Each month the presses disgorge quantities of material on our discipline,
a few new and pertinent, most repetitive and some downright useless. I
read this never-ending onslaught to try to winnow the valuable from the
remainder. Much of this material suggests “guidelines” or “standards”
for adoption by interested organizations. There is a never-ending market
for “how to do it!” This month I review two working drafts, one the revision
of the Australia-New Zealand risk management “standard” first offered
in 1995 and revised in 1999, and the other the brief of the Committee
of Sponsoring Organizations of the Treadway Commission (known as COSO).
It is probably unfair to review working drafts but I do so in the spirit
of constructive criticism and in the hope that some of my readers will
forward their own comments to the authors.
The draft revision (version 6.3) of ANZ-4360 from Standards Australia
and Standards New Zealand is a model of clarity. It is brief
(23 pages), complete, and refreshingly well written. It remains the gold
standard for all others, worldwide. Its authors describe it as a “generic
framework for establishing the context, identifying, evaluating, treating,
monitoring and communicating risk.” They refuse the trap of over-describing
each step. It requires each organization, profit-making, nonprofit or
governmental, to adapt this simple and succinct framework to its individual
circumstances. It presupposes organizational intelligence, in contrast
to many other documents that laboriously and at great length take us step
by step. Furthermore it describes the discipline only as “risk management,”
free of those entangling and modifying adjectives (enterprise, business,
integrated, holistic, etc.) that confuse the public. “Risk”
is broadly construed: “exposure to the consequences of uncertainty, or
potential changes from what is planned or expected.” This definition acknowledges
that risk involves both upside and downside potentials.
Risk management is “the culture, processes and structures that are directed
towards the effective management of potential opportunities and adverse
effects.” The draft proposes the goal of “creating a balance between realizing
opportunities for gains while minimizing adverse impacts.” It is the recognition
of this balance that is so lacking in other purported “standards” and
The ANZ Standard outlines nine steps in the plan for creating an effective
program of risk management:
- Ensure support of senior management.
- Develop risk management policy.
- Communicate the policy.
- Establish accountability and authority.
- Customize the risk management process.
- Identify and provide resources.
- Develop plan for appropriate organizational levels.
- Manage risks at the area, project and team levels.
- Monitor and review.
The process itself (I still prefer the term “discipline”) is equally
- Communicate and consult with stakeholders.
- Establish the context.
- Identify risks.
- Analyze risks (qualitative and quantitative).
- Evaluate risks.
- Treat risks.
- Monitor and review.
Some comments: a few of this document’s “risk treatment” steps are outdated
and appear to be drawn primarily from the insurance sector, well-represented
on the working team. One obvious option – that of increasing risk if purported
benefits dramatically outweigh possible losses – is not mentioned. The
draft still uses the outmoded term “risk transfer” when the more current
phrase “risk sharing” is preferable.
The ANZ Risk Management Standard remains one of the most valuable documents
for organizations wishing to improve their own processes: it is brief,
simple and acknowledges both the ability and the necessity of each organization
to adapt these principles to its own situation.
For more information and a copy of the draft, contact Standards Australia
at www.standards.com.au. See
also my prior comments in RMR March 1995, February 1996 and January
Now consider a contrast in length, premises, and clarity. The Committee
of Sponsoring Organizations of the Treadway Commission (known as COSO)
started a project in January 2002 to define and describe an “enterprise risk
management” framework. The participating organizations include the American
Institute of Certified Public Accountants, the Institute of Internal Auditors,
Financial Executives International, the Institute of Management Accountants
and the American Accounting Association, plus an Advisory Council composed
of academics, financial executives, auditors and consultants. PricewaterhouseCoopers
is the principal author. This team produced an initial draft in late 2002
and a second in early winter 2003, both of which I reviewed. The third,
dated July 2003, is the current version. COSO plans a final document in
In marked contrast to the Australia-New Zealand draft, reading this effort
feels like an elephant stepped on me! Instead of 23 pages, it stretches
to 139. Its Executive Summary, once a manageable seven pages, is now 23.
It personifies the “thud” factor: the noise made when an unnecessarily
long consultant’s report hits the desk. It cries out for serious editing:
within the first 5 pages I stumbled over seven split infinitives (a personal
pique); passive sentences abound; the word “impact” is misused, and “data”
crops up as a singular noun. It is an exercise in cranial congestion:
too many words, too much jargon and too little clarity.
Furthermore it starts with flawed premises. The Executive Summary states
that “no common terminology” for risk management exists. This is not true.
The authors apparently either did not read or deliberately overlooked the ISO
definitions published in 2001, developed after an exhaustive global study.
Even worse, COSO defines risk in a narrow and negative context: “the possibility
that an event will occur and adversely (my italics) affect the
achievement of objectives.” While the draft emphasizes that decisions
are made in the joint context of opportunities and “risks,” it confuses
matters within the document saying that “events may have a negative impact,
a positive impact, or both,” while repeating its weak definition of risk.
Later, the text acknowledges that individuals “have different responses
to potential losses compared to potential gains. How a risk is framed
– focusing on the upside (a potential gain) or downside (a potential loss)
– often will influence the response.” This implies that risk itself incorporates
both sides, something contrary to its definition.
This obsession with downside results leads to a comparable over-focus
on “control,” understandable because of the make-up of the Council and
its advisors. But it creates a document that undercuts the real benefits
of risk management and leads to a narrow vision of the discipline. A reader
of Risk Management Reports remarked on this problem to me in
early July, after she read this draft.
"This tone and the focus on 'control' permeate every guidance document
and research paper published by the member organizations of this project.
This is to be expected, since accounting and auditing organizations exist
for the sole purpose of 'providing assurance of adequate control.' Quite
frankly, it is self-serving, detracts from the important messages (at
least for me), and suggests that ERM is primarily inwardly focused."
She elaborated further on the importance of viewing risk in both its
facets, plus and minus:
". . . in our experiences, ERM allows our management team to understand
better the intricacies of issues over which we have limited control -
our relationships with government and stakeholders, and the unknowns in
pursuing new investment opportunities."
I harp on these points because they lie at the core of what risk management
is and what it can achieve for organizations – better decision-making
in the face of uncertainty. The September 6, 2003, issue of The Economist
illustrated this idea: “Innovators who keep their eyes open for unexpected
results—and quickly take advantage of them—reap the biggest rewards.”
This newspaper also reported on a recent study that confirmed that “taking
advantage of random events . . . generated 13 times more successes than
Risk management is not a narrowly restricted effort to contain
or control the downside effects of events; it is a discipline for building
improved resilience and flexibility in the face of continued uncertainty.
To deny the upside face, as this COSO draft does, greatly reduces its
One other caveat: COSO lists various resources in its extensive bibliography,
but again they are one-sided. It lists no citations to the numerous papers
and books of the public policy sector, represented by the Society for
Despite its excessive length and archaic verbosity, the COSO “Enterprise
Risk Management Framework” has certain merits. First, its description
of the process confirms much of the recent literature:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response (a term I much prefer to “risk treatment”)
- Control activities
- Information and communication
We now have a consensus on the process itself, a contribution of this
Second, the Framework’s section on Information and Communication correctly
emphasizes the need for “effective communication and exchange of relevant
information with external parties, such as customers, suppliers, regulators
and shareholders.” “Exchange” is the key word here. We need a continuing
two-way dialogue with these, and other, external groups. Stating that
communication about risks and responses should be “meaningful, pertinent
and timely, and conform to legal and regulatory requirements” is obvious.
The problem is how to do it. COSO, despite its length, contributes little
to this important discussion, leaving it to each organization. Some serious
and detailed reading of the extensive SRA materials on risk communication
The COSO draft lacks brevity, clarity and solid premises. The authors
might make a dramatic alteration in this document before they issue it
in 2004, but I remain pessimistic. For readers who want to read or comment
on this draft, go to www.erm.coso.org.
I make the observation that a well governed, progressive and organization will be best placed to respond to unexpected shocks or opportunities. Risk management is an important element in ensuring (that) organizations get to that position.
P. J. Barrett, Auditor-General, Australia, “Strategic Insights into Enterprise Risk Management,” in address to the Australasian Institute of Risk Management, June 13, 2003