Risk Management Reports

December, 2004
Volume 31, No. 12
COSO Enterprise Risk Management Framework 2004

The beast has at last produced its expected offspring, and a hulking, awkward creature it is. Given a gestation period of over three years, we might logically expect something that could immediately go forth and be useful but, alas, this creature is preceded by smaller, clearer-eyed and more nimble adversaries, leaving it to lumber away from its five parents (a biological marvel!) and gather dust when it finally settles to earth.

I speak, of course, of the long-awaited “final” version of the Enterprise Risk Management – Integrated Framework, produced by representatives of the five organizations that make up COSO, the Committee of Sponsoring Organizations of the Treadway Commission (American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Management Accountants and the Institute of Internal Auditors). I reviewed its first draft in 2002, its second early in 2003 and its third late last year, after which I wrote about its weaknesses and strengths in the October 2003 RMR.

While I acknowledge some improvement in this final effort, I’m afraid that its monstrous size and tedious prose (one appendix is made up entirely of passive sentences!) will condemn it to the dusty shelf, especially in comparison to the revised Australia/New Zealand Risk Management Standard 4360:2004, reviewed last month in RMR. See also my review of the Risk Management Standard 2002 from three UK associations, a crisp and efficient distillation (RMR November 2002). Consider that this COSO work is in two volumes totaling 230 pages, as compared to the lean and limber 28 pages of AS/NZS 4360 and the 17 pages of the UK publication. Yes, COSO’s opening Executive Summary has been pared from 22 to 9 pages, meaning that several more senior executives and directors are likely to read it, but the excessive length of what’s left has two significant deficits: too few will take the time to read it, and it dwells too heavily on an intricately detailed “process” that reeks of “controls.” COSO slips into the fatal fallacy of trying to tell us “how” to do it, rather than “why.” But because of the sheer volume of interest today in risk management, a partial result of Sarbanes-Oxley and similar initiatives around the world, COSO’s version will receive broad distribution. It doesn’t deserve it.

COSO continues to focus on risk as the potential for an adverse outcome. In an Appendix the authors acknowledge further discussion on this point but they conclude “adding the concept of opportunity would cloud the concepts and make communication more difficult. Maintaining the distinction between a negative event and a positive one brings clarity to the enterprise risk management language.” I continue to disagree, with respect, along with others in Australia, New Zealand, Canada and the UK, and in ISO (whose glossary of 2002 comes down firmly on the idea that risk encompasses both positive and negative outcomes). An unexpected event may carry, simultaneously, potentially favorable and unfavorable results, and recognizing them together creates the chance for a more intelligent organizational response.

If we are trying to persuade others that enterprise risk management is a necessary alteration of organizational behavior, why not adopt a definition that is brief and easily remembered? COSO weighs us down with a 54-word slug: “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Compare that to AS/NZS 4360: “Risk management is the culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.” Much better, but still not as memorable as my preference: “risk management is a discipline for dealing with uncertainty.” Take your pick!

COSO’s process remains at eight steps, compared to 4360’s five. Again, if we want to communicate with others, why not reduce the process to two simple steps: risk analysis and risk response? I find no fault with the content of the other steps, but they can be included more effectively in later internal description and development. I do emphatically agree, however, with one COSO comment: “it is a multidirectional, iterative process in which almost any component can and does influence another.” That’s both the beauty and the challenge of learning to deal more intelligently with risk!

Despite my carping comments on length and prose, I do find much of value in COSO 2004. As a reference document I can recommend it be read and absorbed by students of the discipline. Let executives and directors read the Antipodean and UK versions! Order copies from the AICPA at www.cpa2biz.com/store (at US$75 for non-members of the sponsoring groups) or telephone 888-777-7077.

Increasing numbers of companies are undertaking enterprise-level approaches to risk—a more encompassing and systematic review of potential risks and their mitigation than most companies have undertaken in the past. . . . These assessments typically are rolled up to the corporate level, sometimes with direct input from the board or audit committee. These assessments have often been relatively broad, focusing on reputation, litigation, product development, and health and safety risks, rather than focusing solely on financial risks. Where we have seen these assessments implemented we have commented favorably, particularly when the board or the audit committee is actively involved.

Moody’s Findings on Corporate Governance in the United States and Canada: August 2003 – September 2004, Moody’s Investors Service, New York, October 2004

Copyright 2004, by H. Felix Kloman and Seawrack Press, Inc.
