
Time for a leap change in risk management guidance

November 5, 2016

Even though both COSO ERM and ISO 31000:2009 are evolving, moving to a greater emphasis on decision-making and the setting and execution of strategy, the practice of managing risk continues to lag.

I have written in my blogs and spoken in person to thought leaders involved in both COSO ERM and ISO 31000 updates about the need to take a huge leap forward.

When the practice is seen as failing to contribute to success, and limited to a compliance function, something dramatic has to happen.

Nothing recent exemplifies the scale of the problem better than A Practical Approach to Institutional Risk Management.

This paper was developed through over 100,000 interviews by the staff of the Education Advisory Board and insights and advice from around 120 practitioners and consultants. (I recognize a number of names in the list of advisors. This may reflect their 2012 rather than 2016 thinking, and it is possible that their advice and insight was not heard.)

So does this paper reflect existing practice?

If so, it is clear why risk management is seen as incidental at best to organizational success.

The authors are focused entirely on risk registers – a list of risks. A list of things that might go wrong.

The issues they discuss are making the list of risks manageable and being able to “treat” those risks.

You will not find a single reference to decision-making.

The only reference to decisions is when the authors point out that the consequences of decisions, risks that are created or modified, are frequently not considered.

As EY points out, using a term I love, the management of risk has to be part of the rhythm of the business.

It has to be integral to how we make decisions, every hour of the day, at all levels across the extended enterprise.

Enterprise list management (to quote Jim DeLoach) is scratching the surface. While those scratches may be sufficient to fool some that risk management is in place, a periodic review of a limited list of risks is like driving down the freeway at speed and only looking at the traffic around you every 15 minutes.

COSO and ISO: it is time for a dramatic move in guidance and standards. You have to lead the way out of the pit of enterprise list management towards the goal of effective enterprise management.

Yes, enterprise management, because the management of risk is not a separate activity. You only succeed if you can anticipate (my new favorite word) what might happen as you journey towards your objectives, and make informed and intelligent decisions as you run the business.

COSO and ISO, are you listening?

Practitioners, please join me in demanding a leap forward.


  1. Mike Corcoran
    November 5, 2016 at 2:43 PM

    Enterprise value management is alive and well and practiced every day. Talked about every day by numerous financial cable programs and digital and print papers. This infatuation with risk management, well, is anything but.

  2. November 5, 2016 at 3:24 PM

    Norman. No mention of the IIA. Surely they have a major part to play?

    • Norman Marks
      November 5, 2016 at 3:29 PM

      David, the IIA is a member of the COSO Board and contributing, mostly as an observer, to the ISO 31000 update.

      • November 6, 2016 at 2:29 AM

        Norman. I think you underestimate the influence internal auditors have in achieving your aims.
        – COSO only applies to the US and ISO 31000 is not on the lips of many board members throughout the world.
        – Much legislation round the world recognizes the need to control risks and the importance of an internal audit department. The same is not true of risk management.
        – Consequently IA usually has direct access to the board and potentially some influence.
        – It’s probably easier to change the IIA standards than COSO or ISO 31000.
        – Internal auditors have to report on the effectiveness of controls (to put it simply). They need persuading that this can only be done by ensuring that mechanisms exist within their organization to: clearly specify objectives; constantly (i.e. as part of management’s normal responsibilities) identify the benefits which enhance the achievement of these objectives and the risks which threaten them; manage these benefits and risks by making decisions which maximise the benefits and minimise the risks (as defined by the board).

  3. November 5, 2016 at 5:39 PM

    Spot on, Norman. The risk management cult has boxed itself in by becoming less and less relevant to those it should be serving, the decision makers in organisations. The language of RM and its artefacts become more intricate and internally focussed each year. The profession and even those writing standards seem to have lost sight of why we originally started postulating scenarios that test out our assumptions when faced with a decision and which expose sources of uncertainty and judge their significance.

    Like all cults, the RM one has become isolated from the community at large and its ‘religion’ is becoming more and more abstract and self-serving. Also, unfortunately, those who challenge the cult and its direction are either being ostracised or leave to do something more worthwhile.

    Norman, you are to be applauded for challenging the status quo as you do in your book. However, I remain doubtful the industry and its powerful vested interests will allow the COSO and 31000 standards to be simplified and realigned with the needs of its real clients – the decision makers – to the extent they must. To do that will involve shredding the current drafts and starting again, something that would be politically unacceptable in both cases.

    People naturally ‘manage risk’ by attempting to understand uncertainty every day and all the time, and it’s quite easy to write a ‘standard’ that helps them do that better without using jargon and artificial confections like risk registers, risk appetite statements, establishing the context, risk velocity, risk universes, etc. However, I guess that level of transparency won’t sell much software and consultancy.

    • RP
      November 7, 2016 at 2:13 PM

      Grant, your comment gets to the heart of the matter — thanks.

      What’s troubling to me, though, is that this isn’t limited to enterprise risk management; replace “RM” with another “cult” and your comment holds true. E.g. I see similar issues with the “PCI assessor industrial-complex.”

      “…to do something more worthwhile”

      That’s the rub: people who “get it” eventually leave RM, since you reach a point where you’re dealing with codified navel-gazing.

      That’s why I started avoiding RM engagements & projects. Arguing about “risk velocity” (is that the first derivative of risk?) and heat maps and the like seems so…wasteful. It certainly wasn’t that helpful to upper management or shareholders.

  4. Bill Storage
    November 5, 2016 at 8:01 PM

    As you note (“management of risk has to be part of the rhythm of the business”), decision analysis (sensible decision making) is a separate concept from risk analysis and risk management. Of course a primary reason for analyzing risk is to support good decisions in an enterprise. Do we launch the Challenger on this abnormally cold day?

    Not that you imply otherwise, but we should also note that even within the traditional boundaries of risk analysis and management, COSO, ISO, and the input from many consultancies are completely out of step with the more mature history of risk management in every other domain. With the existing language and conceptual structures of these frameworks (e.g., relationships between fundamental concepts like uncertainty, probability, risk, event and severity) it is truly impossible to model real-world risks. For example, the assumption of constancy of risk-tolerance across severity levels is deeply embedded in these frameworks and standards, yet history suggests no enterprise has such values or acts along those lines. I’ve written more detail on that topic here: https://onriskof.com/2016/09/27/comments-on-the-updated-coso-framework/ .

    While you correctly identify the need for more breadth, COSO and ISO would also benefit a great deal from more depth in the specific area of rational analysis and characterizations of the risks they purport to be capable of modelling.

  5. alexausrisk
    November 5, 2016 at 9:12 PM

    Norman, spot on. Some of us in TC 262 have been pushing for this change hard, with mixed results unfortunately.

  6. Glenn Daly
    November 6, 2016 at 3:30 PM

    More than changing COSO and ISO 31000 is required to effect a change. E.g. if an organisation runs into trouble and a listed company feels the need to hire a consulting firm to address what needs to be improved, what will typically feature in the report? As I found with my company a few years ago, part of the report will link the problem back to not having risk registers etc., even if this has nothing to do with the problem or poor decision making. Am tempted to put up a proposal to my RMC for me to do away with risk registers and all the other stuff, but would they approve it? Probably not. Being Malaysia based, they have never heard of COSO etc., so to achieve the change you are advocating across the world I think requires other changes, albeit the guiding standards etc. I suppose is a start.

  7. Graeme Alexander
    November 7, 2016 at 1:35 PM

    Wholeheartedly support the need for not just a leap but a revolution; a future state where having a risk list/register is seen as a symptom of a lack of sufficient decision (risk) management. This will need not just the support of standard setters but of industry bodies, regulators and professionals.

  8. Jacquetta Goy
    November 8, 2016 at 10:45 AM

    Hi Norman, I was given the report you dislike when I started with my university and was really quite horrified to see so-called experts endorse an approach of taking a very long collated list of risks from other universities and spending a great deal of time trying to assess them at both institutional and unit level.

    I think that the concept behind the report is that, as universities were thought to be spending too long identifying risks, this could be short-cut by essentially giving them an externally developed risk list. It missed, I think, addressing the root cause of the ‘assessments take too long’ issue, although it identified the issue as being ill-defined strategic plans. The solution then surely is to spend more time on developing better, more focused plans and then to assess and manage risk in order to achieve those objectives, rather than borrowing standardized and therefore probably fairly meaningless risk statements from elsewhere.

    Still, it was four years ago; hopefully a new report would be more forward looking. I don’t believe that 31000 pushes organizations to risk listing though; I think this largely comes from consultancies who advocate the ‘risk universe’ concept, with its theory that you can identify every risk for any given organization and that organizations in similar sectors will have essentially the same risks. This misses the point that the activity of conceptualising risks is valuable in its own right – getting people to think and talk about risk is probably more important than any list generated.

  9. Sohail Khalil
    November 9, 2016 at 5:15 PM

    I strongly agree. The more we continue to sell ERM as an add-on, the more it is treated as one. The problem with the list approach is that it usually starts with a lot of enthusiasm and good will but soon becomes a lethargic and routine exercise, which defeats the whole purpose of having a broad view and proactive management.
    The key, for me, is that we, the Risk Managers/Champions/Coordinators, should come out of our comfort zones and be more involved in operations and then champion what we preach.
    The business managers need to see that we REALLY understand what they go through.
    It’s on us more than COSO or ISO. However, improvements on their side would be a big help.

  10. mahdi
    November 13, 2016 at 9:21 PM

    ERM is a vehicle, not an outcome. ERM should strive to serve the business and develop better means to serve rather than applying the standards.

  11. Steven Ulmer
    November 20, 2016 at 2:41 PM

    #1 I am glad to see the conversation move past whether COSO ERM or ISO 31000 is better. Those discussions were counterproductive and at times quite unprofessional.

    #2 While it is several years old, the study cited in Norman’s original posting is quite interesting. I passed it on to my superiors at the university where I am an adjunct.
