It took me many days to finish, but at end I did it. I read the full COSO ERM 2017. Not just skimmed the text, read every page, every word. Here are my thoughts:
High level comments
Detailed comments
First thing you notice when reading COSO ERM 2017 is that it is less about risk management, more about corporate governance and management in general. As such, it should be benchmarked not only to ISO31000 but also to King IV report on corporate governance and any other governance code relevant to your country.
Yet again, paradoxically, while risk if not the focal point of the document overall, whenever it is the focal point (principles 7, 11, 12, etc) the authors seem to teleport back to 2005 when writing about risk management.
Section: Applying the Framework
It starts really well with “Integrating enterprise risk management practices throughout an organization improves decision-making in governance, strategy, objective-setting, and day-to-day operations. It helps to enhance performance by more closely linking strategy and business objectives to risk.”
Then for some unknown reason it goes into textbook mode, stating a number of obvious point on how value is created, preserved, eroded and realized. Waste of space.
Then another textbook section on what mission, vision and core values. What are the chances a person looking for the definition and meaning of mission, vision and core values will search for them on page 38 of COSO ERM? Exactly.
Then another good point “An organization that integrates enterprise
risk management practices into setting strategy provides management
with the risk information it needs to consider alternative strategies and,
ultimately, to adopt a chosen strategy.” Pity this message is not consistent throughout the framework.
Then yet another textbook section on what governance, performance management and internal controls are. Not in the context of risk management either, just generic definitions. At this stage COSO ERM reminds me of a bad copy of wikipedia.
Benefits of ERM section is border line naive. Do yourself a favour, don’t repeat that to your executives if you want to be taken seriously. Reducing performance variability and improving resource deployment are probably the only real ones.
Then some more blah blah.
Section: Understanding the Terms: Risk and Enterprise Risk Management
Risk is defined as the possibility that events will occur and affect the achievement of
strategy and business objectives. Fine, similar to ISO31000:2009. No idea why make a point of reinventing the wheel instead of just using the definition that was around since 2009.
On the other hand, Enterprise risk management is defined as the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
Why just strategy-setting and performance I have no idea. Why not procurement or IT or millions other processes and decisions that equally affected by uncertainty? Anyway, I still think ERM is a completely artificial concept with no useful application other than marketing. More in this video:
If you want to know a better definition of risk management without the enterprise bit, watch this video:
Then again more textbook section on culture and then just purely random text. I promised you some captain obvious quotes, here you go “An organization sets strategy that aligns with and supports its mission and vision. It also sets business objectives that flow from the strategy, cascading to the entity’s business units, divisions, and functions.” Thanks PwC, you really know how to waste pages of text and readers time :)))
Then this weird statement “An organization must manage risk to strategy and business objectives in relation to its risk appetite—that is, the types and amount of risk, on a
broad level, it is willing to accept in its pursuit of value.” PwC continues driving it’s absolutely artificial notion of risk appetite. In reality it’s the most basic decision making tool, I have written about it here The whole concept of risk-appetite is total nonsense. Read the article to see how this statement in COSO is actually missing the point.
Section: Strategy, Business Objectives, and Performance
It starts with an interesting statement “An organization that understands its mission and vision can set strategies that will yield the desired risk profile.” I’ll leave that up to you, but maybe it’s the other way around? Strategies don’t yield the desired risk profile, the risks drive the desired strategy?
And another one “The organization needs to evaluate how the chosen strategy could affect the entity’s risk profile, specifically the types and amount of risk to which the organization is potentially exposed.” Maybe I am just nit-picking, but anyway.
This statement seems the opposite of what should be done “Wherever possible, the organization should use similar units for measuring risk for each objective. Doing so will help to align the severity of the risk with established performance measures.”
“The organization should initially understand the potential risk profile when evaluating alternative strategies. Once a strategy is chosen, the focus shifts to understanding the current risk profile for that chosen strategy and related business objectives.” this is so weird. Shouldn’t the strategy be chosen based on risks? Why does the risk profile needs to be understood after the strategy is chosen? I cannot make sense out of it, except the fact the authors don’t have much clue about how to really integrate risk mangement into strategic planning.
Time for one more captain obvious quote? “The relationship between risk and performance is rarely linear. Incremental changes in performance targets do not always result in corresponding changes in risk (or vice versa).” COSO ERM could’ve been less than 10 pages if only important messages were left without all the water around it.
Then the concept of risk profile is introduced. Supposedly, risk profile graph is the key innovation created by PwC. I did a short video about it, make sure you watch it:
Section: Integrating Enterprise Risk Management
I had big hopes for this section, as this, in my mind, the only reason to do risk management in the first place. It starts well “Integrating enterprise risk management with business activities and processes results in better information that supports improved decision making and leads to enhanced performance.”
Then it goes to textbook obvious naive statements again and there is no detail on how to actually integrate, where to start and what pitfalls to avoid. The sections on integrating into culture, capability and practices are just water. Here is the full section on integrating risk management into practices:
Enterprise risk management practices are integrated when:
- Setting strategy explicitly considers risk when evaluating options.
- Management actively addresses risk in pursuit of its performance targets.
- Activities are developed to regularly and consistently monitor performance results and changes in the risk profile throughout the entity.
- Management is able to make decisions that are in line with the speed and scope of changes in the entity.
Thanks Captain Obvious. How do you actually do it? I have my answer Free risk management training and webinars in Q1 2018
Section: Components and Principles
Then the framework provides a summary of 5 components and 20 principles. At this stage of the document I just think to myself, why 20 principles, why not 150?
There are good points “Enterprise risk management is not static. It is integrated into the development of strategy, formulation of business objectives, and the implementation of
those objectives through day-to-day decision-making.” and not so good “An organization should have a means to reliably provide to the entity’s stakeholders with a reasonable expectation that it is able to manage risk to an acceptable amount.”
I can’t take it any longer. Reading COSO ERM is more painful than listening about cognitive biases from a neuroeconomics professor :)) I will cover the actual framework and it’s 20 principles next week.
To be continued…
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
I totally agree with you Alex. I’m an Oil & Gas professional with 40 years experience in upstream operations and risk management . I’ve been an Offshore Installation Manager (OIM) for 13 years and for the past 12 years I’m with ERM function. I’ve never read such a confused standards in my life.
After reading this COSO 2017 version I feel like running away from ERM and not to fool others. Surprised to find a body of professionals producing such a fake document. When ever we go to leadership committee or Board they really feel that they are wasting their time on ERM and no value. If ERM standards are so confused how can we get buy in from the top management ?
Sorry for this outburst. I took a week and 15 times reading to understand the executive summary. Believe me I didn’t understand what they want to convey, except the fact that ERM should start with strategy setting . But how ? Should CRO be the final approving / vetting authority ? No answer. Even a primary school text book will be more clear on what you read.
Thanks for your review.
Ravi