Monthly Archives: August 2015


The Myths of Risk Management – “Risk Man, Super Hero”
2015-08-31, by James Bone. Category: Risk Management

“Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events[1] or to maximize the realization of opportunities. Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.[2]”

If you enter “risk management” into your favorite search engine you will receive literally hundreds of variations on the definition of risk management. The definition above goes on to explain that risk management consists of “Strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).”

If you take this definition, and the hundreds (and growing) of others, literally, you would think that we are describing the actions of a mythical super hero with the powers to conquer our biggest villain, The Unknown! Imagine the costume of the super hero, Risk Man! Risk Man (or Risk Woman) does not wear tights or a cape; no, Risk Man wears business attire, and business casual on Fridays during the summer.

What are the super powers of Risk Man? Risk Man can see the villain, The Unknown, before it happens and can deflect negative consequences off Risk Man’s three-piece suit while saving your firm from …. from …. some really bad things happening to your business goals?

Risk Man has one weakness: Hubris! Risk Man is not the only super hero who suffered from hubris. In the 19th century, economists suffered the same weakness in developing the theory of “homo economicus”. Never heard of homo economicus? It is the concept in many economic theories (see, they suffered from multiple definitions as well) portraying humans as consistently rational and narrowly self-interested agents who usually pursue their subjectively-defined ends optimally.

The definition has a familiar ring to it, doesn’t it? Homo Economicus was the Super Hero of its day until reality caught up with the myth of the all-knowing human who always takes the optimal path to economic outcomes. Unfortunately, Homo Economicus was defeated by man’s weakness, Hubris. We have learned that businesses fail, sub-optimal activities persist, and we need technology to help us make decisions. Yet the myth of Homo Economicus continues today because we do not learn the lessons of the past very well. We believe that we have developed new super heroes to protect us from Hubris.

Hubris may be the most cunning of the weaknesses suffered by our super heroes! Whenever we develop new technologies, like social media, data analytics, and risk management, we believe that we are covering new ground. As these new technologies become norms in society we depend on the individuals who practice these dark arts because they are new or cool to talk about. Very smart people fail to question the efficacy of the promises offered: easy solutions or lofty expectations of better outcomes. No proof is requested and no proof is presented.

Hubris allows us to believe the stories we create for our super hero status until reality reveals the truth. This is what happened to early economic theory but it took almost 100 years to disprove! A well-earned belief is not deterred by the cold hard facts of evidence.

To be fair, almost every scientific and human advancement had to experience some form of hubris to push mankind forward. Fortunately, a relatively small number of individuals are actually responsible for recognizing the flaws in our thinking and overcoming hubris. Albert Einstein had to overcome some of the early work in Newton’s theories before the Theory of Relativity was proved. So how do we combat Hubris? With Humility! The anti-villain weapon of choice!

We must admit that risk management cannot possibly achieve all that is promised in the varied definitions that exist. If it could, there would be no recessions, no failed businesses, no stock market collapses and no excitement in the world as we know it today. Risk Man would rule the world, own all wealth and decide the fate of mankind.

Risk Management is a serious function that should be given respect in every organization. However, to earn that respect risk management must become more humble in its abilities to defeat the forces of the real villain, The Unknown!

How COSO destroyed Risk Management
2015-08-23, by James Bone. Category: Risk Management

“The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

The National Commission was sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). Wholly independent of each of the sponsoring organizations, the Commission included representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

COSO’s goal is to provide thought leadership dealing with three interrelated subjects: enterprise risk management (ERM), internal control, and fraud deterrence.”

This excerpt has been taken directly from the COSO Internal Control – Integrated Framework, dated December 2011.

COSO has been adopted by regulators, industry, and financial services as the “gold standard”, along with its counterpart ISO 31000, as a leading framework for designing, implementing, and evaluating the effectiveness of internal control. In 2004, COSO expanded its mandate to include the Enterprise Risk Management – Integrated Framework, in its words, “In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide approaches to risk management.”

COSO’s Enterprise Risk Management – Integrated Framework lists its Keys to Success as:

#1 – Support from the top is a necessity
#2 – Build ERM using incremental steps
#3 – Focus initially on a small number of top risks
#4 – Leverage existing resources
#5 – Build on existing risk management activities
#6 – Embed ERM into the business fabric of the organization
#7 – Provide ongoing ERM updates and continuing education for directors and senior management

COSO further suggests the initial steps and objectives for Embracing ERM:

1. Seek Board and Senior Management Leadership, Involvement and Oversight
2. Select a Strong Leader to Drive the ERM initiative
3. Conduct the initial Enterprise-wide Risk Assessment & Develop an Action Plan
4. Establish a Management Risk Committee or Working Group
5. Inventory the existing Risk Management practices
6. Develop your initial Risk Reporting
7. Develop the Next Phase of Action Plans & Ongoing Communications

COSO goes on to offer an example of a Strategic Risk Profile using risk criteria such as Likelihood, Impact, Velocity, Readiness, & Priority to assess each strategic risk.

COSO further moved beyond its role of suggesting a framework to advising on who should fill the Chief Risk Officer role. “This person does not need to be a “CRO” (Chief Risk Officer). Often, it is best to initially use existing resources, for example the Chief Audit Executive or Chief Financial Officer, for this role to get ERM started. This leader will not necessarily be the person to head ERM long term, but the person to get the initiative started and to take responsibility for moving the organization’s ERM activities to the next level.”

So what is the problem?

COSO has lost sight of its original mandate, drifting from a narrower focus on an internal controls – integrated framework, designed to understand the causal factors that can lead to fraudulent financial reporting, to a broader and rather vague enterprise risk framework with little substance. In the original framing of COSO’s internal controls framework, risk assessments are included as a means to evaluate the effectiveness of the controls designed to ensure accurate financial reporting and disclosures. COSO’s focus on risk-based assessments of internal controls and periodic monitoring of the effectiveness of financial internal controls is appropriate; however, this is also the place, intentionally or unintentionally, where the corruption of risk management began. The first problem is a perennial one in business, classically called “Scope Creep”.

Internal control design and monitoring is a critical safeguard for reducing or addressing the occurrence of fraudulent financial reporting. Had the framers devoted research to the development of robust internal control design for the enterprise, instead of the broad and wide-ranging outline of a framework of internal controls, the intent and application might have proven more effective. COSO’s guidance is so generic and broad that even public accounting firms often fail to live up to the basic requirements advocated in it. The media is replete with examples of large, well-established firms that failed to properly disclose financial impropriety after successfully passing internal control attestations by management and their internal and external auditing teams. Public accounting firms use the “reasonable assurance” defense to counter this argument, but there is more going on here.

COSO was not intended to become the de facto risk management framework it is known as today. In the early days of COSO, the nascent risk management community did not offer an effective alternative. There were many examples of Wall Street firms attempting to develop position papers on risk management which never seemed to take hold or evolve into a broadly adopted framework, in part because the attempts were focused on financial services risks, limiting their appeal as an operating standard across industry. Risk management, as we now understand it, is much bigger, more diverse and infinitely more complicated than a set of internal controls over financial reporting.

Charting a new path

COSO’s failure is due primarily to its narrow focus on internal controls as a risk management tool. Internal controls should have been considered one leg of a four-pronged approach to a comprehensive risk management framework. Fundamentally, internal controls should be considered one of the foundational components of enterprise risk management. What is missing in COSO, and broadly across risk management, are the other tools needed to execute enterprise risk management. Risk management must include mechanisms to measure and quantify real risks. The rise of quantitative analysts reflects the recognition that risk management is measurable and not simply assessed through the qualitative assessments advocated in COSO.

Secondly, the fraction of risks that are least understood or hardest to measure is called Uncertainty. There are methods and tools to assess uncertainty, including probability analysis using Monte Carlo simulation and/or regression analysis, as a means to understand the distribution of risks that fall in the long tail of the bell curve.

Lastly, the area that is least understood is the concept of human decision-making under uncertain conditions, which could serve as fertile ground for discussions with senior management and the board of trustees as a tool for oversight and monitoring. These four components of Enterprise Risk Management must replace COSO and become a true unifying construct for managing the complexity and diversity of risks we now face. Internal controls, Quantitative Risk Analysis, Probability Analysis and Decision Support Tools are the four legs of Enterprise Risk Management.
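As an added illustration that is not part of the original post, the Python below puts a COSO-style Likelihood × Impact heat-map rating beside a Monte Carlo frequency/severity simulation of the kind the post calls for, so the long right tail the rating cannot express becomes visible. The risk parameters (frequency, median loss, tail shape) are constructed for the example, not taken from any real data.

```python
import math
import random
import statistics

# Constructed parameters (not from the post): one operational risk with an
# expected frequency of 2 events/year and a heavy-tailed (lognormal) loss
# per event, so the annual aggregate loss has a long right tail.
FREQUENCY_PER_YEAR = 2.0
SEVERITY_MEDIAN = 50_000.0   # median loss per event, in dollars
SEVERITY_SIGMA = 1.2         # lognormal shape; larger means a fatter tail

def qualitative_score(likelihood: int, impact: int) -> int:
    """Heat-map rating (1-5 likelihood x 1-5 impact): a single ordinal
    number that says nothing about the shape of the loss distribution."""
    return likelihood * impact

def poisson(rng: random.Random, lam: float) -> int:
    """Draw one year's event count (Knuth's multiplication method)."""
    count, p, threshold = 0, 1.0, math.exp(-lam)
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1

def simulate_annual_losses(years: int, seed: int = 7) -> list[float]:
    """Monte Carlo: per simulated year, draw the event count, then a
    lognormal loss per event; return the annual aggregate losses."""
    rng = random.Random(seed)
    mu = math.log(SEVERITY_MEDIAN)  # lognormal median = exp(mu)
    return [
        sum((rng.lognormvariate(mu, SEVERITY_SIGMA)
             for _ in range(poisson(rng, FREQUENCY_PER_YEAR))), 0.0)
        for _ in range(years)
    ]

def percentile(values: list[float], q: float) -> float:
    """Nearest-rank empirical quantile for 0 < q <= 1."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]

def loss_profile(years: int = 20_000) -> dict[str, float]:
    """Mean (what likelihood x impact gestures at) beside the tail quantiles
    (what it cannot express)."""
    losses = simulate_annual_losses(years)
    return {"mean": statistics.fmean(losses),
            "p50": percentile(losses, 0.50),
            "p95": percentile(losses, 0.95),
            "p99": percentile(losses, 0.99)}
```

With these parameters the median year loses far less than the mean while the 95th and 99th percentile years lose several times more, which is the gap between a heat-map cell and a loss distribution.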

These concepts are not new. In fact, big thinkers such as Frank Knight, Herbert Simon, and Daniel Kahneman researched and advocated these ideas and approaches at the turn of the 20th century; however, the accounting and risk management community has largely ignored this rich body of research until more recently. Knight, Simon and Kahneman recognized that making decisions under uncertain conditions is the largest contributor to the risk an organization faces. Their research directs us to take a multi-disciplinary approach, not some mechanical internal controls process that does not truly inform the board or senior management about the complexity of risks faced by today’s organizations.

COSO’s contributions should not be ignored or minimized; they should be recognized for coalescing focus and attention on enterprise risk management. Now it is time for risk management practitioners to take the lead in developing innovations in enterprise risk management, using a multi-disciplinary approach to build an effective framework that is as dynamic as the risks it must manage.