You’ve heard the words in business circles —COSO, ERM, SOX, and COBIT. Looks like alphabet soup. But what do they mean? If you think these all relate to risk management, you are on the right track. The difference lies in their primary focus/objective and the methodology. Before we dig deeper into the different frameworks, let’s first define what risk management is.
What Is Risk Management?
Risk management is the process of identifying, assessing and controlling financial, legal, strategic, and security risks to an organization’s financial reporting, capital, and earnings. Risks originate from many sources, including financial reporting errors, fraud, legal, statutory, strategic management errors, cyber threats, and/or natural disasters.
A successful risk management program will enable management teams to consider a broad range of risks an organization faces. Risk management also considers the relationship between risks – and the cascading impact they could have on an organization’s strategic goals.
To reduce risk, management teams need to effectively implement internal controls to minimize, monitor, and control the impact of threats.
Risk Management Frameworks
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
If you are curious about the unusual name, here is the explanation. The COSO internal control framework was introduced in 1992 and then overhauled to a more modern, comprehensive version in 2013. The framework was sponsored and funded by five accounting and auditing associations:
The commission was led by James Treadway, the former SEC commissioner.
COSO is recognized as the leading framework for designing, implementing, and assessing the effectiveness of internal controls. Its objective was to provide reasonable assurance regarding achieving organizational objectives in the following categories: operational effectiveness and efficiency, financial reporting reliability, compliance with applicable laws and regulations, and asset safeguarding.
SOX (Sarbanes-Oxley Act)
SOX is a legislation passed by the U.S. Congress in 2002 and was sponsored in Congress by Senator Sarbanes and Representative Oxley. One of the features of this law was the addition of a requirement for management to certify and the independent auditor to attest to the effectiveness of a company’s internal control system. The goal was to protect shareholders and the public from fraudulent financial reporting practices. Among the COSO objectives, SOX’s focus was on the financial objective.
ERM (Enterprise Risk Management)
The ERM framework, issued in 2004, added a focus on the strategic objective (i.e., high-level goals that support the organization’s mission) to COSO’s operational, financial, and compliance objectives.
ERM expanded on COSO’s risk management focus to seize opportunities for achieving organizational objectives such as enhancing profits. ERM considers both positive risks (i.e., business opportunities) and negative risks (i.e., business threats).
COBIT (Control Objectives for Information and Related Technologies)
COBIT is the IT equivalent of COSO. It is a framework created by ISACA (Information Systems Audit and Control Association) for information technology management and governance. It aimed to link business risks, control requirements, and the technical infrastructure. It is used for the governance of both IT implementations and ongoing operations.
While there are many frameworks to choose from, it is important to find the right one for your company and ensure compliance. Our Internal Audit team has extensive knowledge of risk management frameworks and can work with you to select the best option for your business and guide you through compliance. Reach out to speak to our team and get started.