COSO ERM 2017 – full review by Alex Sidorenko (part 1)
It took me many days to finish, but in the end I did it. I read the full COSO ERM 2017. I did not just skim the text; I read every page, every word. Here are my thoughts:
High level comments
COSO ERM 2017 is quite paradoxical, in the sense that, on one side, it is extremely long (257 pages), while on the other side it never goes into enough detail to explain the ideas it presents in any comprehensive way.
If I were to summarize COSO ERM in one picture, it would probably be the picture above the article. COSO ERM 2017 is painfully obvious, with no innovation. In fact, if you have been working in risk management for a while, have successfully integrated risk analysis into some key decisions and processes, use proper quantitative risk analysis tools, and are familiar with how cognitive biases affect decision making, then you will feel COSO ERM is a step back, not the improvement many claim. COSO ERM 2017 is a huge improvement on COSO ERM 2004, they say. True. However, this is not a credit to COSO ERM 2017; it is merely an indication of how horribly bad COSO ERM 2004 was.
Here is a diagram that explains where COSO ERM 2017 sits on the maturity spectrum:
Yes, the new framework's link between risk and performance is BETTER than just making a list of risks. And if it were 2005 I would be super excited. But it's not. In 2017 most risk managers I know use at least some form of risk modelling, decision trees, scenarios and simulations, and they have linked risk management not only to strategy and performance management (as PwC suggests in COSO), but to many other business activities and most significant decisions as well. These tools and approaches have been around since the 1970s and still outperform all the new "best practices" by a landslide.
PwC is quite clever: the framework does mention both cognitive biases and simulation techniques, acknowledging that they exist and are important. I am not buying it, however; this was clearly done as a cop-out more than anything else.
Plus, COSO ERM 2017 still loses to ISO31000:2018. It carries the same or similar messages, but in a package that is painful to read. In the detailed comments you will find a lot of Captain Obvious-type quotes from the framework.
All in all, the professional community would not even notice if COSO ERM had never existed. Rant over. Now let's put our pragmatic hats on. Since it does exist, let's use it to our advantage. Here is what COSO ERM 2017 can be used for:
- using it as an argument to initiate a change project: moving away from quarterly risk assessments, risk reports and risk mitigation plans towards integrating risk analysis into the actual decision-making process (watch this on how to sell risk management: https://www.youtube.com/watch?v=3MbJLkSlbU4)
- using sections and good messages from COSO ERM 2017 to reinforce the changes you have been proposing for a while, which were ignored by management
- showing how COSO ERM 2017 reinforces the work you were already doing
- justifying whatever good risk management you were already doing
- getting attention from the Board or Audit Committee
- opening the door to the strategic planning process (you had better have your Monte Carlo methodology set up and ready to go before integrating into strategic planning; read this article about integration into strategy: https://riskacademy.wordpress.com/2017/03/16/4-steps-to-integrate-risk-management-into-strategic-planning/)
- shutting down the auditors or consultants who were selling risk registers, risk management framework documents and risk appetite statements.
That's probably it. If you want to learn new ideas, you are better off participating in some of the webinars we run every week: https://riskacademy.wordpress.com/free-webinars/
Detailed comments
The first thing you notice when reading COSO ERM 2017 is that it is less about risk management and more about corporate governance and management in general. As such, it should be benchmarked not only against ISO31000 but also against the King IV report on corporate governance and any other governance code relevant to your country.
Yet again, paradoxically, while risk is not the focal point of the document overall, whenever it is the focal point (principles 7, 11, 12, etc.) the authors seem to teleport back to 2005 when writing about risk management.
In the next article I will touch on each of the 20 COSO ERM principles.
To be continued in 2018…
MD, Contrôle Permanent (Permanent Control), Head of Regulatory Referentials Advisory at Société Générale (6 years ago):
Do you have a draft of ISO 31000:2018 to share?
Organizational Consultant and Risk and Systems Auditor, Director at WARWICK Integral Consulting Services, Speaker (6 years ago):
ISO 31000:2018 is a good starting point and initial reference for risk management; COSO ERM 2017, and the new guidelines of the ISO 31000 family, will provide detailed guidelines and descriptions for risk management. ISO 31000:2018 coincides with COSO ERM 2017 in the aspects related to the creation of value, leadership and integration, principles, the establishment and achievement of objectives and strategies, the improvement of performance, the corporate governance of risks, and human and cultural factors. You had better use both.
Organizational Consultant and Risk and Systems Auditor, Director at WARWICK Integral Consulting Services, Speaker (6 years ago):
COSO ERM 2017 (none of the publications of this encyclopedia) is not an official global standard; ISO 31000 is. But for a large number of global specialists in risk management, COSO ERM has represented a de facto standard since 2004. The acceptance of COSO ERM as a de facto standard occurred in the absence of another equivalent standard, or any global standard, until 2010, when ISO 31000:2009 started to position itself. But ISO 31000 does not have enough supporting literature; it only has guidelines and specifications, even in the recent version. The supporting literature, little or much, we find in orderly form in COSO ERM.
Organizational Consultant and Risk and Systems Auditor, Director at WARWICK Integral Consulting Services, Speaker (6 years ago):
COSO ERM 2017 contributes formal literature, making definitions and proposing guidelines about risk management that are not found in any other recognized framework. COSO ERM 2017 is American. The first thing it resolves is the official definitions that the American corporate community needs. Until now, these definitions may have existed scattered across different sources, but now they are gathered and ordered in a formal encyclopedia on risk management (it consists of several publications). Beyond the US, any interested party or risk manager can also use the COSO ERM 2017 literature.