It’s is very hard to talk or write intelligently about risk and its management when your language gets in the way.
A new COSO paper, written by two individuals I have known a long time and for whom I have great respect, is trapped by one awful word, a true four-letter word: ‘risk’.
Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management is based on COSO’s 2017 update of its 2004 ERM Framework. Their intent is to explain how effective ERM can add value to an organization, and to give some guidance on how to implement or upgrade it.
But it is bedeviled by this four-letter word.
There is no common and shared understanding of what the word means. Is it:
- The possibility of something bad happening?
- The effect of uncertainty on objectives? (ISO 31000)
- The effect of what might happen on the achievement of enterprise objectives, effects that can be good, bad, or both? (Marks)
Let’s start with some excellent language from the document. They say (my highlights):
- COSO’s 2017 Framework, Enterprise Risk Management – Integrating with Strategy and Performance, defines enterprise risk management as: “The culture, capabilities, and practices, integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving, and realizing…
