COSO released a new thought paper in October, authored by representatives from Deloitte, titled Risk Assessment in Practice. [Download the paper here.]
This could be a game changer for ERM assessments. The thought paper “provides the latest thinking on risk assessment approaches and techniques that have emerged as the most useful and sustainable for decision-making.”
WHO IS COSO?
COSO is no light-weight organization. COSO comprises The Institute of Internal Auditors (IIA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), and the Institute of Management Accountants (IMA).
COSO provides thought leadership and guidance via its frameworks on Enterprise Risk Management, Internal Controls and Fraud Deterrence [http://www.coso.org/guidance.htm] which are widely used by companies and auditors in structuring internal controls for corporate governance and financial risk management.
OPTIMAL RISK TAKING
The thought paper discusses ‘Optimal Risk Taking’, which views risk not as something to avoid but as something to calibrate: organizations should “manage risk exposures across all parts of their organizations so that, at any given time, they incur just enough of the right kinds of risk—no more, no less—to effectively pursue strategic goals.” Enterprises are in the business of creating value, which is a function of both risk and return. Thus every decision either increases, preserves, or decreases value. Since risk is integral to the pursuit of value, strategic-minded enterprises “do not strive to eliminate risk or even to minimize it, a perspective that represents a critical change from the traditional view of risk as something to avoid.”
Risk assessment and risk management techniques can thus be applied equally to value creation as well as to the avoidance of undesired results.
Following the principles of COSO’s Enterprise Risk Management – Integrated Framework, risk assessment in the risk process follows event identification and precedes risk response. The outcome of risk assessment is to focus management attention on the most important threats and risks facing the organization so that an appropriate risk response can be developed.
ERM MODIFIED PROCESS
The thought paper presents a modified risk process that involves (a) developing risk assessment criteria, (b) assessing risks, (c) assessing risk interactions, and (d) prioritizing risks.
The paper adds the step of risk interaction assessment to the risk assessment process flow, introduces the concept of “risk interaction mapping” and incorporates “risk onset speed” into development of heat maps.
As recent events have shown, risk interactions need to be considered when making a risk assessment. The author cites Fukushima, where the possibility that the ground would drop ten feet at the same time as a 30-foot tidal wave struck was not considered in determining the height of the barrier wall; each event was assessed on its own rather than in combination.
ADDITIONAL AREAS OF RISK EVALUATION
The paper recommends assessing each risk against four criteria rather than the traditional two. In addition to likelihood and impact, vulnerability and speed of onset should also be assessed.
Vulnerability refers to the susceptibility of an organization to a risk event, judged by criteria related to the organization’s preparedness, agility in response, and adaptability. Vulnerability is related to both impact and likelihood: the more vulnerable the organization is to the risk, the higher the impact will be should the event occur.
Vulnerability is measured on a five-step qualitative scale, from Very Low to Very High.
Speed of Onset refers to the time it takes for a risk event to manifest itself: the elapsed time between the occurrence of an event and the point at which its effects are felt or recognized. Speed of onset can be instrumental in developing risk response plans, since a fast-onset risk leaves little time to react after the event and must be prepared for in advance. Speed is measured on the same five-step qualitative scale, from Very Low to Very High.
The paper describes assessment techniques that include data analysis, interviews and/or cross-functional workshops, surveys, benchmarking and scenario analysis.
The addition of scenario analysis supports the concept of risk interactions. Scenario analysis has traditionally been used in strategic planning. However, it can also be used for assessing risks and tying them back to strategic objectives. The process described involves defining the risk scenario(s), listing the key assumptions (e.g. conditions or drivers) that determine the severity of impact, and estimating the impact on a key organizational objective.
The risk interaction map is a simple table with the same list of risks on both the x and y axes. An interaction between two risks is indicated by an ‘X’ or another qualitative indicator (e.g. ‘H’, ‘M’, ‘L’) in the cell where their row and column intersect; because the interaction is between the pair, the table is symmetric about its diagonal.
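To make the four criteria and the interaction map concrete, here is a small worked example in Python. It is an added illustration, not code or a formula from the COSO paper: the paper defines the five-step scales and the H/M/L interaction map but prescribes no arithmetic, so the way vulnerability adjusts impact, the percentage uplift per interaction, and the use of speed of onset as a tie-breaker are all assumptions made here, as are the three sample risks and their ratings.

```python
from dataclasses import dataclass

# Five-step qualitative scale the paper applies to each criterion.
SCALE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Assumed percentage uplift a marked interaction adds to a risk's priority.
# The paper only says to mark interactions H/M/L; these weights are ours.
INTERACTION_UPLIFT = {"H": 15, "M": 10, "L": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str
    vulnerability: str
    speed_of_onset: str

    def score(self, criterion: str) -> int:
        """Map a qualitative rating for one criterion to its 1..5 value."""
        value = getattr(self, criterion)
        if value not in SCALE:
            raise ValueError(f"{criterion} must be one of {list(SCALE)}, got {value!r}")
        return SCALE[value]


class RiskInteractionMap:
    """Symmetric table with the same risks on both axes; a cell holds H/M/L or is empty."""

    def __init__(self, risks):
        self.names = [r.name for r in risks]
        self._cells = {}  # frozenset({a, b}) -> "H" | "M" | "L"

    def mark(self, a: str, b: str, level: str) -> None:
        if level not in INTERACTION_UPLIFT:
            raise ValueError(f"level must be one of {list(INTERACTION_UPLIFT)}, got {level!r}")
        for n in (a, b):
            if n not in self.names:
                raise KeyError(f"unknown risk {n!r}")
        if a == b:
            raise ValueError("a risk does not interact with itself")
        # Storing the unordered pair keeps the map symmetric by construction.
        self._cells[frozenset((a, b))] = level

    def level(self, a: str, b: str) -> str:
        return self._cells.get(frozenset((a, b)), "")

    def partners(self, name: str):
        """Other risks this one interacts with, and at what level."""
        return [(o, self.level(name, o)) for o in self.names if o != name and self.level(name, o)]

    def render(self) -> str:
        """Plain-text table: risks down the rows, R1..Rn across the columns."""
        tags = [f"R{i + 1}" for i in range(len(self.names))]
        width = max(len(n) for n in self.names) + 4
        lines = ["".ljust(width) + "".join(t.center(5) for t in tags)]
        for tag, row in zip(tags, self.names):
            cells = "".join(self.level(row, col).center(5) for col in self.names)
            lines.append(f"{tag} {row}".ljust(width) + cells)
        return "\n".join(lines)


def adjusted_impact(risk: Risk) -> float:
    # Assumption: each vulnerability step above/below "Medium" moves the
    # effective impact by 10%, reflecting the paper's point that a more
    # vulnerable organization suffers a higher impact from the same event.
    return risk.score("impact") * (10 + risk.score("vulnerability") - 3) / 10


def base_score(risk: Risk) -> float:
    return risk.score("likelihood") * adjusted_impact(risk)


def priority_score(risk: Risk, imap: RiskInteractionMap) -> float:
    # Assumption: every marked interaction raises the priority by its uplift,
    # so a risk that tends to arrive together with others ranks higher.
    uplift = sum(INTERACTION_UPLIFT[lvl] for _, lvl in imap.partners(risk.name))
    return round(base_score(risk) * (100 + uplift) / 100, 2)


def prioritize(risks, imap: RiskInteractionMap):
    # Rank by score; among equal scores, faster onset first (needs a response sooner).
    scored = [(r, priority_score(r, imap)) for r in risks]
    return sorted(scored, key=lambda rs: (-rs[1], -rs[0].score("speed_of_onset")))


def sample_risks():
    # Constructed sample register (likelihood, impact, vulnerability, speed of onset).
    return [
        Risk("Data-centre flood", "Low", "Very High", "High", "Very High"),
        Risk("Power outage", "Medium", "High", "Medium", "Very High"),
        Risk("Key supplier insolvency", "Medium", "High", "Low", "Low"),
    ]


def sample_map(risks):
    imap = RiskInteractionMap(risks)
    imap.mark("Data-centre flood", "Power outage", "H")       # flood takes the power with it
    imap.mark("Power outage", "Key supplier insolvency", "L")  # weak, indirect link
    return imap


if __name__ == "__main__":
    risks = sample_risks()
    imap = sample_map(risks)
    print(imap.render())
    for risk, score in prioritize(risks, imap):
        print(f"{score:6.2f}  {risk.name}")
```

In the constructed sample the power outage ends up ranked first even though the flood has the higher impact, because the outage interacts with both other risks; assessed in isolation, as in a plain likelihood-by-impact heat map, it would have ranked below the flood. That is the effect the paper's interaction step is meant to surface. The weights are placeholders: what matters for a real register is that the criteria and interaction levels are agreed before scoring, so that the ranking reflects the assessment rather than the arithmetic.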
COSO also has a revision of its landmark 1992 Internal Control – Integrated Framework (ICIF), authored by PricewaterhouseCoopers, planned for Q1 2013. The updates address adapting to increasing complexity and pace of change; mitigating risks to the achievement of specified operations, reporting and compliance objectives; and providing reliable information to support sound decision making. Internal control is an integral part of enterprise risk management, and the issuance of the updated Framework is not intended to alter that relationship. This update will affect how organizations handle risk and how they define and structure their internal controls.