Useful work by COSO on managing at speed misses the point

I enjoyed COSO’s latest publication, Enabling Organizational Agility in an Age of Speed and Disruption. This is how COSO described it:

As radical change transforms the world we live in, organizations should regularly align their enterprise risk management (ERM) process with the current business environment and their strategic goals, according to new guidance issued today from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enabling Organizational Agility in an Age of Speed and Disruption is intended to serve as a guide to help organizations succeed by being more anticipatory, agile, and adaptable. The guidance highlights many of the COSO ERM risk principles and how they relate to an agile business environment, and numerous ways are identified that show how the COSO ERM principles link to agile approaches.

Frankly, while COSO has to support its own ERM framework, the important message in the document has little, if anything, to do with developing and maintaining the risk inventory (another term for a list of risks) advocated in the COSO framework.

I suggest reading the publication and setting aside the references to COSO ERM.

In fact, the overall message is correct and is quite different from maintaining a list of risks, even if that list is linked in some way to strategic objectives. To quote again:

As radical change transforms the world we live in, organizations should regularly align their enterprise risk management (ERM) process with the current business environment and their strategic goals.

The way to do this, IMHO, is to recognize that an organization moving at speed and with agility has to make decisions at speed. It also has to be willing to take more risk, because doing so is justified on business grounds.

If you want your speedy decisions to be right (given constraints), you need quality, reliable, current, and timely information about where you are and what may lie ahead.

Risk management is all about providing decision-makers with the information they need about what might happen, and then helping them evaluate the situation and alternative actions (balancing opportunities and potential harms).

While the new COSO paper says a lot of good stuff, a search for “decision” gives you just ten mentions, while “decision-making” returns just three.

  • A few ERM leaders have been pushing the identification of risk into decision-making and an agile organization seems to be a good place to continue doing that.
  • Operating structures could be redone to reconsider traditional hierarchical approaches and traditional decision-making processes and replace with agile practices.
  • Part of the past bureaucratic problem was too much of a silo approach within the organization that limited collaboration and slowed down decision-making.

In other words, COSO’s new guidance essentially ignores the need for quality, informed and intelligent decisions.

That is surprising and disappointing.

It also continues the focus on managing and mitigating harms, without pressing the risk practitioner to apply the same principles and techniques to opportunities – let alone helping management weigh one against the other to determine which risks should be taken.

The publication does have a lot to say, and I recommend reading it carefully. Here are a few quotes with my emphasis.

Note how the document quotes CEOs saying there should be a focus on taking risk!

  • Astute leaders get this and know that long-term strategic plans and assumptions are not the best approach in times like this. Examples of this are everywhere. A recently appointed CEO at a Fortune 100 company changed the company’s motto to “Faster, stronger, and better.” A chief strategy officer of one of the world’s largest energy companies declared, “We’ve given up trying to predict the future. We just want to be agile.” A new CEO of a not-for-profit adopted a strategic vision focused on speed, adaptability, and taking risk. Other headlines in the news have CEOs telling employees to make mistakes and Wall Street analysts warning companies, “Disrupt yourselves, or else!” Further, this occurred before the pandemic, social unrest, political climate, continued calls for climate change, or ESG (environmental, social and governance) action — plus a host of other globally challenging uncertainties. It is not surprising that companies are looking for ways to improve, adapt, and become more agile as they also search for the new normal.
  • The new normal likely includes new anticipatory risk skills and new agile and adaptability skills. For those responsible for understanding and managing risks — including business owners, enterprise risk management, internal audit, senior leadership, and boards — the new normal includes a rethinking of when, how, and where to apply strategic risk thinking and ERM.
  • Adopting agile practices at the organizational and strategic level encompasses a few key concepts. The obvious first concept is speed. Companies believe that their world is changing, and they must adapt more quickly. A second and related key concept is direction. The combination of speed and direction is known as velocity. In guiding an organization, leaders cannot just move fast; they must also have a sense of direction. Note that this direction can be a broad window. There can be a sense that the future is fairly clear and the organization just needs to compete in that future. It can also mean that the direction is completely unclear. In this case, direction and steering the organization, even moving fast, must account for a wide variety of options and business models that could play out. This leads to other key concepts, including the ability to pivot, the ability to adapt, and the ability to accelerate (when needed). Pivoting, adapting, and accelerating all are about managing strategic and business risk but they also can create risk.
  • Board members are critical in helping organizations see and understand the necessity and importance of new strategic and organizational approaches and the related risk. It is also important that the business leaders, those who provide products and services, be involved and aligned with the change and agile efforts. This could require broad acceptance and a culture change and might even mandate that the business units adopt agile practices. When external parties, senior leaders, and others are pushing agile methods, the ERM function can feel completely out of sync with the business and will need to rethink its approaches and methods. ERM leaders will be more likely to stay in sync with the business when they regularly rethink and improve their ERM approach.
  • The ERM function can provide normal ERM tools to enable teams to properly understand, identify, and manage all related risks. Such tools may need to be customized and other tools may become necessary, but the basic ERM tools, technology, framework, risk cadence and reporting, risk identification templates, and action plans are still valuable and should be made available. The tools can help provide consistency. At some point, it is important that the ERM function provide the context and help others connect the risks to other risks and to the broader spectrum of risks and emerging risks facing the organization. Knowing and linking the velocity of emerging risks and other organizational risks that impact the agile teams can increase the teams’ chances of meeting objectives.
  • Companies that take an agile approach of speed and empowerment in innovations can improve risk-taking and ideation by encouraging this risk and opportunity mindset. When companies define the desired culture as one that accepts and allows for failure, they are building a culture that encourages new ideas and encourages risk-taking. Companies that do not accept failure or limit creativity create a culture that is risk-averse. If the strategic environment necessitates risk-taking, speed, and new ideas, then this risk-averse culture is the wrong fit to compete in that environment.

Now contrast that with an excellent post by an esteemed friend and practitioner, Hans Læssøe. In Effective Risk Reporting he explains how the focus should be on achieving targets or objectives (very similar to what I wrote about in Risk Management for Success and elsewhere, and what Tim Leech also advocates as objective-based risk management).

As he wisely says:

Management is working with business performance rather than managing risks. As such, management does not, and should not be specially concerned about risks.

Executives know very well that there are risks and opportunities involved in whatever you do, and that every choice or decision they make becomes a choice between sets of risks and opportunities. This however does make them take their eyes off the ball – performance.

To be relevant and valuable to management, we, the risk profession, have to adjust our management reporting to be performance centric rather than risk centric.

I believe management should be focused on whether there is an acceptable likelihood of achieving each of their enterprise objectives. Hans says the same thing:

… shows a 40% likelihood of meeting the revenue target based on a 45% likelihood of having the targeted customer base.

Such a chart is certain to invoke a management discussion on whether or not this is satisfactory or something must be done to enhance the likelihood of meeting certain targets.

With this, risk management (reporting) affects decision making, which is paramount according to both the COSO and the ISO 31000 standards.

While COSO has shared some good advice about speed, I believe risk practitioners need to adapt on two fronts:

  1. Focus on how they can help decision-makers, ensuring they not only have quality information but are able to use it effectively.
  2. Partner with performance reporting staff to help management and the board understand whether there is an acceptable likelihood of meeting targets. At the same time, help management understand when the targets need to be moved as situations change.

I welcome your thoughts.

  1. March 16, 2022 at 4:21 AM

    Just to provoke. One of my former mentors stated that “the best way to predict the future is to create it”. This leads to a proactive intelligent risk taking process where you:
    1) look at your core competencies – what is it, you do better than others
    2) look at how these can be leveraged (also outside your current market/industry)
    3) look at the potential
    4) decide which avenues to pursue

    On your “core competencies”, try also asking, “what has to be true for these competencies to become obsolete” and make sure you have taken that into account when defining the strategic path for your company.

    The world is full of changes, and some are so dramatic and fast you call them disruptions. In this world, you can be the disruptor or the disrupted. Pick your choice – but please, for the sake of all your stakeholders, do it intelligently.

    Lastly – having a strategic direction is good, but you also need to be aware that “no strategy survives the first encounter with the enemy”, so do not plan in details, but be ready to steer your business through turbulent waters.

  2. March 16, 2022 at 9:59 AM

    Hans, you write ‘Lastly – having a strategic direction is good, but you also need to be aware that “no strategy survives the first encounter with the enemy”, so do not plan in details, but be ready to steer your business through turbulent waters.’
    Surely you need a detailed plan to deliver the strategy? Yes, it won’t survive completely intact, but if you have done a full risk analysis to anticipate the points of failure plus set up an information gathering network to understand what needs changing, you increase your chance of success.
