COSO partnered with the World Business Council for Sustainable Development to develop a draft of ERM guidance for ESG.
In February, COSO released a draft for comments: Applying enterprise risk management ro environmental, social and governance-related risks (ESG). This time, PwC was not involved. Rather, COSO partnered with the World Business Council for Sustainable Development (WBCSD).
Here are the high-level comments I provided. The initial response to them was positive and constructive.
I would like to share a few generalized comments. But first let me commend you on tackling this topic. There is a lot of good material for consideration.
Please consider these points and questions:
- Risk management is not and should not be perceived as an annual activity. It’s an integral part of effective management, a continuous activity.
- It should be about enabling leaders and others across the organization make informed and intelligent decisions, considering what might happen (aka risk).
- ESG is a group of various sources of risk to the organization. They should be evaluated, not in a silo based on a risk appetite for each source of risk, but together with other sources of risk to an enterprise objective. In other words, leaders should consider the aggregate level of risk, taking ESG and other sources of risk that could affect the achievement of an objective, when making decisions.
- Risk management is not about managing a list of risks (inventory, profile, or other term). Risks are changing all the time and you shouldn’t be limited to managing a list of risks.
- People need guidance on daily decision-making. Anybody can make a decision that has a potential ESG effect of significance. Do you think this guide helps with that?
- The potential effect or consequences of an event or situation are not a likelihood:effect point. They are a range of potential effects, each with a different likelihood.
- The board and top management need to know how ESG related issues might affect the targets and metrics with which they measure success and the achievement of their objectives. Is this addressed, or are they asked to manage ESG risks separate from other governance activities?
- How does a board or top management decide how much scarce resource to allocate to address potential ESG issues rather than cyber or other issues, or profit opportunities? If this is not addressed in guidance, will it lead to appropriate actions by leaders?
I am open to discussing these points and any other questions you may have.
As I said at the beginning of my comments, there is good content in the draft. For example, I am encouraged that they talk about bias (specifically confirmation bias and a bias against allocating resources for ESG).
So I encourage everybody to read the draft and submit your own comments.
Moving on for a moment: I am concerned at the tendency of specialist groups to publish guidance that is focused on their area of interest and ends with an assessment of the risk as “high” or $250,000.
While each may say that their guidance can be part of an integrated, enterprise risk management approach, I am not sure that is true.
For example, when potential harms are assessed against “risk criteria” or “risk appetite” for harm to that specific area or asset, how do you determine where management and the board should allocate scarce capital and other resources?
I am in the process of writing a new book on technology-related risk. It involves reviewing guidance from NIST (SP 800-37) and ISO (27005). Both suggest that you identify “information assets”, value them based on several criteria, and then assess and evaluate risks to each asset based on their established risk acceptance criteria.
As you can imagine, I believe any and all ‘risks’ should be assessed based on how they (perhaps in conjunction with other ‘risks’) might affect the likelihood and extent of achieving enterprise objectives.
In my draft, I am including this hypothetical story:
The CEO and CFO are meeting with other business leaders to discuss the capital budget for the next year. They have decided that they can afford $50 million but the requests for capital amount to $100 million. They include:
- The acquisition of a small company that will expand their product offerings, an expansion eagerly sought by their customers. It is expected to cost $20 million with projected annual increases (existing and acquired products) of $40 million in revenue and $8 million in profits. The ROI is attractive and confidence in the success of the venture is high. It is expected to be welcomed by analysts and lead to a healthy boost of the company’s stock price.
- An investment in new technology that will reduce operating costs significantly and improve management’s ability to respond swiftly to market changes. The cost is estimated at $10 million with annual savings of $5 million.
- The replacement of critical manufacturing equipment that is near the end of its useful life. Continuing without replacement increases not only maintenance costs but the likelihood of equipment failures that will disrupt manufacturing and delivery of products to customers. The cost of the equipment is $20 million. The cost of delaying the investment (including revenue and customer satisfaction risk) is estimated at $5-8 million per annum, increasing by 10% each year.
- Continuing investments in new products. The next generation of products is eagerly anticipated by customers and stock analysts. While the investment will require $20 million in the next year, the overall return on the investment is very high (projected to be about 30%) and any delay could allow competitors to seize market share.
- Information security technology that the CISO and CIO both assert is needed to reduce cyber risk from its current high to acceptable levels. However, the cost is significant (about $15 million) and all the CISO says is that the risk to critical information assets will be reduced by at least $10 million per annum. The CISO is unable to offer any assurance that the investment will prevent a breach of the company’s systems that results in a major loss to the organization.
- Various smaller capital requests amounting to $15 million with an average projected ROI of 15%.
The CEO and CFO feel obliged to at least consider the cyber risk reduction investment, but the benefit is unclear and uncertain compared to the much more certain and significant benefit obtained from the other options.
They decide to make a modest, more of a token investment in cyber. At the same time, they ask the CISO and CIO to find a way to help them weigh the benefit of investment in addressing technology-related risk (including cyber) against other opportunities.
The above illustrates why it is essential to provide leaders with actionable information. They need to be able to make decisions between addressing one risk vs another, going forward with a project given all the uncertainties related to its success, and so on.
Rating a ‘risk’ as High or valuing it at $250,000 is meaningless as far as I am concerned.
Explaining how it affects the achievement of objectives, in a way that the potential effect of multiple sources of risk can be considered together and compared to potential rewards, is starting to help.
I welcome your comments.
- A really concise version of the IIA’s new Global Internal Audit Standards (GIAS) - September 18, 2024
- How effective is your board (or governing body)? - August 14, 2024
- Internal audit and generative AI - July 17, 2024