The piece COSO and ISO forgot
Both COSO (their internal control and enterprise risk management frameworks) and ISO (risk management standard) focus on the reliable achievement of objectives.
But is that right?
Let me tell you a personal story. Many years ago, in a time lost to the ages, I was a young IT audit manager at a major public accounting firm in London. I was fascinated by the new microcomputers and had purchased a TRS 80 Model II from Radio Shack. I taught myself some Basic and was working late many evenings trying to write simple programs on this 16k device that used a portable table recorder for external storage. I thought I could see how consumers and businesses of the (then) future would use devices like this and the new Apple II (for which I yearned). My senior manager suggested I bring the microcomputer into the office and show the IT audit partners. I was both excited and nervous, knowing that this embryonic device would only wow somebody with imagination. Sure enough, the senior partner huffed and mumbled something about wasting time on something that would never take off.
Now fast forward about three years. I am now the IT audit manager with the US part of the firm, responsible for the Los Angeles office. I am working with a client and talking to the CEO, who tells me that he can’t get his controller to use this new program called VisiCalc (one of the first spreadsheet programs). The CEO is fed up getting schedules from the controller with math mistakes that could be avoided if he used a simple spreadsheet. When I talk to the controller about getting microcomputers such as an Apple II or IBM, he huffs about “these toys” and sticking with what works.
Finally, let’s consider the mobile phone companies, like Nokia, that owned major shares in the global cell phone market. Nokia had about a 40% share of both revenue and profits. Their vision of the future did not include the dominant position that Apple would take with its iPhone. Nokia want from dominance to a 15% laggard.
The partners at my firm retained a vision that businesses would continue to run on IBM, Honeywell, ICL, DEC, and other mainframes. They were late to realize and be ready to develop capabilities and tools for the mini and then personal computers.
The controller at the Los Angeles company continued to use his adding machine and provide schedules with math errors. Not only was his boss frustrated, but the audit team was always finding errors in the financial statements.
Nokia failed to see the future as well, and its strategies had to be changed in crisis mode.
Looking at these, each demonstrates a failure to adapt business objectives and adopt new strategies while the old ones continue to work.
Where am I going with all this?
Addressing risks to strategies, and the controls that minimize those risks and help you achieved your objectives, will fail when those are the wrong objectives and strategies.
I am a big fan of PwC’s 2007 report on the State of the Internal Audit Profession, looking forward to 2012. I criticized them when new firm leadership took a different slant in the next years’ reports, but have to give them credit for one thing: they suggesting focusing on the value-drivers of the organization.
Whatever the type of organization (for-profit, not-for profit, government, etc.), it exists to provide value to its stakeholders. Sometimes that is profits and dividends; other times it is waste disposal and other public services. PwC suggested that internal auditors understand the sources of value, and then assess whether the organization has good processes and controls to develop objectives and strategies to create and preserve value. Only then do you assess risks and related controls to achieve the objectives.
The Singapore paper on risk oversight also starts with understanding “the mission of the company and of the reasons it exists in relation to all its stakeholders”. It advises that:
“Effective risk governance provides the appropriate level of direction and control in:
- determining the goals and strategy of the company;
- pursuing those goals;
- identifying the risks which are present or which may arise when the company pursues its goals; and
- determining measures to mitigate the risks.”
When COSO and ISO guidance starts with the achievement of objectives, it misses the point that the objectives may be wrong. Risk and control managers may be helping the organization drive at speed towards and then over a cliff.
Risks need to be considered in setting objectives and strategies that are create value. There are also the risks that the objectives and strategies are misguided, ineffectively communicated, and so on.
Controls exist (even though COSO advises otherwise) within the objective and strategy-setting processes. There are controls to ensure the right people are involved, have access to the information they need to set appropriate and achievable objectives and strategies, and then communicate them across the enterprise.
So what does this all mean?
- Let’s collectively urge those responsible for the COSO and ISO guidance to address the setting of objectives and strategies to create value
- Let’s consider the risks that the objectives and strategies are sub-optimal (which includes their being outdated), and
- Let’s consider the consideration of risk as part of the objective and strategy-setting processes, and the controls that address those risks
What do you think?
Norman Marks on Governance, Risk Management, and Internal Audit 
Norman,
Glad to see you are following up on this particular point of discussion on RM standards with a longer article on your personal blog and here. This issue is especially relevant to the ISO standard because it explicitly links risk to objectives, while COSO only regards risk as a standalone.
I always thought that the ISO Standard came up with a very powerful taxonomy and language for discussing about risk and RM, but I also have felt for some time that the standard had defined away some of the most vexing aspects of risk and focused instead on the more “manageable” parts. By presuming at the outset that the objectives are correctly and adequately established such that RM is mostly about lining up the frameworks and carrying out the process, while helpful, is also removing the bulk of the problem with RM. As we all know, the most recent financial crisis of 2008 was all about deficient risk governance by the highest echelons in the financial institutions even as the RM professionals performed their pieces valiantly. I should also throw in here examples of past debacles like Enron etc.
I think that addressing the risk associated with having wrong objectives is a glaring hole in the ISO standard and the way to plug that hole is via risk governance being integrated into the standard much like the GRC concept !!! If people talked about ERM as an integrated RM process cutting across all silos horizontally, it is also about RM being integrated across all levels vertically all the way to the Board. This aspect of RM needs to be built out more in the ISO standard. And it should take a page from the OECG book (no pun intended).
Your thoughts?
I agree with you. Did you means a page from the OCEG or the OECD book? There is merit in taking a page from a governance framework as well.
Norman
Norman D. Marks, CPA, CRMA OCEG Fellow, Honorary Fellow of the Institute of Risk Management Vice President, Evangelist Better Run Business SAP
To your point Norman and seeing the marketplace need, GVP Partners and the BTM Corporation have developed — Enterprise Risk and Value Management Services. A bit of background, BTM has its roots in aligning business, strategy and technology for innovation, agility, change management. Through GVP Partners, we have added enterprise risk and value management capabilities. We leverage our collective diagnostic, design, implementation and operating frameworks, tools and methodologies developed from best practice researchers like the BTM Institute.
Some of our solutions include:
BTM 360 Assess — From an ERM assessment perspective we use ISO31000, OCEG and/or COSO-ERM as an assessment tool to benchmark maturity levels and improvement opportunities.
BTM 360 Fusion — act like the PMO for managing the risks associated with business change and convergence for value creation and value preservation. It also maps out action plans for improving management capability/maturity levels over 17 dimensions – risk and governance is apart of this.
BTM 360 Works — is the enterprise risk and value intelligence operations center providing information to the BOD, Csuite, and Senior Management drawing KPI information from either the ERP system like SAP and Oracle or KRI indicators form applications like Bwise, Metric Stream and Archer. Makes it a repeatable process with ownership assignment, reporting and monitoring.
Our mission is to provide a repeatable process to help companies manage the risks associated with change (process, technology, strategic bets) to provide a competitive advantage as you seek to create and preserve value.
BTM was founded in 1999 and GVP Partners in 2008. Our fourth leg (enterprise risk and value management) is a new solution offering for 2012. GVP Partners brings 25 years of enterprise risk and value domain experience with Big 4 and public company trained partners/Chief Audit/Risk officers.
CEO’s, CFO’s and BOD members looking to transform their business model and/or enterprise risk and value management programs to greater levels of maturity, please give us a call for an introduction.
We see that companies, in the not too distant future, will have to assert annually on their ERM programs and have internal attestations performed most likely by internal audit for the Risk or Audit Committee. This is already required in many countries outside the US.
So we can help you get prepared!
Thanks
Mike Corcoran
GVP Partners
770.475.5944(o)
michael.corcoran@grcerm.com
Michael, knowing you I am sure you offer great value through your services.
What are you feelings and comments on the points made in the post? Do you work in the objective-setting process which, as pointed out by Harum, is where acceptable risk criteria are defined?
Norman
Norman D. Marks, CPA, CRMA OCEG Fellow, Honorary Fellow of the Institute of Risk Management Vice President, Evangelist Better Run Business SAP
We facilitate with the senior management team mostly using BTM 360 Fusion solution. This is about defining what needs to go right and well as what can go wrong (risk upside and downside criteria). We also size up enterprise risk and value management SWOT with BTM 360 Assess which can be tailored to ISO 31000, OCEG or COSO-ERM frameworks thereby understanding areas for improvement.
NM,
Very good principle you shared in that post (i.e. COSO/ ISO). It’s issues like those cited that continue to be encountered, when clients refuse to address recommendations that seek to change their way of thinking.
Amongst other things, IA’s work builds from an enterprise-risk assessment, which is based on the company’s strategies and objectives. As such, where these objectives are flawed (or near useless!), the work of IA is likely to add just as much value.
While it can be argued that too much input by Risk or Assurance functions can lead to the company’s overall strategy being ‘defined’ by these units, it is precisely at the strategy phase that the company ‘accepts’ risks that will be faced depending on the strategies selected.
In the context of COSO/ ISO the following could be considered for further discussion:
1. The COSO ERM cube has a linkage between ‘Enterprise level – Strategic – Objective Setting’, at which point your views can be emphasised.
2. ISO 31000 provides more of a framework, so I guess your views can be emphasised in the early stages of developing the RM framework.
On another note, you have been doing a great job over the years in promoting thoughts within the ERM/ IA field, and I truly hope you continue to do so in future.
– Best regards
Norman, I meant OCEG. If you’d agree with this premise of the missing piece in both RM standards (and it seems you do), then what are your thoughts about how a RM should address the risk associated with having erroneous or inadequate objectives? Is it even the RM’s responsibility to do this or is it the Board’s and therefore not within the role of the RM or the ERM Manager? And if it’s the Board’s, then would there be an IA’s responsibility to ensure that it works (for the benefits of the stakeholders). How do shareholders ensure that the right questions are being asked of the Boards and then the appropriate disclosure thereupon. What’s even more troubling is that it is the shareholders who have been more myopic in their demand for short term stock performance. Oh boy, these are really big questions!
I do agree, and appreciate the reference to OCEG.
I think risk and audit practitioners should be aware of the risk of poor objective and strategy-setting processes, and consider (perhaps with the board and certainly with management) whether those are being reasonably addressed. I would not try to second-guess board decisions, as much as make sure the processes involved have controls that reduce the risk to acceptable levels.
Risk sources might include:
– directors who don’t understand the business or its internal and external context
– unreliable, incomplete, or otherwise insufficient information on which to base objective and strategy-setting
– a failure to consider the inherent risks of every strategy
– a board meeting environment that is not conducive to the discussion and consideration of objectives and strategies, or where the board does not challenge a dominant CEO
– optimism bias, where everything is viewed though rose-tinted glasses
– an inability to consider something new, being wedded to what has worked in the past
– a dysfunctional executive team
– a lack of trust between executives and the board
– an inability to define and communicate actionable (at all levels of the organization) objectives and strategies
– etc.
Internal auditors need to audit governance processes where significant risks exist, and that might include audits of objective and strategy-setting processes – and the ability to change direction quickly, when the need arises/
Norman D. Marks, CPA, CRMA
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
Vice President, Evangelist
Better Run Business
SAP
Join me online: IIA Governance blog | GRC and Audit blog | Twitter | LinkedIn
Norman,
Your comment is a good start. However, the question remains how would an RM system of an organization address such a risk of bad objectives when such a system is a part of the management and the organization. There seems to be a lack of authority for effective resolution of the matter in such a situation.
I don’t think the problem lies in adapting or changing objectives. It is in the lack of imagination shown by boards and executives in in identifying risks to the achievement of their set objectives. With hindsight, the boards and executives in the various examples cited have not asked enough “what if” questions when reviewing and adjusting strategies for sustained growth in the foreseeable future. It is unlikely that any organisation sets itself up with objectives designed to drive themselves off a cliff. If the identification and evaluation of risks to attaining objectives is properly done, then either strategies are changed to mitigate the risks to attaining the objectives or the objectives have to be reviewed and re-set. In so doing, the ISO and COSO focus is validated and the Singapore paper alignment to goals and strategies reinforces the focus.
With good corporate governance in force in the examples cited, the conflicts of interest between strategy setting and objectives set would have been brought into the open and resolved. Without good corporate governance, the focus on reliable achievement of objectives will be lost and strategy setting will be weak and ineffective.
Yes – objectives may be wrong. The question that any framework needs to answer is what it means, to them, to have a ‘wrong’ objective. The answer in my mind is to understand the relationship between objectives and strategies. An objective creates the need for a strategy. That strategy, in turn, creates sub-objectives for the next level of management who, in turn, create their strategies, etc. It’s a constant process of delegation and flow down through the organization. At any point, a bad strategy could create the wrong objectives for the next lower level of management. Or, the strategy is fine but the newly created sub-objectives do not support the strategy.
I think there are 3 considerations.
First, the possibility that it was a clearly dumb strategy from the start. Most organizations have controls over this problem through general management activities such as accountability, review and approval, governance, etc.
Second, the possibility that the strategy (and thus the sub-objectives that it spawned) was reasonable at its inception but became incorrect over time. The way to attack that issue is to capture foundational assumptions in a strategy and, if sufficiently critical, these assumptions may need to be monitored over time (through KRI?) to determine whether these assumptions remain valid. These KRI create the triggers to revisit a strategy that may be in the process of becoming irrelevant and, accordingly, the sub-objectives that it spawned may now be the wrong sub-objectives.
Third, the possibility that any objective simply fails to intuitively align with its higher level strategy.
As an auditor, all of these are within my scope. The first issue would likely come up during some type of general governance review. The second relates to the completeness and effectiveness of the risk management activities — how do we know when something is going bad? The third one should be very straight-forward. I think the first question any auditor should ask an auditee is “what are you trying to accomplish?” Then comparing that answer with a reasonable understanding of the organization’s overall goals and objectives should start the auditor down the right path of questioning wrong objectives. This should be easy for small and mid-size organizations. I realize it can be difficult for very large and complex ones.
The matter here appears to be so fundamental. Incorrect goals and objectives will always lead to sub optimal results. Putting controls in place to achieve poorly defined objectives will always lead to sub optimal business performance, which will irratate both organizational managers and investors alike.
Agree with you core point Norman – one would think its common sense that a poor strategy will always lead to poor outcomes regardless of how risks are or aren’t managed.
Coming to risk management though, I wonder whether changing a standard will change attitudes to risk management. Having worked with a number of Boards and Senior execs, the issue is real only when the attitude is merely ‘complying’ with a standard rather than truly manging the risk. I am fortunate enough to be part of a business where I as a risk practitioner sit on the strategy table and never find myself debating or being held back by the standards.
Ruby, you’re in a good situation to “sit on the strategy table” – many CAEs are, unfortunately, not. This also sometimes seems to stultify audit thinking at a conceptual level. At a professional event earlier this year, I raised a similar query as to whether an auditor could (and should) look closely at the objectives & strategy setting process. Two speakers, both CAEs at multi-billion dollar diversified enterprises, side-stepped the question by saying no value is gained by ‘second guessing management decisions’!
Norman, I completely buy your idea of the need to look into the validity of objectives and strategies. But I’ve to reluctantly align with Khanh above that, in general (and especially in markets and geographies outside North America and EU), there seems to be a lack of authority on the part of IA an ERM practitioners to deal with such situations.
Risk management works at all levels of the hierarchy, including at the strategic level. Of course, if the Board and Executive don’t perform strategic planning well, they will set poor objectives, and risk management is a central part of making that process work effectively.
Bearing in mind that risk can be postive as well as negative, the focus of strategic planning should be on opportunities as well as threats and both of these are driven in part from business as usual and in part from the changing business environment.
I agree that Internal Audit can have a role in monitoring the performance of this process, as can external auditors as well. However in the end it is talented executives performing risk management as part of strategic planning who will determine whether the strategy, and hence the objectives, are right for a changing world. As I think other posters have noted, this isn’t always evident in practice.
Very interesting Norman, and I agree that auditors and risk managers should not just feed information to the C-suite, but should be involved in leveraging that information to help set up objectives and make strategic business decisions. My company, Infogix, Inc., works with our customers to establish controls to monitor business information moving among disparate systems to detect and prevent errors. The information captured provides business operations managers with the knowledge to identify risks and use that to help shape a company’s strategic vision. On a side note, your trip down memory lane made me smile, thinking about just how far technology has advanced beyond the days of when a simple spreadsheet could help reduce information errors. The sheer volume of data flowing in and out of an enterprise can be overwhelming, and establishing and continually re-evaluating the overall strategy to monitor for, and remedy, information errors is only growing more difficult and critical.
To all, my real question, based on this discussion stream, is: should risk management really be tied to objectives or more optimally designed as a standalone activity (like the COSO approach)?
It should be tied to objectives with the caveat that risk must be embedded in the setting of objectives and strategy.
Norman D. Marks, CPA, CRMA OCEG Fellow, Honorary Fellow of the Institute of Risk Management Vice President, Evangelist Better Run Business SAP
When you tie risk management to stated objectives of an organization, then RM is doomed if you have faulty objectives. If you conduct RM within a larger scope, then you might have a greater chance of addressing the risk of faults in the objectives.
Separately, the kind of faulty objectives I am thinking of is not the kind that results from not having risk consideration embedded in the setting of objectives and strategy. It is more of the kind resulting from bad governance. For instance, when a company is intent of growing market share via below cost pricing or some other tactics. Or in the case of Long Term Capital, utilizing a trading strategy based strictly on a model-driven platform. How would a RM at Long Term Capital address the risk of such a faulty objective?
I think Michael Raynor in his book The Strategy Paradox says it well: Corporations must manage strategic uncertainty actively: Anticipate – building scenarios of the future; Formulate -creating optimal strategies for each of those futures; Accumulate – determining what strategic options are required; and, Operate – managing portfolios of options. The strategy paradox-any future strategy, even one perfectly executed, may fail, because the future cannot be predicted. We help companies do this.
Mike
All, while I understand and appreciate that you may have valuable services and products related to this topic, please refrain from using this forum to promote them.
Thanks
It seems the discussion is focused on the wrong point. The objective of the Board of Directors and Senior Management is to achieve an acceptable return on invested capital for the shareholders, thus benefitting the other stakeholders in the organization. Reading Norman’s examples, which sound all to familar to my own experience, reminds me that history is littered with organizations which failed to adapt to transformative macro change, such as the buggy manufacturer at the beginning of the 20th century or the steam locomotive manufacturer in the 1930s when diesel began rolling over railroads. Think about how few corporations reach their 100th anniversary.
I doubt either the COSO or ISO models effectively deal with such risk challenges. My experience has been that Boards and Senior Mgmt. teams rarely think outside the confines of the present situation, particularly in the risk management arena.
Even today, much of the risk conversation ultimately revolves around insureable/mitigatable issues, not the long-term technology, demographic, geopolitical risks that can render all of the tactical risk practices moot. With today’s short-term focus, and relatively short tenure of managers, this tactical focus shouldn’t be surprising.
Can either IA or Risk Mgmt. effectively play at this level. My experience says no, nor should they expect otherwise. Whatever my private thoughts, I can’t forsee issuing a report criticizing a strategy. I might have a conversation with my Audit Committee chairman, but ultimately I would leave (have left!) when I disagreed.
Norman, this reminds me of a discussion held back in 2010 where you asked the question in a blog post, “Is Internal Audit Meeting the Challenge? Perhaps Not!” Following your post were numerous comments, among them, one in which I believe you had said that you believed that objective-setting is not an activity within the COSO ICF, but instead, it is a prerequisite. You can’t identify risk to the business unless you know its objectives. You did go on to say, though, that Auditors should, if they adhere to the standards and defintion of internal audit, audit the governance process and its related controls. That would embrace the auditing the controls over governance-setting. I have attempted to accurately represent what I thought was your position back in 2010. Is that still your basic position? or, are you now saying that the people revising the COSO ICG should be more explicit and clear, and do, as you say above:
•Let’s collectively urge those responsible for the COSO and ISO guidance to address the setting of objectives and strategies to create value
•Let’s consider the risks that the objectives and strategies are sub-optimal (which includes their being outdated), and
•Let’s consider the consideration of risk as part of the objective and strategy-setting processes, and the controls that address those risks
I just want to clarify how your thoughts in 2010 differ (if at all) to your thoughts now about the above.
Wow, I am impressed Alfred! I still believe that internal auditors should audit governance processes (using a risk-based approach) and the COSO ICF should recognize that there are risks and controls there. If they decide to stick with achievement of objectives, they need to explain the gap.
Norman
Norman D. Marks, CPA, CRMA
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
Vice President, Evangelist
Better Run Business
SAP
Valid point Norman
Isn’t that out of scope for a framework? It’s almost as if the framework should come with a disclaimer “assumes you have defined your objectives properly”. When I sit down with someone to understand their risks the first question asked (thanks Keith Baxter!) is “What do you need to do to be successful?” Defining those target successes help drill down to the risks which prevent the successes.
I will be the first person to suggest the most senior managers at any organization do not have a monopoly on all the good ideas, but I also think that by the time they sit down with the risk manager – someone who is there to facilitate a process that helps them achieve success – the strategy is set and the wheels are in motion.
We’ve all worked from organizations and managers and asked WTF are they thinking but the risk management process may not be the best forum to bring it up.
Don’t you think that there are risks and opportunities with each objective and strategy option? There are also controls to ensure the choices are made by the right people based on necessary information.
Norman D. Marks, CPA, CRMA OCEG Fellow, Honorary Fellow of the Institute of Risk Management Vice President, Evangelist Better Run Business SAP
Really excellent point! this was indeed our thinking in developing ISO 31000 as we were not permitted by the Technicam Management Board of ISO to venture into territory that would cause the risk management standard to be regarded in any way as a management standard. ISO 31000 is now up for review and ideas like this (the key reliance ISO 31000 has on a) objectives and b) performance) will no doubt arise for discussion.
As a practitioner you are absolutely right: objectives can be poorly expressed or even inaccurate or at a minimum, not helpful to an organization’s mandate but we made (and discussed) the assumption that this area was out of scope. As input to your point, in the development of ISO TR 31004 these types of issues arose and caused us to look very closely at ‘Annex SL’ (Guide ’83) of ISO which is the ISO management system standard under development. Our discussions continuing regarding better links between the ISO 31000 and Annex SL. I encourage you (and any reader of this blog) to tap into your national standards body and find out who you can contact to provide comments on the upcoming vote and review of ISO 31000. Together, we will improve!
I think there is huge value in aligning risk review to the objectives and strategies of the firm. Particularly because in previous conversations followed, I have seen RMs discussing the challenges of being heard or having a voice with Sr Mgmt/Board.
If you align your speak with the items they are passionate about, the opportunity to become a bigger part of the conversation may present itself. Yes, criticisms of a plan may be rebuffed, but there are positive ways in which to influence the conversation:
1. provide data/information that will aid in the weighing of two similar options
2. highlight suggestions that may help management make a strategy even more successful or provide early indicators when something is not working so corrective actions can be taken
3. even if you feel a strategy is flawed but it is going forward anyway, you can still look for solutions that can minimize the firms exposure or give them options when the ‘ship has to turn.’
Norman, Great post. You might enjoy this article by Alan Kay, one of the founders of the personal computer revolution, and Chief Scientist at XEROX PARC – the research lab that gave us the graphical user interface, the mouse, online collaboration technologies – and more. http://www.ecotopia.com/webpress/futures.htm
A couple quotes from Alan’s article, written in 1989, illustrate the challenge you address:
“we don’t have a very good concept of the future itself. [Marshall] McLuhan’s line–one of my favorites–is, ‘We’re driving faster and faster into the future, trying to steer by using only the rear-view mirror.’
“McLuhan had a great line about the 20th century. He said, “The 20th century is the century in which change changed.” […]
“…McLuhan was saying … that when change changes, you can’t predict the future in the same way anymore; you have some second order or third order effects…In other words, to think of the concept of future not as a thing that comes from the past–although it has come from the past in a way–but to realize that the forces that are bringing about change right now are so great that it’s very difficult to sit down and make simple extrapolations.”
Strategies, whether successful or failed, come from a worldview a perspective, “Point of View Is Worth 80 IQ Points” (Alan Kay). To get people to make their mental model(s) visible, to step outside their worldwiew, is not an easy task, but it is possible.