The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is preparing new risk guidance to help companies manage cybersecurity threats. The committee expects companies to adopt a well-structured risk-management methodology for dealing with cyberattacks, crafting a risk-appetite statement, and managing risk and compliance across the enterprise. COSO is known for establishing a management framework for both financial and non-financial risk.
According to Committee Chairman Paul Sobel, quoted in a Wall Street Journal article, the risk guidance will be issued later this year. The details below outline the main points relevant to the guidance. The same article reports that Capital One Financial Corp, the fifth-largest U.S. credit card issuer, was infiltrated by attackers and that the personal information of more than a hundred million customers and applicants was accessed.
With respect to cybersecurity, Sobel noted that attackers have growing capabilities to carry out malicious attacks that can penetrate an enterprise's defences. Sobel, who is also chief risk officer at the pulp-and-paper company Georgia-Pacific LLC, pointed out that “We continue to have very visible data breaches.” He stated that the upcoming guidance will fit the needs of cybersecurity professionals. He also said that the forthcoming risk guidance has little to no connection with the Capital One Financial Corp case; rather, it is being issued to give enterprises more explicit instruction on assessing the 20 principles of COSO's risk-management framework, which range from risk management to information security. Risk appetite is defined differently across industries. In some industries, according to Mr. Sobel, it is a statement that is usually quantitative and formally agreed upon by directors; in others, it is less formal and serves as a discussion guide for directors. In this context, the statement refers to how companies can guard against decline. The guidance will give instructions on how managers can generate valuable assets for their companies by applying risk-management techniques. For a compliance program, Mr. Sobel said the objective is to be “effective and efficient” without excessive expense. Lastly, the practical application of ERM is intended to teach boards of directors how to perform strategic risk management. These application techniques are needed when companies are scaling, launching new product lines, or changing pricing models.
According to the COSO website, Enterprise Risk Management – Integrated Framework defines the essential components of enterprise risk management, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.