As we get to know COSO’s updated risk management framework, a good place to start is by examining the 20 principles around which it is built.
While the executive summary talks in a principled manner about the management of risk, the framework is essentially a discussion of each of its 20 principles.
The COSO principles are:
-
Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
-
Establishes Operating Structures—The organization establishes operating structures in the pursuit of strategy and business objectives.
-
Defines Desired Culture—The organization defines the desired behaviors that characterize the entity’s desired culture.
-
Demonstrates Commitment to Core Values—The organization demonstrates a commitment to the entity’s core values.
-
Attracts, Develops, and Retains Capable Individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.
-
Analyzes Business Context—The organization considers potential effects of business context on risk profile.
-
Defines Risk Appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.
-
Evaluates Alternative Strategies—The organization evaluates alternative strategies and potential impact on risk profile.
-
Formulates Business Objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.
-
Identifies Risk—The organization identifies risk that impacts the performance of strategy and business objectives.
-
Assesses Severity of Risk—The organization assesses the severity of risk.
-
Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.
-
Implements Risk Responses—The organization identifies and selects risk responses.
-
Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.
-
Assesses Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.
-
Reviews Risk and Performance—The organization reviews entity performance and considers risk.
-
Pursues Improvement in Enterprise Risk Management—The organization pursues improvement of enterprise risk management.
-
Leverages Information Systems—The organization leverages the entity’s information and technology systems to support enterprise risk management.
-
Communicates Risk Information—The organization uses communication channels to support enterprise risk management.
-
Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.
There is no doubt in my mind that all of these are good practices.
But:
- Are they essential to effective risk management? Or are they simply essential to any organization that strives to achieve results? Are they simply attributes of any well-run organization? In fact, are they all the attributes of a well-run organization? Where are the principles relating to decision-making? Certainly, establishing objectives and an organizational structure, or hiring good people, do not seem attributes specific to risk management – although it is difficult to understand the risks to objectives if your objectives are not defined.
- Does achieving these principles indicate that the risk management is effective? I will provide my assessment of the COSO update in a later post. However, these principles are not written in a way that sets the bar very high. It is possible to believe you have achieved these principles while the board and top management see little value being derived from their investment of time and resources into risk management.
- Are these principles as useful as those from other guidance?
In World-Class Risk Management, I included the following table. It lists the 11 ISO 31000:2009 principles and my revised list of 6.
Principles in ISO 31000:2009 | Norman’s Revised Principles |
a. Risk management creates and protects value. | 1: Risk management enables management to make intelligent decisions when setting strategy, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders. |
b. Risk management is an integral part of the organizational procedure. | Not needed as I would include it in #1. |
c. Risk management is part of decision making. | Not needed as I would include it in #1. |
d. Risk management explicitly addresses uncertainty. | 2: Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives. |
e. Risk management is systematic, structured and timely. | 3: Risk management is systematic and structured. (Timeliness is covered in my #2.) |
f. Risk management is based on the best available information. | Not needed, covered by my #2 |
g. Risk management is tailored. | 4: Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it. |
h. Risk management takes human and cultural factors into account. | 5: Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome. |
i. Risk management is transparent and inclusive. | I would not include this as a principle. |
j. Risk management is dynamic, iterative and responsive to change. | 6: Risk management is dynamic, iterative and responsive to change. |
k. Risk management facilitates continual improvement and enhancement of the organization. | I would not include this as a principle. It is covered by my #4 and management should always be looking to continually improve, so this is not a distinguishing feature of risk management. |
I will let you decide which is the best set of principles: which is clearer in setting expectations for the effective management of risk and which is better as a basis for assessing the maturity of risk management. (Hint: I think my list is not only better but more succinct, relevant, and acctionable.)
Comments welcome!
- What is quality internal auditing? - April 17, 2024
- Conflicting research and thoughts on ESG - March 20, 2024
- Useful ethics training for internal auditors - February 21, 2024