The piece COSO and ISO forgot
Both COSO (their internal control and enterprise risk management frameworks) and ISO (risk management standard) focus on the reliable achievement of objectives.
But is that right?
Let me tell you a personal story. Many years ago, in a time lost to the ages, I was a young IT audit manager at a major public accounting firm in London. I was fascinated by the new microcomputers and had purchased a TRS-80 Model II from Radio Shack. I taught myself some BASIC and was working late many evenings trying to write simple programs on this 16k device that used a portable tape recorder for external storage. I thought I could see how consumers and businesses of the (then) future would use devices like this and the new Apple II (for which I yearned). My senior manager suggested I bring the microcomputer into the office and show the IT audit partners. I was both excited and nervous, knowing that this embryonic device would only wow somebody with imagination. Sure enough, the senior partner huffed and mumbled something about wasting time on something that would never take off.
Now fast forward about three years. I am now the IT audit manager with the US part of the firm, responsible for the Los Angeles office. I am working with a client and talking to the CEO, who tells me that he can’t get his controller to use this new program called VisiCalc (one of the first spreadsheet programs). The CEO is fed up getting schedules from the controller with math mistakes that could be avoided if he used a simple spreadsheet. When I talk to the controller about getting microcomputers such as an Apple II or IBM, he huffs about “these toys” and sticking with what works.
Finally, let’s consider the mobile phone companies, like Nokia, that owned major shares in the global cell phone market. Nokia had about a 40% share of both revenue and profits. Their vision of the future did not include the dominant position that Apple would take with its iPhone. Nokia went from dominance to a 15% laggard.
The partners at my firm retained a vision that businesses would continue to run on IBM, Honeywell, ICL, DEC, and other mainframes. They were late to realize and be ready to develop capabilities and tools for the mini and then personal computers.
The controller at the Los Angeles company continued to use his adding machine and provide schedules with math errors. Not only was his boss frustrated, but the audit team was always finding errors in the financial statements.
Nokia failed to see the future as well, and its strategies had to be changed in crisis mode.
Looking at these, each demonstrates a failure to adapt business objectives and adopt new strategies while the old ones still appear to be working.
Where am I going with all this?
Addressing risks to strategies, and the controls that minimize those risks and help you achieve your objectives, will fail when those are the wrong objectives and strategies.
I am a big fan of PwC’s 2007 report on the State of the Internal Audit Profession, looking forward to 2012. I criticized them when new firm leadership took a different slant in the next years’ reports, but have to give them credit for one thing: they suggested focusing on the value drivers of the organization.
Whatever the type of organization (for-profit, not-for-profit, government, etc.), it exists to provide value to its stakeholders. Sometimes that is profits and dividends; other times it is waste disposal and other public services. PwC suggested that internal auditors understand the sources of value, and then assess whether the organization has good processes and controls to develop objectives and strategies to create and preserve value. Only then do you assess the risks and related controls for achieving those objectives.
The Singapore paper on risk oversight also starts with understanding “the mission of the company and of the reasons it exists in relation to all its stakeholders”. It advises that:
“Effective risk governance provides the appropriate level of direction and control in:
- determining the goals and strategy of the company;
- pursuing those goals;
- identifying the risks which are present or which may arise when the company pursues its goals; and
- determining measures to mitigate the risks.”
When COSO and ISO guidance starts with the achievement of objectives, it misses the point that the objectives may be wrong. Risk and control managers may be helping the organization drive at speed towards and then over a cliff.
Risks need to be considered in setting objectives and strategies that create value. There are also the risks that the objectives and strategies are misguided, ineffectively communicated, and so on.
Controls exist (even though COSO advises otherwise) within the objective and strategy-setting processes. There are controls to ensure the right people are involved, have access to the information they need to set appropriate and achievable objectives and strategies, and then communicate them across the enterprise.
So what does this all mean?
- Let’s collectively urge those responsible for the COSO and ISO guidance to address the setting of objectives and strategies to create value;
- Let’s consider the risks that the objectives and strategies are sub-optimal (which includes their being outdated); and
- Let’s treat the consideration of risk as part of the objective and strategy-setting processes, together with the controls that address those risks.
What do you think?