More to Risk Management Than COSO ERM

BY ARNOLD H. SCHANFIELD, CPA, CIA, CFE

The authors of “ERM: Opportunities for Improvement” (Sept. 09, page 28) discuss and reference only the COSO ERM Framework.

 

The body of risk management knowledge includes many other sources, including lectures and books from recognized thought leaders, such as Robert Shiller, Nassim Taleb and others; at least 15 professional risk-related organizations such as the Casualty Actuarial Society, the Federation of European Risk Management Associations, the Global Association of Risk Professionals, and the Institute of Internal Auditors; and at least 15 other risk-related frameworks, including ISO 31000 and AS/NZS (Australian/New Zealand standard) 4360:2004. The authors suggest a COSO-driven risk management process without any regard for this body of knowledge. Why?

 

These are some of the problems with the COSO ERM Framework:

 

  • It is 125 pages long as compared to 28 and 24 pages, respectively, for AS/NZS 4360:2004 and ISO 31000—too cumbersome for the average professional.
  • It uses lengthy paragraphs instead of easy-to-read bullets with far fewer words.
  • The ERM definition in the COSO framework is 62 words—missing commas with run-on sentences. It should be bulleted, at a minimum. Compare its verbose definition with that from ISO 31000: “All activities in an organization involve risks that must be managed. The risk management process aids decision making by taking account of uncertainty and the possibility of future events or circumstances (intended or unintended) and their effects on agreed objectives.” The definition in AS/NZS 4360:2004 is similarly easy to follow.
  • It contains in excess of 100 principles of an effective ERM system.
  • The upside of risk is not well-considered in the COSO framework, but it is considered in the other frameworks.
  • The application ERM book contains numerous examples that are unintegrated into one flowing case.

 

In the past several years we have witnessed an implosion of companies, wasted significant expenditures on excessive Sarbanes-Oxley implementation efforts, and made little progress in implementing ERM in the United States. It is difficult to comprehend why an entire body of risk management knowledge has been ignored. In the final analysis, a company’s stakeholders pay the price for the inability of the various risk professions to “drive in unison” what is best for a company. Just as many professions have one voice that speaks for the profession, so do we need one for the risk profession.

 

We need a vast improvement in learning and sharing among the different risk organizations. It is time that COSO dropped its armor and began to network with the rest of the risk management community and vice versa. There are many individuals within an organization—both CPAs and non-CPAs—who are involved in the risk management process. Implementation of risk management practices in the United States should follow one of the two frameworks suggested above, while the COSO ERM Framework, unless rewritten, can perhaps still be used as a reference guide. Incidentally, ISO 31000 will be released in final form shortly after the new year.

 

Arnold H. Schanfield, CPA, CIA, CFE

Fort Lee, N.J.

 
