Risk Management Reports

Each month the presses disgorge quantities of material on our discipline, a few new and pertinent, most repetitive and some downright useless. I read this never-ending onslaught to try and winnow the valuable from the remainder. Much of this material suggests “guidelines” or “standards” for adoption by interested organizations. There is a neverending market for “how to do it!” This month I review two working drafts, one the revision of the Australia-New Zealand risk management “standard” first offered in 1995 and revised in 1999, and the other the brief of the Committee of Sponsoring Organizations of the Treadway Commission (known as COSO). It is probably unfair to review working drafts but I do so in the spirit of constructive criticism and in the hope that some of my readers will forward their own comments to the authors.

The draft revision (version 6.3) of ANZ-4360 from Standards Australia and Standards New Zealand is a model of clarity. It is brief (23 pages), complete, and refreshingly well written. It remains the gold standard for all others, worldwide. Its authors describe it as a “generic framework for establishing the context, identifying, evaluating, treating, monitoring and communicating risk.” They refuse the trap of over-describing each step. It requires each organization, profit-making, nonprofit or governmental, to adapt this simple and succinct framework to its individual circumstances. It pre-supposes organizational intelligence, in contrast to many other documents that laboriously and at great length take us step by step. Furthermore it describes the discipline only as “risk management,” free of those entangling and modifying adjectives (enterprise, business, integrated, holistic, business, etc.) that confuse the public. “Risk” is broadly construed: “exposure to the consequences of uncertainty, or potential changes from what is planned or expected.” This definition acknowledges that risk involves both upside and downside potentials.

Risk management is “the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.” The draft proposes the goal of “creating a balance between realizing opportunities for gains while minimizing adverse impacts.” It is the recognition of this balance that is so lacking in other purported “standards” and “guidelines.” 

The ANZ Standard outline nine steps in the plan for creating an effective program of risk management: 

1. Insure support of senior management.
2. Develop risk management policy.
3. Communicate the policy.
4. Establish accountability and authority.
5. Customize the risk management process.
6. Identify and provide resources.
7. Develop plan for appropriate organizational levels.
8. Manage risks at the area, project and team levels.
9. Monitor and review.

The process itself (I still prefer the term “discipline”) is equally simple:

1. Communicate and consult with stakeholders.
2. Establish the context.
3. Identify risks.
4. Analyze risks (qualitative and quantitative).
5. Evaluate risks.
6. Treat risks.
7. Monitor and review.

Some comments: a few of this document’s “risk treatment” steps are out-dated and appear to be drawn primarily from the insurance sector, well-represented on the working team. One obvious option – that of increasing risk if purported benefits dramatically outweigh possible losses – is not mentioned. The draft still uses the outmoded term “risk transfer” when the more current phrase “risk sharing” is preferable.

The ANZ Risk Management Standard remains one of the most valuable documents for organizations wishing to improve their own processes: it is brief, simple and acknowledges the ability, and necessity, of each organization adapting these principles to its own situation. 

For more information and a copy of the draft, contact Standards Australia at www.standards.com.au. See also my prior comments in RMR March 1995, February 1996 and January 2000. 

Now consider a contrast in length, premises, and clarity. The Committee of Sponsoring Organizations of the Treadway Commission (known as COSO) started a project in January 2002 to define and describe “enterprise risk management” framework. The participating organizations include the American Institute of Certified Public Accountants, the Institute of Internal Auditors, Financial Executives International, the Institute of Management Accountants and the American Accounting Association, plus an Advisory Council composed of academics, financial executives, auditors and consultants. PricewaterhouseCoopers is the principal author. This team produced an initial draft in late 2002 and a second in early winter 2003, both of which I reviewed. The third, dated July 2003, is the current version. COSO plans a final document in early 2004. 

In marked contrast to the Australia-New Zealand draft, reading this effort feels like an elephant stepped on me! Instead of 23 pages, it stretches to 139. Its Executive Summary, once a manageable seven pages, is now 23. It personifies the “thud” factor: the noise made when an unnecessarily long consultant’s report hits the desk. It cries out for serious editing: within the first 5 pages I stumbled over seven split infinitives (a personal pique); passive sentences abound; the word “impact” is misused, and “data” crops up as a singular noun. It is an exercise in cranial congestion: too many words, too much jargon and too little clarity. 

Furthermore it starts with flawed premises. The Executive Summary states that “no common terminology” for risk management exists. This is not true. The authors apparently did not read or deliberately overlooked the ISO definitions published in 2001, developed after an exhaustive global study. Even worse, COSO defines risk in a narrow and negative context: “the possibility that an event will occur and adversely (my italics) affect the achievement of objectives.” While the draft emphasizes that decisions are made in the joint context of opportunities and “risks,” it confuses matters within the document saying that “events may have a negative impact, a positive impact, or both,” while repeating its weak definition of risk. Later, the text acknowledges that individuals “have different responses to potential losses compared to potential gains. How a risk is framed – focusing on the upside (a potential gain) or downside (a potential loss) – often will influence the response.” This implies that risk itself incorporates both sides, something contrary to its definition. 

This obsession with downside results leads to a comparable over-focus on “control,” understandable because of the make-up of the Council and its advisors. But it creates a document that undercuts the real benefits of risk management and leads to a narrow vision of the discipline. A reader of Risk Management Reports remarked on this problem to me in early July, after she read this draft. 

"This tone and the focus on 'control' permeate every guidance document and research paper published by the member organizations of this project. This is to be expected, since accounting and auditing organizations exist for the sole purpose of 'providing assurance of adequate control.' Quite frankly, it is self-serving, detracts from the important messages (at least for me), and suggests that ERM is primarily inwardly focused." 

She elaborated further on the importance of viewing risk in both its facets, plus and minus:

" . . in our experiences, ERM allows our management team to understand better the intricacies of issues over which we have limited control - our relationships with government and stakeholders, and the unknowns in pursuing new investment opportunities." 

I harp on these points because they lie at the core of what risk management is and what it can achieve for organizations – better decision-making in the face of uncertainty. The September 6, 2003, issue of The Economist illustrated this idea: “Innovators who keep their eyes open for unexpected results—and quickly take advantage of them—reap the biggest rewards.” This newspaper also reported on a recent study that confirmed that “taking advantage of random events . . . generated 13 times more successes than failures.” 

 Risk management is not a narrowly restricted effort to contain or control the downside effects of events; it is a discipline for building improved resilience and flexibility in the face of continued uncertainty. To deny the upside face, as this COSO draft does, greatly reduces its value.

One other caveat: COSO lists various resources in its extensive bibliography, but again they are one-sided. It listed no citations to the numerous papers and books of the public policy sector, represented by the Society for Risk Analysis.

Despite its excessive length and archaic verbosity, the COSO “Enterprise Risk Management Framework” has certain merits. First, its description of the process confirms much of the recent literature: 

1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response (a term I much prefer to “risk treatment”)
6. Control activities
7. Information and communication
8. Monitoring

We now have a consensus on the process itself, a contribution of this draft.

Second, the Framework’s section on Information and Communication correctly emphasizes the need for “effective communication and exchange of relevant information with external parties, such as customers, suppliers, regulators and shareholders.” “Exchange” is the key word here. We need a continuing two-way dialogue with these, and other, external groups. Stating that communication about risks and responses should be “meaningful, pertinent and timely, and conform to legal and regulatory requirements” is obvious. The problem is how to do it. COSO, despite its length, contributes little to this important discussion, leaving it to each organization. Some serious and detailed reading of the extensive SRA materials on risk communication would help. 

The COSO draft lacks brevity, clarity and solid premises. The authors might make a dramatic alteration in this document before they issue it in 2004, but I remain pessimistic. For readers who want to read or comment on this draft, go to www.erm.coso.org.