Home > Risk > New ERM Guidance from COSO

New ERM Guidance from COSO

February 8, 2020 Leave a comment Go to comments

It’s is very hard to talk or write intelligently about risk and its management when your language gets in the way.

A new COSO paper, written by two individuals I have known a long time and for whom I have great respect, is trapped by one awful word, a true four-letter word: ‘risk’.

Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management is based on COSO’s 2017 update of its 2004 ERM Framework. Their intent is to explain how effective ERM can add value to an organization, and to give some guidance on how to implement or upgrade it.

But it is bedeviled by this four-letter word.

There is no common and shared understanding of what the word means. Is it:

  • The possibility of something bad happening?
  • The effect of uncertainty on objectives? (ISO 31000)
  • The effect of what might happen on the achievement of enterprise objectives, effects that can be good, bad, or both? (Marks)

Let’s start with some excellent language from the document. They say (my highlights):

  • COSO’s 2017 Framework, Enterprise Risk Management – Integrating with Strategy and Performance, defines enterprise risk management as: “The culture, capabilities, and practices, integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving, and realizing value.
  • …in today’s risk environment, improved risk management processes are needed to ensure that organizations are successful.
  • …the role of ERM [is] not just that of a separate staff function but [is] integral to how an organization creates and preserves value.
  • …improved risk management practices can contribute to improving performance and helping the organization create and enhance value.
  • The 2017 Framework clearly positions ERM as an activity whose role and objective are helping the organization to create and protect value. It accomplishes this by helping the board and management make better informed decisions…. The overall objective of ERM is accordingly, enhanced performance of the organization. It is not a separate activity with its own objectives but an integral part of the organization’s strategy setting and performance processes.
  • its benefit is improved decision making and ultimately improved performance of the organization as it strives to meet its mission and achieve its strategies and business objectives.

I have noted these because, as COSO states, the objective of ERM (or whatever you want to call it) is helping the organization succeed. It is not limited to protecting value from harm. It includes enabling the organization to create and realize value.

Focusing on avoiding failure is not the path to achieving success.

The authors note that the benefits of ERM include:

  • Increase the range of opportunities by considering both the positive and negative aspects of risk
  • Increase positive outcomes and advantages while reducing negative surprises

This is spot-on from the authors:

Another way to look at the benefit and value of ERM is its contribution to better decision making. Boards and management are constantly faced with decisions ranging from strategy decisions to day-to-day decisions. An ERM process provides additional risk information related to the strategies to enable them to make better informed decisions to create and protect value.

But then language impairs the message as the authors continue.

They are sucked into focusing their total attention on the possibility of harm. Even though they have talked about achieving success, and that there are possibilities of both loss and gain from events and situations, they limit ERM to addressing things that might happen to impair (i.e., ignoring the possibility of enhance) the achievement of strategies and objectives. They are concerned only with protecting and not creating value – despite the title of the paper.

More excerpts:

  • Following the updated Framework, the organization is trying to identify those events that might impair its ability to achieve its strategies and business objectives.
  • The key risks that ERM is focused on are those events, and the resultant outcomes, that could impair the organization’s ability to implement its specific strategies.
  • It accomplishes this by helping the board and management make better informed decisions that enable them to effectively manage those risks that could impair their ability to achieve their strategies and business objectives.
  • ERM helps not only identify risks but also assesses which risks are significant enough to impair the organization’s ability to achieve its objectives.

When the South African Institute of Directors updated their code of corporate governance, providing us with the excellent King IV code, they changed from talking about ‘risk’ to talking about ‘risk and opportunity’. That is better, but still doesn’t entirely get us to where we need to be: talking about the ability to increase the likelihood of success.

Manage success, not failure.

Here’s a simple example of why focusing exclusively on the possibility of harm will lead to the wrong business decision.

The company is considering making an acquisition. The acquisition is expected to increase the potential for credit loss for the post-acquisition enterprise by $5 million based on the prior experience of the acquired business. The risk manager worked with the company’s Credit Department to assess the total company credit risk and says that there is a 10% likelihood that the company will exceed the defined risk appetite.

The CEO correctly points out that while he doesn’t want to incur additional credit losses, the acquisition is 80% likely to deliver an additional $50 million to the company’s bottom line.

The point is that the acquisition will not only increase the possibility of harm, but the possibility of reward.

Effective risk management (in my world) is about providing decision-makers with all the information they need on all the more significant things that might happen, both good and bad, so they can make an informed and intelligent decision.

I’m fine with the idea of starting an ERM program with the ways in which the enterprise can deliver value to stakeholders.

Then, ‘what might happen’ is factored in when setting objectives and related strategies. It’s not after-the-fact. It’s an integral part of objective-setting and then deciding which strategies to adopt to achieve the objectives. (In other words, don’t assume that the right objectives are set, which is what COSO ERM does.)

Once objectives and strategies are set, understanding and monitoring what might happen is appropriate. But don’t monitor only the possibility of bad things happen; make sure you are able to take advantage of the good, the opportunities that may arise. For example, will you know when a competitor stumbles or a customer has a greater than expected need?

When you consider the possibility of harm, weigh that against the possibility of reward.

Ongoing decision-making should be based on am understanding not only of what could go wrong and what needs to go right (glad to see the document using my language here), but also what could go even better than expected.

But limiting ERM to managing a list of risks is not effective management of the organization for success.

My advice:

  • Stop using the awful four-letter word. Instead, think about how you should consider what might happen so that you have an acceptable likelihood of achieving your objectives: being successful.
  • Talk about how you can increase the likelihood of success; talk about what might happen. (Read my books)
  • Don’t monitor and address only the possibility of harm but also the possibility of greater than expected reward.
  • Weigh all possibilities and make informed and intelligent decisions.
  • Make sure that all decision-makers know how to make the informed and intelligent decisions necessary for success.
  • Make sure all decision-makers know how their decisions might affect the likelihood and extent of success. (Risk appetite is generally less useful than people think because it focuses exclusively on the possibility of harm, without considering the possibility of reward.)

I welcome your thoughts.

  1. Anonymous
    February 8, 2020 at 2:11 PM

    Hi Norman – the use of quantitative risk analysis solves these problems with language (or at least makes it secondary or mute point) as nicely shown by your example – when decision makers see the whole risk profile for the investment they see both the threat and opportunity sides and can make a sensible risk based decision (ie is the opportunity worth the threat) which in your example was an 80% of adding $50m of value. To focus solely on either the threat or opportunity side is flawed as decision makers need to see the total risk profile. Cheers Greg

    • Norman Marks
      February 8, 2020 at 2:15 PM

      Greg, calling it quantitative risk analysis is going to be off-putting for decision-makers. Can we come up with language that is more like business English? Otherwise, I agree.

      • Anonymous
        February 8, 2020 at 4:21 PM

        Hi Norman – I think it is just a matter of knowing your stakeholders and the people receiving the info and you use their language or the company’s language. What has worked for me are terms like NPV profile, capital profile, Operating cost etc. Cheers Greg

  2. Vincent Tophoff
    February 8, 2020 at 2:47 PM

    Swap the word “risk” with “uncertainty” and you get a completely different (and better, because more balanced) conversation!

    • Norman Marks
      February 8, 2020 at 2:51 PM

      Except nobody knows what that means either. Is it the lack of knowledge, the possibility something might happen, or the possibility that you might not succeed? Who knows? Even the people who wrote ISO 31000:2009 couldn’t agree

      • Vincent
        February 8, 2020 at 2:57 PM

        Thanks Norman and I know, I have been there! On a different note, be on the lookout for a new book from Grant Purdy and Roger Estall.

      • Roger Estall
        February 8, 2020 at 7:40 PM

        Hi Norman, I can’t see any underlying differences in meaning of the three examples of uncertainty (of thousands of examples) that you cite here. Surely they are all cases of not being certain – which, let’s face it, has always been the meaning of uncertainty.

        • Norman Marks
          February 8, 2020 at 7:51 PM

          Not sure I agree, Roger

      • Erik Schneider
        February 10, 2020 at 10:04 AM

        Decision professionals use ‘uncertainty’ to mean the outcome of a decision is not certain, and includes room for positive and negative outcomes. I find it very hard to believe that standards and risk practitioners are going to redefine the meaning of risk to mean anything other than the chance of negative outcomes to business people. No one puts positive outcomes in their risk register and no one talks about the risk of winning a lottery (although negative outcomes lurk there as well). Risk is in the ERM acronym so a complete name change to the field is required or it will continue to be perceived as a department of downside specialists.

        But guess what? Even decision professionals focused on positive and negative outcomes have a had time convincing senior business leaders that their services add value for strategic decisions. There are some exceptions, O&G and pharmaceuticals for example, but not much beyond that. And the field of decision analysis and quality is a mature one based on over 50 years of research. So if decision quality has difficulty gaining traction, I fail to see how ERM is suddenly going to get a welcome just because they’re now talking risk and opportunity. Maybe the size of the professional bodies and consulting firms can change this but I have my doubts, especially in the short / medium term.

  3. Grant Purdy
    February 8, 2020 at 3:44 PM


    Let’s just be clear. There is no objective evidence to support the contention that adopting ‘risk management’ equates to enhanced organisational performance. So, the COSO statement that “its benefit is improved decision making and ultimately improved performance of the organization as it strives to meet its mission and achieve its strategies and business objectives” is, at the very best, based on faint correlations, not causation.

    I know that we live in the times of ‘false news’, but this is surely a breathtaking example of the axiom attributed to Vladimir Lenin, Joseph Goebbels, Adolph Hitler and other masters of propaganda, that: “a lie repeated often enough becomes accepted truth”.

    The faint correlations between organisations that are successful and those that adopt the risk management paraphernalia, can be explained more credibly by already successful organisations being able to afford the ‘risk management’ edifice or, quite simply, that they are subjected to coercion by regulators who have also eaten the ‘risk management’ magic mushrooms or drunk the ‘risk management’ kool-aid.

    Like all belief systems, this amorphous thing called ‘risk management’ requires all disciples to just suspend disbelief and sing along with the choir. Sure, some people may be part of a particular sect that requires them to subscribe to special and different meanings to some words (the like R one). But, in all cases, whatever flavour of ‘risk management’ edifice you subscribe to (or particular three letter acronym – ERM, GRC, RBT etc. you bow down to), the edifice and its constructs, factually and objectively, don’t make life any easier or enhance decision-making.

    While one might nit-pick over certain words and part phrases in the COSO report, let’s be honest: to all normal people who make decisions, ‘risk management’ paraphernalia is both complicated and unnatural (and some of us suspect that was the intention all along).

    For example, the belief system gives special and varying meanings to simple words and many disciples and COSO-worshippers popularise the dichotomy of ‘risk and opportunity’. However, this is about as logical as pairing bulldozers with cauliflowers – sure, it can be done, but why? The two words are utterly unrelated and are not antonyms. An ‘opportunity’ is just a time or set of circumstances that makes it possible to do something – look it up! How can that be the antonym to risk?

    Another example, that seems common across all the many sects of the ‘risk management’ belief system, is the contention that, to be successful, organisations will need to somehow integrate the related paraphernalia into their usual way of operating and making decisions. This is neither realistic nor valid which is why, at the best (!) ‘risk management’ is usually applied (imperfectly) as an ‘add on’.

    I know this will be regarded by all ‘believers’ as heresy, but the real world fact is that ‘risk management’ doesn’t help decision makers achieve sound decision-making. Fact!.

    If it was so obviously a simple way to improve decision making that made our organisations more successful, then it would have sold like ‘hot cakes’ and we would not need the coercion of stock exchanges and regulators. And, yet, 30 or more years since the ‘risk management’ belief system was first hatched, organisations still struggle to understand what to do and why they have to do it (and so they must employ expensive consultants and professionals to ‘help’ them).

    In reality, relatively few organisations in the world actually either buy-in to this belief system and of those that are ‘forced’ by regulators to chant the ‘risk management’ liturgy, few if any master its intricacies, or fundamentally change the way they operate.

    I’d like to suggest that, rather than writing yet more guides on how to build clunky, artificial ‘risk management’ edifices that actually support perverse and unhelpful behaviours, it might be time we simply focused on helping organisations make better decisions that properly take into account sources of uncertainty. In other words, we help decision-makers of every kind achieve sufficient certainty that their decisions will deliver their intended outcomes.

  4. February 9, 2020 at 1:14 AM

    Grant, you make the comment, ‘I know this will be regarded by all ‘believers’ as heresy, but the real world fact is that ‘risk management’ doesn’t help decision makers achieve sound decision-making. Fact!’. I don’t agree. If I have the objective of buying a newspaper from the shop on the other side of a busy road, there is the risk that I will be knocked down by a car. I manage that risk by looking both ways before crossing. If I consider that the road is too busy to cross, even with looking, then the risk exceeds my ‘risk appetite’, I can manage the risk further by using a pedestrian crossing. So I decide to use the crossing.That’s the real world, which doesn’t obsess about risks but takes them into consideration when pursuing an objective.

    The issue I have with ERM, is that it’s a solution looking for a problem. It does obsess with risks instead of concentrating on the means to achieve objectives. May I suggest, as a retired internal auditor, that this results from risk managers looking for a purpose?

    • Grant Purdy
      February 9, 2020 at 3:48 PM

      Dear dmgriff,

      What you describe is just a normal process for making decisions. It does not need a special label. However, it is not recognisable in terms of the organisational edifices that are now called ‘risk management’. Where is your risk appetite statement, your risk register? And how did you assess the level of risk without a magic matrix?

      I think you have just confirmed my point – that risk management is a nonsense phrase that is banded around by many but understood by very few. Probably because it involves the ‘r word’ that none of us can agree what it means, and we use it variously as a noun, a verb and as an organisational property.

      At one time, what you describe would be called ‘doing a risk assessment’ but we could not even agree whether it was really a risk analysis or a risk assessment. And then, presumably you took certain actions to safeguard yourself. But is that risk treatment, or risk mitigation, or risk modification – or, as some people still insist, ‘risk management’?!!!

      Of course, when we cross the road we take into account the uncertainties involved in the context of our general purpose (which probably involves living as long as possible and avoiding unnecessary pain).

      You can easily describe the thoughts and actions you take when crossing the road without using any r-laden jargon or ambiguous code. For example: we cross that because we have recognised the opportunity presented by being on the other side (unharmed) and a tentative decision is made as to where and when to cross and how quickly to move.

      The possibility of being struck by oncoming traffic is reduced by looking first in the direction of the traffic on our side of the road and then, if that is sufficiently distant, looking in the other direction.

      A mental clock notes the time elapsed since the first look and, having regard to traffic speeds, we will typically update our situational awareness of traffic on our side of the road by again looking in that direction and either confirm or revise our decision to cross and the speed at which we do so.

      During implementation (i.e. crossing) most of us will continue to monitor the traffic in both directions and, if the evolving situation is different to that predicted, will revise the original decision and either retreat or speed up.

      If we are more conscious of the implicit assumptions on traffic in this decision, then it’s likely that we will recognise the advantage of adding a further secondary element to the decision (additional to continuing to monitor traffic) and discontinue the practice of using our phone during the crossing to make monitoring easier and more reliable.

      While you may think that ‘risk managers’ are looking for a purpose, as a friend of mine might say, “if internal auditors are the answer, what was the question?”

      • Norman Marks
        February 9, 2020 at 3:52 PM

        Grant, I hope you are also checking that the opportunity/reward on the other side of the road is still there! You are also checking that there isn’t a greater opportunity down the road from you.

        • Grant Purdy
          February 9, 2020 at 4:39 PM

          Of course!

          Decision making is dynamic and always benefits from a regime of continuous monitoring – even after a decision has been made. The opportunity or the context and your assumptions may change. Also, the outcomes you desired may not have been realised.

          Of course, I could always wait for an internal auditor to do the monitoring for me – but I’d be waiting a long time and the opportunity would have passed many months ago.

          So how do risk registers that are compiled or updated once a year without much thought to context fit this? Well, of course, they don’t!

  5. Bill Spoehr
    February 9, 2020 at 8:47 AM

    The indiscriminate use of the four-letter, ill-defined, work “risk” has done more to turn the acronym, ERM, into a four letter word among senior leadership and Boards than any other factor. Plus, the IIA’s and COSO guidance on implementation requiring “risk tolerances” and “risk appetites” that arise out of “voting sessions” and lots of navel pondering by senior leaders, has, perhaps fatally, harmed the development of useful ERM processes in non-highly regulated industries. My organization is not required by regulators to show we “consider risk”, but that assessment happens daily as leaders consider new initiatives, etc.

    In my experience, boards and senior leaders innately consider risks when evaluating strategic initiatives – this is as it should be. But, the processes are clearly ad hoc on any maturity scale. It would be benefit if these processes were better documented and “formalized” without having to sit around a conference table for hours. Common goals are essential and good communication skills are needed to articulate to leaders the benefits of “thinking about risk”, without being a meeting killer with discussions of what can go wrong.

    As usual, Norman, your comments are dead on.

  6. February 10, 2020 at 2:05 AM

    Grant, Norman and others. We seem to be in some sort of agreement. The problem with the concept of risk is that it has been made too complex. Your solution involves using other words, mine involves getting back to what most people understand by risk. I suspect my cause is lost.

    Grant, if internal auditors are the answer, the question is, ‘How do we ensure that processes exist to maximise the impact and/or likelihood of events which might benefit the achievement of our objectives or minimise the impact and/or likelihood of events which might prevent us achieving our objectives?’

    (Incidentally, it is not the job of an internal auditor to monitor, that is management’s responsibility)

    • Norman Marks
      February 10, 2020 at 6:15 AM

      Please remember that events and situations happen that have BOTH positive and negative effects on the achievement of objectives. Its almost never just one or the other.

    • Bill Spoehr
      February 10, 2020 at 8:05 AM

      Agree with “it is not the job of IA to monitor”, or quite frankly, to lead an ERM process. for the former, IA cannot “be” the control – as you point out, that’s management’s job. For the latter, IA is requested to “lead” ERM because IA tends to be results oriented, good collaborators and communicators, and has the breadth of organizational knowledge and credibility to drive the project forward.

      • Grant Purdy
        February 10, 2020 at 2:08 PM


        That seems to be a great project for internal audit to run! A nonsense program that no one wants or understands and that destroys rather than adds value to an organisation. Sounds a perfect fit to me!

        Just incidentally, if it’s not IA’s job to provide independent monitoring of context, assumptions and decision outcomes, what do they really do? I’ve always wondered.

        • February 11, 2020 at 6:18 AM

          Grant, as I wrote previously, the purpose of internal audit is to ensure processes (i.e. controls) exist to maximise the impact and/or likelihood of events which might benefit the achievement of our objectives or minimise the impact and/or likelihood of events which might prevent us achieving our objectives

          • Grant Purdy
            February 11, 2020 at 2:42 PM

            That sounds like the role of management. I.e.those who make decisions. When decision are made, those who make them need to ensure that the outcomes are sufficiently certain and that they will support and not detract from the organisation’s purpose. As part of the decision the decision makers should also decide what monitoring regime is required. This might (or might not) involve elements of independent monitoring of context, assumptions and outcomes.

            If IA is not there to provide independent monitoring (as part of the decision making process), I return to my point of not being clear as to what the question IA is the answer to.

            As for the word ‘control’ this seems to suffer the same level of ambiguity as ‘risk’. For example, is it a verb or a noun? Is it a process or ‘thing’?

            That’s why the whole Internal Audit edifice is as value-destroying as the ‘risk management’ one. What is the point of either of them?

            • February 12, 2020 at 1:22 AM

              In an ideal world there would be no point in external audit, internal audit, risk management, quality control, and all the other monitoring and controlling value-destroyers. Unfortunately it’s not an ideal world.

              • Roger Estall
                February 12, 2020 at 3:43 AM

                I wonder whether the reason that ‘our world’ is NOT ideal, is because those who have responsibility for their organisation imagined that all those people with the odd titles that you mentioned were discharging their responsibilities for them?
                I don’t know about you, but so many organisations take great reassurance from being in a state that they have no outstanding unresolved items from their last audit, completely unmindful of what might have changed in the meantime, because they rely on ‘auditors’ to discover and highlight what they have got wrong.
                You’ve no doubt heard of Munchausen Syndrome … capture by auditor is not too dissimilar! And the auditors LOVE it!!

    • Grant Purdy
      February 10, 2020 at 2:23 PM


      You might as well give up trying to convince people your definition of the word ‘risk’ is the correct one.

      That given in ISO 31000 seemed elegant and simple to the team that developed it, but now, some 11 years after it was published, most people can’t get their heads around it. Even ISO, who has clearly spent a fortune shipping a group of ‘experts’ around the world to various lovely locations so that they can come up with a better definition, has now thrown in the towel. Seehttps://www.oxebridge.com/emma/annex-l-rewrite-wont-update-definition-of-risk-after-all-making-entire-effort-pointless/?mc_cid=6245515afb&mc_eid=8dfa6e4298

      We can never stop people (mis)using the ‘r’ word. It will always mean something to them -that they don’t really understand and can’t explain. However, if we want to hold meaningful and efficient conversations that help people make better decisions, it’s better if we use language that is not ambiguous and which all can understand. Maybe then, when decision makers consider the sources of uncertainty for their desired outcomes that are present in the assumptions they make, they will appreciate and find relevant the advice they are given. It might even help overcome some biases.

    • Roger Estall
      February 10, 2020 at 5:49 PM

      Your statement ” The problem with the concept of risk is that it has been made too complex. Your [other contributors) solution involves using other words, mine involves getting back to what most people understand by risk. I suspect my cause is lost.” caught my eye.
      Your first sentence refers to ‘it’ – i.e. the ‘concept of risk’ as if this was something that has shared meaning. Whatever is this concept that you are referring to, which you choose to label ‘risk’, the issue is not that said concept (whatever it is) has been made too complex, it is that an untold number of other concepts have also been labelled risk with no more or less justification than in your choice of label. There is no basis at all that I can see for your assertion in the second sentence that ‘most people’ have a shared understanding of what is being labelled by the word ‘risk’. The evidence of this is abundant. And yet, contributors to this and earlier discussions of similar vein still seem to hold a nostalgic belief that this word labels some immutable tenet of knowledge – such as those that the labels gravity, tax and death refer to, and they use the word risk as if such knowledge flows from it.
      Forget the word. It has no value, and as Grant suggests, just use plain language to talk about whatever it is that YOU have in mind when the spirit moves you to invoke the risk label!
      It follows (as has long been known) that the expression ERM (whether in acronym or its full glory) is also a useless label – firstly because of the inherent and unavoidable problems of the R word (as above); secondly, because it is not clear which pair of words is the compound noun (ER or RM) – neither of which, aside from the inherent R problem has a coherent meaning – for example, if E (which means organisation) is an adjectival modification of RM, what other kinds of RM are there (none) and so it serves only to confuse, but if the E word, as part of an ER compound noun is an adjectival classification of R, what other kinds or R are there (none)?
      So yes, whatever is your cause, I think it might indeed be lost!

      • February 11, 2020 at 6:13 AM

        I don’t see why I should forget the word ‘risk’. It’s a simple word, understood by most and even used by the BBC in one headline today. Just because the risk management community have managed to define it in such an obscure way, or add in other inappropriate concepts, it shouldn’t stop the rest of us using it.

        I agree with your comments about ERM, a phrase which I don’t use. I also dislike the term ‘risk manager’ since risk managers don’t manage risk – that’s the responsibility of those charged with delivering objectives.

        • Roger Estall
          February 12, 2020 at 3:34 AM

          We’ve got an equivalent of the BBC where I live and, like the BBC, our mob said tonight that ‘there is a risk of rain tomorrow’.
          They were referring to the chance that it might rain tomorrow and it won’t just be the ‘risk management community’ that take that inference! Indeed, most people will, which is no doubt why the broadcaster said it. So are you saying that that is also your understanding of ‘the’ word? Or are you saying that this meaning is ‘obscure’ or ‘inappropriate’ and all who think otherwise are wrong?
          And of course, like it or not, all the people called ‘risk manager’ imagine that they are doing worthwhile stuff, and indeed, may well be, and (rightly or wrongly) are certainly so recognised in their organization as doing so.
          But how can that be the case if you are saying that they are not doing what they say they are doing – that, in effect, they are shysters? Or could this just be a further example of what Grant has been explaining –
          the word has no utility.

  1. February 10, 2020 at 3:46 AM
  2. December 28, 2020 at 10:37 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: