COSO has announced its intention to review its 2004 ERM Framework and has already started soliciting feedback. Although the framework has been broadly panned by the Risk fraternity, I believe it can still provide a valuable contribution to the GRC landscape. Although I expect criticism from both sides (COSO & ISO 31000), here are my recommendations.
I am a supporter and advocate of both COSO ERM and ISO 31000, but, to quote myself, COSO is a framework but not ERM, while ISO 31000 is ERM but not a framework. COSO needs a radical overhaul, primarily of its structure and approach, to make it relevant to today's business environment: one that accepts that ERM covers all forms of risk while still accepting that financial control is a regulatory fact.
The COSO vs ISO 31000 argument is well documented (and will never be settled), so I don't intend to rehash it now. As summarised by Norman Marks' 2012 survey (Norman Marks on COSO vs ISO 31000):
COSO ERM is:
- It is comprehensive and has stood the test of time
- It links to the COSO internal control framework
- It has a better discussion of risk appetite
- It is stronger on corporate governance
ISO 31000:2009 is:
- Easier to understand and explain to others. User friendly
- A better ‘how to’ guide, easier to use when implementing risk management
- More focused on risk and less on audit and controls than COSO
- Flexible, less prescriptive, easily tailored
but:
- COSO ERM is too detailed and the cube is confusing. ISO 31000 is too high level
- There is little evidence that either actually works
- Neither effectively works to proactively manage risk
COSO starts off strong with its intention to integrate Governance, Risk and Compliance and its embedding of Risk Culture and Risk Attitude, but it can only be considered ERM because it mandates a Portfolio view of risk. It then quickly descends to the control level of management. This is where it deviates from ISO 31000 and ultimately fails as ERM. Enterprise Risk Management has to be inclusive of all areas and forms of risk, as well as culture. It must reflect the real-world influence of risk over the entire entity's operations: cross border, cross framework, and cross Portfolio.
All that said, I still believe it has a major role to play in moulding a resilient business environment for the 21st century. Here are my recommendations for the COSO review of its 2004 ERM Framework:
- Restructure COSO to be a Governance and Compliance Framework
- Focus on Governance
- Mandate a Portfolio view but drop the cube
- Allow for the use of ISO 31000 as the risk framework
- Add a component for Business Continuity and Resilience
- Move from US centric to more international inclusive
- Subjugate the Internal Control Framework to the Compliance component
- Diversify COSO membership to include NACD
- Simplify – Be less prescriptive and more outcome focused
1. Restructure COSO to be a Governance and Compliance Framework
COSO's original aim was the improvement of corporate governance and compliance (originally, the prevention of fraudulent financial reporting), for which the committee was eminently qualified. It then strayed into the field of Risk Management, for which it had limited exposure, and mistitled the result ERM, a label which has dogged it ever since.
I would like to see a multi-layered approach separating the Governance, Risk and Compliance components, relinquishing the Risk component to ISO 31000 and leaving COSO to concentrate on its integration with Governance and Compliance.
An integral part of this restructure would be for COSO to take the high ground by re-branding the framework as a Corporate Governance and Compliance Framework.
2. Focus on Governance
Although risk may be defined as the effect of uncertainty on objectives, risk management is predominantly about managing indirect effects on objective outcomes, while corporate governance provides the overwhelming contribution to those outcomes. The framework needs to mandate ERM but not prescribe its framework. Greater focus could then be placed on governance: strategic planning, ethics, the relationship between the Board and the Executive (which I believe to be the major contributor to poor governance), remuneration, stakeholder obligations, reporting, and so on.
3. Mandate a Portfolio view but drop the cube
Without prescribing how risk is to be managed, any governance framework would have to mandate an ERM inclusive of a Portfolio view and aggregation. Although I'm sure there are many wedded to it, COSO must drop the cube.
The COSO cube tends to segment this Portfolio view into siloed activities, thereby defeating its original goal. In the real world a risk control is not only a device for risk mitigation but is itself a risk driver and influence, as well as an effect on risk culture and attitude (the Titanic syndrome). Risk influence is two-way, and aggregation needs to be horizontal (contagion) as well as vertical.
4. Allow for the use of ISO 31000 as the risk framework
Within the Risk component, COSO should cater for multiple risk frameworks, including ISO 31000, referenced under a risk framework clause. This would then allow extension requirements for Framework Integration, Risk Culture and Attitude, Aggregation, and Resilience. With proper aggregation back to measurable corporate objectives, COSO can achieve its intended aim while allowing the incorporation of current disparate risk frameworks at operational levels.
5. Add a component for Business Continuity and Resilience
Risk prediction based on historical data is a furphy, and reliance on those predictions inevitably ends in disaster. The underlying goal of COSO is "to provide reasonable assurance regarding the achievement of entity objectives". Flexibility, quick response and resilience of management and systems in the face of unfolding events are needed to assure the achievement of entity objectives, as much as control, process and mitigation frameworks are. The greatest threats are from unknown/uncontrolled events. (See previous article Does anyone really understand Emerging Risks?)
6. Move from US centric to more international inclusive
We now live in a global economy which will only continue to grow in diversity. Although the US will always remain a major economic force, the EU, China, and Russia now also have major influence and therefore need to be considered in any effective ERM. As US business becomes more integrated with these economies and cultures, varying its operations to suit local environments, ISO 31000 is the best Enterprise Risk Management framework to properly integrate global requirements.
7. Subjugate the Internal Control Framework to the Compliance component
Undeniably, the COSO committee is the preeminent body for laying out a comprehensive Audit, Internal Control, and Management Reporting framework. But just as an Audit and review framework can be developed independent of the audit subject matter, so too should the Internal Control Framework be restructured into an Internal Control Management Framework for assuring the integrity, performance and adequacy of controls. This would be similar to the segregation of Risk Model Quality Assurance from Risk Model Management.
8. Diversify COSO membership to include NACD
I'm sure no one at COSO would deny that board diversity leads to healthy corporate governance and better decision-making practices. COSO's strength, its concentration of the top accounting bodies, is also its weakness. In risk management the threat of environmental bias is mitigated by ensuring diversity in the decision-making pool. COSO must adopt the same practice.
No system can ever be effective without stakeholder buy-in. Users such as the National Association of Corporate Directors (NACD) and Risk Management bodies need to be included.
9. Simplify – Be less prescriptive and more outcome focused
As with legislative best practice, frameworks should be ‘performance based’ as opposed to the current prescriptive approach. A performance-based provision sets out the performance required or the objective to be achieved without prescribing how it is to be achieved. A prescriptive provision sets out a rigid specification for compliance.
Changing to 'performance' provisions not only improves a framework's ability to be applied to a wider range of disciplines but has also proven to dramatically reduce the volume and complexity of prescriptive regulations, improving comprehension.
I lay out this prescription as a starting point for discussion not a solution, but I believe this is an opportunity to build an international level governance framework.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd. Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
"Mastering 21st Century Risk Management", which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile, a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be, in which we show how emerging best practices provide a good picture of how enterprise risk management should look in the 21st century.