My good friend Paul Sobel and I generally see eye-to-eye on matters relating to risk management. Over the years, we have chatted over meals, at conferences, and on the phone.
He is now the chair of COSO, which has to be a very tough job. Not only does he have to deal with the competing interests of its five members (the AICPA, FEI, AMA, AAA, and IIA), but he has inherited the COSO ERM Framework (and the Internal Control Framework, but I am not discussing that today).
Paul decided to share a series of pieces on LinkedIn a couple of weeks ago. His initial post started by saying “Many wonder whether the current pandemic is another example of ERM failing”. It got (as of today) 133 comments!
Now I don’t think Paul expected to receive that level of response. I am also pretty sure he didn’t expect to see so many comments about the general failures of risk management (ERM) programs.
Personally, I see the growing chorus as progress!
We now have a new COSO document that should receive a similar greeting. More and more people are recognizing that the traditional ERM programs typified by COSO’s guidance are simply not helping organizations succeed. They are seen by a growing number of executives and practitioners as a compliance activity. They look good, satisfy regulators, but don’t help leaders make the…