You may have heard or seen that the new COSO ERM Framework is out as of a day or two ago – Enterprise Risk Management – Integrating with Strategy and Performance. This is a project that COSO announced on October 21, 2014, so it has been a long time in the works. The original (first) framework was issued in 2004. Below I have provided the bare-bones outline for the new ERM Framework, in addition to the bare-bones outline for the COSO 2013 Internal Control Framework, and a summary of the business judgment rule. Why did I provide all three? Because for boards and audit committees, for business entities and their executive officers, and sometimes for the employees also, all three are, or should be, tied together.
I will be commenting about and outlining the ERM Framework in detail in later posts (after I have had time to evaluate the detailed materials and discuss them with colleagues). For now, all I can give you is the outline below. I do note – and I’m not being negative about this – that I have some concern that the five components and twenty principles, with the detail added, might be a lot for some small and mid-sized business entities, nonprofits and governmental entities to handle. But it is what it is. As you may know, it is now recognized that boards are responsible for oversight of risk management, many audit committees are responsible for risk management oversight pursuant to statute, regulation, or exchange requirements, and a typical audit committee charter lists oversight of risk management as an area of responsibility. Nevertheless, there is generally no legally required or mandated risk management framework or process, although some industries (banks, for example) are heavily regulated for risk management purposes. It is possible that the new COSO ERM Framework will become the accepted framework to follow, although other frameworks do exist.
COSO (the Committee of Sponsoring Organizations of the Treadway Commission) is a private sector initiative, jointly sponsored and funded by the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Management Accountants, and The Institute of Internal Auditors.
The new COSO ERM Framework is organized into five interrelated primary or core components, which are supported by a set of twenty principles. The following is a broad outline of the five components and twenty principles. And as I stated above, in later posts I will be adding considerable detail. Below I have also provided an outline for the COSO 2013 Internal Control Framework, and a discussion about the business judgment rule.
Thanks for reading. David Tate, Esq., Royse Law Firm, Menlo Park office, with offices in the San Francisco Bay Area and Los Angeles
COSO ERM Framework – Enterprise Risk Management – Integrating with Strategy and Performance (five components, and twenty principles)
I. Governance and Culture Component:
- Exercises Board Risk Oversight
- Establishes Operating Structures
- Defines Desired Culture
- Demonstrates Commitment to Core Values
- Attracts, Develops, and Retains Capable Individuals
II. Strategy and Objective-Setting Component:
- Analyzes Business Context
- Defines Risk Appetite
- Evaluates Alternative Strategies
- Formulates Business Objectives
III. Performance Component:
- Identifies Risk
- Assesses Severity of Risk
- Prioritizes Risks
- Implements Risk Responses
- Develops Portfolio View
IV. Review and Revision Component:
- Assesses Substantial Change
- Reviews Risk and Performance
- Pursues Improvement in Enterprise Risk Management
V. Information, Communication, and Reporting Component:
- Leverages Information and Technology
- Communicates Risk Information
- Reports on Risk, Culture, and Performance
Enterprise Risk Management (ERM) and internal controls work together and should complement each other. The following is the broad outline of the COSO 2013 Internal Control Framework.
Sarbanes-Oxley section 404 requires public company management and its external auditors to attest to the design and operating effectiveness of a company’s internal control over external financial reporting. Internal controls should also be designed and implemented for private companies, nonprofits and governmental entities.
COSO 2013 Internal Control Framework – 5 Components, and 17 Principles
1. Control Environment Component:
- Demonstrate commitment to integrity and ethical values.
- Board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Management establishes, with board oversight, structures and reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.
- Demonstrate commitment to attract, develop and retain competent individuals in alignment with objectives.
- Hold individuals accountable for their internal control responsibilities in the pursuit of objectives.
2. Risk Assessment Component:
- Specify objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- Identify risks to the achievement of its objectives across the entity and analyze risks as a basis for determining how the risks should be managed.
- Consider the potential for fraud in assessing risks to the achievement of objectives.
- Identify and assess changes that could significantly impact the system of internal control.
3. Control Activities Component:
- Select and develop control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- Select and develop general control activities over technology to support the achievement of objectives.
- Deploy control activities through policies that establish what is expected and procedures that put policies into action.
4. Information & Communication Component:
- Obtain or generate and use relevant, quality information to support the functioning of internal control.
- Internally communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
- Communicate with external parties regarding matters affecting the functioning of internal control.
5. Monitoring Activities Component:
- Select, develop and perform ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- Evaluate and communicate internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
The Business Judgment Rule
The business judgment rule also is relevant on these topics (from Tate’s Excellent Audit Committee Guide). The business judgment rule provides a director with a defense to personal liability, holding that as a general principle of law, a director, including a director who serves as a member of a board committee, who satisfies the business judgment rule has satisfied his or her duties. Thus, the business judgment rule provides one standard of care, although other standards may very well also apply to specific tasks and responsibilities. The business judgment rule provides a very good overall approach for directors and audit committee members to follow, although the rule itself is lacking in specific detail. In some states the business judgment rule is codified by statute, while in other states the rule is established by case law (see, e.g., Cal. Corp. Code §309 for California corporations and Del. Gen. Corp. Law §141 for Delaware corporations, in addition to relevant case law). The rule also applies to directors as board committee members.
In summary, as a general principle the business judgment rule provides that a director should undertake his or her duties:
- In good faith, with honesty and without self-dealing, conflict or improper personal benefit;
- In a manner that the director reasonably believes to be in the best interests of the corporation and its shareholders; and
- With the care, including reasonable inquiry, that an ordinarily prudent person in a like position with like expertise would use under similar circumstances.
The rule itself doesn’t require a particular level of expertise, knowledge or understanding; however, as you might be aware, public company audit committee members do have such a requirement, and you can at least argue that, depending on the facts and circumstances, a board or committee member should have or should obtain a certain unspecified level of knowledge or understanding to be sufficiently prepared to ask questions, evaluate information provided, and make decisions.
Reliance Upon Other People Under the Business Judgment Rule
In the course and scope of performing his or her duties, a director must necessarily obtain information from and rely upon other people. An independent director is not involved in the day-to-day operations of the business. The director provides an oversight function. Pursuant to the business judgment rule, a director is entitled to rely on information, opinions, reports or statements, including financial statements and other financial data, prepared or presented by any of the following:
- Officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the relevant matters;
- Legal counsel, independent accountants or other persons as to matters that the director reasonably believes are within the person’s professional or expert competence; or
- A committee of the board on which the director does not serve, as to matters within that committee’s designated authority, so long as the director acts in good faith, after reasonable inquiry as warranted by the circumstances, and without knowledge that would cause reliance to be unwarranted.
That’s it for now. Thanks for reading. Much, much more to come on these topics. David Tate, Esq., Royse Law Firm, Menlo Park office, with offices in the San Francisco Bay Area and Los Angeles
* * * * *