Recently, COSO published an update to their 2004 ERM Framework. The product, retitled Enterprise Risk Management: Integrating with Strategy and Performance, is available from the AICPA or IIA – see here for the links.
This is their news release, dated September 6. It asserts that:
“The updated edition is designed to help organizations create, preserve, and realize value while improving their approach to managing risk.”
Has it achieved that goal? Or has it failed?
Will it advance practices or has it fallen short of leading thinking?
I am in the process of a careful review of the product and will share the results later.
But I encourage all of you to not only review it but answer my question (is it a success or failure) using a set of questions I shared in June 2016 – upgraded with a few clarifications and a couple of additions (at the end).
Even if you don’t provide your own assessment (for whatever reason), consider subscribing or returning to see how others have commented on the product.
My ask is that you assess the updated Framework by rating each of these 14 questions on a scale of 1-10 (10 being perfect). When you rate, consider whether the COSO discussion provides practical guidance or just makes a theoretical point. Will the guidance help organizations actually achieve the principle or point being made?
Then provide your overall pass/fail.
Here are the assessment questions.
- Does the draft provide useful guidance that will help leaders of the organization define the mission, objectives, strategies, and plans that will deliver optimal value to stakeholders?
  - If the mission is not optimal, it is unlikely that the objectives will be
  - If the objectives are not optimal, it is unlikely that strategies to achieve them will be
  - …and so on
  - In order to set the optimal mission, objectives, strategies, and plans, leaders need to consider all the possibilities. They need to be able to obtain as clear a view as possible of potential opportunities and harms for all potential options. Their assessment of what might lie ahead, and how it might affect their journey, needs to be performed in a structured fashion – both opportunities and harms – and a reasonable judgment made that takes all of the potential effects of uncertainty into account
  - It is not sufficient to say that you have considered all the options (possibilities) for mission, objectives, strategies, and plans. The processes where those are selected have to involve the right people, consider all the available useful information (which is reliable, timely, and up-to-date), and more – in other words, the risk of setting a wrong or sub-optimal mission, objective, or strategy has to be at acceptable levels
  - Organizations need to periodically review their mission and change it as conditions change. Think of Intel, Microsoft, HP, Apple and more
- Does the draft provide useful guidance when it comes to executing against the defined mission, objectives, strategies, and plans? Is there sufficient guidance on effective decision-making, and will it move the practice of risk management away from only reviewing, periodically, a list of risks? Will it lead to organizations practicing risk management continuously?
  - The Executive Summary makes the points that risk management must be continuous, enable effective decision-making, and be more than the review of a list of risks
  - But does the detail of the framework deliver on those promises?
  - As COSO says in their Executive Summary, execution and the optimization of performance rely on decisions that are made not only by leaders in establishing the goals and objectives of the organization, but by managers at every level of the organization every day
  - In order to make good decisions, people need to consider all the potential consequences of the choices they make. Those include not only the harms but also the rewards that may occur. The consideration needs to be structured and based on useful, timely, current, and reliable information
  - Also as COSO says, risk management needs to be an essential part of running the organization and delivering performance. It should not be separate. Does the guidance enable organizations to manage risk as part of the rhythm of the business? Does it help management entwine the consideration of risk into every business process?
- Will the guidance still lead people to only identify, assess, and address potential harms? Will risk reporting still be focused on the level of risk rather than the likelihood of achieving each objective?
  - COSO says the consideration of both harms and rewards (in their language, ‘risks’ and ‘opportunities’) is essential if risk management is to be effective
  - While that is essentially what the prior version said, its language focused almost entirely on ‘risk’, and arguably this has led to most organizations only managing potential harms
  - Most organizations limit risk reporting to a list of risks and their level. But if it’s really about achieving objectives, shouldn’t reporting be about whether each objective is likely to be achieved, exceeded, or missed? It should not be limited to an assessment of potential harms
- Does the guidance explain clearly and help decision-makers understand and then evaluate all the potential effects of uncertainty?
  - Some look at ‘opportunity’ as the positive side and ‘risk’ as the negative. But most situations, and certainly most decisions, have multiple potential consequences. It’s not just reward or just harm; usually it’s both. For example, when you decide to overtake another car on the freeway, there is potential to go faster as well as the potential for a crash. Only by understanding and then weighing all the potential consequences can a good decision be made. As another example, when you purchase a hotel while playing Monopoly, you create the opportunity to obtain rent (and this requires considering the size of that gain and its likelihood) as well as increase the potential to go bankrupt if you land on another’s property and have to pay rent
  - Some assess the ‘level’ of risk as a point – a level of impact and the likelihood of that impact. However, there is almost always a range of potential impacts, each with its separate likelihood. For example, if the organization decides to reduce the price of its products, sales could (a) increase by 10%; (b) increase by 20%; (c) remain the same; (d) change by another percentage. All of these possibilities have different likelihoods. If you wanted to plot the ‘level of risk’, it would be a range or a curve on the chart and not a point
- The actions and decisions of one affect many. Is the guidance sufficient on this point?
  - Many define the level of risk based on the amount of impact multiplied by its likelihood. But then a 5% likelihood of a $200 loss is the same as a 50% likelihood of a $20 loss. One may be acceptable but the other not. Does COSO discourage the assessment of risk based on this simplistic calculation?
- Will the update provide decision-makers with the structure/process they need to decide whether to ‘take the risk’ because of the potential for reward?
  - In real life, people have to ‘balance’ risk and reward
  - Will the guidance provide a disciplined process for identifying and evaluating all the potential effects of each option and only then making an informed decision? Or does it only consider and provide guidance on assessing harms?
  - For example, if the potential for loss is assessed as between $50 (20% likelihood) and $100 (5% likelihood), should a manager ‘take the risk’ when the potential for gain is between $50 (20%) and $250 (5%)?
- Will the update lead to providing decision-makers with the guidance they need if they are to make the decisions management and the board want them to make?
  - The great majority of organizations who have a ‘risk appetite statement’ at the entity level have not been able to cascade it down in a way that enables those making the decisions in real life to know what is necessary
  - Different conditions (e.g., whether there is huge public scrutiny, whether the organization is likely to exceed or miss its earnings targets) can lead to executives wanting to change the risk decisions that are made
  - It’s one thing to say that you need to avoid exceeding defined risk limits, but when the reward is high it may be appropriate to take that risk. Does the guidance enable agile decision-making that considers changes in the environment?
- Does the update provide sufficient guidance on how to assess and then correct, as necessary, the culture of the organization?
  - It is encouraging that this is now included. Is it sufficient?
- Does the update provide sufficient guidance on each stage of the risk management process, including identifying, assessing, evaluating, and treating risk and opportunity? Does it provide sufficient guidance on communications and monitoring, including continuous improvement?
  - There is more to assessing risk (good and bad) than impact and likelihood. Other considerations include duration, speed of onset, and more
  - Many use models. Is this covered sufficiently?
- Is the updated COSO guidance on risk appetite and risk tolerance useful? Does it mirror and enable effective decision-making in real life? Does the guidance help to establish not only the upper limit of ‘risk’ that should be taken, but the lower level as well?
  - If organizations don’t ‘take risk’ they will not survive. It is dangerous to be too risk averse
  - How does an organization establish the minimum level as well as the maximum?
  - Does COSO provide sufficient guidance on how to assess both the upside and the downside?
- Does the updated guidance help people ‘balance’ risk and reward, knowing when to ‘take the risk’? Or does it lead people to evaluate whether the level of harm is acceptable without considering the level of benefit? Does COSO guide people to consider the potential effect on strategies and objectives, or only to assess risk based on some out-of-context measure?
  - The COSO definition of risk appetite in the current framework talks about an amount of risk. Sometimes risk appetite is expressed in terms like “we have no tolerance for this risk”
  - However, in real life people make decisions based not only on the ‘amount’ of risk (harm) but on the likelihood of that amount of risk. For example, I might accept a 2% possibility of losing $100 but not a 20% possibility
  - A generic statement like “we have no tolerance for this risk” does not help real-life decision-making. While no organization will state a level at which loss of life is acceptable, in many industries the only way to get to zero likelihood is to exit the business
  - What is an acceptable level of variation from objectives? If you set an objective of 10% growth but are willing to accept 5% growth, 5% is your true objective. Alternatively, your objective may remain 10% but you will accept a 7% chance that it will be reduced to 5%
  - Is the ISO 31000:2009 term ‘risk criteria’ better, especially as it can be applied to individual decisions?
- Will it be possible to assess the effectiveness of risk management in practice using the updated version?
  - Any assessment should be based on whether the management of risk helps people establish the optimal vision, objectives, strategies, and plans, make better decisions and, as a result, increase the likelihood of achieving objectives
  - Any assessment should identify the areas where the risk of failure in identifying, assessing, evaluating, or taking action to address risk is higher than desired
  - If the assessment is against principles, are those in the COSO draft as good as or better than those in ISO 31000:2009?
  - If all the COSO principles are present and functioning, does that mean that risk management is effective? If one or more are not present, does that mean that risk management is without doubt ineffective?
- Will the guidance provide sufficient guidance to enable the board and/or a committee of the board to provide effective oversight?
  - Is the guidance as good as that in South Africa’s King IV Exposure Draft?
- Is the updated document consumable? Is it too long? Will it be read, understood, and acted on by all levels of the organization?
  - Will the updated product help the busy executive or board member understand what risk management is all about, that it is not simply a compliance exercise but can improve the likelihood of quality decisions and the achievement of the right objectives?
- Is the 2017 product a sharp improvement on the 2004 version?
  - Are the changes and additions an improvement?
  - Does the updated Framework represent leading thinking?
  - Will it help move practices around the world to greater levels of maturity and effectiveness?
  - Is it better than the ISO 31000:2009 global risk management standard and other guidance that has been provided by regulators, national corporate governance codes, and so on?
  - Would you recommend that an executive, board member, or practitioner buy the updated Framework? Or should they buy my book?
He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.