affiliations beyond COSO memberships
  • Almost 50% of respondents had 10 or more years of risk management experience
  • Positive ratings outnumbered negative ratings by 4.5 to 1

The new publication serves as an update to 2004’s Enterprise Risk Management – Integrated Framework, which is internationally regarded as the standard for applied risk management frameworks. Developed by PwC under the direction of the COSO Board, its simple, five-component structure considers various viewpoints and operating structures while highlighting the importance of enterprise risk management in strategic planning. It also emphasizes embedding ERM throughout an organization, as risk influences strategy and performance throughout the organization.

“The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting,” said COSO Chair Robert B. Hirth Jr. “Our overall goal is to continue to encourage a risk-conscious culture.”

Enterprise Risk Management: Integrating with Strategy and Performance is available in printed form, e-book, on-line subscription and pdf licensing for large organizations, accounting and consulting firms. Additionally, COSO is planning for the framework to be translated into several languages, including Chinese, Japanese, Spanish and French.

Visit www.coso.org for purchase information and for a link to the framework’s executive summary.

How to Influence Risk Management Standards, Frameworks and Guidelines

What do you want risk management standards, frameworks and guidelines to do for your success? Many people depend on these documents to provide needed guidance. Yet, you have heard the reasons people give for not wanting to deal with risk management standards and frameworks. Perhaps you have even voiced these yourself, at one time or another:

  • Our organization is so unique, no one standard or framework could possibly apply.
  • Standards are the same as regulations—we don’t need more regulations.
  • We know what we are doing—we don’t need any guidance. Those things don’t apply to us anyway.

Whether we like it or not, standards are a part of life and our daily language. We refer to a gold standard as a measure of excellence. There are standard breeds of dogs, horses and even chickens. We have internet standards. And what would we do without standards of care, and food safety standards?

Standards have been around a long time, and actually have benefited society. When time was standardized along the prime meridian, commerce flourished. When the United States decided to build the transcontinental railroad using a standard gauge, deliveries of passengers and goods were made more efficiently. Anyone who has traveled internationally can attest to at least one outcome when there is a lack of standards: the proliferation of power adapters that are needed when representatives from different nations gather.

Standards and guidelines—which typically are voluntary—are not regulations. Standards are created through consensus, public comment and acceptance. Regulations, on the other hand, are mandated through legislation. A primary standard (or “recognized” standard) is an established norm or collection of “best practices” that evolve over time under the jurisdiction of an international, regional or national standards development body. Standards are published as a formal document that can establish criteria, methods, processes and practices. In contrast, a guidance document, company product, corporate standard, etc., that may be developed outside of a recognized standards setting body—but which becomes generally accepted—is often called a de facto standard.

Ultimately, standards provide value when they foster common understanding reflecting collective wisdom, while creating efficiencies and better results for the organizations using them. In benefiting organizations, risk management standards generally recommend, but do not require, risk management criteria, methods, processes and practices. Therefore, they boost risk management’s value—one of the reasons you should care about risk management standards, frameworks and guidelines. And shouldn’t you be involved in developing guidance about your daily work? Another reason to care.

The problem is not a shortage of risk management standards and frameworks, but the proliferation of standards and frameworks that, at times, seem to contradict each other. The result is confusion, even about how terms and concepts are used. Sorting through these contradictions is challenging, particularly when others in the organization may be advocating a different risk management approach. These differences lead respective proponents to argue about which one is “right” or “better,” rather than focusing on the value that risk management can deliver. Creating a new risk management standard does not necessarily help the situation, as it usually just becomes one more competing standard.

There is an unmistakable need for understanding how to apply various risk management standards. Another reason for you to care: how complementary—or contradictory—risk management standards and frameworks may be can either help or hurt your efforts.


We all have a unique opportunity right now to influence two of the major risk management guidance documents: ISO 31000:2009 developed by the International Organization for Standardization and the COSO ERM Framework 2004 under the auspices of the Committee of Sponsoring Organizations. Both are undergoing revision reviews at this time.

To influence the ISO 31000 revision: Seek to join the national mirror committee of your country. In the United States, the Technical Advisory Group for the American National Standards Institute (ANSI) is administered by the Association of Safety Engineers (ASSE) and chaired by Carol Fox, RIMS vice president of strategic initiatives. If you are interested in joining the US TAG, contact Ovidiu Munteanu for information and an application (omunteanu@asse.org).

To influence the COSO revision: The revision is open for public comment June 15 through September 30, 2016. COSO has expanded its website, www.COSO.org, with a section on the Framework update that includes the proposed Framework, survey and comment tools, and FAQs about the project, details of the most significant updates and how to respond to the survey. Written comments on the exposure draft will become part of the public record and will be available on the COSO website through Dec. 31, 2016.