COSO Publishes Two New Papers on ERM. How Valuable Are They?

COSO has released two new risk management thought leadership papers (see the press release). The first provides practical guidance on establishing a de novo risk management function. The second discusses key risk indicators (KRI).

I must admit that I prefer the ISO 31000:2009 risk management standard to the COSO ERM framework. I think the ISO definitions are better and find their model much easier to understand than the infamous COSO cube.

Having said that, there is still value in the COSO work, including these two papers. Risk professionals, executives, directors, and internal auditors should read and consider both documents, but with their normal skeptical attitude — because while they are good they are not perfect (IMHO).

One of the problems I have with Embracing Enterprise Risk Management: Practical Approaches for Getting Started is that it doesn’t propose starting with a firm foundation — understanding what the organization wants to achieve with risk management. For example, it suggests starting with periodic assessments of a few top risks. But is that right for the organization? I have previously written about the need for organizations to include risk as they make decisions every day: they need to manage risk at the speed of business. Is it not wise to understand the nature and extent of risks to the business, and to the achievement of its strategies, goals, and objectives? What are the needs of the board and executive management when it comes to understanding and responding to risk? Can the organization afford to wait while risk management is built incrementally? If risks are changing rapidly and the organization needs to be able to respond quickly, is it reasonable to build risk management processes to support quarterly risk assessments? Perhaps something more dynamic is required, where management is trained to monitor risks on a frequent (if not continuous) basis, and to inject the consideration of risk into decisions every day.

My answer is to identify the more significant risks (not limited to a handful) and as part of the design of the continuing process consider how often I need to monitor and adjust as risks change.

The Getting Started document does not address the fact that risk management is not just about anticipating and preparing for potential adverse events. Risk management is about that, yes, but it is also about being ready to seize opportunities.

Where is the reference to technology? Recent advances in software for risk management have made building a robust risk management program (i.e., one that is able to identify and assess risks on a timely basis and drive prompt action) a great deal easier. As an example, the KRI discussed in the second paper can now be automated, linked to risk assessments, and drive workflow to act on any change in risk information.

Technology now enables firms to link risks and strategy, so that as risk levels change they can see the potential impact on achievement of their strategies and optimization of performance.

Risk management enables an organization to be agile: able to respond promptly as potential adverse events or opportunities appear. It also enables sustained, optimized performance: risk is considered in setting strategies and plans, and the monitoring and optimization of performance.

Will the Getting Started program set organizations on the path to achieving agile, sustained, optimized performance? I am not convinced it will work for most organizations. Instead, it may influence organizations to be satisfied with risk assessment by internal audit; risk assessments performed in silos – separate assessments by IT, finance, manufacturing, etc., without an enterprise view of risk across the organization; and occasional rather than continuous risk management.

Read it. Think about it. Consider its suggestions. It has some solid thinking (what I would expect from Mark and Richard). But, make sure you understand what you want your organization’s risk management program to look like, and what you want it to drive in terms of improved business performance, before you start developing the program. Have a plan and design before you build.

The Developing Key Risk Indicators to Strengthen Enterprise Risk Management paper has similar issues. There is, again, a lot of valuable discussion about KRI and their importance. But, my advice is to read it skeptically.

For example, it suggests asking risk owners to develop one or two KRI for each of their risks. While that may be a way to get started, it is essential that the KRI provide a clear picture of the level of risk. If you start with just one or two that may be easy to develop, will they provide that clear picture?

KRI are important. I like them but take a simpler approach: for each risk, how can I tell when the risk level is changing? What do I have to monitor and how? How reliable are the indicators?

The authors of the two guides are well-respected and knowledgeable academics (Richard Anderson had a fine first career with PwC). The information in the guides is valuable. But, this is not the entire story, and I suggest reading with a skeptical eye.

Most important is to ask yourself what you want ERM to achieve in your organization. Will this guidance get you there, or should you learn from it and adapt to your specific needs?

I welcome your opinion.


Posted on Jan 17, 2011 by Norman Marks


  1. Norman,

    I will take your comments one step further... If these papers do not begin in the right place, as you indirectly note, then how can they be valuable or contribute to Governance Risk Management Oversight? In my brief skimming of the material I feel the guidance is too complicated and perpetuates, without intending to, the siloed approach to risk management and oversight. It's possible my investigation was too brief.

    I too am a great fan of ISO 31000. For a company to have a better chance at achieving their objectives they need to fully see and understand risk. However, to accomplish risk transparency we first need to define what is "at risk", or we risk (excuse the pun) defining and rating many irrelevant hazards that have little to do with what the organization is trying to accomplish (no matter how sophisticated we make them). ISO 31000 clarifies the dependency of risk's very definition on the achievement of strategic and operations objectives. It subordinates risk to the business objective, which subordinates risk management to management in general. Therefore risk management becomes both the state of business objective management, and the inclusion of hazards-threats into business considerations.


    Ideal Risk Management Guidance would clarify Good Governance Expectations, Good Management Expectations (they exist today in business management philosophy) and the proper consideration of risk within these expectations. Only then would it recommend formal development of an Executive Level process for accumulating and reporting risk related detail... unfortunately we are still approaching this backwards by starting with the reporting expected and not considering how it flows out of natural accountable business mechanisms. I see little progress in integrating this approach without redundancy.

    May I suggest that a financial, assurance and analyst skill set is too narrow to reach this future. I would recommend COSO seek partnership with governance and business management organizations. We will not lose our importance or scope of impact by reaching outside, rather we will cement our opportunity to assist in better measuring risk management within the operational framework they define going forward.  

    My thoughts,

    Dan Clayton




  2. Norman:

    Many of the problems with this document (getting started with ERM) stem from the earlier errors in thinking in COSO 2004.  These errors in concepts are generally well understood by those not in the “COSO world” (e.g. the continued use of the concept of “inherent risk” which is both false and patently impractical). 

     There are some good bits of advice and if an organization had nothing else to refer to, this paper could point them in a direction that could ultimately lead to ERM, assuming the implementers realize and correct for the errors and omissions.  The problem is that many of these COSO-type ideas do lead down erroneous paths that can de-rail ERM implementation.

     It is unfortunate that the authors, although clearly sincere and well intentioned, do not reach outside of their relatively narrow theoretical world to take advantage of the demonstrably better (correct?) ways of doing ERM.

     I am left wondering whether this is intended to help new implementers or whether it is a brochure leading to readers feeling they need to hire consultants to help them as it is so complex and unclear what to really do. If this had been produced in 2004 when there were few real life examples to follow, it would have been understandable. Today, the vagueness should be considered unacceptable.

    (continued below)



    continued from above


    If you can provide me with the opportunity of writing a guest blog, I will be able to articulate all the major problems I see in this paper. From my perspective, it is a no-brainer to now gravitate to ISO 31000.

    Best regards,



  3. Arnold, you and I agree most but not all the time. For example, the concept of "inherent risk" is just fine. It's precisely the same as maximum exposure, or the exposure if related controls are not functioning at all. I don't mind which term is used as long as the concept is understood. A focus that is limited to residual risk does not allow an understanding of how great the reliance is on controls - the degree by which they reduce risk to current residual risk levels. I like the approach some internal audit departments take of considering that delta (the difference between maximum exposure and residual risk) when developing the audit plan.

    For example, Brisbane City Council works with the ERM to identify the gross exposure (G) and residual risk (R) levels. That means the effect of controls is to reduce risk by (G-R). Then, they use factors such as the results of the last audit, the level of turnover of management and staff, etc. to estimate their level of comfort that the controls are adequately designed and operating effectively. Let's say they estimate it at 80%. They will calculate an audit-adjusted-residual-risk level as G - 80%(G-R). They do that to all the risk areas to determine which are the greater business risks.

  4. Norman:

    I think that you are missing the point on inherent risks and I will be pleased to take it off line with you because this is one of the more complicated problems with the COSO ERM Framework. The context/premise for my remarks above on this document "getting started with ERM" is that the COSO-ERM Framework is "filled with deadly sins", an expression coined by a mutual colleague of ours and previously posted up as a blog. Of these 10-15 deadly sins, inherent risk referred to above was only one example (and not in itself "the straw that broke the camel's back"). The point is that the document just issued is just building on these sins. So either the sins need to be corrected or the framework and the resulting document above need to be scrapped.

    If I had to give my opinion on "the greatest sin of all" within the COSO ERM books of 2004, it is the failure to distinguish between the risk management process and the risk management framework. This simple yet complex statement has in itself produced a myriad of misunderstandings and non-value-added approaches - spin-offs of the COSO ERM approach. Internal auditors will continue to abandon the COSO ERM approach because quite simply "it does not leave you in a better place".


    Best regards,



  5. Arnold, thank you for sharing your views. Can you provide a link to our friend's blog about the deadly sins?

    While you and I believe (perhaps for different reasons and to different extents) that the ISO standard is better than the COSO ERM framework, I don't believe this is the best place for such a discussion. May I suggest that you team with a COSO advocate and write a point-counterpoint article?

    Perhaps we can leave this discussion with an agreement that the community would be better off if the groups 'owning' the various standards (including BIS and others) would initiate a convergence project. We need a single set of agreed-upon terms and language, a single standard and framework, etc.

  6. Norman, I like your last suggestion a lot. Because of the different perspectives each of the constituents have and roles at play in ERM, it seems that any single entity, even with designed cross pollination of participants, comes up with guidance and standards that have limited appeal and relevance to other real life perspectives, as you and Arnold have clearly pointed out. With the diversity of perspectives relative to ERM, GRC and other similar concepts and approaches, the community of thought leadership should at minimum strive for achieving the 80/20 rule. If 80% can agree then we have truly created a consistent method that can benefit the majority of stakeholders and improvements will more likely occur.

    Ultimately, although not singularly, COSO, ISO, AICPA, OCEG, SCCE, BITS and other organizations are trying to create resources to help businesses and individuals. There must be a realization that some of what is being preached or conveyed through their respective resources may be creating conflict and confusion in the business and academic communities. I really don't think we will see total agreement among these parties on the overlaps, and perhaps the business world is big enough for all of them. This diversity and our ability to learn and make our own decisions is what makes us great - not a singular (Right) approach. With any guidance or set of standards, we must all learn and adapt, not simply follow the recipe. Which is a great analogy in cooking. Do a search on grilling steaks and you will find many different recipes. A person reads and selects the recipe that they feel best about and may even make some changes of their own. When the meal is completed and if you are satisfied with the outcome, you will have confidence in what you have accomplished. This is by and large how most of these organizations and standards were started in the first place.
