It took me many days to finish, but in the end I did it. I read the full COSO ERM 2017. I did not just skim the text; I read every page, every word. Here are my thoughts:
High-level comments
COSO ERM 2017 is quite paradoxical, in the sense that, on the one hand, it is extremely long (257 pages), and on the other, it never goes into sufficient detail to explain the ideas it presents in any comprehensive way.
If I were to summarize COSO ERM in one picture, it would probably be the picture above the article. COSO ERM 2017 is painfully obvious, with no innovation. In fact, if you have been working in risk management for a while, have successfully integrated risk analysis into some key decisions and processes, use proper quantitative risk analysis tools, and are familiar with how cognitive biases affect decision making, then you will feel COSO ERM is a step back, not the improvement many claim. COSO ERM 2017 is a huge improvement on COSO ERM 2004, they say. True. However, this is not a credit to COSO ERM 2017; it's merely an indication of how horribly bad COSO ERM 2004 was.
Here is a diagram that explains where COSO ERM 2017 sits on the maturity spectrum:
Yes, the new framework's link between risk and performance is BETTER than just doing a list of risks. And if it were 2005 I would be super excited. But it's not. In 2017 most risk managers I know use at least some form of risk modelling, decision trees, scenarios and simulations, and they have linked risk management not only to strategy and performance management (as PwC suggests in COSO), but to many other business activities and most significant decisions as well. These tools and approaches have been around since the 1970s and still outperform all the new "best practices" by a landslide.
PwC is quite clever: the framework does mention both cognitive biases and simulation techniques, acknowledging that they exist and are important. I am not buying it, however; this was clearly done as a cop-out more than anything else.
Plus, COSO ERM 2017 still loses to ISO31000:2018. It has the same or similar messages, but in a package that is painful to read. In the detailed comments you will find a lot of Captain Obvious-type quotes from the framework.
All in all, the professional community would not even notice if COSO ERM never existed. Rant over. Now let's put our pragmatic hats on. Since it does exist, let's use it to our advantage. Here is what COSO ERM 2017 can be used for:
- using it as an argument to initiate a change project to move away from quarterly risk assessments, risk reports and risk mitigation plans to integrating risk analysis into the actual decision-making process (watch this on how to sell risk management: https://www.youtube.com/watch?v=3MbJLkSlbU4)
- using sections and good messages from COSO ERM 2017 to reinforce the changes you have been proposing for a while, which were ignored by management
- showing how COSO ERM 2017 reinforces the work you were already doing
- justifying whatever good risk management you were doing
- getting attention from the Board or Audit Committee
- opening the door to the strategic planning process (you had better have your Monte-Carlo methodology set and ready to go before integrating into strategic planning; read this article about integration into strategy: https://riskacademy.wordpress.com/2017/03/16/4-steps-to-integrate-risk-management-into-strategic-planning/)
- shutting up the auditors or consultants who were selling risk registers, risk management framework documents and risk appetite statements.
That’s probably it. If you want to learn new ideas you are better off participating in some of the webinars we run every week: https://riskacademy.wordpress.com/free-webinars/
The first thing you notice when reading COSO ERM 2017 is that it is less about risk management and more about corporate governance and management in general. As such, it should be benchmarked not only to ISO31000 but also to the King IV report on corporate governance and any other governance code relevant to your country.
Yet again, paradoxically, while risk is not the focal point of the document overall, whenever it is the focal point (principles 7, 11, 12, etc.) the authors seem to teleport back to 2005 when writing about risk management.