COSO 2013 moves in the right direction

Many organizations base their Sarbanes-Oxley (SOX) documentation on COSO’s Internal Control – Integrated Framework. This publication was originally issued in 1992 and significantly updated in 2013. In the next year these organizations must update their financial reporting internal control documentation and testing to match the newly updated framework.

This major update adds 17 newly articulated principles which support the 5 already-existing components of internal control. These new principles must all be present, functioning, and working together in order to achieve an effective system of internal controls.

In my view, an organization cannot accomplish 12 of these 17 new principles without a functioning performance and risk management environment. That’s a good thing – it seems that COSO is now heading in the right direction. Internal control isn’t simply about having a certain set of control processes. It’s about having an environment that assures an organization is meeting its performance and control objectives.

Having an effective  performance and risk environment is a little bit like having a good exercise program. Everyone knows that it’s a good idea. Sometimes we’re too lazy to do what we know we should do. But there is no doubt, once it’s in place, that we’re extremely better off because of it.

It’s time to think of COSO 2013 like a doctor’s “wake up” call. Let’s stop paying lip service to managing risk and performance; let’s actually do it.  The group at Risk Leader ( has a new approach that links risk management with performance management. They call it, not so surprisingly, Performance Risk Management and their idea is that risk management is not a separate stand-alone activity. It has a clear and distinct purpose as part of an organization’s normal management activities — to help an organization achieve its objectives better, faster, and more completely. It seems to me that a system like this solves two issues for COSO 2013:

  1. It is a risk and performance environment that, by its very existence, directly supports the organization’s ability to meet 12 of the new principles relating to organizational performance and risk management, and
  2. Because it is a risk and performance environment, it can be used to identify, assess, and monitor financial reporting risk

So is this (or something like it) the way to go for COSO 2013? I think that the accounting and investing communities expect an organization to have a real performance and risk management in place. COSO 2013 is merely reflecting this. Good job.


The Sarbanes-Oxley lesson: doing it wrong is very expensive

One of the lessons from Sarbanes-Oxley was the sheer waste of time and energy for those organizations that tackled it the wrong way. Admittedly most organizations tried to be thoughtful and creative in addressing SOx. Some recognized that SOx requirements were not significantly different from what they were (should have been) already doing. However, given the relatively small amount of time for implementation and the very large downside, it was often approached as a ‘compliance’ issue rather than a ‘management information’ issue. It should have  been approached as a relatively easy re-design of management reporting to include  existing organizational knowledge about the internal control environment.

Public accountants and other consultants bear substantial blame for this. The CPAs were feeling pressure from their governing bodies to assure ‘compliance’ with SOx. This sometimes meant that they were in a less-than consultative mood with their clients. And third-party consultants, of course, were ready to accept fees and help assure that these public companies satisfied the requirements imposed by their public accountants.

Now let’s move forward a few years.

Many organizations are moving, in some way, into risk management. The reasons can vary … regulators are becoming more insistent, the governing board has indicated that they want it. Or, perhaps, executive leadership is intrigued by what they imagine risk management can provide to help them better run their organization.

One thing that organizations need to avoid is treating risk management implementation like they may have treated  Sarbanes-Oxley implementation. There is a natural temptation to presume that risk management is a side-project that the organization simply must accomplish and move past. There may be a presumption that there is a checklist that, once completed, will provide a risk management environment. In fact, there is … but only at a very high level. There are specific objectives that need to be achieved in order to implement risk management. But each of those objectives needs a strategy that is specific to each organization.

For those organizations considering a more formalized approach to risk management, there are three options:

  1. Spending: Creating a  risk management program that provides little value beyond the fact of its existence.
  2. Waiting: Doing nothing formal and continuing to rely on the management team to manage risk in an ad-hoc manner.
  3. Investing: Thoughtfully design and implement a risk management environment that will continually pay dividends in better organizational information and decision making.

The worst of these options is the first – spending money with little or no payback. The biggest damage is the illusion but no substance of risk management that is often created through a weak program.

The other two options are simple cost/benefit. If management believes that the organization can’t afford to improve its ability to make better decisions and achieve its objectives, it may be better to wait and not invest in risk management. However, if executives believe that the organization needs to perform better and achieve results faster then risk management is definitely a tool that they need to consider.

My advice – executive leadership should firmly reject any weak risk management process. Spending money with no clear payback is irresponsible.

Instead,  executives must consider carefully the cost and benefit of  risk management. Bring in advisers who can guide management in understanding, at a business level, the costs and benefits of risk management. Then make a decision of either waiting or investing.