I recently sat down with Jeff Thomson, our newly appointed senior strategic advisor at Competent Boards. You may already know Jeff from his previous roles as CEO and president of the Institute of Management Accountants and CFO of business sales at AT&T. He brings decades of business acumen, governance expertise and a forward-looking perspective on environmental, social and governance (ESG) issues.

Our conversation explored the dynamics of risk management, the value of internal controls, governance infrastructure and the critical role of boards in steering organizations through an increasingly uncertain business environment. As Jeff puts it, sound risk management and internal controls are “good for business”, and not just a “finance and accounting thing”.

First, some brief background. COSO stands for the Committee of Sponsoring Organizations, a body composed of five US-based global accounting and finance associations that were tasked in the late 1980s by Congress to develop credible and well-vetted frameworks and guidance to prevent the high incidence of fraud at US savings and loans institutions. The result was the development of two global frameworks, separate but related, focused on enterprise risk management and internal controls.

Over the years, COSO has provided supplemental guidance and research on topics such as artificial intelligence, cloud computing, cybersecurity, and most recently, a publication titled Internal Control over Sustainability Reporting: Building Trust and Confidence. Jeff was one of the main authors of this study, together with Bob Herz, another Competent Boards faculty member and former chair of the Financial Accounting Standards Board.

The COSO frameworks focus on governance, risk management and internal controls, enabling organizations to grow with confidence and integrity in today’s uncertain environment. The frameworks can be put to good use by organizations of any size, any structure, anywhere in the world with a view to achieving dual goals:

● Ensure legal compliance to protect and preserve value and reputation (think Sarbanes-Oxley financial reporting requirements and similar regimes around the world).

● Support long-term value creation by taking an integrated, built-in approach to risk management and internal controls. Indeed, COSO’s landmark Internal Control-Integrated Framework, or ICIF, directly ties risk management and internal controls to other stakeholder objectives.

I asked Jeff if COSO puts appropriate emphasis on the role of the board of directors. “Absolutely”, was his reply. “Board accountability and competence are foundational to applying the COSO components. For example, surveys indicate a significant lack of stakeholder trust in ESG/climate reporting, which is now going mainstream around the world with national disclosure mandates. An integral part of these mandates is an articulation of your board’s education and competence in climate, biodiversity and other evolving sustainability matters. It is critical that board members have a basic knowledge in these areas, enabling them to ask the right questions, exercise professional skepticism, and carry out their duties of oversight and foresight.”

One company applying the COSO frameworks effectively is Whirlpool Corporation, the Fortune 500 appliance maker well regarded for its early commitment to corporate social responsibility. Under the leadership of Kristy Proos, director of ESG reporting, Whirlpool was an early adopter of COSO’s guidance on Internal Control Over Sustainability Reporting. Kristy worked with the internal audit team at Whirlpool to conduct advisory services and provide gap analysis. As part of the analysis, the internal audit team assessed each of the 17 principles of COSO’s Internal Control Framework as it applied to their ESG Reporting. If a gap was identified, the team provided recommendations on how to mitigate those risks, including process enhancements and control recommendations. Together with a commitment to education and active governance by the board and senior management, Kristy believes that these moves will help Whirlpool progress towards reasonable assurance in ESG reporting and, as a result, continue to enhance stakeholder trust in non-financial reporting.

Here are some of Jeff’s other insights on COSO and recommendations for corporate boards:

1. Embrace the COSO Frameworks: Jeff emphasized the importance of adding the COSO frameworks to board, management and audit business processes. He noted that they extend well beyond compliance and beyond accounting. For more on COSO’s work, see www.coso.org.
2. Define Risk Appetite: Every company must articulate its risk appetite, in other words, the level of risk it is willing to tolerate, so that it can be agile in mitigating those risks and seizing opportunities as they arise.
3. Integrate Risk Management: Jeff recommends integrating risk assessment and mitigation into a company’s mission and purpose. This holistic approach ensures that risk management is not an isolated exercise but is woven into the fabric of organizational strategy and operations.
4. Be Agile and Innovative: Organizations must cultivate a culture of agility and innovation to adapt to the changing business and regulatory landscape. This culture empowers organizations to anticipate and respond effectively to whatever comes their way.
5. Be Proactive: Board members must keep abreast of the latest developments in ESG, sustainability, geopolitics, technology, and more.
6. Invest in Governance Infrastructure to Remain Compliant and Competitive: These investments include board training, leader accountability and the capability to be legally compliant while seeking opportunities for long-term value creation.

Jeff’s advice underlines the complexities of managing risk, and the crucial role of board members in steering their company through today’s unpredictable business landscape. As we venture further into this challenging terrain, I am optimistic that insights such as Jeff’s will help guide us towards a more sustainable and resilient future.
