In my opinion, one sentence stands out, whether you are looking at the COSO Internal Control – Integrated Framework (2013 version) or the COSO Enterprise Risk Management – Integrated Framework.
That sentence is:
An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.
The sentence is important because it emphasizes the fact that the purpose of controls is to address risk, and that you have ‘enough’ control when risk is at desired levels.
To me, this means that:
- Before you assess the effectiveness of internal control, you need to know your objective(s), because we are talking about risk to objectives – not risk out of context
- You need to know the risk to those objectives
- You need to know what is an acceptable level of risk for each objective, and
- You need to be able to assess whether the controls provide reasonable assurance that risk is at acceptable levels
You may ask “where is that sentence?”, because when consultants (and even COSO and IIA) make presentations on COSO 2013 and effective internal control, all you hear about are the principles and components.
In fact, anybody who reads COSO 2013 should have no difficulty finding this most important sentence. It’s in the section headed “Requirements for Effective Internal Control”.
This is how that section starts:
An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:
- Each of the five components of internal control and relevant principles are present and functioning
- The five components are operating together in an integrated manner
There is no mention of satisfying the requirement that the “components and relevant principles are present and functioning” until after the reference to risk being at acceptable levels.
In fact, I believe – and I know of at least one prominent COSO leader who agrees – that assessing the presence and functioning of the components and principles is secondary, provided to help with the assessment.
Let’s have a look at the very next paragraph in the section:
When a major deficiency exists with respect to the presence and functioning of a component or relevant principle or in terms of the components operating together, the organization cannot conclude that it has met the requirements for an effective system of internal control.
When you look at this with the (COSO) risk lens, this translates to the ability to assess internal control as effective, and the principles and components as present and functioning, as long as there is no deficiency in internal control that is rated as “major”.
How does COSO determine whether a deficiency is “major”? That can be found in the section, “Deficiencies in Internal Control”.
An internal control deficiency or combination of deficiencies that is severe enough to adversely affect the likelihood that the entity can achieve its objectives is referred to as a “major deficiency”.
Let’s translate this as well:
- If the adverse effect on the likelihood of achieving objective(s) is “severe”, then the risk is outside acceptable levels.
- If the risk is outside acceptable levels, not only should the related component(s) or principle(s) not be assessed as present and functioning, but internal control is not considered effective.
- When it comes to SOX compliance, a “major deficiency” translates to a “material weakness”. The objective for SOX is to file financial statements with the SEC that are free of material error or omission. The acceptable level of risk is where the likelihood of a material error or omission is less than reasonably possible.
- That means that if the deficiency is less than “major” (or “material” for SOX purposes), then the related component(s) or principle(s) can be assessed as present and functioning – and internal control can be assessed as effective.
So, the only way to assess whether the principles and components are present and functioning is to determine whether the risk to objectives (after considering any related control deficiency) is at acceptable levels.
Do you see what I mean?
Risk is at the core. Assessing the presence and functioning of components or principles without first understanding what is an acceptable level of risk to objectives is misunderstanding COSO!
Why are so many blind to this most important sentence?
I have a theory: the presentations were all prepared based on the Exposure Draft. That document failed to reference the requirement that internal control be designed to bring risk within acceptable levels. (The defect was fixed after comments were received on the issue.)
Do you have a better theory?
Can you explain the blindness of so many to the most important sentence in the entire Framework?
A new article in Singapore’s Business Times explains that when Singapore achieved its independence in 1965 (through separation from Malaysia), its attention to enterprise risk management helped it become the economic success it is today. The author says:
Mr Lee [Singapore’s Prime Minister] could arguably have contributed to the development of the ERM framework. Part I of From Third World to First: The Singapore Story, 1965-2000 reads in many areas like a primer on ERM concepts and techniques.
The article refers to the 1995 Australia/New Zealand risk management guidance, which was followed by the COSO (seen as an American publication) and ISO publications.
I like the article’s definition:
ERM can be broadly defined as managing uncertainty – both the risk and opportunity arising therefrom – to create, sustain and grow value.
In 1965, Singapore was faced by a number of grim realities. It had no natural resources; in fact, it has to import almost all its water and food. (The article talks about the lack of an ‘economic hinterland’.) At that time, Singapore had uncertain relations with its neighbors in Malaysia and Indonesia, which could have led to conflict. In its early days of independence from Great Britain (achieved in 1959), the region went through a period of communist insurgency, so civil peace could not be taken for granted. Finally, the region had a culture that included a level of corruption and bribery (coyly referred to in the article as ‘guanxi’).
Singapore’s ERM program identified three risks, according to the article:
Risk A was survival without an economic hinterland. Risk B centred on guanxi or personal relationships in business transactions. Risk C was the prevalent toleration of money politics accepted as common practice and part of the regional political culture.
Risk A arose from the uncertainty of the new nation’s survival without an economic hinterland following Singapore’s expulsion from Malaysia.
Risk B and Risk C, attributable to history and culture, threatened achievement of the strategic goals and operational objectives arising from Risk A.
The leadership team saw both Risk A and Risk B as road blocks. These risks precluded good corporate governance essential to attract foreign direct investments to support Singapore Inc’s early industrialisation goals.
Singapore’s leadership team addressed these three risks, not by always trying to limit risk but in some cases working to take advantage of opportunities.
To mitigate Risk A, the leadership team identified the opportunities presented by the uncertainty of survival without an economic hinterland.
These opportunities were channelled to business planning. A plan and strategy re-emerged, Mr Lee wrote, to “leapfrog the region”, link up with developed nations, and “create a First-World oasis in a Third-World region”.
The key operational objective was to build Singapore Inc’s own economic hinterland, bring about transformational change and prove the prognosticators wrong.
Responding to Risk B and Risk C to achieve comparative advantage in a region known for corruption, the leadership team embraced the rule of law.
Built on the legacy British legal system, the law was implemented under a culture of efficient, effective and honest enforcement.
This served to encourage the inflow of investments and to protect investors. The action comported with the ERM concept and technique to use controls, together with monitoring, as a risk response or risk treatment.
Control was in the form of laws, regulations and rules to mitigate the identified cultural risks. Monitoring came from the enforcement of rules efficiently, effectively and honestly.
This is a time when tributes to Lee Kuan Yew (the Mr. Lee referred to by the article) are flowing in. Who can dispute the success of his leadership (while recognizing the harshness of some earlier actions)?
Is it justifiable to put much of the transformation of Singapore down to risk management? The article says:
The legacy of Mr Lee and his pioneer generation of leaders in facing uncertainty with capacity, sagacity and gumption is an inspiration to managers in this endeavor.
What do you think?
Is risk management about “facing uncertainty with capacity, sagacity and gumption”?
I would like to say that the answer is “yes”, because I used to work for PwC and know many of their people – very good people.
I would also like to say “yes” because COSO has hired PwC to lead the update of their Enterprise Risk Management – Integrated Framework.
But, I cannot say that they do – at least not what is required for the fully effective management of uncertainty.
I think they understand much of the common, traditional wisdom about risk management, that managing risk is about avoiding threats as you strive to achieve your objectives.
But, I think they fail to understand that uncertainty between where you are and where you want to go contains both threats and opportunities – and managing risk is about making intelligent decisions at all levels of the organization, both to limit the effect and likelihood of bad things happening and to increase the effect and likelihood of good things.
Risk management is more than a risk appetite framework set by executives and approved by the board.
It is more than “embedding” the consideration of risk into the strategy-setting and execution processes.
It is more than enabling the board and executive management to make informed decisions, or even for division leaders to make informed decisions. Every decision, whether by executives or junior employees, creates and/or modifies risk.
No. Effective risk management is something that is (or should be) an integral part of making decisions and running the business every minute of every day, at all levels across not just the enterprise but the extended enterprise.
It’s about enabling decision-makers to take the right amount of the right risk.
What’s the point of a risk appetite statement if it is not effective in driving decisions, which occur not only in the board and executive committee rooms, but in every corner and crevice of the organization?
I am using PwC’s latest publication as the basis for this opinion. While Risk in review: Decoding uncertainty, delivering value (subtitled How leading companies use risk management to drive strategic, operational, and financial performance) makes some good points, it also misses the key point about enabling decision-makers to take the right amount of the right risk. It focuses instead on a view of risk management that is centered on a periodic review of a limited, point-in-time list of negative risks – such as those found in a heat map.
(The good point made by PwC is that risk and strategy need to be entwined, both in the setting of strategy and its execution. It is also useful to see that few organizations, just 12% in their view, have achieved PwC’s limited view of risk management leadership.)
I will let you read PwC’s ideas and limit my comments to their Five steps to risk management program leadership.
1. Create a risk appetite framework, and take an aggregated view of risk
I have no problem with the principle that the board and top management should understand and provide guidance to decision-makers so that they take the right amount of the right risk. I also agree that there are multiple sources of risk to any business objective, and that it is necessary to see the full picture of how uncertainty might affect the achievement of each objective.
But, as I said, a risk appetite framework has little value if it is not sufficiently granular so that every decision-maker knows what he or she must do if they are to take the right amount of the right risk. Few organizations have been able to translate a risk appetite statement to actionable guidance for decision-makers, even when they try to use risk tolerance statements. Risk criteria at the decision-maker level must be established that are consistent with the aggregated enterprise view, and this is exceptionally difficult in practice.
In addition, decision-makers should not be excessively inhibited from seizing opportunities or taking/retaining “negative risk” when it is justified. The focus is far too often on limiting risk, even when it is at a level that should be taken.
2. Monitor key business risks through dashboards and a common GRC technology platform
I agree that every decision-maker should know the current level of risk. But what is key is that the decision-makers have this information. While it is nice to have the risk function aware of current levels of risk, it is the decision-makers who have to act with that knowledge.
Further, why this nonsense about a “GRC technology platform”? Let’s talk about a risk management solution. I know that PwC makes a lot of money helping organizations select and then implement GRC solutions, but we are talking about risk management. Let’s focus on the technology needed for the effective management of risk by decision-makers at all levels across the organization. Integrating internal audit and policy management is far less important (IMHO).
Finally, people forget (and that includes PwC) that you need to monitor risk to each objective, not risk in isolation. Executives and managers need to receive integrated performance and risk information for each of their objectives.
3. Build a program around expanding and emerging business risk, such as third-party risk and the digital frontier
Everybody talks about risk expanding, that there is more risk today than in the past. I am not sure that is correct. Maybe we are just more attuned (which is a good thing) to thinking about risk, and certainly risk sources are becoming more complex. But is there actually more risk?
PwC talks about third-party risk, but that is not new at all. I wish they would talk about risk across the extended enterprise, which would broaden the picture some.
Technology-related business risk clearly merits everybody’s attention. It is unfortunate that insufficient resources are being applied by the majority of organizations to understanding and addressing both the potential harms and benefits of new technology.
4. Continuously strengthen your second and third lines of defense
Is there a reason we shouldn’t strengthen management’s ability to address uncertainty? (They are the so-called first line of defense.) Instead of the risk function feeding fish to management, why not train them to catch their own fish? Every decision-maker should be trained in disciplined decision-making, including the disciplined consideration of uncertainty.
Yes, the second line (risk management, compliance, information security, and so on) should be strengthened.
But, internal audit should not be limited to being seen as a “line of defense”. For a start, risk is not always something you need to defend against – often it should be actively sought as a source of value. Then, internal audit should help the organization actively take the right amount of the right risk, which it does by providing assurance that the processes for doing so are effective and by making suggestions for improvement.
I much prefer to talk about lines of offense. When you attack, you still need to be aware of IEDs, sniper positions, and mines. But the focus is on achieving success rather than avoiding failure.
5. Partner with a risk management provider to close the gap on internal competencies
Such a self-serving platitude! Yes, fill resource gaps with competent, knowledgeable professionals. But don’t hire a consultant to run periodic workshops – fill that need in-house.
Am I unfair to PwC?
Do they understand risk management and what it needs to be if an organization is to make the most of uncertainty?
We need to be tough on them if they are going to help COSO bring their ERM Framework up to the standard required for today and tomorrow – enabling better decisions so everyone takes the right level of the right risk.
I welcome your thoughts.
At least, that is what one expert has to say in a provocative piece in SC magazine.
Here are some excerpts, but I recommend you read the short article.
The author, the CEO of a software vendor of cybersecurity products, starts with these points:
…user-driven technology has progressed so rapidly that it has significantly outpaced technology’s own ability to keep data protected from misuse and guarded from cyber vulnerabilities…
A lack of reliable security is the price we’ve paid for this eruption of amazing new cloud-based services and keeping vital data out of the wrong hands is an uphill battle.
He then spells out a truth that we should all acknowledge:
Anyone who tells you that your data is secure today is lying to you. The state-of-the-art that is cybersecurity today is broken. There must be a better way. But don’t lose hope, there is.
The article then takes a new direction (at least for me):
CIOs today need to adopt an entirely new security philosophy – one that hinges on the fact that your files and information will be everywhere…
If we can build a new security approach from the ground up based on the premise that data will escape, and are then able to secure everything no matter where it is, we end up debunking the concept of the “leak” entirely.
I do agree that the traditional, exclusive, focus on preventing an intrusion cannot continue. He says:
That’s why my biggest frustration coming out of the recent Sony and Anthem hacks is companies opting for reactive solutions to fortify firewalls and secure siloed tunnels of information. For example, there was a major uptick in company-wide email-deletion policies in the wake of the Sony attack. Now that’s just dumb. Those are band-aid strategies that fail to address the heart of the problem.
He continues to press his point:
Maintaining a level of security in a boundaryless world means security and policy follow exactly what you’re trying to protect in the first place — the data…
Usable security, where users can choose how they want to access, store and share data, can only be made possible by providing a seamless user experience, so security is integrated into the daily work of everyone. A great user experience is one major obstacle security vendors (and arguably, all enterprise services) have yet to conquer. If we can do it, we will move away from panic-inducing scare tactics used to encourage adoption, and instead empower users with a solution they actually like to secure data…
In order to be a security company, enterprises need to rethink a few things. First, users have to be in control of their data at any given point in time and should be able to revoke access when they want by utilizing familiar technology. They should have complete peace of mind that their data truly stays theirs. Second, in a cloud and mobile world there are no real controlled end-points anymore, unless we want to take a step back into the stone ages. And third, the firewall model is broken and trying to extend the perimeter out simply doesn’t work anymore. It’s about protecting the information, wherever it is, and not about locking everything down where it’s hard to access, use and share for your employees and partners.
So he is presenting a new cybersecurity world where the security follows the data, using encryption and other methods.
I think that is something that every organization should consider – especially encryption.
But is it enough?
For a start, how secure is encryption in the face of the sophisticated attacker? Maybe it is reasonably secure now, but we cannot be sure it will remain secure. Consider how encryption was broken by researchers, with the story told in this 2013 article.
I think you need at least three levels of protection: prevention, encryption, and detection, followed by response.
We can no longer assume that the bad guys cannot get in, and I am reluctant to assume that my encryption will not be broken if they have time.
So, we need the ability to detect any intruders promptly – so we can shut them down and limit any damage.
Too few have sufficient detection in place. Just look how long hackers were inside JP Morgan, and then how long it took the company to expel them!
I welcome your views.
I have been a big fan of the Open Compliance and Ethics Group for many years (since well before they honored me as a Fellow).
OCEG is a not-for-profit organization that focuses on “principled performance”, which they define as “a point of view and approach that helps organizations reliably achieve objectives while addressing uncertainty (both risk and reward) and acting with integrity (honoring both mandatory commitments and voluntary promises)”.
One of the reasons I continually recommend OCEG is that it is a great source of information and guidance, much of it free. In fact, individual membership is also free.
There’s a lot to like in the illustration.
For example, it emphasizes the need to monitor changes in privacy requirements everywhere the organization currently operates – and where it plans to operate. This needs to be communicated to operating management, who needs to limit the collection and storage of potentially private or confidential information to what is necessary to run the business.
It also tells us that we need to understand privacy risks and ensure we have controls in place commensurate with and appropriate to managing those risks.
It’s impossible to capture in a single page diagram everything that is critical to managing privacy risk and remaining in compliance. One point I would make is that the organization needs to assign responsibility for monitoring and communicating compliance requirements (including not only regulatory but societal requirements) to operating management. The diagram assumes a “privacy team”, but sometimes it just takes one expert. It is critical that the assigned individual has the time to serve as the expert and is sufficiently integrated with management operations to be able to provide timely input before management violates a regulation or damages reputation by exceeding what the local community will tolerate.
At one of my former companies, a mid-level attorney was tasked with handling privacy compliance matters. While he understood the laws and regulations, he was busy on other matters and very reluctant to insert himself into situations when my audit team found non-compliance issues. He was neither proactively ensuring management complied with EU regulations, nor assertive when non-compliance was detected.
I learned the lesson that those charged with being the privacy expert (and the same applies to any compliance expert) need to have a level of passion for the topic and the desire to prevent issues as well as defend the company when it fails to comply.
I would also consider the issue of how private and confidential information is held within the organization. It’s not enough to limit employee access; the information needs to be protected from intruders, generally through encryption.
What do you think of the illustration? What would you add?
Last week, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40-50 board members very actively involved – because this is a hot topic for boards.
I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.
The set of questions can also be used by executive management, risk professionals, or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.
This is my list.
- How do you identify and assess cyber-related risks?
- Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk, and so on) and not just “IT-risk”?
- How do you evaluate the risk to know whether it is too high?
- How do you decide what actions to take and how much resource to allocate?
- How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
- How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
- Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
- How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
- Can you respond appropriately at speed?
- What procedures are in place to notify you, and then the board, in the event of a breach?
- Who has responsibility for cybersecurity and do they have the access they need to senior management?
- Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?
I am interested in your comments on the list, how it can be improved, and how useful it is – and to whom.
I am interested in the topic of “leadership”. I have chosen to define it in terms of whether people willingly follow (or stay with) an individual.
While others identify as effective leaders those who have been at the helm of successful organizations, in my experience leaders are not limited to those whose organizations succeed. CEOs with poor leadership skills have seen their organization excel – perhaps by luck or the ability of others within the organization. CEOs with excellent leadership skills have seen their organizations fail, through no fault of their own.
I have had the pleasant experience of working with several that I would call effective leaders. These are people I would willingly follow.
But, they are all different. They have different qualities, each of which has made me want to work with and for them.
Is that your experience?
What has made you want to stay with or follow a leader?