The Miseducation of Risk Management

James Bone
4 min read, Apr 19, 2022

Enterprise risk management (ERM) is the practice of assessing the full spectrum of risks that impact organizational performance. ERM has been around for 18 years and was first formalized by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004. Coincidentally, the rise of ERM emerged 2 years after the Sarbanes-Oxley Act was enacted into law by Congress. COSO is a consortium of professional organizations made up of the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants.

What do these groups have to do with enterprise risk management? Nothing really, and that partly explains the miseducation of risk management. In the 37 years since the formation of COSO, and 18 years after the introduction of ERM, fraud and risks have grown exponentially and unabated with little to no end in sight, alongside little to no moral outrage by politicians, the public or risk professionals. COSO was formed in 1985 to propose solutions to Congress and the Securities and Exchange Commission to prevent fraud and enhance internal controls over financial reporting.

The miseducation of enterprise risk management has become a meme in risk management as a “best practice” without any evidence that it mitigates risk or reduces the opportunity for fraud. This blog post is designed to bring light to the miseducation of risk management and to raise awareness that the oldest discipline of risk management needs to replace COSO’s ERM framework with real science. Let me explain.

Risk management has grown in spite of COSO’s ERM framework, but risk management has not grown in respect, expertise, or effectiveness, with the exception of isolated examples. Why is that? Risk management is not a focus on internal controls. True risk management is the process of thinking about, choosing, and selecting appropriate risks that either move the organization forward or reduce the factors that limit growth. No existing framework does either, and that is why cyber risks and operational risks have only grown and not become an afterthought.

The “cyber paradox” is one example of how poorly organizations understand and manage risk. The cyber paradox is the phenomenon of cyber threats growing faster than the solutions to mitigate or address them effectively. The same is true in enterprise risk. The paradox is that no one seems to know what the root cause of the problem is, but everyone seems intent on focusing on the easy part — assessing internal controls and audit. Have you ever heard the story of the person who lost their car keys?

“A policeman sees a drunk man searching for something under a streetlight and asks what the drunk has lost. He says he lost his keys and they both look under the streetlight together. After a few minutes the policeman asks if he is sure he lost them here, and the drunk replies, no, and that he lost them in the park. The policeman asks why he is searching here, and the drunk replies, ‘this is where the light is’.”

This is the current state of ERM and cybersecurity, but it gets worse. The “light” is considered a best practice by novice risk professionals who don’t know better, which is 80% to 90% of risk professionals.

If risk management is about thinking, decision-making and selection, this is a good time to suggest that if you lost your keys in the park, looking under the light won’t help. Unfortunately, today’s risk professional is only following the leader. The psychology of risk management practice is part of the problem. You have all heard about misinformation and disinformation? Yes! Well, it is alive and doing well in enterprise risk management. Critical thinking has taken a backseat to following what everyone else is doing. It may feel safe to do what others are doing, but following the herd only leads to slaughter.

Marketers, advertising experts and politicians have all learned that if you repeat the same story over and over again in authoritative advertising, people will begin to believe the story no matter the evidence that it is false. It is a bit like expecting a different result even when the outcome always proves the opposite.

I too was caught up in the cult of COSO’s ERM to bring credibility to senior executives who had no idea what risk management did or contributed to the organization. The problem was, the more I tried to make COSO’s ERM framework work, the more I realized the failure of the entire system. The failure in COSO’s ERM framework is actually embedded in its guidance. COSO states plainly and specifically that the framework does not address human behavior! Bingo! Human behavior, not internal controls, is the real focus of risk management, and COSO acknowledges this vulnerability right in its guidance. But no one notices!?

This is the last article that I will ever write about the failure of COSO because it is ignored. I am beginning to feel like the street corner preacher calling for redemption to the sinners. From now on, I will only focus on what works and has worked for millennia: a focus on human behavior, decision-making, risk selection and a new risk management framework that I call a Cognitive Risk Framework for Enterprise Risk Management and Cybersecurity. You can learn more in my book, Cognitive Hack: The New Battleground in Cybersecurity and Enterprise Risk Management, on Amazon and in my new book, coming the summer of 2022, Cognitive Risk. I also write about risk at the intersection of humans and technology.

I am no longer going to try to save the souls of the wayward sinner and focus only on the believers who seek a more enlightened approach to ERM and cybersecurity — the Human Element!