COSO Aligning Risk with Strategy and Performance

COSO Aligning Risk with Strategy and Performance, dealing with public exposure, appeared in June 2016 within the frame of Enterprise Risk Management.

COSO Aligning Risk with Strategy and Performance

We have read with enormous interest the document which very eloquently explains the benefits of ERM and its interactions with business strategy, operations, etc.

Defining Risk and Uncertainty

We started balking when we arrived at the section entitled “Defining Risk and Uncertainty”. Not because of the general concepts, but because of the logic of some definitions.

Glossary and definitions

Let’s start at the beginning, i.e. #22 transcribed literally here:

“There is risk in not knowing how an entity’s strategy and business objectives may be affected by potential events. The risk of an event occurring (or not), creates uncertainty. In business, uncertainty exists whenever an entity sets out to achieve future strategies and business objectives. In this context, risk is defined as: The possibility that events will occur and affect the achievement of strategy and business objectives.“

Let’s translate the above in plain language:

• 22.1 There is a risk each time one does not know how potential events could affect his/her business. Example: if I own a sawmill and I do not know how a fire, flooding, hurricane could damage it, then there is a risk…
• 22.2 The risk of an event occurring (or not) creates uncertainty. Question: this cannot be a risk, right? We defined Risk above. They must be meaning “likelihood or probability” right? Also note that in #23 below they define an event as an occurrence. So we are looking at a circular reference. Quite confusing, right? So, if corrected, the translation could be “the probability of an event creates uncertainty”. In #23 below they define uncertainty as the state of not knowing HOW potential events may or may not manifest. This definition includes two concepts: “how” and “may or may not”. If we look at “how”, then let’s imagine, for example the following: how would a quake occur? How would a fire occur? If that’s what they mean to ask, then they should give some explanations. As per the “may or may not”, well are we referring again to the likelihood/probability of “how” the event would manifest? We are confused to say the least and in a state of high uncertainty!
• 22.3 But then we are told that in business, uncertainty exists if one tries to do anything. At Riskope we could definitely agree on that point!
• 22.4 Finally we are told that risk is apparently a conditional/joint (which one do they mean to state?) probability that something will occur and/given it occurred, reaching our objectives will be more difficult. Now we are really confused: which one is the right definition of risk adopted in the manual? And why no one bothers talking about the consequences of the “difficulties”. No worries, the box of definitions #23 talks about severity. It could probably help, but unfortunately it adds to the confusion as it defines severity as likelihood and impacts of events….

Here is the box present on the page #23 which adds to the confusion:

“contains terms that expand on and support the definition of risk as follows:

Event: An occurrence or set of occurrences.
Uncertainty: the state of not knowing how potential events may or may not manifest.
Severity: A measurement of considerations such as the likelihood and impacts of events or the time it takes to recover from events.”

Finally the same document informs the readers that #24

“events are more than routine transactions, they are broader business matters such as changes in the governance and operating model, geopolitical and social influences,and contracting negotiations among other things”.

to conclude that events may be difficult to discern and it may be difficult to identify specific events related to, for example, global warming. Thank you, now we know!

Conclusions

As we have stated so many times in the past, this type of weaknesses in the basic definitions of a technical glossary certainly does not shed light on the risks. And that is for any business, project, organizations. The results can only be confusion, misleading consideration and either inaction or squandering of precious resources.

Before it is too late, we have to elvate risk assessment and ERM  at the level of science with robust definitions and glossary shoring any endeavor.

Source

COSO Enterprise Risk Management — Aligning Risk with Strategy and Performance

Tagged with: coso, Defining Risk and Uncertainty, Enterprise Risk Management, ERM, glossary, public exposure, Strategy and Performance

Category: Probabilities, Risk analysis, Risk management