This post discusses the misconceptions about COSO's key concepts and how modern and traditional risk managers perceive and interpret risks.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has established a common internal control model against which companies and organizations may assess their control systems. COSO focuses on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.
RISK ASSESSMENT
1. Traditional risk assessment frameworks assess risks based on likelihood and impact.
2. COSO identifies high-risk areas as those with high likelihood and high impact.
3. Organizations using this method (multiplying the likelihood percentage by the estimated loss) only obtain the probability-weighted damage from an incident, not the actual risk level.
4. The main objective of likelihood and impact analysis is to identify control weaknesses that would prevent an organization from meeting its objectives and goals, not risks in the environment.
5. Risk managers should label scenarios with low likelihood but high impact as high risks, as these are tail events, sometimes close to black swan events, which have happened more often than managers perceived.
6. To account for managers not answering accurately during the risk assessment process, risk managers should categorize low likelihood and high impact as high risk.
OTHER PERSPECTIVE
1. Instead of looking at the risk assessment from a matrix point of view, we could go one step further: take the likelihood and impact results in totality and plot them on a graph, which gives a severity distribution.
2. Modern ORM (operational risk management) measures likelihood with a frequency distribution (also known as a probability distribution) indicating the probabilities of events occurring during a time period.
3. Combining the frequency distribution and the severity distribution gives the expected loss (the amount lost in a year on average) and the unexpected loss (the amount lost in a bad year), which managers need to focus on.
4. Expected loss is obtained by multiplying the frequency mean by the severity mean, which produces the aggregate loss mean.
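The following is an added worked example, not code from the original post, showing the difference between matrix arithmetic (likelihood x impact, the probability-weighted damage of point 3 under RISK ASSESSMENT) and the frequency/severity approach of points 2 to 4 above. It models two constructed scenarios with the same expected loss: one with frequent small losses and one with rare large losses (the low-likelihood, high-impact tail case of point 5 under RISK ASSESSMENT). The Poisson frequency, lognormal severity, the 99th percentile as the "bad year", and all scenario parameters are assumptions chosen for the illustration, not prescriptions from the post or from COSO. It uses only the Python standard library.

```python
import math
import random
import statistics

# Constructed illustration (not from the post): two scenarios that a
# likelihood x impact matrix scores identically, then the same two modelled
# with frequency and severity distributions so that expected loss and
# unexpected loss can be separated. Poisson frequency and lognormal severity
# are assumptions for this example only.


def probability_weighted_damage(likelihood, impact):
    """Matrix arithmetic: likelihood x impact gives probability-weighted damage,
    a single average that says nothing about how bad the tail is."""
    return likelihood * impact


def lognormal_params(mean, sigma):
    """Convert a desired severity mean into the mu parameter of a lognormal."""
    return math.log(mean) - sigma ** 2 / 2, sigma


def sample_poisson(lam, rng):
    """Knuth's multiplication sampler for Poisson counts (adequate for small lambda)."""
    threshold = math.exp(-lam)
    events, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return events
        events += 1


def simulate_annual_losses(freq_mean, sev_mean, sev_sigma, years, seed=7):
    """Monte Carlo aggregate loss: for each simulated year, draw the number of
    events from the frequency distribution, a severity for each event, and sum."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(sev_mean, sev_sigma)
    annual = []
    for _ in range(years):
        n = sample_poisson(freq_mean, rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return annual


def expected_loss_analytic(freq_mean, sev_mean):
    """Aggregate loss mean = frequency mean x severity mean (point 4 above)."""
    return freq_mean * sev_mean


def loss_summary(annual_losses, confidence=0.99):
    """Expected loss (average year), bad-year loss (chosen percentile) and
    unexpected loss (bad year minus average year)."""
    ordered = sorted(annual_losses)
    rank = max(0, math.ceil(confidence * len(ordered)) - 1)
    expected = statistics.fmean(ordered)
    bad_year = ordered[rank]
    return {
        "expected_loss": expected,
        "bad_year_loss": bad_year,
        "unexpected_loss": bad_year - expected,
    }


def compare_scenarios(years=50_000):
    """Scenario A: frequent, small losses. Scenario B: rare, large losses.
    Both have an expected loss of 50,000 per year; their tails differ sharply."""
    scenarios = {
        "A_frequent_small": dict(freq_mean=5.0, sev_mean=10_000, sev_sigma=1.0),
        "B_rare_large": dict(freq_mean=0.05, sev_mean=1_000_000, sev_sigma=1.0),
    }
    results = {}
    for name, params in scenarios.items():
        losses = simulate_annual_losses(years=years, **params)
        summary = loss_summary(losses)
        summary["analytic_expected_loss"] = expected_loss_analytic(
            params["freq_mean"], params["sev_mean"])
        results[name] = summary
    return results


if __name__ == "__main__":
    # Matrix view: a 50% chance of losing 100,000 and a 5% chance of losing
    # 1,000,000 both collapse to the same probability-weighted damage.
    print("matrix, frequent small:", probability_weighted_damage(0.5, 100_000))
    print("matrix, rare large:   ", probability_weighted_damage(0.05, 1_000_000))
    # Distribution view: same expected loss, very different unexpected loss.
    for name, summary in compare_scenarios().items():
        print(name, {k: round(v) for k, v in summary.items()})
```

The simulated expected loss of each scenario converges on the analytic frequency mean x severity mean, while the unexpected loss of the rare-large scenario is an order of magnitude above that of the frequent-small one. That gap is exactly what the matrix product hides and what a risk manager reading point 5 under RISK ASSESSMENT is being asked to keep in view.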
QUESTIONS TO RISK MANAGERS
1. Is objective information available to help managers identify the risks before they are quantified by risk managers?
2. To what extent are managers' risks being managed with costs weighed against benefits? Are the controls appropriate in terms of costs vs. benefits? Organizations have to learn to accept residual risks.
3. Is the monitoring and reporting process transparent?