New Risk Guidance Being Developed for Cybersecurity, Compliance

A key standard-setter on internal controls is preparing to publish a set of guidelines for companies on how to manage cybersecurity and other enterprise risks.

Source: WSJ | Published on August 12, 2019

Digital security concept

The new guidance from the Committee of Sponsoring Organizations of the Treadway Commission is expected to address how companies can apply the principles of enterprise risk management, or ERM, to protect against cyberattacks; how to better craft risk-appetite statements; and how to better manage risk and compliance across an enterprise.

COSO develops frameworks that many companies use to manage financial and nonfinancial risks. Its chairman, Paul Sobel, said in an interview that the guidance will be rolled out later this year and early next. He also shared some details on what to expect.

On Cybersecurity: Hackers have become more advanced in their attempts to break through companies’ defenses, said Mr. Sobel, who is also chief risk officer at pulp-and-paper company Georgia-Pacific LLC. “We continue to have very visible data breaches,” Mr. Sobel said. He said the coming guidance will be tailored to the needs of cybersecurity professionals.

In a recent example of a major data breach, a hacker accessed the personal information of more than 100 million customers and applicants at Capital One Financial Corp., the fifth-largest U.S. credit-card issuer.

Mr. Sobel said that the forthcoming COSO guidance has been under discussion for nearly a year and isn’t being crafted in response to the incident at Capital One. It is intended to help companies provide more detailed instructions on how to apply the 20 principles of COSO’s risk-management framework—which include board-level oversight of risk management—to information security.

On Risk Appetite: Companies’ adoption of risk-appetite statements is another subject that COSO plans to address in the guidelines, Mr. Sobel said.

Risk-appetite statements take different forms across industries. In financial services, the statements are typically more quantitative and formally agreed upon by directors, according to Mr. Sobel. In other industries, risk-appetite statements are less formal and serve as a discussion guide for directors, he said.

Currently, the statements focus primarily on how companies can protect themselves against downsides. The forthcoming guidance, however, will encourage directors to emphasize how companies can create value for their companies by properly managing risks.

“It gets to the crux of how boards and the C-Suite think,” Mr. Sobel said. He added that risk-appetite statements, as they are currently drafted, primarily resonate with risk executives.

On Compliance: COSO also plans to publish guidance for companies on how to manage compliance programs. Mr. Sobel said the guidance is being drafted in partnership with the Society of Corporate Compliance and Ethics, a Minneapolis-based professional association.

The goal is to help companies be “effective and efficient” in their approach to compliance, and to make sure they don’t overspend, Mr. Sobel said. “Companies may overmanage those risks sometimes,” he said.

On the Practical Application of ERM: COSO also expects to publish guidance for board directors on managing strategic risks—the kind that arise when companies expand, launch new products or change pricing models. The new guidance will provide board members and executives with examples of questions to ask and steps to take to prevent the loss of shareholder value, Mr. Sobel said.