There has been criticism that the COSO risk management framework is too complex. What can be done to simplify it or change this perception?
Risk management is simple in concept but can be challenging to deal with in the real world. I may be a bit biased, but I don't think it's extraordinarily complex.
The cube in the framework brings concepts together in a meaningful way. But people who don't focus on risk on a regular basis or as a process might need to work a bit to get their arms around it.
There are other ways to do that than focusing solely on the framework; they can pursue educational and training programs to gain that understanding.
The framework's Application Techniques volume is a tool that security managers might want to look into, because there's a wealth of knowledge for specific ways to apply risk management effectively.
How pervasive are ERM programs that truly comport with the principals envisioned by the COSO risk-management framework?
Most companies practice risk management, but it's not very common for companies to have all the elements of what COSO defines as an effective ERM framework. For example, there are some that might not really relate risks to their business objectives. They might not have set forth an established risk appetite or risk tolerances, or a portfolio view of risk.
Does a company need to apply the entire framework to benefit from ERM?
There are principles set forth in the ERM framework that need to be in place in order for a company to have what is defined as an "effective" ERM process. I do think, however, that many companies take significant steps to manage their risks without having what the COSO framework defines as ERM.
In some instances, companies' risk management processes have served them well, but in other cases they have not. For example, we saw major banks in 2007 not focusing sufficiently on what are called "black swans," thereby missing what were considered unlikely events that indeed resulted in having a major negative impact on those organizations.
One of the challenges of implementing a comprehensive ERM program is what a colleague of mine calls "blank-stare syndrome." No matter how hard we try, ERM is an awful lot for folks to take in because there are so many moving parts. How do we get everyone on the same page?
That is certainly a challenge, and there are no easy answers. I'd like to start with the idea that the framework is not a primer on risk management. It's aimed at business people with some background in managing business risk. The executive summary may be helpful to boards of directors who provide oversight to get a sense of what's involved in ERM. But the framework does not attempt to take the place of what's obtained through experience, education and training.
Sign up for CIO Asia eNewsletters.