COSO has released two new risk management thought leadership papers (see the press release (PDF)). The first provides practical guidance on establishing a de novo risk management function. The second discusses key risk indicators (KRI).
I must admit that I prefer the ISO 31000:2009 risk management standard to the COSO ERM framework. I think the ISO definitions are better and find their model much easier to understand than the infamous COSO cube.
Having said that, there continues to be value in the COSO work, including these two papers. Risk professionals, executives, directors, and internal auditors should read and consider both documents, but with their normal skeptical attitude — because while they are good they are not perfect (IMHO).
One of the problems I have with Embracing Enterprise Risk Management: Practical Approaches for Getting Started is that it doesn’t propose starting with a firm foundation — understanding what the organization wants to achieve with risk management. For example, it suggests starting with periodic assessments of a few top risks. But is that right for the organization? I have previously written about the need for organizations to include risk as they make decisions every day: they need to manage risk at the speed of business. Is it not wise to understand the nature and extent of risks to the business, and to the achievement of its strategies, goals, and objectives? What are the needs of the board and executive management when it comes to understanding and responding to risk? Can the organization afford to wait while risk management is built incrementally? If risks are changing rapidly and the organization needs to be able to respond quickly, is it reasonable to build risk management processes to support only quarterly risk assessments? Perhaps something more dynamic is required, where management is trained to monitor risks on a frequent (if not continuous) basis, and to inject the consideration of risk into decisions every day.
My answer is to identify the more significant risks (not limited to a handful) and as part of the design of the continuing process consider how often I need to monitor and adjust as risks change.
The Getting Started document does not address the fact that risk management is not just about anticipating and preparing for potential adverse events. Risk management is about that, yes, but it is also about being ready to seize opportunities.
Where is the reference to technology? Recent advances in software for risk management have made building a robust risk management program (i.e., one that is able to identify and assess risks on a timely basis and drive prompt action) a great deal easier. As an example, the KRI discussed in the second paper can now be automated, linked to risk assessments, and drive workflow to act on any change in risk information.
Technology now enables firms to link risks and strategy, so that as risk levels change they can see the potential impact on achievement of their strategies and optimization of performance.
Risk management enables an organization to be agile: able to respond promptly as potential adverse events or opportunities appear. It also enables sustained, optimized performance: risk is considered in setting strategies and plans, and the monitoring and optimization of performance.
Will the Getting Started program set organizations on the path to achieving agile, sustained, optimized performance? I am not convinced it will work for most organizations. Instead, it may influence organizations to be satisfied with risk assessment by internal audit; with risk assessments performed in silos — separate assessments by IT, finance, manufacturing, etc., without an enterprise view of risk across the organization; and with occasional rather than continuous risk management.
Read it. Think about it. Consider its suggestions. It has some solid thinking (what I would expect from Mark and Richard). But, make sure you understand what you want your organization’s risk management program to look like, and what you want it to drive in terms of improved business performance, before you start developing the program. Have a plan and design before you build.
The Developing Key Risk Indicators to Strengthen Enterprise Risk Management paper has similar issues. There is, again, a lot of valuable discussion about KRI and their importance. But, my advice is to read it skeptically.
For example, it suggests asking risk owners to develop one or two KRI for each of their risks. While that may be a way to get started, it is essential that the KRI provide a clear picture of the level of risk. If you start with just one or two that may be easy to develop, will they provide that clear picture?
KRI are important. I like them but take a simpler approach: for each risk, how can I tell when the risk level is changing? What do I have to monitor and how? How reliable are the indicators?
The authors of the two guides are well-respected and knowledgeable academics (Richard Anderson had a fine first career with PwC). The information in the guides is valuable. But, this is not the entire story, and I suggest reading with a skeptical eye.
Most important is to ask yourself what you want ERM to achieve in your organization. Will this guidance get you there, or should you learn from it and adapt to your specific needs?
I welcome your opinion.