How well did COSO address comments on the ERM draft?

This article provides details of how well COSO has addressed comments on the ERM draft.

Last July, I submitted written comments and suggestions to COSO on the draft of the ERM framework update.

In this post, I remind you of those comments and discuss (see Comment) how well they have been addressed in the final edition. (At the time, I discussed them with several people involved in the update, who all agreed they had merit. However, I got the impression they were reluctant to make the sort of major change I was asking for, saying that COSO might follow the updated framework with thought papers.)

The COSO update has an appendix where they talk about their response to comments. Unfortunately, most of my comments are not addressed in that section.

I will share in a later post my assessment of the final product based on a set of questions that I encourage you to consider. Please join the conversation and share your assessment of the value of the ERM framework update here.


July, 2016

There’s a lot to like in the update, which in many respects I consider an upgrade.

In fact, I would describe this document as having the potential for a ‘leap forward’, not just a step. It’s more than an ‘upgrade’.

However, it is not yet there. I believe another significant leap forward is required, and this can be delivered through careful and thoughtful consideration of the comments COSO receives on the Exposure Draft (ED) – followed by action to address them.

I believe that while PwC and the COSO Board and its advisors have clearly stepped back and taken a big picture look at its ERM guidance, a second step back and another look at the essentials of risk management should be taken to consider whether the guidance is truly achieving its potential.

What is that potential? It is to transform how organizations are run, from the setting of the mission, objectives, strategies and plans to the daily operation of the business: how it performs in practice through intelligent and informed decision-making at all levels of the extended enterprise.

As is said in the Introduction:

“The value of an entity is largely determined by the decisions that management makes—from overall strategy decisions through to day-to-day decisions. Those decisions can determine whether value is created, preserved, realized, or eroded.”

In its ideal state, the management of risk is part of the rhythm of the business[1], entwined[2] into every business process and decision at all levels across the extended enterprise. It is no longer a compliance activity, but an essential ingredient in the success of the organization. It is not limited to avoiding harms, but also encompasses determining when the ability to reap a reward justifies taking the risk of harm.

Comment: COSO has gone a long way to see risk management “entwined” into every business process. However, they have done little IMHO to explain how it is part of decision-making and they have not addressed decisions and actions in the extended enterprise.

They say that an ethical person does the right thing when nobody is watching. Effective risk management is present when there is reasonable assurance that every decision-maker, from the board down to the front-lines, will make the ‘right’ decision without a risk officer present.

Comment: This important concept appears to be missing – that we need reasonable assurance that decision-makers are taking the right risk. Risk appetite is a way to identify after the fact whether too much risk has been taken. It only works proactively when each decision-maker knows which risks to take and I don’t believe that is sufficiently covered in their discussions of risk appetite and tolerance.

In fact, in an ideal world, people don’t think about risk management – it’s simply effective management.

Although the Foreword says (more than implies) that the earlier version had been broadly accepted and should be considered a success, that comment is highly questionable.

Surveys have shown that the ISO 31000:2009 global risk management standard has been adopted more often in recent years than the COSO ERM Integrated Framework. Many have taken the best of both to develop their own framework, and many experienced risk practitioners and thought leaders have dismissed the COSO product entirely.

Other surveys, notably by Deloitte[3], have found a huge disconnect between those leading risk management and the executives and directors who should be obtaining value from it. Only a small percentage said that risk management had made a significant contribution to their setting and execution of strategies.

There are several reasons for this. They include:

  • Creating the perception that the consideration of risk is something separate from the activity of managing the organization; as the ED says, it should be an integral element in decision-making every day at all levels of the organization.

    Comment: COSO has made efforts to address this. But the lack of discussion on decision-making and the continuing focus on a risk profile (which they admit is simply a list of risks, a.k.a. a risk register) will likely inhibit meaningful progress. The key point here is that organizations have been managing risk for centuries, often with success, without a formal program or office. As Alex Sidorenko says, talking about ‘risk management’ instead of effective management can actually inhibit a constructive discussion, because the ‘r’ word has a negative connotation in the minds of executives and because it appears to be something different from effective management when in fact it is not. Good managers manage risk all the time; they anticipate what might happen and deal with it; effective boards insist on discussions of what might happen and related scenarios as part of their strategy-setting and performance review discussions.

  • A focus that is restricted to the potential negative effects of uncertainty, considered at intervals rather than continuously.

    Comment: The need for continuous risk discussions is included, but it is still focused on potential negative effects.

  • A disconnect with management who are looking to enhance performance and deliver value, not just avoid failure.

    Comment: The update talks about performance but not how to assess the likelihood of achieving strategies and objectives and therefore enable actions to increase the likelihood and extent of success.

  • Reporting risks rather than the likelihood and extent that objectives will be achieved.

    Comment: This is a major issue that is not effectively addressed.

  • Communicating in a language different from that of the business. This inhibits management’s ability to not only understand at an intellectual level that the management of risk can help them be more effective as managers and successful as business leaders, but actually believe it.

    Comment: See prior comments.

  • An expressed desire, fueled by regulators and the concept of risk appetite, to ‘manage’ or ‘mitigate’ risk when in real life risk needs to be taken.

    Comment: I do not see how the update will constructively influence regulators.

  • Failing to understand that events and situations (requiring decisions and choices) create the potential for not just one but multiple effects – both negative and positive effects are likely every time a decision is made or an event or situation presents itself. All potential effects of a decision need to be assessed, generally in the same way, to understand the potential rewards and harms, understand and evaluate options, and consider what should be done to improve the likelihood and extent of success.

    Comment: This is a major gap in the update.

First, I want to congratulate the Board, its advisors, and PwC for progress on a number of fronts. They include (not in any particular order):

  • Emphasizing that risk management is about addressing the uncertainty that lies between where we are and where we want to be (although not in that language)
  • Restating that risk management is about achieving objectives. This was also in the prior version, but is repeated and emphasized for the great majority that did not see it in the 2004 edition
  • Making the point (I see Jim DeLoach’s influence) that risk management is not about the periodic review of a list of risks (i.e., enterprise list management)
  • Talking about the need to consider what might happen in the future when setting strategies and objectives
  • Restating that decisions need to be made based on an evaluation of both the potentially positive and negative effects of uncertainty
  • Introducing a discussion of risk culture
  • Using the word “anticipate”, which I think is a highly descriptive way to explain what risk management is all about

These are points made in the Executive Summary.

Comment: We should not forget that the update is an improvement on the 2004 version.

I have developed a set of 12 questions to assist in the evaluation of the Exposure Draft and whether it will move the practice of effective management as far forward as it can and should.

Comment: I wonder whether PwC used the set of questions.

My comments are at this 50,000 foot level. They affect much of the detail and I hope the COSO Board and advisors, assisted by PwC, will consider them and then apply them to the detailed content.

Final thoughts and suggestions

As I said at the beginning of this response, the ED is an upgrade and has some valuable content. The ideas and aspirations laid out in the Executive Summary are, for the most part, excellent.

However, I have problems that I believe are significant.

  1. The ED continues the focus on harms. There is a huge difference between opportunities (such as the opportunity to take advantage of a competitor’s stumble) and recognizing that any situation, event, decision, or choice can have multiple effects on achieving objectives: some positive as well as some adverse. All have to be assessed and evaluated, not just the harms.

    Comment: The executive summary may say that there are multiple potential effects, both positive and negative, but the body talks almost exclusively about harms. There is no discussion of the need to identify, assess, and evaluate all potential effects.

  2. The ED continues to focus on a list of risks. While it talks about decision-making and makes the point that risk management informs decision-making, it is more than that. Every decision is a risk decision. Every decision is about understanding the current situation, what is expected to happen, whether that is acceptable, what options are available, and then making informed choices. That is risk management as well as effective management. It is not just risk-informed decision-making. The best way to improve the management of risk is to improve the decision-making process and capability. If the framework could provide a structured process for decision-making, that would make it both practical and of immense value. Instead, it pays scant attention and continues to talk about generating and maintaining lists of risks.

    Comment: The framework body focuses on a risk profile (the same thing as a list of risks, just different language), risk appetite, and so on. There is no discussion of how to weigh all the possibilities, the ranges of good and bad potential effects, to come to an intelligent decision. While the update talks about decision-making, this is absent from the principles and I see no related guidance.

  3. The idea that you can aggregate all risks into a risk profile is alarming. You simply cannot do that and expect to be successful. The potential for each objective to be achieved must be managed individually as well as collectively. Compliance risk should not be aggregated with reputation or financial risk. In fact, there is danger in aggregating different forms of compliance risk; compliance risk in aggregate may appear to be at an acceptable level while the company is significantly in breach of specific regulations or laws.

    Comment: This misguided guidance remains prominent.

  4. Finally, and most important of all, risk management is really about anticipating what might happen that would affect your journey from where you are to where you want to be. The COSO Board needs to reconsider how it describes terms like uncertainty, risk, and risk management with this in mind. Good decisions come from understanding what might happen, all possible effects, then making informed, intelligent choices.

    Comment: Unfortunately, I do not see sufficient progress. While talking about performance is progress, there is insufficient attention to assessing the likelihood of achieving objectives or on decision-making.

I have pointed out other areas for improvement, such as an expanded discussion and guidance on board oversight, and a major overhaul of the thinking around risk appetite and tolerance. But these are the most crucial issues.

A couple of closing suggestions:

  1. Expand the Advisory Board to include practitioners from around the world, especially from nations where the practice of risk management is more advanced than in the US. Grant Purdy, John Fraser, Richard Anderson, and Martin Davies would be excellent additions.

    Comment: While some expert advisors were present (notably, Carol Fox), I wish COSO had brought more thought leaders into the process.

  2. Consider, where possible, the use of plain English instead of technical jargon. This would make the guidance clearer to executives and board members. Talk about optimizing outcomes, achieving success, and so on – the language of the business.

    Comment: See prior comments.

There is an opportunity to make a huge leap forward, providing a beacon for world-class risk management, or should I say effective management.

That will require a further step back, a deep breath, a willingness to accept the need for change, the courage to make a huge departure from traditional thinking (which has proven to be failing us), and action.

It is better to take longer to think this through, make the changes thoughtfully, than to tinker with the ED. That, I suggest, will not be sufficient.


Final comment: My impression is that COSO only tinkered with the draft. I understand that they are considering further work, thought papers or similar, that will build on the framework and address some of the points above.

But, have they made a “leap forward”? Have they done enough to move practices forward, in the right direction? Did they want to make that leap forward, or were they too risk averse?

Will this update change the percentage of executives answering the piercing question by Deloitte, “Does risk management support, at a high level, the ability to develop and execute business strategies”, up from 13% to close to 80%?

What do you think?


[1] “Drive business results by harnessing uncertainty”, EY, February 2015

[2] A great word, far better than ‘integrated’ or ‘embedded’, used by PwC in Risk in review: Going the distance, 2016

[3] Exploring Strategic Risk reported that “Only 13% of [C-level] respondents believe their risk management processes support, at a high level, the ability to develop and execute business strategies”

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.