COSO 2013 moves in the right direction

Many organizations base their Sarbanes-Oxley (SOX) documentation on COSO’s Internal Control – Integrated Framework. This publication was originally issued in 1992 and significantly updated in 2013. In the next year these organizations must update their financial reporting internal control documentation and testing to match the newly updated framework.

This major update adds 17 newly articulated principles which support the 5 already-existing components of internal control. These new principles must all be present, functioning, and working together in order to achieve an effective system of internal controls.

In my view, an organization cannot accomplish 12 of these 17 new principles without a functioning performance and risk management environment. That’s a good thing – it seems that COSO is now heading in the right direction. Internal control isn’t simply about having a certain set of control processes. It’s about having an environment that assures an organization is meeting its performance and control objectives.

Having an effective  performance and risk environment is a little bit like having a good exercise program. Everyone knows that it’s a good idea. Sometimes we’re too lazy to do what we know we should do. But there is no doubt, once it’s in place, that we’re extremely better off because of it.

It’s time to think of COSO 2013 like a doctor’s “wake up” call. Let’s stop paying lip service to managing risk and performance; let’s actually do it.  The group at Risk Leader ( has a new approach that links risk management with performance management. They call it, not so surprisingly, Performance Risk Management and their idea is that risk management is not a separate stand-alone activity. It has a clear and distinct purpose as part of an organization’s normal management activities — to help an organization achieve its objectives better, faster, and more completely. It seems to me that a system like this solves two issues for COSO 2013:

  1. It is a risk and performance environment that, by its very existence, directly supports the organization’s ability to meet 12 of the new principles relating to organizational performance and risk management, and
  2. Because it is a risk and performance environment, it can be used to identify, assess, and monitor financial reporting risk

So is this (or something like it) the way to go for COSO 2013? I think that the accounting and investing communities expect an organization to have a real performance and risk management in place. COSO 2013 is merely reflecting this. Good job.


Risks have attributes, not categories

People like to categorize as I wrote in my prior post. But a question was left hanging — are there categories of risk? That depends on what we mean what we talk about categories.

One way of thinking about categories is to envision a number of “buckets” and every risk must fall into one of these buckets. This was where people think about whether a risk is a “Strategic Risk”, “Compliance Risk”, “Reputational Risk”, “Financial Reporting Risk”, etc. The problem with this approach is that there is an underlying assumption that the risk must be exist in only one category. Unfortunately, no matter how many buckets you come up with, sooner or later you’ll come up with a new item that doesn’t fit neatly into one of the buckets. So you create a new bucket. But then you discover that a risk that you earlier dropped into a different bucket now fits better in this new bucket. In short, this is an approach that simply doesn’t work very well because it is very difficult, probably impossible, to create a complete and exclusive system of categorizing risks in any meaningful way.

A better way of thinking about risks is through “attributes”. Rather than going through a mental process of depositing each risk into a specific bucket (which requires a sense of mutual exclusivity), consider instead what practical questions you might want to answer about your risks. What “knowledge” do you want to create?

Perhaps you will, in the future, want to know which risks occur simply because a computer is used as part of the process (e.g. “garbage in / garbage out”). Or perhaps, you want to know which risks occur simply because you choose to outsource a process to a third party (e.g. “insecure storage of sensitive data”). Or perhaps you want to know which risks might occur because of internal fraud (e.g. “expense reimbursement for the wrong amount”).

Notice that one or more of these attributes might apply to any particular risk. So, you can’t simply drop the risk into the “third party risk” bucket. It also needs to exist in the “IT risk” and “internal fraud” buckets. This is where it becomes necessary to eliminate  the idea of “buckets” think of “attributes”. Attributes are like standard sticky notes that you can attach to any risk, or perhaps  many risks.

Then, when you want to understand your risks better, this approach allows you to see see those risks that have the “internal fraud” attribute attached. Or, you can see those risks that have an “IT” attribute. Some risks will be in both lists.

This approach provides much more flexibility than going with an exclusive bucket approach.

If you don’t agree, I would love to hear your views.

The Sarbanes-Oxley lesson: doing it wrong is very expensive

One of the lessons from Sarbanes-Oxley was the sheer waste of time and energy for those organizations that tackled it the wrong way. Admittedly most organizations tried to be thoughtful and creative in addressing SOx. Some recognized that SOx requirements were not significantly different from what they were (should have been) already doing. However, given the relatively small amount of time for implementation and the very large downside, it was often approached as a ‘compliance’ issue rather than a ‘management information’ issue. It should have  been approached as a relatively easy re-design of management reporting to include  existing organizational knowledge about the internal control environment.

Public accountants and other consultants bear substantial blame for this. The CPAs were feeling pressure from their governing bodies to assure ‘compliance’ with SOx. This sometimes meant that they were in a less-than consultative mood with their clients. And third-party consultants, of course, were ready to accept fees and help assure that these public companies satisfied the requirements imposed by their public accountants.

Now let’s move forward a few years.

Many organizations are moving, in some way, into risk management. The reasons can vary … regulators are becoming more insistent, the governing board has indicated that they want it. Or, perhaps, executive leadership is intrigued by what they imagine risk management can provide to help them better run their organization.

One thing that organizations need to avoid is treating risk management implementation like they may have treated  Sarbanes-Oxley implementation. There is a natural temptation to presume that risk management is a side-project that the organization simply must accomplish and move past. There may be a presumption that there is a checklist that, once completed, will provide a risk management environment. In fact, there is … but only at a very high level. There are specific objectives that need to be achieved in order to implement risk management. But each of those objectives needs a strategy that is specific to each organization.

For those organizations considering a more formalized approach to risk management, there are three options:

  1. Spending: Creating a  risk management program that provides little value beyond the fact of its existence.
  2. Waiting: Doing nothing formal and continuing to rely on the management team to manage risk in an ad-hoc manner.
  3. Investing: Thoughtfully design and implement a risk management environment that will continually pay dividends in better organizational information and decision making.

The worst of these options is the first – spending money with little or no payback. The biggest damage is the illusion but no substance of risk management that is often created through a weak program.

The other two options are simple cost/benefit. If management believes that the organization can’t afford to improve its ability to make better decisions and achieve its objectives, it may be better to wait and not invest in risk management. However, if executives believe that the organization needs to perform better and achieve results faster then risk management is definitely a tool that they need to consider.

My advice – executive leadership should firmly reject any weak risk management process. Spending money with no clear payback is irresponsible.

Instead,  executives must consider carefully the cost and benefit of  risk management. Bring in advisers who can guide management in understanding, at a business level, the costs and benefits of risk management. Then make a decision of either waiting or investing.