Home > Risk > PwC does better on risk management

PwC does better on risk management

Last week, I wrote about a PwC piece that IMHO gave poor guidance to boards and their oversight of risk management.

To be fair, there are people in PwC who “get it”.

A different piece, presumably by different people, makes some important points.

How your board can ensure enterprise risk management connects with strategy says (emphasis added):

  • Any major strategic decision carries uncertainty. A well-developed enterprise risk management (ERM) program can help executives meet key business objectives.
  • “ERM” means different things to different people. Some companies simply use ERM to identify, prioritize and report on risks—protecting value. The best companies use ERM to make better decisions, improve their strategic, financial and operational performance and create value. But it takes work and buy-in at all levels to make that happen.
  • ERM is the collection of capabilities, culture, processes and practices that helps companies make better decisions as they face uncertainty. It gives employees a framework and policies to help them understand, identify, assess and manage risks so the company can meet its objectives. It’s most valuable when it’s integrated with strategic planning.
  • ERM should also look at whether the company is taking enough risk and focus on areas of overperformance as much as poor performance.
  • The best ERM programs allow companies to have both risk agility (can you quickly adapt to a changing environment?) and risk resilience (can you withstand business disruption?). And companies that are committed to effective ERM programs periodically assess how they can be further improved.

All of the above is good.

But after a good start, PwC reverts back to a discussion of how to manage the adverse and ignores what it said about making better decisions, creating value, or taking enough risk.

I am afraid that the updated COSO ERM Framework, which is being led by PwC, will do the same. (It did this in 2004 as well). They will start with great stuff about decision-making, setting and then executing on strategies, and creating as well as protecting value.

But then they will revert to their roots and talk about managing a list of risks.

Risk management is about understanding what might happen as you strive to achieve your objectives, then taking actions to increase the likelihood and extent of success.

That means that when you make strategic decisions you have to understand not only the possibilities of bad things but the possibilities of good.

Apply the same discipline and process to the likelihood and magnitude of positive effects as you do to adverse.

In addition, if you don’t focus on the achievement of objectives, but instead manage individual risks, how do you know whether you are likely to achieve them – or the possibility of exceeding them?

I only hope that PwC, with the influence of the COSO Board, gets the COSO 2017 ERM update right.

What do you think?

I welcome your comments?

By the way, if you are involved in the ISO 31000 update, do you expect that to be a leap forward enabling advances in practices such as decision-making?

Advertisements
  1. Glenn Daly
    June 3, 2017 at 5:16 PM

    Re the comment “ERM means different things to different people”. Is not that the root of the problem with risk management?. The fact that this has and continues to be allowed to happen?. Those who only want to tick boxes (currently the majority) make it more difficult for those who want to do it properly. Greater clarity at a regulatory level is required.

    Am not sure this will occur re COSO guidance. Look at the people who the big 4 firms are selling as specialist risk advisory people. How many of these people know what are the critical business processes where decisions are made and fully appreciate the activities required to guide optimal decision making as distinct from protecting value?. How many of these people including the heads of these functions have ever performed a monte carlo simulation using a specialist software tool?. How many have culture change experience to enhance decision making throughout an organisation? etc. At a superficial level yes expect all the right words to be there in COSO, but when it gets to the substance of the matter, am not so confident given commercial realities have to be factored in.

  2. Hans Læssøe
    June 6, 2017 at 1:23 AM

    I agree with Glenn and your lack of trust they COSO and ISO updates will be truly strategic and business focused on balanced risk taking.

    I am stil optimistic for two reasons:
    – Every revision tend to get slightly closer to “getting it”. The latest I have seen of COSO is a big step in the right direction.
    – Companies that truly do and utilize active strategic risk taking/management will prevail over those who do the “tick boxing” Glenn mentioned.

    The difficulty is, that PwC and others tend to focus on what they know, i.e. compliance – and that hampers their adaptation to the more volatile business conditions.

    That said … there is a strong opportunity to get ahead to the game in your industry, if/when you actively deploy that “a stitch in time saves nine” and hence do proactive risk management rather than reactive “problem solving”.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: