
An Open Letter to COSO about Enterprise Risk Management

October 29, 2012

This post is about a path forward for COSO and I believe they are open to constructive commentary and suggestions. I ask that you add your constructive comments and suggestions to mine. Disagreements are welcome.

While I am on record as saying that I prefer the ISO 31000:2009 global risk management standard to the COSO Enterprise Risk Management – Integrated Framework, I am also on record as saying that neither is perfect.

For example, it is generally accepted that risk management is a process. However, ISO 31000:2009 does a better job of explaining and describing a process than COSO’s ERM framework. The ISO standard has a process diagram that is the foundation of the guidance. COSO has the static “cube”. While many have seen and are familiar with the COSO ERM cube, very few tell me that they are able to explain it to their management stakeholders; it confuses rather than clarifies. (By the way, the COSO Internal Control Framework cube is excellent: simpler and easy to explain.)

On the other hand, the ISO 31000:2009 framework provides no guidance on how to address the requirement (by an increasing number of regulators) to create a board-approved “risk appetite statement”. I agree with people like Grant Purdy and others that “risk appetite” (or risk tolerance, if you prefer) is not a particularly useful expression, and that the level of risk is only one of the criteria that should be used to assess whether the current condition of a risk/opportunity is acceptable or not. Nevertheless, organizations are being required to have one, and I don’t accept that the mere fact that people dislike the expression is sufficient reason for ignoring the issue.

This post is about sharing with the COSO board and influencers my (and I hope, your) suggestions for a path forward.

Why now? This post is triggered by my review of the new COSO publication, Risk Assessment in Practice. Authored by two experienced consultants in enterprise risk management from Deloitte, it should have been excellent. After all, this is the firm that has given us a series of risk management guidance that I strongly recommend at every opportunity: the Risk Intelligence White Papers. They also published earlier this year a useful survey of executives on risk monitoring.

Unfortunately, this new piece of guidance is not up to Deloitte’s normal standard. (I checked around, and I am not the only individual who has a poor opinion of Risk Assessment in Practice.) For example, a critical piece of risk assessment is determining whether the risk is at an acceptable level (risk tolerance in COSO language). However, you will only find a single passing reference to risk tolerance in the paper! (By the way, ISO has published ISO/IEC 31010:2009 Risk management – Risk assessment techniques. While the COSO guidance is free, the ISO one is not; it is available from multiple sites, including Canada, $250; Switzerland, CHF 238; US, $285. The ISO guide is far longer and more detailed, but a dry and technical read.)

COSO publishing pieces like this latest one does not improve its reputation as a source of guidance on risk management, or, by inference, on internal control.

This is what I recommend:

1. I believe that COSO has an important role to play when it comes to internal control, where there are few alternatives and its Internal Control Framework is the only framework specifically recognized by the SEC for Sarbanes-Oxley compliance.

COSO was born out of the need to address fraudulent financial reporting (Treadway Commission), and there is clear value in an independent organization that focuses on financial reporting fraud.

As a community, we should do everything we can to support and help COSO deliver quality, useful guidance on internal control and financial reporting fraud.

2. But there are viable alternatives when it comes to risk management, including not only the ISO standards but also guidance from professional risk management associations such as the Institute of Risk Management (IRM) and the Risk Management Society (RIMS).

I suggest it is time to start a process of convergence of the ISO and COSO guidance on risk management. That will involve some political rethinking on both sides and therefore won’t happen immediately.

Over time, COSO should re-align its mission to be consistent with its strengths: internal control and financial reporting fraud.

Having two competing risk management camps is not in the best interests of the risk management community, boards, or the practice in general.

This year, many of us attended a conference on the ISO 31000 standard in Paris. In 2013, the annual conference will be in Toronto. COSO and its sponsoring organizations should attend and contribute.

3. In the meantime, COSO should partner with IRM and RIMS, rather than with the accounting firms, on any new risk management work.

In addition, COSO should broaden its review and advisory board to include organizations and individuals focused on risk management, such as Carol Fox of RIMS and Steve Fowler of IRM. This can help ensure quality reviews of risk-related publications by expert practitioners prior to issue.

COSO should engage actively with the ISO community and participate in the development of ISO standards (such as the update of the ISO 31000:2009 standard and the related ISO 31004 guide to 31000).

If the decision is to continue with risk management guidance, COSO should include organizations like RIMS and IRM as sponsoring organizations.


Do you agree?

How would you advise the COSO board?

  1. October 29, 2012 at 2:45 PM

    Many comments to make, Norman.

    First, you state that you believe that COSO is open to constructive commentary and suggestions. I find this statement to be quite shocking, as I believe the exact opposite of what you are saying. That is because many of the folks in the risk management community really understand COSO ERM for what it is, which is quite useless. Even if the COSO folks understood our remarks, do you really think they would want to jeopardize the millions of dollars invested in it and the thousands of client relationships established using it? The answer is quite easy to see. If they are serious and wish to see constructive feedback, then please share with us the comments they provided to you, point by point, on the remarks you posted to the COSO site on their draft document on internal control. We have many other examples to support our way of thinking, including the conference that you organized in Florida in 2010 with strong representation from one member of COSO, Richard Chambers, and various other participants both for COSO ERM and against it.

    Second, it is an accurate statement that ISO 31000:2009 is not perfect. This is why a number of us are working on the sequel now with ISO 31004. But at least the creation of the ISO document was an open and honest process and not driven by an accounting firm. My sense is that whereas ISO 31000 still needs work, COSO ERM is quite useless. See, among many blogs and articles on this subject matter, the blog by Grant Purdy on the ten deadly sins of COSO ERM.

    Third, you say that it is generally accepted that risk management is a process. I say that this is not the case. It is generally accepted that risk management is a discipline for managing uncertainty, and such discipline encompasses the principles, process and framework.

    Fourth, you compare the diagram of ISO 31000 with the COSO ERM cube and you state, among other things, that those trying to explain the COSO ERM cube to their stakeholders have a difficult time in so doing. That is because the COSO ERM cube is missing quite a bit and, more importantly, those doing the explaining are lacking many of the essential skills to properly do this.

    Fifth, it is an accurate statement that the ISO 31000:2009 framework provides no guidance on how to address the requirement (by an increasing number of regulators) to create a board-approved “risk appetite statement”. To this I say that just because an increasing number of regulators are asking for this does not make this a logical request (think of how much waste Sarbanes-Oxley brought us). However, to ignore risk appetite completely is nonsensical as well. This is why the alternative term of risk criteria has been developed, which hopefully will be laid out with various examples in ISO 31004. Meanwhile, Grant Purdy has already published various examples of how risk criteria can be applied in practice, and a number of us are already using it.

    Sixth, I am not sure whether the experienced consultants you refer to from Deloitte have ever worked in industry as Chief Risk Officers at major companies. Have they, and if so, where? And if you do not know the answer to this, don’t you believe it is important to know this?

    I see a much different path forward: a path that will result in improved governance and risk management at various companies, a path that should bypass those groups and organizations that have held back the risk discipline. Such a path is being discussed and talked about on our site at http://riskatmville.com

  2. October 29, 2012 at 2:54 PM

    Norman, I agree with you that there should be collaboration between these institutions in order to draft a standard framework and guidance for risk management practitioners, the board and the stakeholders. This will remove the confusion for many organisations. There needs to be a common taxonomy, use of a simple process for risk management, development of practical tools, metrics, and the right reporting system.
    I would suggest that we include information intelligence in the RM process to give the risk community a methodology to assess risk.
    The actual framework is as if you have an orange tree at home without the oranges; the tree continues to grow without the fruits.

  3. Jan Blanckaert
    October 30, 2012 at 4:29 AM

    Norman, I agree.
    I have been studying risk management frameworks and standards to see how best to implement them in our organisation, and I feel more inclined to take the ISO 31000 approach rather than the COSO ERM approach because the ISO process approach is more explainable to management.
    I agree because it would help organisations to create a better IMS vision. For a clear IMS vision all elements of the GRC spectrum need to be considered, but in particular the approach towards enterprise risk management and internal controls is very fundamental. I believe your proposals towards COSO would move us in the right direction of at least avoiding confusion by two strong parallel groups not working together. Religious wars in history have proven to be very damaging towards society, and avoiding one from developing deserves some brain and energy from experts in the field. In fact it should be a charter item of all those boards (COSO, ISO, IRM/RIMS etc.) to unite and converge rather than split the expert community. However, I’m afraid that the professional ego wants power, and power in a split community is easier to get (at least from part of that community).

  4. October 30, 2012 at 5:47 AM

    Norman, I agree with your thought about it being the time to start the convergence of the ISO and COSO guidance on risk management. I also agree that having two competing risk management camps is not in the best interests of the risk management community, boards or the practice in general. Unfortunately, I also have to agree with the comment from Jan Blanckaert that differing professional egos want power, and a split community adds to the confusion that provides the power.

  5. October 30, 2012 at 6:58 AM

    Norman, I fully support and agree with your recommendations. I do think, however, that the “political risk”, i.e. the agreement of the two entities to merge, will be the most difficult of any risk they may have to mitigate. I stand ready to assist you in moving this initiative forward.


  6. Richard Fowler
    October 30, 2012 at 7:36 PM

    This is a very thoughtful and thought-provoking article, Norman. My first impulse was to agree with you wholeheartedly. But then I thought about all the other conflicting standards and frameworks that exist. Project management, information security, and auditing (to take examples from my own professional experience) have different approaches and governing organizations. But for complex areas such as these — and let’s include risk management as well — is convergence really necessary? Is there actually just one best way to implement these processes? I think we might be able to retain the different approaches and let competition drive improvements across the board.

    I also want to add that there are several references to risk tolerance in the article, but the article was more about how to assess the risks by adding vulnerability and speed to the impact and likelihood aspects more commonly used. My own complaint is that the impact scale they use provides examples of financial risk, compliance risk, personnel risk, reputation risk and safety risk, but does not include mention of strategic risk, market risk, credit risk, or even operational risk.

  7. Vuyelwa
    November 3, 2012 at 7:12 AM

    I agree. Collaboration will strengthen risk management practice and eliminate unnecessary confusion.

    • Ms. Vann
      December 1, 2013 at 2:40 AM

      A passer-by was venting about an organization that doesn’t acknowledge risk management in any category. The employees are liabilities; there have been numerous work-related injuries over the years, and the employees are still employed. Some have collected workers’ compensation while continuing to be employed. I forgot the name of the organization that was meant. As the comment above states, obviously there is no collaboration.

  8. Sanford Liebesman
    November 5, 2012 at 5:44 PM

    I will comment on your proposal when I have more time to study it. But for now I will give you some background on my contribution to the COSO revision. I am a member of the Institute of Management Accountants (IMA) organization supporting the COSO revision. I am a quality management person (a leader in the ASQ) and was invited to bring quality into the revision by the IMA CEO and chairman Jeff Thomson. I did bring in a number of quality inputs, including the requirement that objectives should be measurable. If you are interested, my article in the April issue of the Quality Progress standards column summarizes the inputs I provided. Also, in the November issue I compared the revisions to COSO with the revisions to ISO 9001 and, by implication, ISO 14001. The ISO standards’ structures are changing drastically, while the COSO revision is maintaining its basic structure.

    Note also that both ISO standards are bringing in risk management whereas COSO already has a risk management component. Note that preventive action in ISO 9001 is a risk management tool.

    The reason I became involved in COSO is my interest in removing the silos between quality and finance. Companies will gain a tremendous advantage if they link quality and finance management systems. My recent book “Competitive Advantage: Linked Management Systems” provides information on removing the silos between quality, finance, environment and IT management systems.

    • Norman Marks
      November 5, 2012 at 5:55 PM

      Sanford, thank you for sharing this. Are you familiar with ISO 31000:2009, the risk management standard?

      Norman D. Marks, CPA, CRMA, OCEG Fellow, Honorary Fellow of the Institute of Risk Management, Vice President, Evangelist Better Run Business, SAP

  9. November 7, 2012 at 7:31 AM

    Norman, thanks for raising this issue. We at RIMS believe that one of the primary challenges for risk practitioners in the trenches is in harmonizing the various approaches by blending siloed strategies through common risk management elements. As you know, we already are working with a number of associations and standards bodies, as well as academics. I personally would welcome the opportunity you suggest in your open letter. Let’s do it – for the good of the discipline and our collective organizations.

  10. January 4, 2013 at 4:02 AM

    The COSO ERM Framework seems to champion the effective measurement of ERM in firms. What is your thought on S&P’s ERM index as applied in the McShane et al., 2011 paper?

  11. January 11, 2013 at 7:53 PM

    Norman, great post! I agree with your view on COSO partnering up with IRM and RIMS.

  12. March 16, 2016 at 10:07 AM

    The biggest problem with all these ERM standards is that they rely upon jargon. An ERM process should be open source and be capable of explanation to all stakeholders who don’t have the necessary background. An ERM standard should be simple and easy to operate, even by a high school student. It should not degenerate into a money-spinning racket. ERM knowledge should be free and should be spread so that it does not stagnate in silos aloof from fast-changing situations.

  13. Omphile Macheng
    December 12, 2017 at 9:55 PM

    Most of these standards communicate the same things but using different languages. What we need to understand is the background of the originator of a certain standard. Sometimes it’s more like people protect their professions, and that compromises rational thinking.

  14. Omphile Macheng
    December 12, 2017 at 9:56 PM

    Language as in terminologies.
