Next week, I will be sharing my experience with risk management frameworks and standards at the ISO 31000 conference in Paris. The session title is “From COSO to ISO” although my personal journey actually started before either.
My professional life began in public accounting before moving into internal audit. For the first several years, we didn’t talk about risk-based auditing or anything like that. The only time we talked about risk was when we found a control deficiency and needed to assess its potential impact on the financial statement audit (while with Coopers) or the business (while in internal audit).
This changed while I was a Vice President in internal audit at Home Savings of America in 1983, responsible (among other areas) for IT audit. The issue I was tackling was the extent to which our savings and banking systems and business processes at the bank (actually a very large savings and loan) were at risk should anybody in IT do something ‘wrong’. The CIO and the top business users, including the CAE (my boss), didn’t think there was any risk of significance. But, my intuition said otherwise.
With the approval and support of management both in IT and the business, I led a workshop based upon the then-popular concept called JAD, or joint application design. (JAD is similar to and pre-dates what we would now call by a number of names: a facilitated risk assessment workshop, a control self-assessment (CSA) workshop, control and risk self-assessment (CRSA), etc.) I facilitated the discussion among business and IT leaders and we concluded that there were multiple risks and the controls were not sufficient.
When I took my first position as chief audit executive (CAE) at Tosco Corporation in 1990, I adopted a risk-based audit plan that was designed to address the more significant risks to the business. I used only my own common sense as a guide when talking to business leadership and the board to understand and assess those risks.
In hindsight, I was influenced by Tosco’s audit committee chairman, Michael Tennenbaum: a brilliant and colorful (he drove a pink Rolls Royce Corniche) investment banker. Michael had what has proven to be incredible vision: the significant oil shale properties and the related water rights owned by the company were of tremendous future value even though at the time (1990) they were written down on the company’s books to almost zero. In fact, he held that they were among the most valuable assets of the company. If the company did not take some required actions every year to conserve the water rights, we would lose them – and thereby the value of the shale properties because the process for mining oil shale is heavily dependent on water. I put the audit on the plan and did the work myself – and followed up over the years that followed to ensure the water rights were being preserved.
In 1992, COSO released its Internal Control – Integrated Framework. While for internal auditors its definition of internal control was not new, it was new to the external audit community (who had previously considered internal control only with reference to financial reporting). The framework had immediate and significant value by bringing everybody to a single definition.
The framework also had value by relating internal controls to the achievement of organizational objectives, explaining the importance of the control environment, and more. The famous COSO cube (sometimes portrayed as a pyramid, a form I prefer) was of some use but I used it sparingly – mostly to show the reliance on the control environment as the foundation of effective internal control.
By the late 1990s, I had moved my audit plan to support a formal, annual assessment of internal control. I provided separate opinions on the adequacy of each of the major risk areas using COSO terminology: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.
In 2004, COSO released the Enterprise Risk Management – Integrated Framework. Its Executive Summary explains that the new framework “expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. While it is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process”.
There was a lot to like in the COSO framework, including these excerpts:
“ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
I like these parts of the definition:
- “ERM is a process”
- It is “applied in strategy setting and across the enterprise”
- It is “designed to identify potential events that may affect the entity” (not limited to the negative)
- The intent is to “manage risks to be within its risk appetite”, and I am fine with the COSO definition of risk appetite (although I abhor its definition of risk tolerance), and
- It is related to the achievement of entity objectives (although I don’t see it as providing assurance)
Two more solid excerpts:
“Enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”
“Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.”
But, I found the framework itself complex and frankly not organized in a way that explains and supports the assertion that “ERM is a process”.
Finally, the internal control framework’s cube had been changed from something somewhat useful to a disaster. It is so complex that I simply could not show it to any level of management and ask them to understand it.
A couple of years later, I was asked to start a risk management function. I decided that while COSO’s principles (as described above) are OK, I simply could not use the framework to explain risk management to a management team that was unfamiliar with ERM. After searching around and with the help of friends like Arnold Schanfield, I discovered the Australian/New Zealand Standard 4360:2004 and the companion set of guidelines in HB 436:2004.
Just a quick read of the Foreword to the standard will help you understand why I like it. Here are some excerpts:
- “Risk management involves managing to achieve an appropriate balance between realizing opportunities for gains while minimizing losses. It is an integral part of good management practice and an essential element of good corporate governance.”
- “Risk management involves establishing an appropriate infrastructure and culture and applying a logical and systematic method of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organizations to minimize losses and maximize gains.”
- “To be most effective, risk management should become part of an organization's culture. It should be embedded into the organization's philosophy, practices and business processes rather than be viewed or practiced as a separate activity. When this is achieved, everyone in the organization becomes involved in the management of risk.”
- “Organizations that manage risk effectively and efficiently are more likely to achieve their objectives and do so at lower overall cost.”
Are the principles in AS/NZS 4360 different from those in COSO ERM? Not really, in my opinion.
What is different is the ease of use, especially when you compare the simplicity of the diagram of the risk management process in AS/NZS 4360 to the COSO ERM cube.
Then came the ISO standard, 31000:2009. It is built upon the foundation offered by 4360 and written by risk practitioners from around the world.
My first reaction was, frankly, disappointment. The clean and simple presentation in 4360 had been replaced, and I was troubled by two things:
- While everybody recognizes that culture is important, the standard does not address the need to assess the organization’s culture and fix it if lacking – for example, if top management is not supportive of risk management, or doesn’t understand the need to embed it in everyday decision-making
- Rather than providing guidance on risk appetite and tolerance (and ignoring the regulatory requirements for formal risk appetite statements that are approved by the board), 31000:2009 avoids the topic and instead talks about risk criteria. While I agree that the evaluation of risk should be against more than likelihood and potential impact, this is a serious limitation – not only in financial organizations that are required to use risk appetite, but organizations in parts of the world where governance codes require risk appetite statements.
But 4360 has been retired and 31000 is what we have. I do like the new focus on uncertainty and the definitions (in ISO Guide 73) of risk appetite and tolerance. Also, the process diagram in 31000 is exactly the same as that in 4360. The principles are good ones, and I like language like this:
“Risk management is part of decision-making. Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.”
“Risk management is dynamic, iterative and responsive to change. Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.”
Can and should 31000:2009 be improved? Definitely.
Winston Churchill (my hero) once said:
“It has been said that democracy is the worst form of government except all the others that have been tried.”
I feel much the same way about the ISO 31000:2009 risk management standard. It is not perfect, but it works and is better than COSO as a practical guide to implementing risk management and explaining it to those in management and on the board who are not familiar with ERM.
That is my story and my views. What are yours?
I recently conducted a survey of risk practitioners to see what the general feeling was about COSO ERM and ISO 31000. You can read about the results of that survey here.