Tag Archives: coso enterprise risk management
If you spend any time on social media, viewing online news stories or reading blog posts from pundits and self-described experts and consultants [present company included], you will notice that the ratio of “jargon” to information is rising rapidly. This is especially true in enterprise risk management, machine learning, artificial intelligence, data analysis and other fields where opinions are diverse because real expertise is in short supply.
This is a real problem on many fronts because jargon obscures the transfer of actionable information and makes it harder to make decisions that really matter. So I looked up the definition of “jargon”.
“Jargon: special words or expressions that are used by a particular profession or group and are difficult for others to understand.”
Well-intentioned people use jargon to portray a sense of expertise in a particular subject matter to those of us seeking to learn more and understand how to make sense of the information we are reading. The problem is that neither the speaker nor the listener is really exchanging meaningful information. In an era where vast amounts of misinformation are a mouse click away, we must begin to speak clearly.
Critical thinking is the product of objective analysis and the evaluation of an issue to make an informed decision. However, because we are human, what we believe can be based on biased information from peer groups, background, experience, political leanings, family experience and other factors, both conscious and subconscious.
In an era where “truth” is malleable, critical thinkers are more important than ever. This is especially relevant to risk professionals. The jargon in risk management is destroying the practice and profession of risk management.
Yes, these are strong words, but we must be honest about what is not working. We, the collective “we”, use words like Risk Appetite, Risk Register, Risk Value, Risk Insights, or my favorite, “the ability to look around corners”, as if everyone understands what they mean and how to use these words to define some process that leads to awareness. The practice of risk management does not endow the practitioner with the ability to see the future. Done well, risk management is the process of reducing uncertainty BUT only in certain situations!
Let’s stop expecting super human feats of wisdom in risk management that no one has ever demonstrated consistently over time.
We call a risk framework a risk program when it is only an aspirational guide for what goes in a risk program, not what you do to understand and address risks. The truth is that there is so much jargon in risk management because we know very little about how to do it well. Fortunately, the truth is much simpler than the jargon from uninformed pundits who would have you believe otherwise. Risk management is much simpler and less omniscient than the hype surrounding it. This may be disappointing to hear, and many may argue against this narrative, but let’s examine the truth.
Think of risk management as an Oak tree with one trunk but many branches. Economics is the trunk of the Oak tree of risk management with many branches of decision science that include the science of advanced analytics and human behavior among many others.
Economists and a Psychologist are the only ones who have ever won a Nobel Prize in the science of risk management.
Risk management was NOT invented by COSO ERM, consultants like McKinsey & Co. or applied mathematicians; however, many disciplines have played an active role in advancing the practice of risk management, which is still in its infancy of development. Risk management is challenging because, unlike the laws of physics, which can be understood and modeled according to scientific methods, the laws of human nature consistently defy logic. One look at today’s headlines is all you need to understand the complexity of risk management in any organization.
As the Oak tree of risk management grows, new branches are needed, such as data science, data management, cognitive system design, ergonomics, intelligent technology and many other disciplines. I created the Cognitive Risk Framework for Enterprise Risk Management and Cybersecurity to make room for the inevitable growth and diversity of disciplines that will evolve through the practice of risk management. It too is an aspiration of what a risk program can become. Risks are not some static “thing” that can be tamed into obedience by one approach, a simple focus on internal controls or the next hot trend in technology. Risk management must continue to evolve and so must those of us who are passionate about learning to get better at managing risks.
Let me leave you with one new word of jargon that is growing rapidly. Signal. The word Signal is being used in Big Data conversations to distinguish how to separate out the noise of Big Data from real insights to understand what customers want, identify trends and insights in data, and understand risks. How is that for a multi-jargonistic sentence?
Not surprisingly, McKinsey has jumped on this bandwagon to tell the listener they too must separate the signal from the noise. Like all jargon, few tell you how, only that you must do these things. What only a few will tell you is that the challenge of identifying the signal, insight, value or substitute whatever jargon you like is to develop a multi-disciplinary approach.
The cognitive risk framework for enterprise risk and cyber security was developed to start a conversation about how to begin the “how” of the evolution of risk management into what it will become, not some imaginary end state of risk management.
Over the last 7 years the one constant corporate executives have complained about has been uncertainty in economic recovery, geopolitical risks, global competition and expanding government regulation; however, each of these perceived risks has paled in comparison to human behavior in the executive suite. In other words, while concerns have been externally focused, the true cause of corporate pain has been self-inflicted by bad corporate behavior.
The most recent examples of internal control weakness at Walmart and Toshiba were cited as a wake-up call for external audit firms in a Fortune magazine article. A letter dated Sept. 9 addressed to Securities and Exchange Commission Chair Mary Jo White and the SEC Commissioners was no ordinary letter. Its signers included heavy-hitters such as former Federal Reserve Chairman Paul Volcker, Vanguard founder Jack Bogle, and former SEC Chairmen Arthur Levitt and Richard Breeden. Former Comptroller General of the U.S. Charles Bowsher, former board member and acting chair of the Public Company Accounting Oversight Board (PCAOB) Chuck Niemeier, and former Chair of the International Accounting Standards Board Sir David Tweedie, along with a host of other luminaries, also signed the letter.
In it they wrote that they have “an interest in the auditing and financial reporting quality of companies listed in the U.S. and internationally … Our purpose in sending this letter is to express our support for Chair [James] Doty’s reappointment [as Chair of the PCAOB] and to explain the reasons for this support.”
With very minor exceptions, no firm fails to attain “reasonable assurance” attestations from their external auditors when evaluating internal controls, even firms who eventually experience massive financial fraud, financial restatements or financial internal control weakness findings after the fact. Why does this happen so frequently and what prevents external auditors from detecting fraud?
After debating this issue with auditors and researching the PCAOB website for answers, it has become clear that the standard for “reasonable assurance” is one key contributor to failure. To find answers I looked at accounting standards in the U.K. and U.S. to better understand the guidance given to external auditors to formulate reasonable assurance. Here is what I found:
‘Reasonable assurance’ is the level of confidence that the financial statements are not materially misstated that an auditor, exercising professional skill and care, is expected to attain from an audit. The confidence that an auditor attains is subjective and is the basis for offering an audit opinion. Users of financial statements derive their own confidence in the audited financial statements from many sources, including a knowledge that the auditors work to professional standards within a framework of regulation and that the auditors have felt sufficiently confident that the financial statements are not materially misstated to issue an opinion.
As a consequence of their confidence that financial statements are not materially misstated, users of financial statements may also gain confidence that the management of the entity are conducting its affairs in the knowledge that the financial consequences of their actions will be reported.
The assurance the auditor obtains from performing procedures and the assurance the auditor expresses in the report on the financial statements vary based on the type of service the auditor provides. An audit is the highest level of service an auditor can provide. An audit allows the auditor to express an opinion about whether the financial statements are free of material misstatement. In contrast, the objective of a review of interim financial information is to provide the auditor with a basis for communicating whether, as a result of the procedures performed, the auditor became aware of any modifications that should be made to the interim financial information for it to conform with generally accepted accounting principles (“GAAP”).
The procedures performed in a review do not provide the auditor with a basis for expressing an opinion on the financial statements. Thus, the assurance the auditor provides to financial statement users based on a review is more limited than the assurance that can be provided as a result of an audit.
In both cases, the standards boards for both the UK and the US have punted on “reasonable assurance” even though boards of directors and senior executives, not to mention regulators in the SEC, Department of Treasury and other regulatory agencies, depend on these assessments. The UK standard specifically states that reasonable assurance is “subjective” while the US standard is more muddled, suggesting that “depending on the level of services provided” the attainment of “reasonable assurance” is varied?
Basically, these standards are legal cover for whatever a firm wants them to mean. If one external audit firm concludes “reasonable assurance” is sufficient and another audit using more advanced audit procedures comes to a completely different conclusion both opinions are acceptable, that is, until the firm restates earnings and lays off thousands of employees to fix the problem.
Auditors frequently argue that “reasonable assurance” is well-established by corporations and broadly accepted. This may be true but blood-letting was also an accepted medical practice in the 17th and 18th century until more patients died from the procedure than were cured! Is reasonable assurance the 21st century’s version of blood-letting? Just because it is accepted as standard practice does not mean that the practice is efficacious!
Blood-letting has since been discredited and would be considered malpractice in medical circles as a result of scientifically advanced procedures for curing health ailments. Isn’t it time that the accounting industry subject its practice to more advanced procedures using a combination of cognitive and analytical processes to give corporate boards and senior executives confidence in their work product? Otherwise, reasonable assurance should be treated more like collusion with management to give the appearance of compliance with little substance whatsoever to demonstrate confidence that internal controls are operating properly.
The Institute of Internal Audit has published an article that promotes the assessment of the adequacy of risk management programs using a risk framework, such as ISO 31000. On the surface, there appears to be valid justification for making the case for an “audit” of risk management to provide assurance to management that risk programs are reasonable, effective and designed to address the changing landscape of risks inherent in most organizations. However, let’s explore the outcomes of such an exercise to determine the value and consequences of an audit.
A brief history of COSO, or the “Committee of Sponsoring Organizations”, may help put this in perspective. As a result of banking failures and financial risk taking, industry and public accounting firms saw fit to create a framework for organizations to think about how to codify internal controls over financial reporting, regulatory compliance, and firm governance. The framers of COSO hoped that firms would use their framework to adopt internal controls processes to “self-adjust” as the business sought out risk and profit opportunities. COSO continues to serve as a foundation for starting a risk framework and others have followed. ISO 31000 and many other variations on this model now exist globally.
As COSO has become adopted and grown into an Enterprise Risk Framework for corporate governance the roles of risk and audit have become blurred. Audit firms were better organized and enjoyed the attention of boards of trustees. Risk professionals are only now establishing the credibility to have a place at the table. It is interesting that the formal study of risk management grew out of the field of economics yet external auditors chose not to adopt this approach of risk management. Risk managers have done no better! Risk managers have ignored until more recently the research of 19th century, decision analysis & forecasting, computer science, psychology, and work of decision making under conditions of uncertainty.
This is important only in that the call for an audit of risk management misses the point. Auditing risk management is like taking an autopsy of the patient after she has died. Yes, you can learn valuable insights but you learn only about the mistakes, errors, and inevitable missteps that will happen in any risk taking organization.
Therefore, is an assessment of risk management a valuable exercise? And the answer is, maybe, if the assessment reaches beyond the conventional concepts of audit. What does that mean? An audit or assessment is not simply a test of the existence of processes taken by an oversight function. Risk management is a process used by management to achieve reasonable assurance. Reasonable assurance of what? It depends! Assurance is conditioned on the perceived or actual risky endeavor being taken. The higher the risk the lower the level of assurance of achieving one’s goals. Management must choose among risky endeavors and decide what is the acceptable level of risk to assume and what steps must be taken to minimize those risks to an acceptable level.
To assume that an audit of risk management is focused at a department level is the missed opportunity. The role that audit and risk management could play is one of testing the assumptions that all risky endeavors include and developing tools to calibrate risk taking.
An assessment of any risk program must begin with a clearly stated set of management objectives that have been promulgated to achieve specific outcomes. Without a clear mandate from management no risk framework or assessment is credible. It would be impossible to assess a program in a vacuum but that is exactly what is suggested. Generic models based on aspirational goals are no more than a professional wish list of To Dos.
Risk management therefore is a collaborative process between senior management, risk professionals, audit and other oversight groups who must help inform the process of risk taking. Informed risk taking does not assume the elimination of risks; it only anticipates both sides of the risk coin that is tossed for each risky venture.
The COSO Enterprise Risk Framework is a great reference for senior management to begin its process of codifying risk management practice within a firm but was never implied as the only solution or approach to managing risks. COSO or any other risk framework should not become a checklist from which one simply connects steps in a process. Risk management, like competition, is more dynamic and challenging, which requires a level of responsiveness that exceeds a static frame of reference.
The audit team is part of the risk management process as well and begs the question of who audits the auditors? The argument becomes a circular one and misses the point. The debate seems to ask the question of how do you reduce the risk of failure on one’s watch? The answer is you can’t, but you can understand what failure could look like and develop a set of approaches to understand the likelihood of their occurrence. The data that could be provided by internal audit or external audit to help inform this level of decision-making has tremendous value.
As risk management evolves beyond existing frameworks for thinking about risk to operational models of risk taking, the role that audit, risk and oversight play will undoubtedly grow and evolve as well. Until then management should consider how risk and audit functions help inform which risks are taken and who must assume responsibility for managing appropriate risky events.
OCEG, the Open Compliance & Ethics Group, has developed standards for the structure of GRC (Governance, Risk & Compliance). Although initially focused on GRC as a risk practice, OCEG has shifted focus to a new concept called Principled Performance. OCEG has modified Enterprise Risk into a Principled Performance model that is inclusive of the COSO Enterprise Risk framework. This shift in focus appears to imply that risk management is responsible for firm performance.