The beast has at last produced its expected offspring, and a hulking, awkward creature it
is. Given a gestation period of over three years, we might logically expect something that
could immediately go forth and be useful but, alas, this creature is preceded by smaller,
clearer-eyed and more nimble adversaries, leaving it to lumber away from its five parents
(a biological marvel!) and gather dust when it finally settles to earth.
I speak, of course,
of the long-awaited “final” version of the Enterprise Risk
Management – Integrated Framework, produced by representatives
of the five organizations that make up COSO, the Committee of
Sponsoring Organizations of the Treadway Commission (American
Accounting Association, American Institute of Certified Public
Accountants, Financial Executives International, Institute of
Management Accountants and the Institute of Internal Auditors).
I reviewed its first draft in 2002, its second early in 2003
and its third late last year, after which I wrote about its
weaknesses and strengths in the October 2003 RMR.
While I acknowledge some improvement in this final effort, I’m afraid
that its monstrous size and tedious prose (one appendix is made
up entirely of passive sentences!) will condemn it to the dusty
shelf, especially in comparison to the revised Australia/New
Zealand Risk Management Standard 4360:2004, reviewed last month
in RMR. See also my review of the Risk Management Standard
2002 from three UK associations, a crisp and efficient distillation
(RMR November 2002). Consider that this COSO work is
in two volumes totaling 230 pages, as compared to
the lean and limber 28 pages of AS/NZS 4360 and the 17
pages of the UK publication. Yes, COSO’s opening Executive Summary
has been pared from 22 to 9 pages, meaning that several more
senior executives and directors are likely to read it, but the
excessive length of what’s left has two significant deficits:
too few will take the time to read it, and it dwells too heavily
on an intricately detailed “process” that reeks of “controls.”
COSO slips into the fatal fallacy of trying to tell us “how”
to do it, rather than “why.” But because of the sheer volume
of interest today in risk management, a partial result of Sarbanes-Oxley
and similar initiatives around the world, COSO’s version will
receive broad distribution. It doesn’t deserve it.
COSO continues to focus on risk as the potential for an adverse outcome. In an
Appendix the authors acknowledge further discussion on this point but they conclude
“adding the concept of opportunity would cloud the concepts and make communication
more difficult. Maintaining the distinction between a negative event and a positive one
brings clarity to the enterprise risk management language.” I continue to disagree, with
respect, along with others in Australia, New Zealand, Canada and the UK, and in ISO (whose
glossary of 2002 comes down firmly on the idea that risk encompasses both positive and
negative outcomes). An unexpected event may carry, simultaneously, potentially
favorable and unfavorable results and recognizing them together creates the chance for a
more intelligent organizational response.
If we are trying to persuade others that enterprise risk management is a necessary
alteration of organizational behavior, why not adopt a definition that is brief and easily
remembered? COSO weighs us down with a 54-word slug: “Enterprise risk management
is a process, effected by an entity’s board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events
that may affect the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.”
Compare that to AS/NZS 4360: “Risk management is the culture, processes and
structures that are directed towards realizing potential opportunities whilst managing
adverse effects.” Much better, but still not as memorable as my preference: “risk
management is a discipline for dealing with uncertainty.” Take your pick!
COSO’s process remains at eight steps, compared to 4360’s five. Again, if we want to
communicate with others, why not reduce the process to two simple steps: risk analysis
and risk response? I find no fault with the content of these other steps, but they can be
included more effectively in later internal description and development. I do emphatically
agree, however, with one COSO comment: “it is a multidirectional, iterative process in
which almost any component can and does influence another.” That’s both the beauty
and the challenge of learning to deal more intelligently with risk!
Despite my carping comments on length and prose, I do find much of value in COSO
2004. As a reference document I can recommend it be read and absorbed by students of
the discipline. Let executives and directors read the Antipodean and UK versions! Order
copies from the AICPA at www.cpa2biz.com/store (at US$75 for non-members of the
sponsoring groups) or telephone 888-777-7077.
Increasing numbers of companies are undertaking enterprise-level approaches to risk—a
more encompassing and systematic review of potential risks and their mitigation than
most companies have undertaken in the past. . . . These assessments typically are rolled
up to the corporate level, sometimes with direct input from the board or audit committee.
These assessments have often been relatively broad, focusing on reputation, litigation,
product development, and health and safety risks, rather than focusing solely on financial
risks. Where we have seen these assessments implemented we have commented
favorably, particularly when the board or the audit committee is actively involved.

Moody’s Findings on Corporate Governance in the United States and Canada: August
2003 – September 2004, Moody’s Investors Service, New York, October 2004