Last week, I wrote about a PwC piece that IMHO gave poor guidance to boards and their oversight of risk management.
To be fair, there are people in PwC who “get it”.
A different piece, presumably by different people, makes some important points.
How your board can ensure enterprise risk management connects with strategy says (emphasis added):
- Any major strategic decision carries uncertainty. A well-developed enterprise risk management (ERM) program can help executives meet key business objectives.
- “ERM” means different things to different people. Some companies simply use ERM to identify, prioritize and report on risks—protecting value. The best companies use ERM to make better decisions, improve their strategic, financial and operational performance and create value. But it takes work and buy-in at all levels to make that happen.
- ERM is the collection of capabilities, culture, processes and practices that helps companies make better decisions as they face uncertainty. It gives employees a framework and policies to help them understand, identify, assess and manage risks so the company can meet its objectives. It’s most valuable when it’s integrated with strategic planning.
- ERM should also look at whether the company is taking enough risk and focus on areas of overperformance as much as poor performance.
- The best ERM programs allow companies to have both risk agility (can you quickly adapt to a changing environment?) and risk resilience (can you withstand business disruption?). And companies that are committed to effective ERM programs periodically assess how they can be further improved.
All of the above is good.
But after a good start, PwC reverts back to a discussion of how to manage the adverse and ignores what it said about making better decisions, creating value, or taking enough risk.
I am afraid that the updated COSO ERM Framework, which is being led by PwC, will do the same. (It did this in 2004 as well). They will start with great stuff about decision-making, setting and then executing on strategies, and creating as well as protecting value.
But then they will revert to their roots and talk about managing a list of risks.
Risk management is about understanding what might happen as you strive to achieve your objectives, then taking actions to increase the likelihood and extent of success.
That means that when you make strategic decisions you have to understand not only the possibilities of bad things but the possibilities of good.
Apply the same discipline and process to the likelihood and magnitude of positive effects as you do to adverse.
In addition, if you don’t focus on the achievement of objectives, but instead manage individual risks, how do you know whether you are likely to achieve them – or the possibility of exceeding them?
I only hope that PwC, with the influence of the COSO Board, gets the COSO 2017 ERM update right.
What do you think?
I welcome your comments.
By the way, if you are involved in the ISO 31000 update, do you expect that to be a leap forward enabling advances in practices such as decision-making?
- What is quality internal auditing? - April 17, 2024
- Conflicting research and thoughts on ESG - March 20, 2024
- Useful ethics training for internal auditors - February 21, 2024