Back in October 2014, COSO announced that it would be reviewing and updating its famous Enterprise Risk Management framework and it has recently proposed additional guidelines to the wider community of risk managers for their feedback. Since its conception and inaugural recommendations in 1987, the COSO framework is occasionally updated. Sometimes these improvements are spawned as an outcome of the ever changing landscape that generally surrounds the faculty of risk management, risk is rarely a stationary management discipline as those that work in it know all too well. More often than not, guidance enhancements originate from the ERM practice directly, just as it appears to be the case this time round.

PWC have extended the 2004 Integrated Framework into a modified brief coined Aligning Risk with Strategy and Performance which we'll refer to as ARSP for the time being and, this new chapter in the COSO story claims to be a complimentary document for the Integrated Framework rather than a replacement of it. All good yes, well from the theoretical corner of COSO we are evolving, no doubt there but one also has this feeling that far more is to come from the COSO chronicle beyond this work. There is plenty of risk management advisory I would have liked to have seen put forward in this draft, especially in the risk assessment end of the game and I suppose we might have to wait a little longer for that gritty type of detailing to emerge unfortunately.

Nonetheless, while measuring risk is important, the risk management community shouldn't be too negative on this recent COSO achievement in my opinion. The document does read well, it is loaded with examples, albeit basic mini cases that evidence why a specific principle has been crafted in and, this 'stakeholder friendly' approach to technical writing is likely to be celebrated by more than just a few.

In some respects I also have this sense that the ISO 31000 community have imprinted some influence on the crafting of this work, indirectly speaking that is as the Global Risk Standard is not mentioned in ARSP. For ISO 31000 practitioners, this document is an ideal peruse and definitely worth pondering on, it broadens the scope of risk management and also cements some commonly accepted ideas that they should be familiar with.

Before I leap into a technical discussion, one question does beg for an answer. Who is this document actually written for?

I believe Enterprise Risk Managers will take solace in some of the mechanisms that are described within the guideline but for the seasoned practitioner, I would be concerned if they are needing to derive too much insight from it. For stakeholders and people away from risk management, this document is an interesting but also a long read.

Figure 5.2 Principles Figure | COSO ERM [LINK]

I did find the Principles Figure 5.2 an alluring contemplation that maintains the infamous COSO colour scheme, just for consistency sake one can assume and it summarises twenty three aspects of risk management that are then 'story told' throughout the heart of the document.

What is likely to happen here is that consultants will use these 23 pillars of supposed Best Practice as gold and with great purpose we can expect this to be the starting position for industry wide gap studies that drive out work from prospective clients. I can even hear the dialogue and rhetoric emanating from sharp guys in stiff suits; "your risk management framework must have twenty three pillars of ideal practice to be sufficient" ... Whatever sufficient translates to is itself up for debate. All that aside, I like it and there is some grand advice within the guideline.

Figure 4.2 Risk Profiling | COSO ERM [LINK]

As a risk analyst, Figure 4.2 titled "Risk Profile" is most interesting for me and directly connects Risk to Return or performance as the COSO team prefer to label it. Certainly, the academia around such thinking is deep-seated in the history of risk management, perhaps all management of commercial venture. There are a few important points to note with this risk profile chart, in fact I could write a book on this subject but for time sake, I will keep it brief.

This convex risk profile curve may not and should not fit that shape in a world made good by effective risk management. It could fit any shape but only a dangerously rigged system of more pain than gain would have risk increasing at a faster rate of growth than performance. This is the world best described by Nassim Taleb and he has taken to write several publications on the subject and I like to refer to one of his articles here:

"There needs to be a significant asymmetry between the gains (as they need to be large) and the errors (small or harmless), and it is from such asymmetry that luck and trial and error can produce results."

Understanding is a poor substitute for convexity | Nassim Taleb [LINK]

What I am seeing with the COSO Risk ~ Performance curve is not what Nassim describes but a place where the more you perform, the more risky you become and as a model template for any business; I am not sure too many from the domain of sanity would have an appetite for such systemic structures. These systems do of course exist, the global banking system seems to be skewed in such a way but that doesn't mean we should be accepting the shape of this curve as a default model or modus operandi to work within.

So yes, we welcome the Risk and Return (Performance) chart but details on deriving this chart are omitted from the guideline and that renders this document incomplete. Be this as it may, I still like the way in which ASRP describes the depiction of a risk profile and the plotting of risk capacity is an activity I would recommend all risk managers to engage in, assuming they have; the data, models, scenarios, knowledge and time to do so.

Causal Capital will soon be running a masterclass on Enterprise Risk Management and we will be delivering a huge detailed a session on the COSO ASRP guideline along with the models and techniques to correct it where it falls flat. All faring well, we should be able to share some of these presentations up here with our clients in the coming months ahead.