We need to review and provide feedback on the COSO ERM Exposure Draft
This last week, COSO published an Exposure Draft of its ERM Framework Update, freshly entitled Enterprise Risk Management – Aligning Risk with Strategy and Objectives. You can see an introductory video, review, and then provide feedback on the draft here.
The COSO update is a significant moment for all risk practitioners. So I strongly recommend that everybody take the time to review and give careful consideration to the draft.
But, let’s do that by looking at the big picture rather than the detail.
Let’s also put aside any predisposition we may have either to like or dislike COSO’s work.
How should we assess the ERM Update draft? That’s the focus of this post.
COSO not only provides the opportunity to submit comments, but has a history of listening and making changes where appropriate.
While COSO has provided their own set of review questions, I am not persuaded they strike to the heart of whether the draft meets the needs of its potential users. COSO’s questions seem to assume that their thinking is correct and only asks whether it is clear. For example, rather than ask whether we agree with their concept of risk appetite, the survey asks whether it is clearly explained.
I suggest we do it against criteria that focus on whether the draft will provide the guidance that enterprises need if they are to be successful.
In other words, if organizations adopt the updated COSO guidance, are they likely to increase their ability to set and then achieve their objectives and deliver the value their stakeholder needs?
How about using the following questions as the basis for assessing and then providing feedback? They are distilled from some of the points COSO makes in the video and the Executive Summary of the draft, plus some consideration of the fundamentals of world-class risk management.
- Does the draft provide useful guidance that will help leaders of the organization define the mission, objectives, strategies, and plans that will deliver optimal value to stakeholders?
- If the mission is not optimal, it is unlikely that the objectives will be
- If the objectives are not optimal, it is unlikely that strategies to achieve them will be
- …and so on
- In order to set the optimal mission, objectives, strategies, and plans, leaders need to consider all the possibilities. They need to be able to obtain as clear a view as possible of potential opportunities and harms for all potential options. Their assessment of what might lie ahead, and how it might affect their journey, needs to be performed in a structured fashion – both opportunities and harms – and a reasonable judgment made that takes all of the potential effects of uncertainty into account
- Organizations need to periodically review their mission and change it as conditions change. Think of Intel, Microsoft, HP, Apple and more
- Does the draft provide useful guidance when it comes to executing against the defined mission, objectives, strategies, and plans? Is there sufficient guidance on effective decision-making, and will it move the practice of risk management away from only reviewing, periodically, a list of risks? Will it lead to organizations practicing risk management continuously?
- The Executive Summary makes the points that risk management must be continuous, enable effective decision-making, and be more than the review of a list of risks
- But, does the detail of the framework deliver on those promises?
- As COSO says in their Executive Summary, execution and the optimization of performance rely on decisions that are made not only by leaders in establishing the goals and objectives of the organization, but by managers at every level of the organization every day
- In order to make good decisions, people need to consider all the potential consequences of the choices they make. Those include not only the harms but also the rewards that may occur. The consideration needs to be structured and based on useful, timely, current, and reliable information
- Also as COSO says, risk management needs to be an essential part of running the organization and delivering performance. It should not be separate. Does the guidance enable organizations to manage risk as part of the rhythm of the business? Does it help management entwine the consideration of risk into every business process?
- Will the guidance still lead people to only identify, assess, and address potential harms? Will risk reporting still be focused on the level of risk rather than the likelihood of achieving each objective?
- COSO says the consideration of both harms and rewards (in their language, ‘risks’ and ‘opportunities’) is essential if risk management is to be effective
- While that is essentially what the prior version said, its language focused almost entirely on ‘risk’ and arguably this has led to most organizations only managing potential harms
- Most organizations limit risk reporting to a list of risks and their level. But if it’s really about achieving objectives, shouldn’t reporting be about whether each objective is likely to be achieved, exceeded, or missed? It should not be limited to an assessment of potential harms
- Does the guidance explain clearly and help decision-makers understand and then evaluate all the potential effects of uncertainty?
- Some look at ‘opportunity’ as the positive side and ‘risk’ as the negative. But, most situations and certainly most decisions have multiple potential consequences. It’s not just reward or just harm, usually it’s both. For example, when you decide to overtake another car on the freeway, there is potential to go faster as well as the potential for a crash. Only by understanding and then weighing both can a good decision be made. As another example, when you purchase a hotel while playing Monopoly, you create the opportunity to obtain rent (and this requires considering the size of that gain and its likelihood) as well as increase the potential to go bankrupt if you land on another’s property and have to pay rent
- Some assess the ‘level’ of risk as a point – a level of impact and the likelihood of that impact. However, there is almost always a range of potential impacts, each with its separate likelihood. For example, if the organization decides to reduce the price of its products, sales could (a) increase by 10%; (b) increase by 20%; (c) remain the same; (d) change by another percentage. All of these possibilities have different likelihoods. If you wanted to plot the ‘level of risk’, it would be a range or a curve on the chart and not a point
- The actions and decisions of one affect many. Is the guidance sufficient on this point?
- Many define the level of risk based on the amount of impact multiplied by its likelihood. But then a 5% likelihood of a $200 loss is the same as a 50% likelihood of a $20 loss. One may be acceptable but the other not. Does COSO discourage the assessment of risk based on this simplistic calculation?
- Will the update provide decision-makers with the structure/process they need to decide whether to ‘take the risk’ because of the potential for reward?
- In real life, people have to ‘balance’ risk and reward
- Will the guidance provide a disciplined process for identifying and evaluating all the potential effects of each option and only then making an informed decision? Or does it consider only harms?
- For example, if the potential for loss is assessed as between $50 (20% likelihood) and $100 (5% likelihood), should a manager ‘take the risk’ when the potential for gain is between $50 (20%) and $250 (5%)?
- Will the update lead to providing decision-makers with the guidance they need if they are to make the decisions management and the board want them to make?
- The great majority of organizations who have a ‘risk appetite statement’ at the entity level have not been able to cascade it down in a way that enables those making the decisions in real life to know what is necessary
- Different conditions (e.g., whether there is huge public scrutiny, whether the organization is likely to exceed or miss its earnings targets) can lead to executives wanting to change the risk decisions that are made
- It’s one thing to say that you need to avoid exceeding defined risk limits, but when the reward is high it may be appropriate to take that risk. Does the guidance enable agile decision-making that considers changes in the environment?
- Does the update provide sufficient guidance on how to assess and then correct, as necessary, the culture of the organization?
- It is encouraging that this is now included. Is it sufficient?
- Does the update provide sufficient guidance on each stage of the risk management process, including identifying, assessing, evaluating, and treating risk and opportunity? Does it provide sufficient guidance on communications and monitoring, including continuous improvement?
- There is more to assessing risk (good and bad) than impact and likelihood. Other considerations include duration, speed of onset, and more
- Many use models. Is this covered sufficiently?
- Is the updated COSO guidance on risk appetite and risk tolerance useful? Does it mirror and enable effective decision-making in real life? Does the guidance help to establish not only the upper limit of ‘risk’ that should be taken, but the lower level as well?
- If organizations don’t ‘take risk’ they will not survive. It is dangerous to be too risk averse
- How does an organization establish the minimum level as well as the maximum?
- Does COSO provide sufficient guidance on how to assess both the upside and the downside?
- Does the updated guidance help people ‘balance’ risk and reward, knowing when to ‘take the risk’?
- The COSO definition of risk appetite in the current framework talks about an amount of risk. Sometimes risk appetite is expressed in terms like “we have no tolerance for this risk”
- However, in real life people make decisions based not only on the ‘amount’ of risk (harm) but the likelihood of that amount of risk. For example, I might accept a 2% possibility of losing $100 but not a 20% possibility
- A generic statement like “we have no tolerance for this risk” does not help real life decision-making. While no organization will state a level at which loss of life is acceptable, in many industries the only way to get to zero likelihood is to exit the business
- What is an acceptable level of variation from objectives? If you set an objective of 10% growth but are willing to accept 5% growth, surely 5% is your true objective. Alternatively, your objective may remain 10% but you will accept a 7% chance that it will be reduced to 5%
- Is the ISO 31000:2009 term ‘risk criteria’ better, especially as it can be applied to individual decisions?
- Will it be possible to assess the effectiveness of risk management in practice using the updated version?
- Any assessment should be based on whether the management of risk helps people establish the optimal vision, objectives, strategies, and plans, make better decisions and, as a result, increase the likelihood of achieving objectives
- Any assessment should identify the areas where the risk of failure in identifying, assessing, evaluating, or taking action to address risk is higher than desired
- If the assessment is against principles, are those in the COSO draft as good or better than those in ISO 31000:2009?
- Will the guidance provide sufficient guidance to enable the board and/or a committee of the board to provide effective oversight?
- Is the guidance as good as that in South Africa’s King IV Exposure Draft?
- Is the updated document consumable? Is it too long? Will it be read, understood, and acted on by all levels of the organization?
My request of you is:
- Do you think this list of 12 questions (I would prefer that there were fewer, but there you are) would be a sound basis for assessing the Exposure Draft?
- If it is, please share your assessment – here as well as with COSO.
 In my mind, this should include all executives and board members because everyone who leads and manages an organization, in fact every decision-maker, is a risk manager. Their decisions, from establishing the vision and mission, through strategy and objective-setting, to the decisions that are made every day across the enterprise as we execute on strategy, create and/or modify risk – and by risk, I refer to the effect of what might happen as we go from where we are to where we want to be.
 The Internal Control Framework Exposure Draft had issues that several of us pointed out. To their credit, COSO made some substantial changes. For example, they inserted as the first sentence in the section on effective internal control the key observation that effective internal control provides reasonable assurance that the risk to objectives is at acceptable levels. Without that sentence (and, for some, even despite that sentence) they would have created a checklist comprised of principles and points of focus. Instead, they told us to consider risk when assessing internal control.
 Asking a question like this is a technique I have used with good effect when running internal audit. It’s not whether the document explains defined content or ideas. It’s about whether it will help those charged with leading, directing, and running the enterprise be successful.