A discussion of the latest COSO paper on the development of organizations’ resilience to risk.
Feb 17th, 2010
COSO recently published a thorough paper on the development of organizations’ resilience to risk. The paper is intended to help foster a new dialogue between boards and senior executive leadership as they partner to more fully develop their organization’s resilience to risk.
We think the paper does address the critical issues; however:
1) it lacks a glossary, so it may be misinterpreted by readers who have not been educated in risk.
2) as a consequence of 1), some terms (for example “risk tolerance”) can be misunderstood.
3) “Risk appetite” is a nice wording, but for historical reasons and to avoid misunderstandings it should be compared with, and defined alongside, risk tolerance and risk acceptability.
4) The “non-linear shape” of the “risk appetite” curves displayed on the “heat maps” from page 14 onward deserves some explanation. The shape is such only on a log-log likelihood-impact plot, which the paper does not define. We have spent years of research, pushed by our clients, studying tolerance curves.
We would recommend you have a look at this Presentation and at this Document to see how we use tolerance in real-world examples.
Finally, in this Document you will see how risks can be properly prioritized by comparing their “intolerable portion” (the part of each risk lying above the tolerance curve) rather than their “face value” (likelihood times impact). This type of analysis shows that rational prioritization often brings counter-intuitive results, but generally a very sensible proportioning of mitigation funds. It is not unusual that “first priority risks” represent only a small portion of the entire risk portfolio of a corporation.
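To make the “intolerable portion” versus “face value” comparison concrete, here is an added, self-contained Python example. It is not Riskope’s or COSO’s code, and the tolerance curve (a piecewise line interpolated on log-log likelihood-impact axes), the four sample risks and the formula used for the intolerable portion (probability times the impact exceeding the tolerable impact at that probability) are all constructed assumptions for illustration. It shows how the ranking of the same risk register changes when the intolerable portion, rather than the face value, is used as the priority key, and how small a share of the portfolio the intolerable part can be.

```python
"""Prioritising risks by intolerable portion rather than face value.

Added illustration, not Riskope's or COSO's code. Tolerance curve shape,
sample risks and the intolerable-portion formula are constructed assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # annual probability of the scenario, in (0, 1]
    impact: float        # consequence if the scenario occurs (currency units)


# Constructed tolerance curve: (probability, maximum tolerable impact).
# Segments are interpolated on log-log axes, where such curves are usually
# drawn; on linear axes the same curve appears strongly bent.
TOLERANCE_POINTS = [
    (1e-6, 2e9),
    (1e-4, 2e8),
    (1e-2, 5e6),
    (1e-1, 5e5),
    (1.0, 2e4),
]


def tolerable_impact(probability: float) -> float:
    """Maximum tolerable impact at a given probability (log-log interpolation)."""
    if not 0 < probability <= 1:
        raise ValueError("probability must be in (0, 1]")
    pts = TOLERANCE_POINTS
    if probability <= pts[0][0]:          # clamp to the end points
        return pts[0][1]
    if probability >= pts[-1][0]:
        return pts[-1][1]
    for (p0, i0), (p1, i1) in zip(pts, pts[1:]):
        if p0 <= probability <= p1:
            t = (math.log10(probability) - math.log10(p0)) / (math.log10(p1) - math.log10(p0))
            return 10 ** (math.log10(i0) + t * (math.log10(i1) - math.log10(i0)))
    raise AssertionError("unreachable: curve points are sorted and cover (0, 1]")


def face_value(risk: Risk) -> float:
    """Conventional 'face value': probability times impact."""
    return risk.probability * risk.impact


def intolerable_portion(risk: Risk) -> float:
    """Assumed definition: expected value of the impact above the tolerance curve."""
    excess = max(0.0, risk.impact - tolerable_impact(risk.probability))
    return risk.probability * excess


def prioritize(risks, key=intolerable_portion):
    """Return the risks ranked from highest to lowest under the chosen key."""
    return sorted(risks, key=key, reverse=True)


def intolerable_share(risks) -> float:
    """Fraction of the portfolio's total face value that is intolerable."""
    total = sum(face_value(r) for r in risks)
    return sum(intolerable_portion(r) for r in risks) / total if total else 0.0


# Constructed sample register (not real client data).
SAMPLE_RISKS = [
    Risk("Frequent minor outages", 1e-1, 4.5e5),
    Risk("Data-centre fire", 1e-2, 8e6),
    Risk("Major product recall", 1e-4, 6e8),
    Risk("Chronic shrinkage", 1.0, 3e4),
]


if __name__ == "__main__":
    print("By face value:")
    for r in prioritize(SAMPLE_RISKS, key=face_value):
        print(f"  {r.name:24s} face={face_value(r):>10,.0f}")
    print("By intolerable portion:")
    for r in prioritize(SAMPLE_RISKS):
        print(f"  {r.name:24s} intolerable={intolerable_portion(r):>10,.0f}")
    print(f"Intolerable share of portfolio: {intolerable_share(SAMPLE_RISKS):.1%}")
```

With these assumptions the ranking flips: the fire leads by face value, but the recall leads by intolerable portion, and the frequent outages, third by face value, carry no intolerable portion at all because they sit below the curve. The intolerable part is roughly a third of the portfolio’s face value, which is the kind of “first priority risks are a small portion of the whole” result the text describes.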
As one of the delegates to our Courses said: “Once I was blind and now I see.”
Our claim is indeed that ready-to-use methodologies exist to support those tasks, as demonstrated by a number of real-life applications, and thanks to those methodologies “we can see” far better!
In order to reach a more coherent and integrated level of critical-components management, one needs to “see better”: understand which exposures are really critical, prioritize them, and so on. We claim that is only possible if the appropriate techniques are used, and those techniques have to define, in a very transparent way, the tolerance of the client.
Our view is that too much reliance is given to qualitative approaches that actually end up blurring the perspectives and allowing very costly biases to be taken in risk mitigation decisions. It’s indeed “funny” that multi-million dollar decisions or strategic options may be taken based on qualitative appreciations of risks, unclear definitions of tolerance, “color based” prioritizations!
Some may find it unfortunate that some maths and quantitative approaches are needed, but the final result is definitely worth the effort. A properly done prioritization may save millions of dollars that could be spent in other areas, or avoid the selection of an ill-fated strategic alternative.
Oh, one more thing: it is not necessary to overwhelm the client with unsustainable data gathering to deploy these methodologies, as they accommodate incomplete data sets. Uncertainties are carried through the process and can be reduced as more data come in, after the first preliminary pass.
Thank you for starting this very interesting discussion. I get really passionate when I see all the wasted money these days, or corporations reducing their risk management programs because they feel (and in many cases they may be right) that it’s too expensive (actually, it’s not too expensive: most of the time it addresses the wrong issues because the risk prioritization is wrong!).