In what follows, the ECA's risk management experts have put together 8 key questions and answers that will hopefully help governance, operational risk and compliance practitioners to assess better the effectiveness of the new framework. In the interests of comparability, we have also uploaded the ISO 31000:2009 standard on risk management.
But first things first. In summary, here are the 8 key points on the utility of the new ERM guide:
- Provides greater insight into the value of enterprise risk management when setting and carrying out strategy.
- Enhances alignment between performance and enterprise risk management to improve the setting of performance targets and understanding the impact of risk on performance.
- Accommodates expectations for governance and oversight.
- Recognizes the globalization of markets and operations and the need to apply a common, albeit tailored, approach across geographies.
- Presents new ways to view risk to setting and achieving objectives in the context of greater business complexity.
- Expands reporting to address expectations for greater stakeholder transparency.
- Accommodates evolving technologies and the proliferation of data and analytics in supporting decision-making.
- Sets out core definitions, components, and principles for all levels of management involved in designing, implementing, and conducting enterprise risk management practices.
Here are the corresponding 8 key questions and answers that will hopefully help our members to reflect further upon the usefulness of the new framework:
Does the update provide useful guidance that will help leaders of the organization define the mission, objectives, strategies, and plans that will deliver optimal value to stakeholders?
- If the mission is not optimal, it is unlikely that the objectives will be.
- If the objectives are not optimal, it is unlikely that strategies to achieve them will be.
- The risk of setting a wrong or sub-optimal mission, objective, or strategy has to be kept at acceptable levels.
- Organisations need to periodically review their mission and change it as conditions change. For example, think of Intel, Microsoft, HP, Apple.
Does the update provide useful guidance when it comes to executing against the defined mission, objectives, strategies, and plans? Is there sufficient guidance on effective decision-making, and will it move the practice of risk management away from only reviewing, periodically, a list of risks? Will it lead to organisations practicing risk management continuously?
- In order to make good decisions, professionals need to consider all the potential consequences of the choices they make. Those include not only the harms, but also the rewards that may occur. The consideration needs to be structured and based on useful, timely, current, and reliable information.
- As COSO recommends, risk management needs to be an essential part of running the organisation and delivering performance versus risk. It should not be separate. Does the guidance enable your organisation to manage risk as part of the rhythm of the business? Does it help management entwine the consideration of risk into every business process? If yes, then you need to focus on continuous improvement and monitoring.
Will the guidance still lead professionals to only identify, assess, and address potential harms? Will risk reporting still be focused on the level of risk rather than the likelihood of achieving each objective?
- COSO suggests that the consideration of both ‘risks’ (harms) and ‘opportunities’ (rewards) is essential if risk management is to be effective.
- While that is essentially what the prior version said, its language focused almost entirely on ‘risk’ and arguably this has led to most organisations only managing potential harms.
Does the guidance explain clearly and help decision-makers understand and then evaluate all the potential effects of uncertainty?
- Many define the level of risk based on the amount of impact multiplied by its likelihood.
- On that basis, a 5% likelihood of a £200 loss is the same as a 50% likelihood of a £20 loss. One may be acceptable but the other not.
- Does COSO discourage the assessment of risk based on this simplistic calculation? You need to reflect further upon this point.
Will the update provide decision-makers with the structure/process they need to decide whether to ‘take the risk’ because of the potential for reward?
- In real life, people have to ‘balance’ risk and reward.
- For example, if the potential for loss is assessed as between £50 (20% likelihood) and £100 (5% likelihood), should a manager ‘take the risk’ when the potential for gain is between £50 (20%) and £250 (5%)?
Will the update lead to providing decision-makers with the guidance they need if they are to make the decisions management and the board want them to make?
- The great majority of organisations that have a ‘risk appetite statement’ at the entity level have not been able to cascade it down in a way that enables those making the decisions in real life to know what is required of them.
- Different conditions (e.g. whether there is huge public scrutiny, whether the organisation is likely to exceed or miss its earnings targets) can lead to executives wanting to change the risk decisions that are made.
- It is one thing to say that you need to avoid exceeding defined risk limits, but when the reward is high it may be appropriate to take that risk.
Is the updated COSO guidance on risk appetite and risk tolerance useful? Does COSO mirror and enable effective decision-making in real business life? Does the guidance help to establish not only the upper limit of ‘risk’ that should be taken, but the lower level as well?
- If organisations do not ‘take risk’ they will not survive. It is dangerous to be too risk averse.
- How does an organisation establish the minimum level as well as the maximum?
- The COSO definition of risk appetite in the current framework talks about an amount of risk. Sometimes risk appetite is expressed in terms like “we have no tolerance for this risk”.
- However, in real life people make decisions based not only on the ‘amount’ of risk (harm), but the likelihood of that amount of risk. For example, you might accept a 2% possibility of losing £100, but not a 20% possibility.
- Is the ISO 31000:2009 term ‘risk criteria’ better, especially as it can be applied to individual decisions?
2.22 Risk criteria
Risk criteria are terms of reference and are used to evaluate the significance or importance of an organization’s risks. They are used to determine whether a specified level of risk is acceptable or tolerable.
Risk criteria should reflect your organization’s values, policies, and objectives, should be based on its external and internal context, should consider the views of stakeholders, and should be derived from standards, laws, policies, and other requirements.
Will it be possible to assess the effectiveness of risk management in practice using the updated version?
- Any assessment should be based on whether the management of risk helps people establish the optimal vision, objectives, strategies, and plans, make better decisions and, as a result, increase the likelihood of achieving business objectives.
- Any assessment should identify the areas where the risk of failure in identifying, assessing, evaluating, or taking action to address risk is higher than desired.
We invite risk practitioners to share their thoughts with all ECA members and to put forward any additional questions they may have on the new ERM guide.
Prof. Dr. Emmanouil Ioannidis
Governance, Risk & Regulatory Compliance Consultant
Compliance Committee Member