How COSO Destroyed Risk Management

“The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

The National Commission was sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). Wholly independent of each of the sponsoring organizations, the Commission included representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

COSO’s goal is to provide thought leadership dealing with three interrelated subjects: enterprise risk management (ERM), internal control, and fraud deterrence.”

This excerpt has been taken directly from the COSO Internal Control – Integrated Framework, dated December 2011.

COSO has been adopted by regulators, industry and financial services as the “gold standard” along with its counterpart, ISO 31000, as a leading framework for designing, implementing and evaluating the effectiveness of internal control.  In 2004, COSO expanded its mandate to include Enterprise Risk Management – Integrated Framework and in its words, “In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide approaches to risk management.”

COSO’s Enterprise Risk Management – Integrated Framework lists its keys to success as:

1. Support from the top is a necessity
2. Build ERM using incremental steps
3. Focus initially on a small number of top risks
4. Leverage existing resources
5. Build on existing risk management activities
6. Embed ERM into the business fabric of the organization
7. Provide ongoing ERM updates and continuing education for directors and senior management

COSO further suggests the initial steps and objectives for embracing ERM:

1. Seek Board and senior management leadership, involvement and oversight
2. Select a strong leader to drive the ERM initiative
3. Conduct the initial enterprise-wide risk assessment and develop an action plan
4. Establish a management risk committee or working group
5. Inventory the existing risk management practices
6. Develop your initial risk reporting
7. Develop the next phase of action plans and ongoing communications

COSO goes on to offer an example of a strategic risk profile using risk criteria such as likelihood, impact, velocity, readiness and priority to assess each strategic risk.

COSO moved beyond its role of suggesting a framework to giving advice on the role of who should be the Chief Risk Officer. “This person does not need to be a ‘CRO’ (Chief Risk Officer). Often, it is best to initially use existing resources, for example the Chief Audit Executive or Chief Financial Officer, for this role to get ERM started. This leader will not necessarily be the person to head ERM long term, but the person to get the initiative started and to take responsibility for moving the organization’s ERM activities to the next level.”

So what is the problem?

COSO has lost sight of its original mandate from a more narrow focus on developing an internal controls framework, moving from an integrated framework designed to understand the causal factors that can lead to fraudulent financial reporting to a broader and rather vague Enterprise Risk framework with little substance. 

In the original framing of COSO’s internal controls framework, risk assessments are included as a means to evaluate the effectiveness of the controls designed to ensure financial reporting and disclosures.  COSO’s focus on risk-based assessments of internal controls and periodic monitoring of the effectiveness of financial internal controls is appropriate; however, this is also the place, intentionally or unintentionally, where the corruption of risk management began.  The first problem is a perennial one in business that is classically called “scope creep.”

Internal control design and monitoring is a critical safeguard for reducing or addressing the occurrence of fraudulent financial reporting.  Had the framers devoted research to the development of robust internal control design for the enterprise instead of the broad and wide-ranging outline of a framework of internal controls, the intent and application might have proven more effective.  COSO’s guidance is so generic and broad that even public accounting firms often fail to live up to the basic requirements advocated in its guidance.  The media is replete with examples of large, well-established firms who failed to properly disclose financial impropriety after successfully passing internal control attestations by management and their internal and external auditing teams.  Public accounting firms use the “reasonable assurance” defense to counter this argument, but there is more going on here.

COSO was not intended to become the de facto risk management framework that it has become known today.  In the early days of COSO, the nascent risk management community did not offer an effective alternative.  There were many examples of Wall Street firms attempting to develop position papers on risk management that never seemed to take hold or evolve into a framework that was adopted broadly.  This was, in part, because the attempts were focused on financial services risks, thereby limiting the appeal as an operating standard outside of the industry. Risk management, as we now understand it, is much bigger, more diverse and infinitely more complicated than a set of internal controls over financial reporting.

Charting a new path

COSO’s failure is due primarily to its narrow focus on internal controls as a risk management tool.  Internal controls should have been considered one leg of a four-pronged approach to a comprehensive risk management framework.  Fundamentally, internal controls should be considered one of the foundational components of enterprise risk management.  What is missing in COSO and broadly across risk management are the other tools needed to execute ERM.  Risk management must include mechanisms to measure and quantify real risks.  The rise of quantitative analysts is the recognition that risk management is measureable and not simply assessed through the qualitative assessments advocated in COSO.

Secondly, the fraction of risks that are less understood or harder to measure is called uncertainty.  There are methods and tools to assess uncertainty which include probability analysis using a Monte Carlo simulation and/or regression analysis as a means to understand the distribution of risks that fall in the long tail of the bell curve.

Lastly, the area that is least understood is the concept of human decision making under uncertain conditions, which could serve as fertile ground for discussions with senior management and the Board of Trustees as a tool for oversight and monitoring.  These four components of ERM must replace COSO and become a true unifying construct for managing the complexity and diversity of risks we now face.  Internal controls, quantitative risk analysis, probability analysis and decision support tools are the four legs of ERM.

These concepts are not new.  In fact, big thinkers such as Frank Knight, Herbert Simon and Dan Kahneman researched and advocated for these ideas and approaches at the turn of the 20th century.  However, the accounting and risk management community has largely ignored this rich body of research; that is, until more recently.  Knight, Simon and Kahneman recognized that making decisions under uncertain conditions is the largest contributor to risk an organization faces.  Their research directs us to take a multidisciplinary approach, not some mechanical internal controls process that does not truly inform the Board or senior management about the complexity of risks faced by today’s organization.

COSO’s contributions should not be ignored or minimized, but recognized for coalescing focus and attention on enterprise risk management. Now it is time for risk management practitioners to take the lead in developing innovations in ERM using a multidisciplinary approach to building an effective framework that is as dynamic as the risks it must manage.