
Which are the best principles for effective risk management?

September 15, 2017

As we get to know COSO’s updated risk management framework, a good place to start is by examining the 20 principles around which it is built.

While the executive summary talks in a principled manner about the management of risk, the framework is essentially a discussion of each of its 20 principles.

The COSO principles are:

  1. Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.

  2. Establishes Operating Structures—The organization establishes operating structures in the pursuit of strategy and business objectives.

  3. Defines Desired Culture—The organization defines the desired behaviors that characterize the entity’s desired culture.

  4. Demonstrates Commitment to Core Values—The organization demonstrates a commitment to the entity’s core values.

  5. Attracts, Develops, and Retains Capable Individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.

  6. Analyzes Business Context—The organization considers potential effects of business context on risk profile.

  7. Defines Risk Appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.

  8. Evaluates Alternative Strategies—The organization evaluates alternative strategies and potential impact on risk profile.

  9. Formulates Business Objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.

  10. Identifies Risk—The organization identifies risk that impacts the performance of strategy and business objectives.

  11. Assesses Severity of Risk—The organization assesses the severity of risk.

  12. Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.

  13. Implements Risk Responses—The organization identifies and selects risk responses.

  14. Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.

  15. Assesses Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.

  16. Reviews Risk and Performance—The organization reviews entity performance and considers risk.

  17. Pursues Improvement in Enterprise Risk Management—The organization pursues improvement of enterprise risk management.

  18. Leverages Information Systems—The organization leverages the entity’s information and technology systems to support enterprise risk management.

  19. Communicates Risk Information—The organization uses communication channels to support enterprise risk management.

  20. Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.

There is no doubt in my mind that all of these are good practices.

  • Are they essential to effective risk management? Or are they simply essential to any organization that strives to achieve results? Are they simply attributes of any well-run organization? In fact, do they cover all the attributes of a well-run organization? Where are the principles relating to decision-making? Certainly, establishing objectives and an organizational structure, or hiring good people, do not seem to be attributes specific to risk management, although it is difficult to understand the risks to objectives if the objectives themselves are not defined.
  • Does achieving these principles indicate that risk management is effective? I will provide my assessment of the COSO update in a later post. However, these principles are not written in a way that sets the bar very high. It is possible to believe you have achieved all of them while the board and top management see little value being derived from their investment of time and resources in risk management.
  • Are these principles as useful as those from other guidance?

In World-Class Risk Management, I included the following table. It lists the 11 ISO 31000:2009 principles and my revised list of 6.

Each ISO 31000:2009 principle (a to k) is shown with the corresponding entry from Norman's revised list (1 to 6), or the reason it was dropped:

a. Risk management creates and protects value.
   Norman #1: Risk management enables management to make intelligent decisions when setting strategy, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.

b. Risk management is an integral part of all organizational processes.
   Not needed, as I would include it in #1.

c. Risk management is part of decision making.
   Not needed, as I would include it in #1.

d. Risk management explicitly addresses uncertainty.
   Norman #2: Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.

e. Risk management is systematic, structured and timely.
   Norman #3: Risk management is systematic and structured. (Timeliness is covered in my #2.)

f. Risk management is based on the best available information.
   Not needed; covered by my #2.

g. Risk management is tailored.
   Norman #4: Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.

h. Risk management takes human and cultural factors into account.
   Norman #5: Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.

i. Risk management is transparent and inclusive.
   I would not include this as a principle.

j. Risk management is dynamic, iterative and responsive to change.
   Norman #6: Risk management is dynamic, iterative and responsive to change.

k. Risk management facilitates continual improvement and enhancement of the organization.
   I would not include this as a principle. It is covered by my #4, and management should always be looking to continually improve, so this is not a distinguishing feature of risk management.

I will let you decide which is the best set of principles: which is clearer in setting expectations for the effective management of risk, and which is better as a basis for assessing the maturity of risk management. (Hint: I think my list is not only better but more succinct, relevant, and actionable.)

Comments welcome!

  1. September 15, 2017 at 9:45 AM

    I don’t know if I share your optimism; to me they are empty consulting-talk type principles. I mean 20, really? I can get the whole essence of risk management across in 2: change how people make decisions, change how people think about uncertainty. We are way overcomplicating risk management. Your 6 principles make much more sense to me.

    • Norman Marks
      September 15, 2017 at 9:50 AM

      Thanks, Alex

    • September 17, 2017 at 6:09 PM

      I agree with Mr. Sidorenko. Your 6 principles can be very useful in actually running a business. Simple and elegant... better yet, understandable and honest. Bravo!

      I always thought ISO was Europe’s practical joke on America; one which made the world safe for bureaucrats and box checkers. Seriously. I’d be angry if I thought it was malicious.

      All risk is contextual – generalized platitudes a la ISO are irrelevant. What, then, is relevant? Uncertainty is relevant to managing the upside (growth and novelty) and the downside (screw-ups, Black Swan Events, randomness) of business.

      Very few managers have anything but a fuzzy, intuitive understanding of uncertainty and its wicked cousin, indeterminacy. The proof is that we spend so much time trying to quantify the unquantifiable and squirreling around with probabilities.

      • Norman Marks
        September 17, 2017 at 6:14 PM

        Love the part about “trying to quantify the unquantifiable and squirreling around with probabilities”. It’s either acceptable or not.

  2. September 15, 2017 at 12:04 PM

    I love your simplicity, Norman. I’m getting old now and can easily remember 6 principles, but not 20. If I can remember all 6, that means I can implement them all. For 20, chances are I’d forget more than half of them.

    And yes, your book is one of my risk bibles!

    • Norman Marks
      September 15, 2017 at 1:26 PM

      Thanks, Markus!

  3. September 15, 2017 at 12:30 PM

    I would love to see some effort placed on inserting details around what we call standard math “GEMS” (Genuine Expert Methods). GEMs that help companies move away from ordinal-based techniques are the top needed ones.

    I like both lists and see value in them, but at this stage of risk assessment maturity, we really need more detailed analytic guidance. For instance, we might all be able to make major strides forward if we had a cross-industry standard such as the Federal Reserve’s SR 11-7 for Risk Model Management. I think this is where we need to get down to analytic specifics, and that is our concern for our Members that need help in the trenches of cyber breach analytics, cyber risk assessment and operational risk assessment.

    My 2 cents!


    • Norman Marks
      September 15, 2017 at 1:28 PM

      Why, Phil? What is the value of expressing a value on a risk? For a start, there is always a range of possibilities and there may be multiple consequences (including both adverse and beneficial) to any event or situation. Then there is the question of whether the risk is one that should or should not be taken, given all the facts and circumstances. Focusing on math can deter from applying judgment.

      • September 17, 2017 at 5:44 AM

        Norm, point #1 is that our Members and ourselves are concerned with the levels of time and money that are being spent on ordinal-based risk assessment with no clear proof of positive results. There are some studies on this that have our attention.

        Point #2 – We need to tie value at risk to cybersecurity insurance underwriting as well as the level of risk mitigation investments.

        Point #3 – Companies need assistance with probability management when very little breach data exists. They are not familiar with the Bayesian math that is geared for these circumstances, along with peer-based risk assessment calculations.

        Point #4 – Boards of Directors and C-level execs need more accurate and granular probability data to work with to ensure that decisions are being made that secure shareholders.

        I came from an ordinal-based risk assessment mentality and I have personally seen the benefits of the new era of breach analytics and risk assessments and realize that a tipping point in risk assessment is coming (i.e. once the standards bodies realize that they need to bring standards up to speed).

        My 2 cents!

  4. September 16, 2017 at 12:14 PM

    What are principles? Let’s take a simple example: a screwdriver. ‘A screwdriver consists of a shaft, usually of metal, with a handle on one end and a bladed arrangement at the other which engages with a screw or bolt. When turned, usually by hand, it removes or inserts the screw or bolt into a material’. This shows a principle consists of a description of how the entity is made and how it is used and the result. This combination should not apply to any other entity and any individual part should not be used alone. Thus, ‘it removes or inserts the screw or bolt into a material’ does not uniquely define a screwdriver, since it could apply to a hammer (used improperly!).

    What’s a risk? ‘The possibility that events will occur and affect the achievement of strategy and business objectives (or will not occur)’ (COSO). So what about risk management? The definition implies that risk management is ‘made of’ probability and consequence (handle and shaft) applied to ‘events’ (screws and bolts). The result is the effect on strategy and objectives (screws and bolts removed or inserted).

    Applying these conclusions to COSO’s principles:

    Principles 1 to 9 and 15 to 20 affect probability and consequence and so are the wood and metal of risk management. However, they are not very specific, in the same way that wood can be used for objects other than handles.

    Principles 10 to 13 are the use of risk management; the ‘screwing in’.

    Principle 14 is the result.

    Looking at these principles against my somewhat strange example; the materials of risk management are not clearly defined; how risk management is used is OK; the results of risk management are poorly defined.

    Moving onto Norman’s revised principles:

    1 and 2 are the results of risk management

    4 and 5 are the use of risk management

    3 and 6 don’t seem unique to risk management. They are like specifying the screwdriver shaft should be rigid. If it isn’t rigid, it isn’t going to work.

    Norman’s revised principles don’t cover what risk management is ‘made of’. Is this essential? After all, if we specify that our aim is to remove a screw or bolt, and specify how it is to be done, does it matter if we use a manual screwdriver, electric screwdriver or spanner? The end will define the means.

  5. Malcolm Staite
    September 17, 2017 at 2:38 AM

    When asked how to get smarter, Warren Buffett once held up stacks of paper and said, “Read 500 pages like this every week. That’s how knowledge builds up, like compound interest.” All of us can build our knowledge, but most of us won’t put in the effort.

    So ... risk professionals ... exactly what is the problem with reading 20+ principles????

  6. GSosbee
    September 19, 2017 at 2:34 PM

    COSO is an intellectual exercise while ISO is a process exercise. Both are really designed to be standards to which the risk management effort is to be judged (audited). While anything ISO is really a box checking exercise, the COSO principles come the closest to real world application as they can be rearranged into three broad categories – (1) Board Directives; (2) Risk Management Program Design and Implementation; and (3) Management Oversight.

    What both do confirm is that to have an effective risk management effort there has to be one risk management program designed and implemented by a professional Chief Risk Executive. This doesn’t mean individuals other than the CRE inside the organization cannot perform “risk management” duties. Rather it means any internal process must fit into the risk management program (terms, definitions and measurement) managed by the CRE. This is the only way the risk element in any strategic or tactical decision can be successfully exercised.

    • September 20, 2017 at 4:21 AM

      Excellent view of a well-functioning risk management system.

  7. Jonathan Whitham
    September 20, 2017 at 4:15 AM

    I like your principles Norman. As you point out, a number of the ISO principles are not really principles at all but what I would term SOBOs – statements of the bleedin’ obvious. In my opinion, much of what is written about risk seems to be written from an intellectual standpoint, rather than a practical one. Trying to apply and monitor 20 principles is not practical for most organisations or risk teams, but six is certainly achievable. Thanks again for taking the time to analyse this stuff and apply some practicality to the situation.
