BOL Conferences
#97572 - 07/16/03 02:14 PM COSO's Enterprise Risk Management Framework
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
COSO has published its draft Enterprise Risk Management Framework for comment. The document is available at COSO's web site. The full document is 152 pages long, so I would start with the Executive Summary (the first 26 pages) unless you have a lot of free time on your hands.

Even for those of us that are not planning to implement a formal Enterprise Risk Management (ERM) program, this document provides excellent information. From an internal audit standpoint, it outlines a good thought process to go through when considering risk in our audits. The document lays out eight components of effective ERM:

- Internal Environment -- the foundation for risk management, considering tone at the top, risk appetite, culture, etc.

- Objective Setting -- the following types of objectives are identified: strategic, operations, reporting, and compliance. Objectives must exist before management (and auditors) can identify events or risks potentially affecting the achievement of these objectives.

- Event Identification -- Events, risks, and threats...what can go wrong or prevent the company / department from achieving their objectives.

- Risk Assessment -- How potential events / risks affect the achievement of objectives. Consider the likelihood and impact.

- Risk Response -- In response to each event / risk / threat identified, will management avoid, reduce, share, or accept the risk.

- Control Activities -- The policies and procedures that help ensure that risk responses are properly executed. As auditors, we are probably the most familiar with internal controls.

- Information and Communication -- Information, from internal and external sources, must be identified, captured and communicated in a form and timeframe that enable personnel to carry out their responsibilities. Information is needed at all levels of an organization to identify, assess and respond to risks, and to otherwise run the company and achieve its objectives.

- Monitoring -- To be effective, risk management activities must be monitored. Ongoing monitoring is built into the normal, recurring operating activities of a company. Separate evaluations consist of such activities as internal and external audit, and management self assessments. "You should only expect what you inspect."

For those of you familiar with COSO's Internal Control - Integrated Framework, you will see the similarity with the new framework.
_________________________
My opinions are just that...my opinions.

#97573 - 07/17/03 08:27 PM Re: COSO's Enterprise Risk Management Framework
Anonymous
Unregistered

What does COSO stand for? I hear it and know about it but can't remember what it stands for.

#97574 - 07/17/03 08:34 PM Re: COSO's Enterprise Risk Management Framework
111 Offline
Gold Star
Joined: Jun 2003
Posts: 484
Committee of Sponsoring Organizations (COSO)

#97575 - 07/17/03 09:59 PM Re: COSO's Enterprise Risk Management Framework
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
The Committee of Sponsoring Organizations of the Treadway Commission is a voluntary organization comprised of the following prominent accounting associations:

- American Institute of Certified Public Accountants (AICPA)
- American Accounting Association (AAA)
- Financial Executives International (FEI)
- Institute of Internal Auditors (IIA)
- Institute of Management Accountants (IMA)

They primarily do studies on ethics, internal controls, and corporate governance.

COSO was formed in 1985 to sponsor the work of the independent National Commission on Fraudulent Financial Reporting (the "Treadway Commission").

Probably more information than you wanted...
_________________________
My opinions are just that...my opinions.


Moderator:  Andy_Z