An Open Letter to COSO about Enterprise Risk Management
This post is about a path forward for COSO and I believe they are open to constructive commentary and suggestions. I ask that you add your constructive comments and suggestions to mine. Disagreements are welcome.
While I am on record as saying that I prefer the ISO 31000:2009 global risk management standard to the COSO Enterprise Risk Management – Integrated Framework, I am also on record as saying that neither is perfect.
For example, it is generally accepted that risk management is a process. However, ISO 31000:2009 does a better job of explaining and describing a process than COSO’s ERM framework. The ISO standard has a process diagram that is the foundation of the guidance. COSO has the static “cube”. While many have seen and are familiar with the COSO ERM cube, very few tell me that they are able to explain it to their management stakeholders – it confuses rather than clarifies. (By the way, the COSO Internal Controls Framework cube is excellent – simpler and easy to explain.)
On the other hand, the ISO 31000:2009 framework provides no guidance on how to address the requirement (by an increasing number of regulators) to create a board-approved “risk appetite statement”. I agree with people like Grant Purdy and others that “risk appetite” (or risk tolerance, if you prefer) is not a particularly useful expression, and that the level of risk is only one of the criteria that should be used to assess whether the current condition of a risk/opportunity is acceptable or not. Nevertheless, organizations are being required to have one, and I don’t accept that people’s dislike of the expression is sufficient reason for ignoring the issue.
This post is about sharing with the COSO board and influencers my (and I hope, your) suggestions for a path forward.
Why now? This post is triggered by my review of the new COSO publication, Risk Assessment in Practice. Authored by two experienced consultants in enterprise risk management from Deloitte, it should have been excellent. After all, this is the firm that has given us a series of risk management guidance that I strongly recommend at every opportunity: the Risk Intelligence White Papers. They also published earlier this year a useful survey of executives on risk monitoring.
Unfortunately, this new piece of guidance is not up to Deloitte’s normal standard. (I checked around, and I am not the only individual who has a poor opinion of Risk Assessment in Practice.) For example, a critical piece of risk assessment is determining whether the risk is at an acceptable level (risk tolerance in COSO language). However, you will only find a single passing reference to risk tolerance in the paper! (By the way, ISO has published ISO/IEC 31010:2009 Risk Management – Risk Assessment Techniques. While the COSO guidance is free, the ISO one is not; it is available from multiple sites, including Canada, $250; Switzerland, CHF 238; US, $285. The ISO guide is far longer and more detailed, but a dry and technical read.)
COSO’s publishing pieces like this latest one does not improve its reputation as a source of guidance on risk management – or, by inference, on internal control.
This is what I recommend:
1. I believe that COSO has an important role to play when it comes to internal control, where there are few alternatives and where its Internal Control Framework is the only framework specifically recognized by the SEC for Sarbanes-Oxley compliance.
COSO was born out of the need to address fraudulent financial reporting (the Treadway Commission), and there is clear value in an independent organization that focuses on financial reporting fraud.
As a community, we should do everything we can to support and help COSO deliver quality, useful guidance on internal control and financial reporting fraud.
2. But, there are viable alternatives when it comes to risk management, including not only the ISO standards but guidance from professional risk management associations such as the Institute of Risk Management (IRM) and the Risk Management Society (RIMS).
I suggest it is time to start a process of convergence of the ISO and COSO guidance on risk management. That will involve some political rethinking on both sides and therefore won’t happen immediately.
Over time, COSO should re-align its mission to be consistent with its strengths: internal control and financial reporting fraud.
Having two competing risk management camps is not in the best interests of the risk management community, boards, or the practice in general.
This year, many of us attended a conference on the ISO 31000 standard in Paris. In 2013, the annual conference will be in Toronto. COSO and its sponsoring organizations should attend and contribute.
3. In the meantime, COSO should partner with IRM and RIMS, rather than with the accounting firms, on any new risk management work.
In addition, COSO should broaden its review and advisory board to include organizations and individuals focused on risk management – such as Carol Fox of RIMS and Steve Fowler of IRM. This can help ensure quality reviews by expert practitioners of risk-related publications prior to issue.
COSO should engage actively with the ISO community and participate in the development of ISO standards (such as the update of the ISO 31000:2009 standard and the related ISO 31004 guide to 31000).
If the decision is to continue with risk management guidance, COSO should include organizations like RIMS and IRM as sponsoring organizations.
Do you agree?
How would you advise the COSO board?