How well did COSO address comments on the ERM draft?

September 22, 2017 8 comments

Last July, I submitted written comments and suggestions to COSO on the draft of the ERM framework update.

In this post, I remind you of those comments and discuss (see Comment) how well they have been addressed in the final edition. (At the time, I discussed them with several people involved in the update, who all agreed they had merit. However, I got the impression they were reluctant to make the sort of major change I was asking for, saying that COSO might follow the updated framework with thought papers.)

The COSO update has an appendix where they talk about their response to comments. Unfortunately, most of my comments are not addressed in that section.

I will share in a later post my assessment of the final product based on a set of questions that I encourage you to consider. Please join the conversation and share your assessment of the value of the ERM framework update here.


July, 2016

There’s a lot to like in the update, which in many respects I consider an upgrade.

In fact, I would describe this document as having the potential for a ‘leap forward’, not just a step. It’s more than an ‘upgrade’.

However, it is not yet there. I believe another significant leap forward is required, and this can be delivered through careful and thoughtful consideration of the comments COSO receives on the Exposure Draft (ED) – followed by action to address them.

I believe that while PwC and the COSO Board and its advisors have clearly stepped back and taking a big picture look at its ERM guidance, a second step back and another look at the essentials of risk management should be taken to consider whether the guidance is truly achieving its potential.

What is that potential? It is to transform how organizations are run, from the setting of the mission, objectives, strategies and plans to the daily operation of the business: how it performs in practice through intelligent and informed decision-making at levels of the extended enterprise.

As is said in the Introduction:

“The value of an entity is largely determined by the decisions that management makes—from overall strategy decisions through to day-to-day decisions. Those decisions can determine whether value is created, preserved, realized, or eroded.”

In its ideal state, the management of risk is part of the rhythm of the business[1], entwined[2] into every business process and decision at all levels across the extended enterprise. It is no longer a compliance activity, but an essential ingredient in the success of the organization. It is not limited to avoiding harms, but also encompasses determining when the ability to reap a reward justifies taking the risk of harm.

Comment: COSO has gone a long way to see risk management “entwined” into every business process. However, they have done little IMHO to explain how it is part of decision-making and they have not addressed decisions and actions in the extended enterprise.

They say that an ethical person does the right thing when nobody is watching. Effective risk management is present when there is reasonable assurance that every decision-maker, from the board down to the front-lines, will make the ‘right’ decision without a risk officer present.

Comment: This important concept appears to be missing – that we need reasonable assurance that decision-makers are taking the right risk. Risk appetite is a way to identify after the fact whether too much risk has been taken. It only works proactively when each decision-maker knows which risks to take and I don’t believe that is sufficiently covered in their discussions of risk appetite and tolerance.

In fact, in an ideal world, people don’t think about risk management – it’s simply effective management.

Although the Foreword says (more than implies) that the earlier version had been broadly accepted and should be considered a success, that comment is highly questionable.

Surveys have shown that the ISO 31000:2009 global risk management has been adopted more often in recent years than the COSO ERM Integrated Framework. Many have taken the best of both to develop their own framework, and many experienced risk practitioners and thought leaders have dismissed the COSO product entirely.

Other surveys, notably by Deloitte[3], have found a huge disconnect between those leading risk management and the executives and directors who should be obtaining value from it. Only a small percentage said that risk management had made a significant contribution to their setting and execution of strategies.

There are several reasons for this. They include:

  • Creating the perception that the consideration of risk is something separate from the activity of managing the organization; as the ED says, it should be an integral element in decision-making every day at all levels of the organization

Comment: COSO has made efforts to address this. But the lack of discussion on decision-making and the continuing focus on a risk profile (which they admit is simply a list of risks, a.k.a. a risk register) will likely inhibit meaningful progress. The key point here is that organizations have been managing risk for centuries, often with success, without a formal program or office. As Alex Sidorenko says, talking about ‘risk management’ instead of effective management can actually inhibit a constructive discussion, because the ‘r’ word has a negative connotation in the minds of executives and because it appears to be something different from effective management when in fact it is not. Good managers manage risk all the time; they anticipate what might happen and deal with it; effective boards insist on discussions of what might happen and related scenarios as part of their strategy-setting and performance review discussions.

  • A focus that is restricted to the potential negative effects of uncertainty, considered at intervals rather than continuously

Comment: The need for continuous risk discussions is included, but it is still focused on potential negative effects.

  • A disconnect with management who are looking to enhance performance and deliver value, not just avoid failure

Comment: The update talks about performance but not how to assess the likelihood of achieving strategies and objectives and therefore enable actions to increase the likelihood and extent of success.

  • Reporting risks rather than the likelihood and extent that objectives will be achieved

Comment: This is a major issue that is not effectively addressed.

  • Communicating in a language different from that of the business. This inhibits management’s ability to not only understand at an intellectual level that the management of risk can help them be more effective as managers and successful as business leaders, but actually believe it

Comment: See prior comments.

  • An expressed desire, fueled by regulators and the concept of risk appetite, to ‘manage’ or ‘mitigate’ risk when in real life risk needs to be taken

Comment: I do not see how the update will constructively influence regulators.

  • Failing to understand that events and situations (requiring decisions and choices) create the potential for not just one but multiple effects – both negative and positive effects are likely every time a decision is made or an event or situation presents itself. All potential effects of a decision need to be assessed, generally in the same way, to understand the potential rewards and harms, understand and evaluate options, and consider what should be done to improve the likelihood and extent of success

Comment: This is a major gap in the update.

First, I want to congratulate the Board, its advisors, and PwC for progress on a number of fronts. They include (not in any particular order):

  • Emphasizing that risk management is about addressing the uncertainty that lies between where we are and where we want to be (although not in that language)
  • Restating that risk management is about achieving objectives. This was also in the prior version, but is repeated and emphasized for the great majority that did not see it in the 2004 edition
  • Making the point (I see Jim DeLoach’s influence) that risk management is not about the periodic review of a list of risks (i.e., enterprise list management)
  • Talking about the need to consider what might happen in the future when setting strategies and objectives
  • Restating that decisions need to be made based on an evaluation of both the potentially positive and negative effects of uncertainty
  • Introducing a discussion of risk culture
  • Using the word “anticipate”, which I think is a highly descriptive way to explain what risk management is all about

These are points made in the Executive Summary.

Comment: We should not forget that the update is an improvement on the 2004 version.

I have developed a set of 12 questions to assist in the evaluation of the Exposure Draft and whether it will move the practice of effective management as far forward as it can and should.

Comment: I wonder whether PwC used the set of questions.

My comments are at this 50,000 foot level. They affect much of the detail and I hope the COSO Board and advisors, assisted by PwC, will consider them and then apply them to the detailed content.


Final thoughts and suggestions

As I said at the beginning of this response, the ED is an upgrade and has some valuable content. The ideas and aspirations laid out in the Executive Summary are, for the most part, excellent.

However, I have problems that I believe are significant.

  1. The ED continues the focus on harms. There is a huge difference between opportunities (such as the opportunity to take advantage of a competitor’s stumble) and recognizing that any situation, event, decision, or choice can have multiple effects on achieving objectives: some positive as well as some adverse. All have to be assessed and evaluated, not just the harms.

Comment: The executive summary may say that there are multiple potential effects, both positive and negative, but the body talks almost exclusively about harms. There is no discussion of the need to identify, assess, and evaluate all potential effects.

  1. The ED continues to focus on a list of risks. While it talks about decision-making and makes the point that risk management informs decision-making, it is more than that. Every decision is a risk decision. Every decision is about understanding the current situation, what is expected to happen, whether that is acceptable, what options are available, and then making informed choices. That is risk management as well as effective management. It is not just risk-informed decision-making. The best way to improve the management of risk is to improve the decision-making process and capability. If the framework could provide a structured process for decision-making, that would make it both practical and of immense value. Instead, it pays scant attention and continues to talk about generating and maintaining lists of risks.

Comment: The framework body focuses on a risk profile (the same thing as a list of risks, just different language), risk appetite, and so on. There is no discussion of how to weigh all the possibilities, the ranges of good and bad potential effects, to come to an intelligent decision. While the update talks about decision-making, this is absent from the principles and I see no related guidance.

  1. The idea that you can aggregate all risks into a risk profile is alarming. You simply cannot do that and expect to be successful. The potential for each objective to be achieved must be managed individually as well as collectively. Compliance risk should not be aggregated with reputation or financial risk. In fact, there is danger in aggregating different forms of compliance risk; compliance risk in aggregate may appear to be at an acceptable level while the company is significantly in breach of specific regulations or laws.

Comment: This misguided guidance remains prominent.

  1. Finally, and most important of all, risk management is really about anticipating what might happen that would affect your journey from where you are to where you want to be. The COSO Board needs to reconsider how it describes terms like uncertainty, risk, and risk management with this in mind. Good decisions come from understanding what might happen, all possible effects, then making informed, intelligent choices.

Comment: Unfortunately, I do not see sufficient progress. While talking about performance is progress, there is insufficient attention to assessing the likelihood of achieving objectives or on decision-making.

I have pointed out other areas for improvement, such as an expanded discussion and guidance on board oversight, and a major overhaul of the thinking around risk appetite and tolerance. But these are the most crucial issues.

A couple of closing suggestions:

  1. Expand the Advisory Board to include practitioners from around the world, especially from nations where the practice of risk management is more advanced than in the US. Grant Purdy, John Fraser, Richard Anderson, and Martin Davies would be excellent additions.

Comment: While some expert advisors were present (notably, Carol Fox), I wish COSO had brought more thought leaders into the process.

  1. Consider, where possible, the use of plain English instead of technical jargon. This would make the guidance clearer to executives and board members. Talk about optimizing outcomes, achieving success, and so on – the language of the business.

Comment: See prior comments.

There is an opportunity to make a huge leap forward, providing a beacon for world-class risk management, or should I say effective management.

That will require a further step back, a deep breath, a willingness to accept the need for change, the courage to make a huge departure from traditional thinking (which has proven to be failing us), and action.

It is better to take longer to think this through, make the changes thoughtfully, than to tinker with the ED. That, I suggest, will not be sufficient.



Final comment: My impression is that COSO only tinkered with the draft. I understand that they are considering further work, thought papers or similar, that will build on the framework and address some of the points above.

But, have they made a “leap forward”? Have they done enough to move practices forward, in the right direction? Did they want to make that leap forward, or were they too risk averse?

Will this update change the percentage of executives answering the piercing question by Deloitte, “Does risk management support, at a high level, the ability to develop and execute business strategies”, up from 13% close to 80%?

What do you think?


[1] “Drive business results by harnessing uncertainty”, EY February, 2015

[2] A great word, far better than ‘integrated’ or ‘embedded’, used by PwC in Risk in review: Going the distance, 2016

[3] Exploring Strategic Risk reported that “Only 13% of [C-level] respondents believe their risk management processes support, at a high level, the ability to develop and execute business strategies”


Which are the best principles for effective risk management?

September 15, 2017 16 comments

As we get to know COSO’s updated risk management framework, a good place to start is by examining the 20 principles around which it is built.

While the executive summary talks in a principled manner about the management of risk, the framework is essentially a discussion of each of its 20 principles.

The COSO principles are:

  1. Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.

  2. Establishes Operating Structures—The organization establishes operating structures in the pursuit of strategy and business objectives.

  3. Defines Desired Culture—The organization defines the desired behaviors that characterize the entity’s desired culture.

  4. Demonstrates Commitment to Core Values—The organization demonstrates a commitment to the entity’s core values.

  5. Attracts, Develops, and Retains Capable Individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.

  6. Analyzes Business Context—The organization considers potential effects of business context on risk profile.

  7. Defines Risk Appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.

  8. Evaluates Alternative Strategies—The organization evaluates alternative strategies and potential impact on risk profile.

  9. Formulates Business Objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.

  10. Identifies Risk—The organization identifies risk that impacts the performance of strategy and business objectives.

  11. Assesses Severity of Risk—The organization assesses the severity of risk.

  12. Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.

  13. Implements Risk Responses—The organization identifies and selects risk responses.

  14. Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.

  15. Assesses Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.

  16. Reviews Risk and Performance—The organization reviews entity performance and considers risk.

  17. Pursues Improvement in Enterprise Risk Management—The organization pursues improvement of enterprise risk management.

  18. Leverages Information Systems—The organization leverages the entity’s information and technology systems to support enterprise risk management.

  19. Communicates Risk Information—The organization uses communication channels to support enterprise risk management.

  20. Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.

There is no doubt in my mind that all of these are good practices.


  • Are they essential to effective risk management? Or are they simply essential to any organization that strives to achieve results? Are they simply attributes of any well-run organization? In fact, are they all the attributes of a well-run organization? Where are the principles relating to decision-making? Certainly, establishing objectives and an organizational structure, or hiring good people, do not seem attributes specific to risk management – although it is difficult to understand the risks to objectives if your objectives are not defined.
  • Does achieving these principles indicate that the risk management is effective? I will provide my assessment of the COSO update in a later post. However, these principles are not written in a way that sets the bar very high. It is possible to believe you have achieved these principles while the board and top management see little value being derived from their investment of time and resources into risk management.
  • Are these principles as useful as those from other guidance?

In World-Class Risk Management, I included the following table. It lists the 11 ISO 31000:2009 principles and my revised list of 6.

Principles in ISO 31000:2009 Norman’s Revised Principles
a.      Risk management creates and protects value. 1:     Risk management enables management to make intelligent decisions when setting strategy, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
b.      Risk management is an integral part of the organizational procedure. Not needed as I would include it in #1.
c.      Risk management is part of decision making. Not needed as I would include it in #1.
d.      Risk management explicitly addresses uncertainty. 2:     Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
e.      Risk management is systematic, structured and timely. 3:     Risk management is systematic and structured. (Timeliness is covered in my #2.)
f.       Risk management is based on the best available information. Not needed, covered by my #2
g.      Risk management is tailored. 4:     Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
h.      Risk management takes human and cultural factors into account. 5:     Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.
i.       Risk management is transparent and inclusive. I would not include this as a principle.
j.       Risk management is dynamic, iterative and responsive to change. 6:     Risk management is dynamic, iterative and responsive to change.
k.      Risk management facilitates continual improvement and enhancement of the organization. I would not include this as a principle. It is covered by my #4 and management should always be looking to continually improve, so this is not a distinguishing feature of risk management.


I will let you decide which is the best set of principles: which is clearer in setting expectations for the effective management of risk and which is better as a basis for assessing the maturity of risk management. (Hint: I think my list is not only better but more succinct, relevant, and acctionable.)

Comments welcome!

Is the COSO ERM Update a success or failure?

September 9, 2017 8 comments

A few days ago, COSO published an update to their 2004 ERM Framework. The product, retitled Enterprise Risk Management: Integrating with Strategy and Performance, is available from the AICPA or IIA – see here for the links.

This is their news release, dated September 6. It asserts that:

“The updated edition is designed to help organizations create, preserve, and realize value while improving their approach to managing risk.”

Has it achieved that goal? Or has it failed?

Will it advance practices or has it fallen short of leading thinking?

I am in the process of a careful review of the product and will share the results later.

But I encourage all of you to not only review it but answer my question (is it a success or failure) using a set of questions I shared in June 2016 on this site – upgraded with a few clarifications and couple of additions (at the end).

Even if you don’t provide your own assessment (for whatever reason), consider subscribing or returning to see how others have commented on the product.

My ask is that you assess the updated Framework by rating each of these 14 questions on a scale of 1-10 (10 being perfect). When you rate, consider whether the COSO discussion provides practical guidance or just makes a theoretical point. Will the guidance help organizations actually achieve the principle or point being made?

Then provide your overall pass/fail.

Here are the assessment questions.

  1. Does the draft provide useful guidance that will help leaders of the organization define the mission, objectives, strategies, and plans that will deliver optimal value to stakeholders?
    • If the mission is not optimal, it is unlikely that the objectives will be
    • If the objectives are not optimal, it is unlikely that strategies to achieve them will be
    • …and so on
    • In order to set the optimal mission, objectives, strategies, and plans, leaders need to consider all the possibilities. They need to be able to obtain as clear a view as possible of potential opportunities and harms for all potential options. Their assessment of what might lie ahead, and how it might affect their journey, needs to be performed in a structured fashion – both opportunities and harms – and a reasonable judgment made that takes all of the potential effects of uncertainty into account
    • It is not sufficient to say that you have considered all the options (possibilities) for mission, objectives, strategies, and plans. The processes where those are selected have to involve the right people, consider all the available useful information (which is reliable, timely, and up-to-date), and more – in other words, the risk of setting a wrong or sub-optimal mission, objective, or strategy, has to be at acceptable levels.
    • Organizations need to periodically review their mission and change it as conditions change. Think of Intel, Microsoft, HP, Apple and more
  2. Does the draft provide useful guidance when it comes to executing against the defined mission, objectives, strategies, and plans? Is there sufficient guidance on effective decision-making, and will it move the practice of risk management away from only reviewing, periodically, a list of risks? Will it lead to organizations practicing risk management continuously?
    • The Executive Summary makes the points that risk management must be continuous, enable effective decision-making, and be more than the review of a list of risks
    • But, does the detail of the framework deliver on those promises?
    • As COSO says in their Executive Summary, execution and the optimization of performance rely on decisions that are made not only by leaders in establishing the goals and objectives of the organization, but by managers at every level of the organization every day
    • In order to make good decisions, people need to consider all the potential consequences of the choices they make. Those include not only the harms but also the rewards that may occur. The consideration needs to be structured and based on useful, timely, current, and reliable information
    • Also as COSO says, risk management needs to be an essential part of running the organization and delivering performance. It should not be separate. Does the guidance enable organizations to manage risk as part of the rhythm of the business? Does it help management entwine the consideration of risk into every business process?
  3. Will the guidance still lead people to only identify, assess, and address potential harms? Will risk reporting still be focused on the level of risk rather than the likelihood of achieving each objective?
    • COSO says the consideration of both harms and rewards (in their language, ‘risks’ and ‘opportunities’) is essential if risk management is to be effective
    • While that is essentially what the prior version said, its language focused almost entirely on ‘risk’ and arguably this has led to most organizations only managing potential harms
    • Most organizations limit risk reporting to a list of risks and their level. But if it’s really about achieving objectives, shouldn’t reporting be about whether each objective is likely to be achieved, exceeded, or missed? It should not be limited to an assessment of potential harms
  4. Does the guidance explain clearly and help decision-makers understand and then evaluate all the potential effects of uncertainty?
    • Some look at ‘opportunity’ as the positive side and ‘risk’ as the negative. But, most situations and certainly most decisions have multiple potential consequences. It’s not just reward or just harm, usually it’s both. For example, when you decide to overtake another car on the freeway, there is potential to go faster as well as the potential for a crash. Only by understanding and then weighing all the potential consequences can a good decision be made. As another example, when you purchase a hotel while playing Monopoly, you create the opportunity to obtain rent (and this requires considering the size of that gain and its likelihood) as well as increase the potential to go bankrupt if you land on another’s property and have to pay rent
    • Some assess the ‘level’ of risk as a point – a level of impact and the likelihood of that impact. However, there is almost always a range of potential impacts, each with its separate likelihood. For example, if the organization decides to reduce the price of its products, sales could (a) increase by 10%; (b) increase by 20%; (c) remain the same; (d) change by another percentage. All of these possibilities have different likelihoods. If you wanted to plot the ‘level of risk’, it would be a range or a curve on the chart and not a point
    • The actions and decisions of one affect many. Is the guidance sufficient on this point?
    • Many define the level of risk based on the amount of impact multiplied by its likelihood. But then a 5% likelihood of a $200 loss is the same as a 50% likelihood of a $20 loss. One may be acceptable but the other not. Does COSO discourage the assessment of risk based on this simplistic calculation?
  5. Will the update provide decision-makers with the structure/process they need to decide whether to ‘take the risk’ because of the potential for reward?
    • In real life, people have to ‘balance’ risk and reward
    • Will the guidance provide a disciplined process for identifying and evaluating all the potential effects of each option and only then making an informed decision? Or does it only consider and provide guidance on assessing harms?
    • For example, if the potential for loss is assessed as between $50 (20% likelihood) and $100 (5% likelihood), should a manager ‘take the risk’ when the potential for gain is between $50 (20%) and $250 (5%)?
  6. Will the update lead to providing decision-makers with the guidance they need if they are to make the decisions management and the board want them to make?
    • The great majority of organizations who have a ‘risk appetite statement’ at the entity level have not been able to cascade it down in a way that enables those making the decisions in real life to know what is necessary
    • Different conditions (e.g., whether there is huge public scrutiny, whether the organization is likely to exceed or miss its earnings targets) can lead to executives wanting to change the risk decisions that are made
    • It’s one thing to say that you need to avoid exceeding defined risk limits, but when the reward is high it may be appropriate to take that risk. Does the guidance enable agile decision-making that considers changes in the environment?
  7. Does the update provide sufficient guidance on how to assess and then correct, as necessary, the culture of the organization?
    • It is encouraging that this is now included. Is it sufficient?
  8. Does the update provide sufficient guidance on each stage of the risk management process, including identifying, assessing, evaluating, and treating risk and opportunity? Does it provide sufficient guidance on communications and monitoring, including continuous improvement?
    • There is more to assessing risk (good and bad) than impact and likelihood. Other considerations include duration, speed of onset, and more
    • Many use models. Is this covered sufficiently?
  9. Is the updated COSO guidance on risk appetite and risk tolerance useful? Does it mirror and enable effective decision-making in real life? Does the guidance help to establish not only the upper limit of ‘risk’ that should be taken, but the lower level as well?
    • If organizations don’t ‘take risk’ they will not survive. It is dangerous to be too risk averse
    • How does an organization establish the minimum level as well as the maximum?
    • Does COSO provide sufficient guidance on how to assess both the upside and the downside?
    • Does the updated guidance help people ‘balance’ risk and reward, knowing when to ‘take the risk’? Or does it lead people to evaluate whether the level of harm is acceptable without considering the level of benefit? Does COSO guide people to consider the potential effect on strategies and objectives, or only to assess risk based on some out-of-context measure?
    • The COSO definition of risk appetite in the current framework talks about an amount of risk. Sometimes risk appetite is expressed in terms like “we have no tolerance for this risk”
    • However, in real life people make decisions based not only on the ‘amount’ of risk (harm) but the likelihood of that amount of risk. For example, I might accept a 2% possibility of losing $100 but not a 20% possibility
    • A generic statement like “we have no tolerance for this risk” does not help real life decision-making. While no organization will state a level at which loss of life is acceptable, in many industries the only way to get to zero likelihood is to exit the business
    • What is an acceptable level of variation from objectives? If you set an objective of 10% growth but are willing to accept 5% growth, 5% is your true objective. Alternatively, your objective may remain 10% but you will accept a 7% chance that it will be reduced to 5%
    • Is the ISO 31000:2009 term ‘risk criteria’ better, especially as it can be applied to individual decisions?
  10. Will it be possible to assess the effectiveness of risk management in practice using the updated version?
    • Any assessment should be based on whether the management of risk helps people establish the optimal vision, objectives, strategies, and plans, make better decisions and, as a result, increase the likelihood of achieving objectives
    • Any assessment should identify the areas where the risk of failure in identifying, assessing, evaluating, or taking action to address risk is higher than desired
    • If the assessment is against principles, are those in the COSO draft as good or better than those in ISO 31000:2009?
    • Is all the COSO principles are present and functioning, does that mean that risk management is effective? If one or more are not present, does that mean that risk management is without doubt ineffective?
  11. Will the guidance provide sufficient guidance to enable the board and/or a committee of the board to provide effective oversight?
    • Is the guidance as good as that in South Africa’s King IV Exposure Draft?
  12. Is the updated document consumable? Is it too long? Will it be read, understood, and acted on by all levels of the organization?
  13. Will the updated product help the busy executive or board member understand what risk management is all about, that it is not simply a compliance exercise but can improve the likelihood of quality decisions and the achievement of the right objectives?
  14. Is the 2017 product a sharp improvement on the 2004 version?
    • Are the changes and additions an improvement?
    • Does the updated Framework represent leading thinking?
    • Will it help move practices around the world to greater levels of maturity and effectiveness?
    • Is it better than the ISO 31000:2009 global risk management standard and other guidance that has been provided by regulators, national corporate governance codes, and so on?
    • Would you recommend an executive, board member, or practitioner buying the updated Framework? Or, should they buy my book?

How good is your chief risk officer?

September 2, 2017 5 comments

My best-selling book, World-Class Risk Management, describes how risk management can enable better decision-making, from strategy-setting to execution, and make a significant contribution to the success of any organization.

But how do you assess the leader of risk management within your organization?

Here are some attributes I consider critical. They tend to overlap but offer different ways of thinking about the individual and their team. They are not necessarily in order of importance; I leave the prioritization to you.

  1. Dedicated to helping the organization to succeed rather than simply avoid failures. (This should be the perception of others, not just the risk officer.)
  2. Has a deep understanding of the business, how it delivers value, is organized, makes decisions, and is run
  3. Seen as a trusted and valuable partner (not police) by the management team at all levels
  4. Listens, especially before speaking
  5. Looks to enable management to identify, assess, and evaluate risk rather than being the authority themselves
  6. Constructive and has good ideas
  7. Willing to recommend taking more ‘risk’ where appropriate for the business
  8. Helps everybody consider all the things that might happen, the multiple effects (positive and negative) that might flow from an event or situation, so they can make the best decisions for the organization
  9. Communicates effectively and is persuasive when appropriate and necessary
  10. Speaks well with and to authority
  11. An effective facilitator of discussions, especially across multiple groups
  12. Helps everybody understand how to identify, assess, evaluate, and respond to what might happen (risk)
  13. Seen as helping each executive, manager, and team succeed through informed and intelligent decision-making
  14. Enables an effective discussion around strategy, the setting of objectives, the management of major projects, and other key matters – either in person or by ensuring effective processes and methods are in place for managing the effects of uncertainty: what might happen (risk)
  15. Avoids enterprise list management and provides actionable, useful information to leaders of the organization that helps them understand the likelihood of achieving each of their objectives – in other words, not simply managing the so-called ‘top risks’ out of context
  16. Ensures that decision-makers have useful guidance on which risks to take
  17. A leader
  18. Works effectively with internal audit
  19. A potential leader of a business operation
  20. Objective and able to speak out as an independent voice when necessary and appropriate

Technical risk management expertise is not one of my top 20 attributes. Certainly it is valuable, but should it rate higher than any of the above?

What have I missed?

With which items do you disagree?

I welcome your comments.


PS – This is a review of my book from an experienced CRO:

Norman Marks’ latest book “World-Class Risk Management” (2015) is a must read for anyone interested in this evolving topic. It will appeal to the beginner as it leads one from the basics through the various concepts and techniques, while it challenges the most serious practitioner to re-evaluate what they do and why. The academic will also benefit from using this book because of the exhaustive references to some of the best source material on this topic. Norman challenges many stereotypical and clichéd views on risk management, but keeps coming back to simple, easy to understand concepts. He captures the essence of his thinking in “The management of risk is an essential element in successful management.” (page 13). This book makes you think, yet it is written in a lucid and friendly style. His thinking on ‘risk appetite’ challenges some ‘sacred cows’ held by many, but will help those who have struggled with this concept to find better ways of approaching this controversial subject. I wish he had written more on risk workshops but that may be another book someday. Well done, Norman, and thank you for sharing your experience, research and thinking.


A conversation about risk with a CEO

August 27, 2017 6 comments

This last week, I was privileged to share a trans-Atlantic flight with the chancellor of one of the top universities in Europe.

The time passed much more quickly than usual, especially when I was able to talk to him about risk management and how (IMHO) it should be practiced – in a way that focuses on achieving success rather than avoiding failure.

I had told him that I was returning from leading a 3-day training course on risk management and other topics. This interested him, but initially more from an academic than a practical perspective.

He asked me about the latest thinking on risk management. Of course, I was only too happy to share with him my view that it should focus on helping people make informed and intelligent decisions, knowing which risks to take, and helping them achieve objectives. I told him that most risk management functions focus on managing lists of risks, which only helps organizations avoid failure rather than achieve success.

That changed his tone and interest from academic to practical.

The chancellor was concerned about a major project, the building of a new hospital on campus. The university’s CFO was responsible for the building. But while he was a fine CFO with a bright future, he had not yet earned the chancellor’s confidence that he could complete a major building project on time, within budget.

The chancellor shifted his position in his seat to give me his full attention.

He explained that he wanted to help the CFO. But he wasn’t an expert on building projects either.

When I said that, in his shoes, I would ask the CFO to talk about what needed to go right for the project to succeed and what he was doing about it, he thought that was excellent. It’s such a better question than ‘what might go wrong’.

Identify what needs to go right, make sure resources and tasks are identified to make it happen, consider potential obstacles, then act and continuously monitor. (We had an interesting few minutes talking about the need to monitor progress and what still lay ahead.)

We got to the heart of the problem when I asked him whether the CFO was the right man to lead the project.

He was uncomfortable answering this. I think it was because he had doubts, didn’t know how to address them, and did not want to infer that the CFO was less than excellent at his day job. But he clearly had doubts and I left him thinking about how he could help (by asking questions rather than stepping) and whether he needed to hire a specialist project manager.

Our conversation lasted more than an hour – and we barely used the “r” word (risk) at all.

We talked about the effective management of the project, considering what might happen (things we want to happen and things we would prefer not to happen), assessing whether that would be acceptable, and what needed to be done to improve the likelihood of success.

When we parted, he said he was very grateful and had a lot to think about before he returned home.

At this point, I am convinced that the way to have a risk discussion with an executive is to leave the “r” word out of the conversation. (I would make an exception where the executive truly understands what risk management is about, but even in financial services most think of risk as something to avoid or mitigate.)

Focus on helping the organization succeed instead of avoiding failure.

This requires a change in attitude and orientation by the risk practitioner, and it has to come from the heart more than the head.

Do you think this would work for you?

After all, risk management is simply effective management. The “r” word is too often a turn off for executives and misunderstood by board members. So let’s try to avoid using it and have a constructive conversation about success.

I would appreciate your thoughts on this short video.

Wells Fargo and KPMG – did KPMG fail the investors?

August 19, 2017 13 comments

My friend Francine McKenna recently had a piece (she is co-author) published by MarketWatch.

Where was KPMG, Wells Fargo’s auditor, while the funny business was going on? Is scathing in its discussion of the role played by KPMG.

I doubt that anybody would speak up in active support of KPMG, but is it fair to blame them and say they have failed investors?

This is how MarketWatch described the underlying fiasco:

The record of management failures at Wells started with revelations last year that millions of accounts had been opened illicitly. It got longer after the admission last month that the bank had also forced unneeded auto insurance on customers and neglected to refund optional guaranteed asset protection, so-called GAP, coverage for auto loan borrowers.

Politicians and regulators see the misbehavior as a pattern that should have been caught — and stopped. And there have been consequences for the bank. One CEO was forced to step down and forfeit millions of dollars in incentive compensation. Thousands of workers, including several executives, have been fired. Most recently the bank reshuffled its board, replacing its chairman and adjusting board committee memberships including on its audit and examination committee.

However, the authors continue:

But external auditors should serve as another line of defense. Each year, auditors offer an opinion on whether their clients’ financial statements are truthful. To do so, the auditors have to determine whether they have enough confidence in the company’s internal controls to offer that blessing.

In November, KPMG was questioned by a Senate committee. MarketWatch reports:

KPMG’s response to the senators in November acknowledged that its audits of Wells Fargo’s financial statements included procedures to identify instances of unethical and illegal conduct.

Those procedures included interviews with the company’s chief auditor, members of the bank’s Corporate Investigations Unit, bank financial executives, and attorneys inside and outside the bank, the auditor wrote. KPMG also reviews regulatory reports and reporting to executive management, the audit committee and the rest of the board from the chief compliance officer regarding investigations that related to accounting, internal accounting controls, auditing, and whistleblower claims and claims of retaliation.

KPMG wrote it did become aware, as early as 2013, of “instances of unethical and illegal conduct by Wells Fargo employees, including incidents involving these improper sales practices.” But the firm said it was “satisfied that the appropriate members of management were fully informed with respect to such conduct.”

Yet the auditor said nothing about these issues to investors, either in its audit opinion, its opinion on the bank’s internal controls, or elsewhere.

Instead, KPMG told the senators, its view is that “not every illegal act has a meaningful impact on a company’s financial statements or its system of internal controls over financial reporting. From the facts developed to date, including those set out in the CFPB settlement, the misconduct described did not implicate any key control over financial reporting and the amounts reportedly involved did not significantly impact the bank’s financial statements.”

The MarketWatch article is accurate but is it fair?

Sorry, Francine, it is not.

What is omitted from the article is that:

  1. The external auditors are engaged to audit and provide opinions on (a) the financial statements and (b) the system of internal control over financial reporting.
  2. The external auditors are obliged to assert in their audit report (included on Form 10K) whether the financial statements are free from material error and whether the system of internal control provides reasonable assurance that material errors will be prevented or detected.
  3. When it comes to fraud, the PCAOB’s Standard Number 5 directs the external auditor to consider only fraud that might lead to a material error in the financial statements.
  4. The external auditor’s responsibility beyond that is to disclose significant matters to the audit committee of the board.
  5. There is no requirement that the external auditor share any issues unrelated to material errors in the financial statements to investors.
  6. It is not the fault of the external auditors if the board fails to act on fraud that is not material to the financial statements. They do not assess the effectiveness of the board beyond where it may unacceptably raise the level of risk of material error in the financials.

Rather than blame KPMG, I would have preferred that Francine and her co-author suggest that the rules and standards that direct the work of the external audit firms be changed.

Should they disclose non-material fraud? I am not in favor.

Should they disclose concerns with the effectiveness of corporate governance? That is something worth debating.

What do you think?

I welcome your views.

Linking risk management to results

August 12, 2017 15 comments

COSO ERM 2004 defined risk management:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Taking out the middle part, you get:

Enterprise risk management is a process…… designed to….. provide reasonable assurance regarding the achievement of entity objectives.

This is mistaken and I am glad that the exposure draft of COSO ERM 2017 has removed this assertion. It redefines enterprise risk management as:

The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.

The draft also says:

Integrating enterprise risk management throughout an organization improves decision-making in governance, strategy, objective-setting, and day-to-day operations. It helps to enhance performance by more closely linking strategy and business objectives to both risk and opportunity. The diligence required to integrate enterprise risk management provides an entity with a clear path to creating, preserving, and realizing value.

The ISO 31000:2009 global risk management standard has a set of principles (IMHO, better than those in the draft of COSO ERM 2017). The first three are:

1: Risk management creates and protects value.

2: Risk management is an integral part of all organizational processes.

3: Risk management is part of decision making.

How does risk management create and protect value?

  1. By improving the quality of decisions by making them ‘risk-aware’, ensuring that decision-makers consider all the potential consequences of their decisions
  2. Helping to identify what might go wrong so it can be addressed if unacceptable
  3. Helping identify opportunities for things to go better than planned so they can be evaluated and pursued if justified

Some have decided that you can measure the effectiveness of risk management by examining the success of the organization.

If it were true that risk management provided reasonable assurance that objectives would be achieved (i.e., if COSO ERM 2004 was correct), then fine.

But risk management only provides reasonable assurance that decisions can be made on reliable information about what might happen. It provides reasonable assurance that risks to the achievement of objectives are at desired levels.

It doesn’t provide reasonable assurance that those things will actually happen. It will only help you assess that the likelihood of a particular benefit or harm is x%.

History has proven time and again that companies that take more risk than stakeholders might desire can be highly successful, even for an extended period. At the same time, organizations that have gone to great lengths to understand, analyze, and treat their risks have still failed. Just think of NASA and its few disasters.

Every organization is at the mercy of actors beyond their control, such as the weather, the economy, the health of their customers, the vagaries of regulators, and so on. A quality risk management program may make you aware of potential events and situations that might arise and cause you grief, but it won’t keep them at bay.

So does it make sense to evaluate the effectiveness of risk management by looking at the frequency of safety incidents or compliance failures, or the gross margin achieved?


It does make sense to analyze why failures occur and whether the root causes should have been, but were not, foreseen.

The value that is created by an effective risk management is the confidence of the board and decision-makers in the information they use to make decisions.

Do you agree?

I welcome your thoughts.