Meet COSO, a 360° vision to manage risk


Introduction

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was designed to identify, assess and manage risks; to give an overview of the threats to which a company is exposed; to expand the concept of internal control; and to have a clear direction of the business.

This framework was designed to deal with risk intelligently to maintain business profitability and performance and to understand the importance of both government and internal company compliance.

In 1992 the first COSO version was published and, since then, the document has become a reference for risk managers, boards of directors and managers of organizations around the world. By providing a 360° view of the risks that could affect the company, this framework gives a clear line of action for activating plans and thus managing risk correctly.

In addition, it makes it possible to prioritize and align objectives, make sound decisions, and have strategic planning and internal control of all areas of the company. In that vein, implementing COSO improves performance and oversight, and also helps reduce fraud in organizations, make better decisions and meet goals.

The Treadway Commission's Committee of Sponsoring Organizations says COSO is dedicated to providing thoughtful leadership through the development of comprehensive frameworks and guidance on internal control, institutional risk management, and fraud deterrence, in order to improve organizational effectiveness.

What is COSO?

The Treadway Commission Committee of Sponsoring Organizations (COSO) is an internal control framework that was established more than two decades ago to provide organizational leadership on three fronts: enterprise risk management (ERM), internal control, and fraud deterrence. This framework was designed by representatives of five private sector organizations in the United States, following an international fraud crisis to prevent bad business practices.

According to the thesis Methods of Administration and Risk Assessment of the University of Chile, COSO benefits business and helps a company strengthen its internal control systems; therefore, it is being incorporated into the policies, rules and regulations of many companies for better control. "The need for an operational risk framework in the company, which will deliver fundamental keys and concepts, a common language, direction and clear guidance, made this framework increasingly essential," the research adds.

According to the model of the Committee of Sponsoring Organizations of the Treadway Commission, Internal Control is a process that is managed by the management and the rest of the personnel of an organization, designed with the purpose of providing security in the effectiveness and efficiency of operations, reliability of financial information and compliance with regulations to ensure the achievement of objectives.

This framework addresses issues that are essential to correct risk management, such as risk appetite and tolerance, as well as a view of risks from all their perspectives, impacts and probabilities.

The 5 components of COSO:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring

1. Control environment:

Defines parameters to manage the internal control of the company that has to do with organizational structure, administrative policies, institutional ethics and hierarchy relationships, authority and responsibility, as well as integrity, company values and management philosophy. The control environment is the basis on which the rest of the elements are positioned and fundamentally influences the objectives and strategy of the company.

The COSO II document, updated in 2013, states that the control environment is the set of standards, processes and structures that provide the basis for carrying out Internal Control throughout the organization. "The board and senior management set the example regarding the importance of Internal Control and standards of expected conduct."

The elements of a control environment are prioritized as follows:

2. Risk Assessment

During the evaluation, risks are identified and analyzed, according to the probability of impact and frequency, to know their possible consequences if they occur. In this process, each risk is analyzed and classified as high (very likely to occur), medium (feasible) or low (very unlikely).

Each impact is analyzed to determine whether it is internal or external and whether it is high, medium or low, so that risks can be prioritized in that order. This evaluation serves to start working on the most urgent risks and to propose strategies to mitigate or avoid them.

To assess the risks, it is recommended to draw up a heat map, where the impact and probability are classified. Each level is identified with a different color: High Risk (red), Medium-High Risk (orange), Medium Risk (yellow) and Low Risk (green).


COSO II says that risk assessment involves a dynamic and interactive process to identify and analyze risks that affect the achievement of the entity's objectives, giving the basis for determining how risks should be managed. "Management considers possible changes in the context and in the business model itself that impede its ability to achieve its objectives."

3. Control activities

Control activities are the policies and procedures that outline the appropriate actions to manage risks and to make decisions that favor the operation and the achievement of objectives. All areas of the company, without exception, are responsible for executing control activities, which lead to correct decision-making and compliance with objectives.

These control activities, according to COSO, can be preventive or detective and can encompass a wide range of manual and automated activities. These activities should minimize the risks that hinder the achievement of the organization's objectives.

4. Information and communication

Companies must manage information from all areas and unify it to have convergence and speak the same language. Information is one of the most important assets of the organization, so it must be protected and must be available to all areas of the company, thus reducing errors when identifying, classifying, evaluating and managing risks.

Therefore, the leaders of each area must ensure that they collect information that allows analyzing the risks and exchanging it to have an overview of the company. To the extent that this is met, there will be better internal control and obstacles that threaten the fulfillment of the objectives will be removed.

In this sense, the information is not only used for financial statements, but also in decision-making. For this reason, leaders must be rigorous when collecting information, verifying and confirming it so that it is true and accurate. Meanwhile, communication is the process of providing, sharing and obtaining the necessary, relevant and quality information.

According to COSO, information is necessary in the entity to exercise the responsibilities of Internal Control in support of the achievement of objectives. "Communication occurs both internally and externally and provides the organization with the necessary information to carry out daily controls. Communication allows staff to understand the responsibilities of Internal Control and their importance for the achievement of objectives." (COSO II, 2013).

5. Monitoring

A continuous monitoring of the organization's risk management helps to make the strategies to mitigate them effective and reduce errors that may affect the goals. In addition, it serves to check the effectiveness of internal control. Proper risk management is achieved with continuous supervision and monitoring, as well as frequent assessments.

Monitoring is: "Concurrent or separate assessments, or a combination of both. It is used to determine whether each of the components of Internal Control, including controls to implement the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, significant ones are communicated to senior management and the board" (COSO II, 2013).

With the Pirani Riskment Suite software, you can register the controls you consider necessary to prevent, detect or correct the risks to which your company is exposed; you can rate them by design, execution and solidity; and finally, you can associate risks and the people responsible for supervising these controls.

Internal control, according to the COSO document

COSO II (2013) defines internal control as a process carried out by the Board of Directors, Management and other personnel of the Organization, designed to provide reasonable assurance on the achievement of objectives related to operations, reporting and compliance.

Internal Control Objectives

Objectives of operations

- Related to the mission and vision of the entity.
- They vary based on driving decisions related to the operating model, industry considerations and performance.
- They are broken down into sub-objectives for the different components of the entity's structure.
- They include the safeguarding of assets.

Reporting objectives

- External financial reports
  - Financial Statements
  - Investment Account
- External non-financial reports
  - Sustainability Reports
  - Information to the public
- Internal financial and non-financial reporting
  - Budget implementation
  - Activity Level Reports

Compliance objectives

- Objectives related to compliance with laws and regulations.
- Compliance with the entity's policies and procedures, for the purposes of the framework, corresponds to operational objectives.

Limitations of Internal Control

- Establishment of adequate objectives, as a precondition for internal control.
- Human judgment in decision-making can be wrong or subject to bias.
- Errors resulting from human error.
- Possibility of management overriding controls.
- Possibility of circumventing controls through collusion between different actors.
- External factors beyond the control of the entity.

The evolution of this internal control framework

COSO I

With the purpose of directing companies to improve internal control, in 1992 the Committee of Sponsoring Organizations of the Treadway Commission published COSO I. It defined internal control as a responsibility of management, aimed at aligning objectives with the control of financial information, compliance with regulations and security in operations.

COSO I required demonstrating commitment to integrity and ethical values, establishing authority structures and demanding accountability, and assessing risk and analyzing changes.

COSO II

In 2004, the "Enterprise Risk Management - Integrated Framework" (COSO II) standard was published, which expanded the importance of internal control and risk management in all areas of the organization, including directors and managers as well as other employees.

The COSO II document states that corporate risk management deals with risks and opportunities that affect the creation of value or the permanence of the company. In addition, risks are managed to identify potential events that may affect the organization and provide reasonable assurance in achieving objectives.

This new framework, instead of only establishing structures with authority and demanding accountability, recommends accountability in oversight; and instead of just assessing risks, it identifies and analyzes them.

COSO II ERM

The COSO II ERM version was published in 2013 and is the evolution of the one edited in 2004. This new framework highlights the importance of agile risk management systems that adapt to changing environments; confidence in eliminating risks and meeting objectives; and greater clarity in information and communication.

The new Enterprise Risk Management Framework "outlines how executives can be more confident to address many of the critical challenges of twenty-first century business as they navigate evolving markets, rapid innovation and increased regulatory focus," according to the University of Chile's Methods of Risk Management and Assessment thesis.

"The Framework is designed to turn a preventive, process-based risk monologue into a proactive, opportunity-focused conversation to discover how risk management can create, preserve and realize quality and value," adds the Analysis of Risk Management and Assessment Methods.
