Meet COSO, a 360° vision to manage risk
Introduction
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was designed to identify, assess and manage risks; to give an overview of the threats to which a company is exposed; to expand the concept of internal control; and to give the business a clear direction.
This framework was designed to deal with risk intelligently to maintain
business profitability and performance and to understand the importance of both
government and internal company compliance.
In 1992 the first COSO version was published and, since then, the document has become a reference for risk managers, boards of directors and managers of organizations around the world. By providing a 360° view of the risks that could affect the company, this framework gives a guideline for activating plans and thus managing risk correctly.
In addition, it makes it possible to prioritize and align objectives, make sound decisions, and have strategic planning and internal control of all areas of the company. In that vein, implementing COSO improves performance and oversight, and also helps reduce fraud in organizations, make better decisions and meet goals.
The Treadway Commission's Committee of
Sponsoring Organizations says COSO is dedicated to providing
thoughtful leadership through the development of comprehensive frameworks and
guidance on internal control, institutional risk management, and fraud
deterrence, in order to improve organizational effectiveness.
What is COSO?
The Treadway Commission Committee of Sponsoring Organizations (COSO) is an internal control framework that was established more than two decades ago to provide organizational leadership on three fronts: enterprise risk management (ERM), internal control, and fraud deterrence. This framework was designed by representatives of five private sector organizations in the United States, following an international fraud crisis, to prevent bad business practices.
According to the thesis Methods of Administration and Risk Assessment of the University of Chile, COSO benefits businesses and helps a company strengthen its internal control systems; therefore, it is being incorporated into the policies, rules and regulations of many companies for better control.
"The need for an operational risk framework in the company, which will
deliver fundamental keys and concepts, a common language, direction and clear
guidance, made this framework increasingly essential," the research adds.
According to the model of the Committee of Sponsoring Organizations of the Treadway
Commission, Internal Control is a process that is managed by the management and
the rest of the personnel of an organization, designed with the purpose of
providing security in the effectiveness and efficiency of operations,
reliability of financial information and compliance with regulations to ensure
the achievement of objectives.
This framework addresses fundamental issues in correct risk management, such as risk appetite and tolerance, as well as a view of risks from all their perspectives, impacts and probabilities.
The 5 components of COSO:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
1. Control environment:
Defines parameters to manage the internal control of the company that has
to do with organizational structure, administrative policies, institutional
ethics and hierarchy relationships, authority and responsibility, as well as
integrity, company values and management philosophy. The control
environment is the basis on which the rest of the elements are positioned and
fundamentally influences the objectives and strategy of the company.
The COSO II document, updated in 2013, states that the control environment
is the set of standards, processes and structures that provide the basis for
carrying out Internal Control throughout the organization. "The board
and senior management set the example regarding the importance of Internal
Control and standards of expected conduct."
The elements of a control environment are
prioritized as follows:
2. Risk Assessment
During the evaluation, risks are identified and analyzed, according to the probability of impact and frequency, to know their possible consequences if they occur. In this process, each risk is analyzed and classified as high (very likely to occur), medium (feasible) or low (very unlikely).
Each impact is also analyzed to determine whether it is internal or external and whether it is high, medium or low, so that risks can be prioritized in that order. This evaluation serves to start working on the most urgent risks and to propose strategies to mitigate or avoid them.
To assess the risks, it is recommended to draw up a heat map in which impact and probability are classified. Each level is identified with a different color: High Risk (Red), Medium-High Risk (Orange), Medium Risk (Yellow), Low Risk (Green).
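As an added example (not code from the original article), the following Python script scores a constructed risk register on the three-level probability and impact scale described above, places each risk in one of the four color bands, and orders the register by urgency. The mapping of the 3x3 grid into the four bands is an assumption, since the text does not state the thresholds.

```python
"""Risk heat map scoring in the style of the COSO risk assessment step.
Added example; not from the original article. The banding of the
probability x impact grid into the four colours is an assumption."""
from dataclasses import dataclass

# Ordinal scale taken from the text: high / medium / low
LEVEL = {"low": 1, "medium": 2, "high": 3}

# Assumed banding of the 3x3 grid (product of the two ordinals, 1..9)
# into the four colours named in the text.
BANDS = [(9, "High Risk (Red)"), (6, "Medium-High Risk (Orange)"),
         (3, "Medium Risk (Yellow)"), (1, "Low Risk (Green)")]

@dataclass
class Risk:
    name: str
    source: str          # "internal" or "external", as the text distinguishes
    probability: str     # high / medium / low
    impact: str          # high / medium / low

def score(risk: Risk) -> int:
    """Ordinal product; raises KeyError on values outside the scale."""
    return LEVEL[risk.probability.lower()] * LEVEL[risk.impact.lower()]

def band(risk: Risk) -> str:
    """Colour band for a risk, highest threshold first."""
    s = score(risk)
    for threshold, label in BANDS:
        if s >= threshold:
            return label
    raise ValueError("score below lowest band")  # unreachable for valid input

def prioritize(risks):
    """Most urgent first: by score, then by impact, then alphabetically."""
    return sorted(risks, key=lambda r: (-score(r), -LEVEL[r.impact.lower()], r.name))

def heat_map(risks):
    """Names of risks in each (probability, impact) cell of the 3x3 grid."""
    grid = {(p, i): [] for p in LEVEL for i in LEVEL}
    for r in risks:
        grid[(r.probability.lower(), r.impact.lower())].append(r.name)
    return grid

# Constructed sample register (not from the article)
SAMPLE = [
    Risk("Supplier outage", "external", "medium", "high"),
    Risk("Phishing of finance staff", "external", "high", "high"),
    Risk("Spreadsheet formula error", "internal", "high", "low"),
    Risk("Office printer failure", "internal", "low", "low"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"{r.name:28} {r.source:9} {band(r)}")
```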
COSO II says that risk assessment involves a dynamic and interactive
process to identify and analyze risks that affect the achievement of the
entity's objectives, giving the basis for determining how risks should be
managed. "Management considers possible changes in the context and in
the business model itself that impede its ability to achieve its
objectives."
3. Control activities
It refers to the policies and procedures that outline the appropriate
actions to manage risks, make decisions that favor the operation and the
achievement of objectives. All areas of the company, without exception,
are responsible for executing control activities, which lead to correct
decision-making and compliance with objectives.
These control activities, according to COSO, can be preventive or detection
and can encompass a wide range of manual and automated activities. These
activities should minimize the risks that hinder the achievement of the
organization's objectives.
4. Information and communication
Companies must manage information from all areas and unify it to have
convergence and speak the same language. Information is one of the most
important assets of the organization, so it must be protected and must be
available to all areas of the company, thus reducing errors when
identifying, classifying, evaluating and managing risks.
Therefore, the leaders of each area must ensure that they collect
information that allows analyzing the risks and exchanging it to have an
overview of the company. To the extent that this is met, there will be
better internal control and obstacles that threaten the fulfillment of the
objectives will be removed.
In this sense, the information is not only used for financial statements,
but also in decision-making. For this reason, leaders must be rigorous when collecting
information, verifying and confirming it so that it is true and accurate.
Meanwhile, communication is the process of providing, sharing and obtaining the
necessary, relevant and quality information.
According to COSO, the Information is necessary in the entity to exercise
the responsibilities of Internal Control in support of the achievement of
objectives. "Communication occurs both internally and externally and
provides the organization with the necessary information to carry out daily controls.
Communication allows staff to understand the responsibilities of Internal
Control and their importance for the achievement of objectives." (COSO II,
2013).
5. Monitoring
Continuous monitoring of the organization's risk management helps to make the strategies to mitigate
them effective and reduce errors that may affect the goals. In addition, it
serves to check the effectiveness of internal control. Proper risk management
is achieved with continuous supervision and monitoring, as well as frequent
assessments.
Monitoring is: "Concurrent or separate assessments, or a combination
of both. It is used to determine whether each of the components of Internal
Control, including controls to implement the principles within each component,
is present and functioning. Findings are evaluated and deficiencies are
communicated in a timely manner, significant ones are communicated to senior
management and the board" (COSO II, 2013).
With the Pirani Riskment Suite software, you can register the controls you consider necessary to prevent, detect or correct risks to which your company is exposed; you can qualify them by design, execution and solidity; and finally, you can associate risks and those responsible for supervising these controls.
Internal control, according to the COSO document
COSO II (2013) defines internal control as a process carried out by the
Board of Directors, Management and other personnel of the Organization,
designed to provide reasonable assurance on the achievement of objectives
related to operations, reporting and compliance.
Internal Control Objectives
Objectives of operations
· Related to the mission and vision of the entity.
· They vary based on driving decisions related to the operating model, industry considerations, and performance.
· They are opened into sub-objectives for the different components of the structure of the entity.
· They include the safeguarding of assets.
Reporting objectives
· External financial reports
o Financial Statements
o Investment Account
· External non-financial reports
o Sustainability Reports
o Information to the public
· Internal financial and non-financial reporting
o Budget implementation
o Activity Level Reports
Compliance objectives
· Objectives related to compliance with laws and regulations.
· Compliance with the entity's policies and procedures, for the purposes of the framework, corresponds to operational objectives.
Limitations of Internal Control
· Establishment of adequate objectives, as a precondition for internal control.
· Human judgment in decision-making can be wrong or subject to bias.
· Errors resulting from human error.
· Possibility of cancellation of controls by management.
· Possibility of circumventing controls due to collusion between different actors.
· External factors beyond the control of the entity.
The evolution of this internal control framework
COSO I
With the purpose of directing companies to improve internal control, in
1992, the Committee of Sponsoring Organizations of the Treadway
Commission published COSO I, in which it
was defined that internal control is a responsibility of the management to have
the objectives aligned with the control of financial information, compliance
with regulations and security in operations.
This COSO required demonstrating commitment to integrity and ethical values, establishing authority structures and demanding accountability, and assessing risk and analyzing changes.
COSO II
In 2004, the "Enterprise Risk Management - Integrated Framework"
(COSO II) standard was published, which expanded the importance of internal
control and risk management in all areas of the organization, including
directors and managers as well as other employees.
The COSO II document states that corporate risk management deals with risks
and opportunities that affect the creation of value or the permanence of the
company. In addition, risks are managed to identify potential events that may
affect the organization and provide reasonable assurance in achieving
objectives.
This new framework, instead of establishing structures with authority and
demanding accountability, recommends accountability in oversight and instead of
just assessing risks, identifies and analyzes them.
COSO II ERM
The COSO II ERM version was published in 2013 and is the evolution of the one issued in 2004. This new framework highlights the importance of the agility of risk management systems to adapt to their environments; confidence in eliminating risks and meeting objectives; and greater clarity in information and communication.
The new Enterprise Risk Management Framework "outlines how executives
can be more confident to address many of the critical challenges of
twenty-first century business as they navigate evolving markets, rapid
innovation and increased regulatory focus," according to the
University of Chile's Methods of Risk
Management and Assessment thesis.
"The Framework is designed to turn a preventive, process-based risk
monologue into a proactive, opportunity-focused conversation to discover how
risk management can create, preserve and realize quality and value," adds
the Analysis of Risk Management and Assessment Methods.