In: Accounting
What two reasons can be attributed to the less than enthusiastic reception of the COSO ERM Framework?
1. Published during the same year as SOX, criticized for being too specific
2. Published during the same year as SOX, criticized for being too general
3. Published during the same year as the Foreign Corrupt Practices Act, criticized for being too general
Pick one.
COSO is to be congratulated on a document that was produced with public consultation and tries hard to recognize a wide variety of alternative ways to manage risk. It shows great knowledge of risk management techniques and contains many interesting examples.
Unfortunately, with two volumes totaling 246 pages, it is so large that it is hard to see how every part of it can have received adequate comment during the consultation phase. Although the published documents reveal that there were 78 responses to the consultation, the responses themselves have not been made public, so we cannot know how much of the documents was seriously considered.
My impression of the two volumes is that there are a lot of ideas there that are new or different from usual practice, and some distinctions that will not be understood by most readers. For example, many people will not notice on initial reading that "risk tolerances" do not relate to risks (because there is no element of uncertainty). The distinction between "risk responses" and "control activities" will also be confusing.
In short, the ERM framework is far too big for a first version. Not surprisingly, it contains some obvious technical flaws. For example, although keen to talk about "opportunities," it doesn't have the logic worked out properly and the crucial paragraphs on what to do with them are unclear. The document explains that if an event happens that is favorable, then this is an opportunity that is sent to strategic planning so that plans can be made to take the opportunity. There is no such comment on what happens if an event happens that is unfavorable. Does that mean plans are left unchanged?
The crucial paragraphs on what happens to upside risks are unclear. My best guess is that some get taken out of risk management to be looked at elsewhere, while others stay in risk management. This appears to exclude the possibility of integrated uncertainty management that deals with both unexpected good and bad events in one approach.
Another problem is the many examples of rating risk items for their probability and impact. When risk register items are rated using (1) a number for probability of occurrence, and (2) a number for impact on occurrence, their risk is systematically understated. It is hard to see the problem when ratings are as rough as High/Medium/Low, but when numbers are given, the fault is obvious.
2. Published during the same year as SOX, criticized for being too general