These days we were again discussing the COSO II (ERM) framework: its benefits and drawbacks, and how it fits with the ARIS solution for GRC. For those not familiar with the topic: the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector organization dedicated to providing guidance to executive management and governance bodies on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations can assess their control systems.
The COSO ERM model calls for the following components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. These elements fit nicely with our BPM approach to business (see picture).
The possibility of adding GRC-specific components and integrating them with the BPM framework elements offers unique insights and reporting possibilities. Risk identification can be supported by using surveys to investigate across business units, and by process modeling and analytics to visualize dependencies. Risk assessment is an efficient workflow of its own, and risk response is integrated with all other actions taken, e.g. because of control effectiveness failures or improvement programs. Finally, the Compliance Performance Manager and Dashboard offer not only the possibility to analyze the data inside our solution but also the customer's transactional systems, and to monitor exceptions from defined thresholds or rules. So it was quite easy for me to take a very relaxed position in that discussion and state: "Yes, I'm sure that ARIS Solution for GRC fulfills the requirements of the current COSO model!"