By Tim J. Leech – Managing Director at Risk Oversight Solutions Inc
Boards can be excused if they are growing increasingly weary of the exponential explosion of new things they are being told they should read and do. The list seems to grow each year as regulators and standards-setters tell boards they must oversee yet another dimension of business more rigorously, more transparently, more aggressively or, simply put, better.
The enactment of the Sarbanes-Oxley Act (SOX) in 2002 in the US is a classic example of this trend. Following a perfect storm of corporate failures and scandals, US Congress concluded boards were not doing enough to oversee risks to the goal of reliable financial statements. The Dodd-Frank act in the US was added shortly after SOX. It runs to more than 800 gruelling pages.
The global financial crisis of 2008 resulted in regulators around the world concluding boards were still not doing enough to oversee financial risk. This conclusion resulted in enactment of thousands of pages of new laws and regulations with a heavy focus on board oversight of risk and, more recently, oversight of what is increasingly referenced as culture risk., Now boards are being bombarded with messages indicating they need to do a better job overseeing cyber risk. More high-profile governance disasters, such as Target and Equifax, will likely result in a new round of regulatory intervention to address cyber risk as yet another silo with a heavy focus on the importance of board oversight.
How can boards and directors cope with expectations?
COSO (Committee of Sponsoring Organisations), a US-based committee comprised primarily of accounting and auditing association members, decided three years ago that an update to its 2004 Enterprise Risk Management (ERM) guidance was needed to help boards and companies discharge rapidly expanding ERM and board oversight expectations. After two years of research, consultations, deliberations, debates, criticisms and a June 2016 exposure draft that was followed by another year of revisions, COSO released its newest guidance Enterprise Risk Management: Integrating With Strategy And Performance in August of 2017. The executive summary is 16 pages long but not particularly helpful to boards that want to know specifically what needs to change. The full COSO ERM guidance is a daunting 200-plus pages in length. This article focusses on a simple question: In a world where board oversight expectations and guidance are proliferating exponentially, should boards know and care about this new and lengthy COSO ERM guidance? The short answer is YES – but perhaps not for the reasons many directors might think.
A positive endorsement of a COSO work product is not a conclusion I have arrived at lightly. I have been highly vocal and critical of COSO outputs in the past, particularly COSO’s 1992 and 2013 internal control frameworks. I have often and very publicly called COSO’s internal control frameworks sub-optimal at best, even potentially dangerous.
The real reason boards should care about the new COSO ERM guidance is that important institutional investors controlling many trillions of dollars are increasingly saying they want evidence that companies and CEOs are defining strategic objectives that will drive long-term value and, most importantly, demanding evidence that boards are overseeing risks to those strategies. Simply put, how institutional investors perceive a company’s risk management framework and the board’s oversight of risk management is now significantly influencing share price.
COSO ERM 2017 is the first authoritative framework to focus and provide some guidance on the critical role of risk management to long-term value creation and preservation. Many ERM frameworks that companies have implemented globally have not done a good job of focussing on strategic value creation objectives – objectives many highly influential institutional investors now consider key to long-term success. Unfortunately, in addition to not putting much focus on top strategic objectives, many risk-centric/risk-register based ERM initiatives have also failed miserably at identifying key risks to top- value preservation objectives, including reliable financial statements, compliance with the law and data security.
A letter from Larry Fink, CEO of BlackRock – the largest money manager in the world with more than $5.1trillion assets under management – sent on 1 February 2016 to thousands of CEOs of the biggest companies in the world is a good proxy for the movement.
It read: “We are asking that every CEO lay out for shareholders each year a strategic framework for long-term value creation. Additionally, because boards have a critical role to play in strategic planning, we believe CEOs should explicitly affirm that their boards have reviewed these plans. BlackRock’s corporate governance team, in their engagement with companies, will be looking for this framework and board review.”
In August of 2017 a similar letter to CEOs was issued by F. William McNab, CEO of Vanguard, another investment management behemoth. In that letter McNab states: “We believe that well-governed companies are more likely to perform well over the long run. To this end, we consider four pillars when we evaluate corporate governance practices: (1) The board: A high-functioning, well-composed, independent, diverse and experienced board with effective ongoing evaluation practices. (2) Governance structures: Provisions and structures that empower shareholders and protect their rights. (3) Appropriate compensation: Pay that incentivises relative outperformance over the long term. (4) Risk oversight: Effective, integrated and ongoing oversight of relevant industry- and company-specific risks”
“More high-profile governance disasters, such as Target and Equifax, will likely result in a new round of regulatory intervention to address cyber risk as yet another silo with a heavy focus on the importance of board oversight”
McNab goes on to state: “Directors are shareholders’ eyes and ears on risk. Risk and opportunity shape every business. Shareholders rely on a strong board to oversee the strategy for realising opportunities and mitigating risks. Thorough disclosure of relevant and material risks – a key board responsibility – enables share prices to fully reflect all significant known (and reasonably foreseeable) risks and opportunities.”
COSO gets it right — this time
As someone who has worked with organisations globally to implement ERM frameworks for more than 30 years and invested more than 40 hours authoring a highly critical response to COSO’s June 2016 ERM exposure draft, I have very publicly endorsed this new COSO ERM release in a growing number of presentations, articles and social media posts – to the surprise of many, including Institute of Internal Auditors CEO Richard Chambers, as he openly declared in this Tweet:
A summary of the 20 principles contained in the new COSO ERM framework is reproduced below. Readers can get the executive summary as a free download. The full COSO ERM framework guidance is a hefty $150.
What I like most about COSO ERM 2017
The main theme of the report is that an effective ERM framework should start by defining an organisation’s most important business objectives after evaluating alternative strategies (principles 8 and 9); then identify and assess risks to those objectives, including identifying and evaluating the full range of risk responses (principles 10-13); and, perhaps most importantly, link risk assessment to the best available performance information (principle 16). Institutional investors around the world are increasingly demanding evidence of top strategic value creation objectives are being defined, assigned, risk assessed and overseen by the board of directors. I believe, based on my 30-plus years of global experience, that many organisations that have claimed to have effective ERM frameworks have not focussed on strategic long-term value creation objectives or linked their risk assessments to objectives and performance.
After watching how hundreds of thousands of organisations globally have publicly claimed to have implemented ERM by creating and maintaining risk registers/risk lists, the COSO shift to more clearly endorsing ‘objective-centric’ ERM and supporting the view that all risk assessments should be linked to objectives and performance, is such an important development that it causes me to give COSO ERM 2017 my endorsement, in spite of still having some major unresolved concerns. COSO, although heavily influenced by consultants that have made billions of dollars helping to install risk-register/risk-list based ERM around the world and senior management that want less regulatory intervention not more, has stated, for the record, that risk-centric/risk-register approaches to ERM are the least integrated and, arguably, least effective form of ERM.
For those that want to know more about the business case for the objective-centric approach to ERM we promote, see my Ethical Boardroom Spring 2017 paper Building Businesses For The Long Term: Focussing ERM and Internal Audit On What Really Matters – Long Term Value Creation And Preservation and the July 2017 conference Board Directions notes Board Oversight Of Long-Term Value Creation And Preservation: What Needs To Change?. The ERM approach recommended in these papers is aligned with the core theme of COSO ERM 2017, but goes well beyond it.
What I dislike most about COSO ERM 2017
1. No guidance how to transition from risk-centric to objective-centric ERM
COSO has done little to define how the large majority of organisations that have been risk centric and have used risk registers as their ERM foundation, should transition to the objective-centric approach to ERM that COSO now apparently favours.
Ironically, COSO ERM 2004 is very likely one of the primary causes of global adoption of risk registers as a foundation, for ERM. There are hundreds of thousands, perhaps even millions of organisations, that claim to be using COSO ERM 2004 and/or ISO 31000 global risk management standard that have held annual or semi-annual interviews and/or risk workshops, populated and maintained risk registers, and provided periodic risk profiles and risk maps to senior management and the board with little linkage to the objectives most key to top long-term value creation objectives or actual performance that call their approach ERM and claim they use COSO ERM guidance.
We reference methods that use risk registers as a foundation for their ERM framework as being risk centric. In spite of many denials from the authors/sponsors, I believe COSO’s 2004 ERM framework and ISO 31000 2009 have caused many to believe that these risk registers/risk lists and risk heat maps, largely drawn from simply asking people what they see as the biggest risks to something, qualify, at least for regulatory purposes, as having an effective ERM framework.
Unfortunately, or fortunately, depending on your perspective, many securities and financial sector regulators around the world also appear to have agreed and allowed these risk register/risk heat map approaches to risk management to get a passing grade as effective ERM frameworks. Unfortunately, many of these risk-centric/risk-register based approaches endorsed by regulators have failed massively in thousands of high-profile cases resulting in trillions of dollars of damage to investors and other stakeholders.
2. No guidance about what the role of the internal audit should be and what internal audit needs to do differently to fill that role
The new COSO guidance says little about what the role of internal audit should be in an effective ERM framework, in spite of pleadings in my September 2016 comment letter to COSO for more guidance on this dimension. Objective-centric ERM, at least as we envision it with active involvement of the C-suite and board, unlike the very popular and dangerously incomplete three lines of defence approach, defines five key roles. The focus of effective ERM should not be fixated on defence but a balanced focus on how to better achieve top value creation and preservation objectives while still operating within the organisation’s risk appetite/tolerance. A visual depiction of roles when ERM focusses on both top value creation as well as value preservation objectives is shown above in the Five lines of assurance diagram below.Unfortunately, I believe that the vast majority of internal audit departments are not currently equipped to provide boards with reliable opinions on the effectiveness of management’s ERM frameworks. The reason is simple: the vast majority of internal auditors today cannot themselves complete reliable risk assessments that consider the full range of risk responses/risk treatments and many have believed and reported to their boards that having/using a risk-centric/risk-register approach that has not put much focus on top strategic objectives constitutes having an effective ERM framework.
I recently asked a room full of senior level risk specialists and internal auditors how many in the room have had even one day of formal training on risk financing/insurance coverage or using contract clauses to transfer/share risk. The answer: none. How can internal audit be expected to grade how well management is doing risk management when they lack the knowledge to do it themselves? Most internal auditors have only been trained on internal controls. Internal controls are only one form of risk response/risk treatment, a response that focusses on risk mitigation with little regard for risk transfer/share/avoidance/acceptance.
Many internal auditors don’t know how, or even think it is important, to link risk assessments to top value creation and preservation objectives or performance. COSO has acknowledged that its internal control framework is only a subset of the full range of risk responses and is not suitable risk response guidance in an effective ERM framework. The new COSO guidance states on page 36 of 202: “Enterprise risk management incorporates some concepts of internal control. ‘Internal control’ is the process put into effect by an entity to provide reasonable assurance that objectives will be achieved. Internal control helps the organisation to identify and analyse the risks to achieving those objectives and how to manage risks. It allows management to stay focussed on the entity’s operations and the pursuit of its performance targets while complying with relevant laws and regulations. Note, however, that some concepts relating to enterprise risk management are not considered within internal control (e.g. concepts of risk appetite, tolerance, strategy and objectives are set within enterprise risk management but viewed as preconditions of internal control).”
COSO, in spite of some very significant conflicts of interest, needs, as the expression says, to ‘come clean’ and go much further. COSO needs to state that internal control assessments that focus only on risk mitigation as a mechanism to treat/respond to risk are technically flawed and potentially dangerous. Traditionally, many internal control assessments have focussed heavily on mitigating risks, often skipping the step of actually identifying relevant end result objectives; seriously identifying and analysing using multiple fact-based methods identifies significant risks to those objectives and related risk likelihood and risk consequence; linking significant risks to the full range of risk treatments in place/use; describing a picture of the current residual risk status; and identifying the best available performance data linked to the current risk treatment/response design.
3. COSO claims ERM covers all forms of objectives and related risks but not risks to the objective of reliable financial statements or other value preservation objectives where traditionally internal controls assessments have been used.
In response to numerous calls for clarity on the relationship between ERM frameworks and internal control frameworks and why ERM cannot/should not be used for objectives like reliable financial statement, IT security and other traditional audit focus areas, COSO ERM 2017 authors (PwC) provide a rationalisation on The Relationship Of Enterprise Risk Management To Internal Control (see the panel below).I am sorry to say, but as an attempt to provide a reasonable and well-supported rebuttal of why ERM can and should be used by organisations around the world, but not for certain types of objectives that have traditionally been the subject of internal and external audit evaluation (such as SOX section 404 and other areas where internal and external auditors have conducted internal control assessments) this explanation is nonsensical at best, ridiculous at worst. I can only conclude that conflicts of interest are preventing COSO from clearly stating that the core ERM framework can and should be used for all types of important value creation and preservation objectives, including the important value preservation goal of producing reliable financial disclosures. Only then can the goal of ERM driving better and more efficient resource allocation be achieved. Refusing to admit corporations around the world all regularly take risks linked to the goal of publishing reliable financial statements is ludicrous.
ERM-based approaches, particularly ERM that links objectives, risks, risk treatment/responses and residual risk status, has potential to produce much more reliable conclusions from external auditors and management on reliability of financial statements and security of data than the current internal control assessments.
What CEOS and boards need to do now
In the wake of the issuance of the new COSO ERM guidance, CEOs and boards need to be ask two simple questions. Are we using an integrated/strategic ERM framework focussed on our top strategic value creation and preservation objectives consistent with the vision COSO ERM 2017 has painted? And, of even greater importance, is it the type of enterprise risk management framework major institutional investors now expect? Even if that is the only thing COSO ERM 2017 accomplishes with this new guidance, it is a major step forward in the pursuit of better risk governance globally.
About the Author:
For more than 25 years, Tim Leech – Managing Director at Risk Oversight Solutions Inc has helped hundreds of public and private organisations find better, more cost-effective risk management and risk oversight solutions to meet emerging expectations. His analysis of where the risk and assurance profession and public and private organisations should be headed has regularly been proven correct by world events.
1.See Conference Board Director Notes article The Next Frontier For Boards: Oversight Of Risk Culture, Parveen Gupta and Tim Leech, 2015.
2.See new NACD Blue Ribbon Commission report Culture As A Corporate Asset
3.See Board Cyber Risk Oversight: What Needs To Change? Lauren Hanlon and Tim Leech, 2016 Wiley Handbook of Board Governance.
4.COSO is comprised of five members – Association of Certified Public Accountants, Institute of Management Accountants, Institute of Internal Auditors, Financial Executives Institute, American Accounting Association.
5.For an example, see COSO: Is ‘It’ Fit For Purpose?, Tim Leech, Wiley, Governance, Risk And Compliance Handbook: Technology, Finance, Environmental and International Guidance And Best Practices
6.Text of Larry Fink’s 2016 Corporate Governance Letter to CEOs, February 1, 2016,
7.Text of a August 31, 2017 letter from F. William McNabb, CEO of Vanguard Investments to CEOs
8.Comments on the June 2016 COSO draft Enterprise Risk Management: Aligning Risk With Strategy And Performance, Tim J. Leech, September 7, 2016 as at Oct 10 2017
9.Ibid, page 8 of 9.
10.Three Lines of Defense vs Five Lines of Assurance: Elevating the Role of the Board and CEO in Risk Governance, Lauren Hanlon and Tim Leech, Handbook On Board Governance, Richard Leblanc editor, Wiley 2016
11.Note: COSO uses the term ‘risk responses’ and ISO 31000 and ISO GUIDE 76 use the term ‘risk treatments’
12.From the COSO Enterprise Risk Management Framework, ©2017 COSO. Used by permission. All rights reserved.
13.Enterprise Risk Management: Integrating Strategy and Performance, COSO June 2017, Page182/202