What is COSO’s model? How do we manage risk?
COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a US-based organization made up of private organizations, dedicated to providing a common model of guidance to entities on fundamental aspects of:
- executive management and governance,
- business ethics,
- internal control,
- business risk management,
- fraud deterrence, and
- financial reporting.
COSO’s model evolution:
1992: Internal Control – Integrated Framework (the COSO Report, or COSO I) was published as an integrated framework to help companies evaluate and improve their internal control systems.
2004: COSO's ERM model (Enterprise Risk Management – Integrated Framework), or COSO II, was published, allowing companies to improve their internal control system through a fuller risk management process.
2013: COSO III was published, later updated in the COSO ERM 2017 model, which improves the Integrated Framework and allows greater coverage of the risks that organizations face.
Figure: Representation of the COSO ERM Model 2017. Source: coso.org presentation "2017 ERM Slide Presentation".
Components of the COSO ERM model:
Governance and Culture:
The organization must reinforce the importance and understanding of its risk management, establish the supervisory responsibilities necessary to carry it out, and define the ethical values it will follow.
The main actions to develop are the following:
- Approve a policy to be followed by the Board of Directors to supervise the entity's risk.
- Establish operating structures.
- Define the desired culture and values.
- Senior management must demonstrate commitment to core values through, for example, the formation of committees and collegiate bodies to monitor compliance.
- Attract, develop, and retain capable individuals.
Strategy and Objective-Setting:
The strategic planning process defines business risk management, work objectives and strategies, and establishes a risk appetite aligned with them.
To carry out this part, the organization must:
- Analyze the business context.
- Define its risk appetite.
- Evaluate alternative strategies.
- Formulate business objectives.
Performance:
This involves identifying and assessing risks that may affect the achievement of business objectives. Risks are prioritized by severity based on the defined risk appetite. The organization then selects its responses to each risk and checks the total amount of risk it has assumed.
Carrying out this component includes:
- Identifying risks.
- Assessing the severity of each identified risk.
- Identifying, selecting and implementing risk responses.
Review and Revision:
In the performance review, the organization checks how corporate risk management has operated over time and, in view of any substantial changes that have occurred, decides which revisions or changes are necessary.
The points included in the review are the following:
- Assess substantial changes that have occurred.
- Review risk and performance over the period under review.
- Pursue improvement in risk management.
Information, Communication and Reporting:
Business risk management requires a continuous process of obtaining and sharing the necessary information from both internal and external sources. Communication must flow up and down throughout the organization.
This component requires:
- Supporting risk management with systems and technology.
- Using adequate communication channels.
- Reporting on risk, culture and performance to all involved parties.
Benefits for organizations:
- It helps to better understand how to perform risk management and its role in implementing the best strategies to follow.
- It allows establishing objectives that relate performance and comprehensive business risk management to increasing the company's profit.
- It gives universal guidelines for corporate governance and oversight.
- It helps to recognize the new context that globalization of the economy has brought about, and the need to adapt to the changes and complexity of the business world that come with it.
- It is a basis for expanding knowledge of risk management and responding to the expectations of managers and other interested parties.
- It supports the evolution and use of new information and communications technology (ICT) and its application in data management and decision-making.
At GlobalSUITE Solutions we rely on GlobalSUITE® software, fully developed by our team, which allows the implementation, management and maintenance of a Risk Management System starting from established objectives; likewise, it allows the assessment and monitoring of the treatment of defined risks.