Full feedback on COSO ERM draft

Summary of comments

STRUCTURED AND LOGICAL – I believe the content of any document, let alone an international guideline document, should be logically structured, should follow the MECE principle, shouldn’t have any unnecessary repetition or duplication. This was certainly not the case with the current COSO:ERM draft. Note to the authors.

While the high level structure, Applying the framework and Framework, seems fine, the text inside each Principle is pure mayhem. I found it extremely difficult to follow why certain blocks were grouped together while others were excluded. Plus, some of the messages seem to be repeated again and again, unnecessarily adding to the volume of the document.

PRACTICAL AND PRAGMATIC – I also expected the draft COSO:ERM to be business-focused, actionable and pragmatic. This, again, was definitely not the case. It seems authors went for the quantity and not the quality. As a consultant myself in the past and one of the co-authors of the global PwC risk methodology, I think I can be forgiven for calling it what it is. We used to call this particular style of writing “consulting BS talk”.

70% of the draft consists of feel good slogans and high level, yet meaningless, statements, which are impossible to turn into actions in a real business environment. The document is 138 pages long which is completely artificial, since you can easily cut it by almost 2/3 without losing anything important.

I found most examples given in the text borderline naive and quite detached from reality. The current draft definitely is not suitable for both experienced and new risk managers. I must admit, reading the document was both painful and even a bit insulting.

ALIGNED WITH ISO31000:2009 – Despite the fact that ISO31000:2009 is officially adopted by USA in the form of ANSI/ASSE/ISO31000 and still is the most popular risk management standard in the world, I found it very strange that not only ISO31000 is not even mentioned by the authors, some of the definitions and elements are clearly contradicting the standard.

I find this rather strange, because as most of you know ISO standards are based on a global consensus, which means that more than 30 countries, including USA, participated in its initial publication. To add to that ISO TC 262 is currently working on updating the ISO31000:2009 with the representation from all major global economies. And yet, while COSO representatives and some of the authors had ample opportunity to participate in the global discussion, it seems, they chose to ignore it and came up with a document, that is misaligned with the major international standard on risk management.

CONSISTENT AND NOT CONTRADICTIVE – Overall, I found the document to be quite contradictive. While it says all the right things in the very beginning, like the need to integrate risk management into decision making, day-to-day activities, strategy and performance management, the body of the document does not follow up on the promise.

Just some of the issues that I noticed are:

  • completely artificial concept of risk appetite, which ignores how appetite for certain risk types, limits and tolerances are normally set up by management
  • the document talks about the influence of cognitive biases on decision making and risk management, while at the same time proposes the use of highly subjective tools that totally ignore the effect of such cognitive biases
  • risk treatment and risk reporting seem to be stand-alone processes and not part of normal, everyday management performance reporting and activities
  • the concept of risk ownership seems to be mentioned just briefly in the document

Overall I had a feeling that throughout the document risk management was being artificially separated from the day-to-day business of the organization.

DESIGNED FOR BUSINESS OWNERS, NOT JUST RISK MANAGERS – While the draft talks about the fact that risk management is everyone’s responsibility, the document is most definitely not designed for a wide audience and hence would not appeal to business and risk owners. This in itself is a major drawback, as risk managers for years have been struggling to switch from risk to business language. Authors should consider using plain language and avoid excessive technical jargon, try and flip the document around if they were writing for the CEO and not the risk manager.

INNOVATIVE – It is 2016, so I think it’s quite reasonable to expect the draft to propose new and innovative ways to integrate risk management into existing business processes and decision making. Alas, the authors, it seems, went the opposite way. The draft framework does propose innovative ways to capture risk profile, risk appetite and so on. However, this completely ignores how to apply innovation in integrating risk management thinking and analysis into day-to-day decisions and business activities. In fact, while it probably wasn’t the intention of the authors, it could be interpreted by some as further detaching risk management from the business.

CONSENSUS-BASED – The framework was written by PwC, a company, just like the other Big 4, primarily focused on consulting and audit. And while I am not going to argue whether it is good or bad, the fact remains – a lot of the text in the framework is highly theoretical and sometimes detached from the business reality. As a Head of risk I would hate to even attempt to implement some of the suggestions in the document. While all suggestions sound reasonable, it’s just not how things are done.

SIMPLE TO USE – The draft framework is overly complicated, sometimes even confusing to reinforce the use of external consultants. I found this both artificial and unnecessary.

MODERN AND UP-TO-DATE – Some of my comments may appear bitter. That’s because I was genuinely disappointed after reading the draft framework. When I was a young risk manager, I used to look up to Big 4 as the thought-leader in risk. I expected the draft document to take into account latest thinking in risk management, data analytics, cognitive science, risk psychology, financial modelling, quantitative analysis and other disciplines. The framework did not deliver. In fact, it seems the authors went backwards: the definition of risk reminds me of year 2002 and the whole concept of inherent / target / residual risk is simply a joke.

Detailed comments

Introduction

1.      The document starts really well by “Integrating enterprise risk management throughout an organization improves decision‑making in governance, strategy, objective‑setting, and day-to-day operations.” Unfortunately, this feel good slogan is contradicted by the remainder of the document.

2.      Introduction is unnecessarily long with a lot of water, however most of the slogans resonate well. Points 4 to 12 could all be said in 2 sentences or less.

3.      Points 14 “benefits” are rather naïve. Much more pragmatic risk management benefits are:

a.      Transparent decision making

b.      Savings on financing costs

c.      Savings on insurance costs

d.      Allocation of ownership for risk taking

4.      Point 15 “There is no one-size-fits-all approach available for all entities. However, implementing enterprise risk management will generally help an organization achieve its performance and profitability targets and prevent or reduce the loss of resources.” This is an example of language to avoid throughout the document – stating the obvious. Statements like these devalue the document.

Understanding the Terms

5.      Point 22, the new definition of risk is very strange and unnecessary. Despite the fact that ISO31000:2009 is officially adopted by USA in the form of ANSI/ASSE/ISO31000 and still is the most popular risk management standard in the world (officially translated and adopted by more than 60 largest countries in the world), I found it very strange that not only ISO31000 is not even mentioned by the authors, some of the definitions and elements are clearly contradicting the standard. I find this rather strange, because as most of you know ISO standards are based on a global consensus, which means that more than 30 countries, including USA, participated in its initial publication. To add to that ISO TC 262 is currently working on updating the ISO31000:2009 with the representation from all major global economies. And yet, while COSO representatives and some of the authors had ample opportunity to participate in the global discussion, it seems, they chose to ignore it and came up with a document, that is misaligned with the major international standard on risk management.

6.      Point 27, same as above. This one is actually a huge issue. Risk management is about making business processes and decision making risk based (changing how organizations plan and operate), not creating risk management culture, capabilities and practices. Huge mistake by the authors again reinforcing the wrong message that risk management is about managing risks not about making decisions with risks in mind. Overall I had a feeling that throughout the document risk management was being artificially separated from the day-to-day business of the organization.

7.      Point 32 naïve slogans.

8.      Point 33 “At the highest level, enterprise risk management is integrated with strategy-setting, with management considering the implications of each strategy to the entity’s risk profile.” This is just nonsense, pretty much the opposite of how risk management works in real life. It helps management understand the risks associated with each strategic alternative, not the other way around.

9.      Point 34 good point overall, but so many naïve slogans, like “In a highly competitive marketplace, such cost savings can be crucial to a business’s success.”

10.  Point 38 “An organization must manage risk to strategy and business objectives in relation to its risk appetite” again shows lack of understanding of how risk management works in practice. There is no single risk appetite, different appetites for different risk types, situations, projects, etc. The concept as it is documented is completely artificial.

Enterprise Risk Management and Strategy

11.  Point 49 contradicts other sections of the document. Overall, I found the document to be quite contradictive. While it says all the right things in the very beginning, like the need to integrate risk management into decision making, day-to-day activities, strategy and performance management, the body of the document does not follow up on the promise. Also, the phrase “The organization needs to evaluate how the chosen strategy could affect the entity’s risk profile” again completely incorrectly puts the emphasis on risk profile.

12.  Point 53 naïve slogans.

13.  Point 54 makes no sense.

Considering Risk and Entity Performance

14.  Point 67 steers the document in a completely wrong direction, making us believe that risk profiles are important and are the objective of the process. It is 2016, so I think it’s quite reasonable to expect the draft to propose new and innovative ways to integrate risk management into existing business processes and decision making. Alas, the authors, it seems, went the opposite way. The draft framework does propose innovative ways to capture risk profile, risk appetite and so on. However, this completely ignores how to apply innovation in integrating risk management thinking and analysis into day-to-day decisions and business activities. In fact, while it probably wasn’t the intention of the authors, it could be interpreted by some as further detaching risk management from the business.

15.  Point 73, the whole section on risk appetite is totally artificial.

Components and Principles

16.  I also expected the draft COSO:ERM to be business-focused, actionable and pragmatic. This, again, was definitely not the case. It seems authors went for the quantity and not the quality. As a consultant myself in the past and one of the co-authors of the global PwC risk methodology, I think I can be forgiven for calling it what it is. We used to call this particular style of writing “consulting BS talk”. 70% of the draft consists of feel good slogans and high level, yet meaningless, statements, which are impossible to turn into actions in a real business environment. The document is 138 pages long which is completely artificial, since you can easily cut it by almost 2/3 without losing anything important. I found most examples given in the text borderline naive and quite detached from reality. The current draft definitely is not suitable for both experienced and new risk managers. I must admit, reading the document was both painful and even a bit insulting.

17.  The text inside each Principle is pure mayhem. I found it extremely difficult to follow why certain blocks were grouped together while others were excluded. Plus some of the messages seem to be repeated again and again, unnecessarily adding to the volume of the document. I believe the content of any document, let alone an international guideline document, should be logically structured, should follow the MECE principle, shouldn’t have any unnecessary repetition or duplication. This was certainly not the case with the current COSO:ERM draft.

18.  Section 85 is again about risk management, not about making organizations work better with risks in mind. The focus on risk is totally wrong.

19.  Principles breakdown is totally artificial and doesn’t make sense.

Risk Governance and Culture

20.  While the draft talks about the fact that risk management is everyone’s responsibility, the document is most definitely not designed for a wide audience and hence would not appeal to business and risk owners. This in itself is a major drawback, as risk managers for years have been struggling to switch from risk to business language. Authors should consider using plain language and avoid excessive technical jargon, try and flip the document around if they were writing for the CEO and not the risk manager.

21.  Each principle could be condensed to a couple of sentences. Way too much water.

22.  Section 103 “Bias in decision-making has always existed and always will.” – example of a language a 15-year old would use, not a PwC director. Same comment for the majority of the document. Also completely ignorant of the fact that cognitive biases have been discovered and the term coined in the 1970s. More importantly the draft talks about biases, yet all the tools and approaches proposed by the authors completely ignore them during the implementation.

23.  Section 122 is nonsense. Risk aversion vs risk aggressive will be different for different projects, circumstances, managers and risk types. No such thing as entity’s culture spectrum.

Risk, Strategy, and Objective-Setting

24.  Again puts risk profile first and strategy second. “By integrating enterprise risk management with strategy-setting, an organization gains insight into the risk profile associated with strategy and its execution.” – no, this is not why risk management is integrated into strategy, it is done to validate and adjust strategy. Shows total lack of understanding the foundations of risk management.

25.  Missing the point big on the risk appetite. Risk Appetite Continuum is a completely artificial concept.

26.  Section 206 pretty much ignores all of the research done in neuroeconomics and the work of 2 Nobel laureates in economics. Shows total lack of understanding how cognitive biases and risk perception affect decision making and risk management.

Risk in Execution

27.  Risk identification seems to be missing a few important and simple tools like testing assumptions, strategy sensitivity analysis, objective decomposition.

28.  Inherent, Target, and Residual Risk feels like I just time travelled back to 2002. There is a reason why no one except consultants uses such nonsense.

29.  Very poor coverage of modern day tools like decision trees, risk modelling and simulations, while excessive and unnecessary information of absolutely flawed heat mapping.

Risk Information, Communication and Reporting

30.  Great statement in 332 “Information needs to be available to decision-makers in time to be of use.”, yet all else in the document contradicts this, as the approaches and tools suggested by PwC are overly bureaucratic, unnecessary and do not provide timely and quality analysis.

Monitoring Enterprise Risk Management Performance

31.  Good point in 386, but yet again not consistent with the rest of the document.

Prepared by Alex Sidorenko, ISAR https://ru.linkedin.com/in/alexsidorenko
