BROADLEAF CAPITAL INTERNATIONAL PTY LTD
ABN 24 054 021 117
PO Box 1098, Mitcham North VIC 3132, Australia
www.Broadleaf.com.au
Tel: +61 (0) 3 9893 0011   Mobile: +61 (0) 412 121 631   Fax: +61 (0) 3 9893 0011
[email protected]

30 March 2012
COMMENTS ON THE EXPOSURE DRAFT OF THE INTERNAL CONTROL FRAMEWORK

The 1992 COSO Internal Control Framework made us all think differently about risk and controls, how these are linked and how they should be assessed and assured. However, in the last 20 years our understanding of what risk is, how it should be managed and how controls modify it has advanced greatly, and it is disappointing that this revision of the 1992 document does not recognise that advancement and wishes to hold our thinking to the past.

I have worked in the practical application of risk management for the last 35 years and now divide my time between training and mentoring, helping organisations of all sizes and sectors improve their management of risk, and writing and contributing to international standards and practical guides so that we build upon our experience and do not repeat the mistakes of the past. My résumé is at Appendix B of this submission.

Most of the world has now come together to agree a coherent and consistent formulation and vocabulary for dealing with uncertainty and risk, so that organisations can consciously create value and satisfy their stakeholders' objectives through sound governance. The International Standard, ISO 31000:2009, and its accompanying vocabulary in ISO/IEC Guide 73 are the results of the inputs of many thousands of practitioners and users around the globe and reflect a true consensus on best practice. Many countries have now adopted the standard and guide as their own national standards, including Australia, Canada, Russia, China, the UK, France and Japan. Last year the USA also adopted them as its national standards under the ANSI/ASSE Z690 series.

It is therefore highly regrettable that COSO now proposes to use out-dated and anachronistic concepts and language in relation to risk and control rather than aligning itself to the globally accepted standard. In the appendix to this submission I discuss the major problems and suggest how simple changes could be made that will significantly enhance the current draft.

I would implore COSO and the authors of this document to take this opportunity to reduce the burden on industry and avoid perpetuating further ambiguity and confusion. Your document will become so much clearer and easier to use if you simplify and align your language on risk and its management with the international standard. It will also gain much wider acceptance.
Grant Purdy
Associate Director
BROADLEAF CAPITAL INTERNATIONAL

Broadleaf Capital International Pty Ltd, 2012. COSO IC Draft_comments_Mar12_ver0.docx, page 1 of 13, 30 March 2012, 12:29 PM.
COSO
Revision to the Internal Control Framework, 29 March 2012

Appendix A: Detailed Comments and Solutions

The draft Executive Summary and Framework documents repeat the same discussions and text about risk and control in many places. Rather than deal with every instance, I have commented here on the general concepts and issues and suggested practical and simple solutions to the problems. These should be applied throughout the documents in a consistent manner.

Concept or Issue: The definition of risk

Problems: The definition that risk is "the possibility that an event will occur and adversely affect the achievement of objectives" suffers from many problems.

It confuses the way we measure risk (possibilities and outcomes) with the way we characterise it in terms of what could happen and what it could lead to (in terms of effect on objectives).

Using "event" within the definition also focuses attention on specific events that may never occur. When we describe things that might happen we are only seeking to characterise risk using exemplars and surrogates for what could happen. It actually does not matter what this exact event is; it is the effects on our objectives that are important. Focussing on events is bad risk management and creates a myopic organisational culture. Most people also consider events to be single, acute occurrences. However, many of the risks we face are associated with existing or slowly changing situations and circumstances.

Associating risk with an adverse outcome denies the reality that organisations actively seek risk and expose shareholders' and stakeholders' capital to risk to achieve benefits and returns. If risk is bad, then removing all of it would be really good. This is clearly not the case.

The final problem is that it is not the definition now used globally for risk, which is enshrined in the international standard and in many national standards.

Solution: It would be so much simpler if the COSO document adopted the ISO definition of risk: that it is "the effect of uncertainty on objectives". This definition fits the concepts in the COSO document wonderfully and avoids all the problems inherent in the current one.

Quite rightly, the ISO definition focuses an organisation's attention on the sources of uncertainty that affect its objectives rather than on separate, hypothetical events. This means that the resulting controls are broadly based and don't just attempt to deal with isolated situations. I am sure that this is what COSO desires.

Concept or Issue: How risk comes about and what it is

Problems: The overriding impression given in the documents is that risk already exists and that the organisation has to find out how it can achieve its objectives against the pre-existing background of risk. This is not just wrong, but it also motivates the wrong types of behaviour and culture. This problem is exacerbated by terms such as "risks that may occur", which confuses risk with events and their outcomes. Risk is risk, and suggesting that risk might have a "velocity" or "persistence" creates an even more confusing concept. Those terms only apply to outcomes and consequences, not to risk at this moment in time.

Solution: All organisations are exposed to internal and external factors and influences that make it uncertain whether, when and to what extent they will achieve or exceed their objectives. The effect this uncertainty has on the organisation's objectives is risk. The crucial concept that the COSO document needs to clearly explain is that risk comes about when a decision or action is taken based on deficient information in support of objectives. If there are no objectives, there cannot be risk. If objectives exist but we do not take any decisions or actions in relation to their achievement, then the deficiency of information is irrelevant.

The COSO document should make clear that risk is neither negative nor positive. However, the consequences associated with risk can be either beneficial or detrimental. These can be experienced from the time the decision or action is taken until some time in the future when either the objectives are achieved or modified. Whether the consequences are beneficial or detrimental may not be known when the decision or action is made. Similarly, we may not know their magnitude or nature.

The COSO documents should make sure they do not use language that suggests risk is:
- an event;
- a consequence;
- a likelihood;
- a vulnerability;
- an exposure;
- a hazard, a threat or an opportunity;
- a risk source;
- a metric.
They should not say that risk "occurs" or "will eventuate".

Concept or Issue: Risk and level of risk

Problems: The documents confuse risk and how it is measured. This stems from the confusing definition used. They are separate concepts and need explanation. Using the term "risk" to mean both the risk and its level is unhelpful.

Solution: The documents should take care to clearly distinguish what is a risk and what is its level. They could adopt the definition of level of risk as "the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood".

Concept or Issue: Opportunities

Problems: The documents mention opportunities as being the opposite of risks and say that identifying opportunities is not part of Internal Control.

Opportunities, like threats, are sources of risk but are not risks themselves. They cannot be the opposite of risks. Controls have to work both to reduce the likelihood and consequence of loss and also to promote the chance and magnitude of gain. After all, controls are there to enable the organisation to achieve its objectives. Risk management is concerned with supporting decisions so that the organisation creates the optimal level of value. This must involve not only avoiding losses but also seeking gains. Also, surely, controls and the concept of Internal Control must be concerned with assisting an organisation to achieve all its objectives, not just those framed in terms of the avoidance of harm and loss. Unless the documents explain how Internal Control is a process of optimisation, not minimisation, the concept will remain irrelevant and separate from the central concepts of enterprise and business.

Solution: Opportunities are just a source of risk where the organisation can gain advantage and create value. They often present the possibility of detriment as well as of benefit, and in making decisions on how to deal with these, organisations have to conduct an analysis of costs and benefits in order to develop an approach that leads to net benefit overall.

Leaving opportunities out of the equation is both nonsensical and unrealistic: this is not how organisations operate. Similarly, having different processes for threats and opportunities does not make sense and just creates difficulties for decision makers. If COSO wants its Internal Control framework to be a tool that is used every day and is relevant to all forms of decision-making, then it has to remove this restriction. Of course, this then means moving to a broader and more balanced definition of risk, as I have suggested above.

Concept or Issue: How do you analyse risk and express its level?

Problems: I'm afraid that the documents have fallen into the same trap we have seen before with the COSO ERM Framework. The level of risk is not estimated by considering the likelihood of an event and the consequences that might occur. This produces an unrealistic overestimate that fails to properly consider chance and the effect of existing controls. The level of risk is always expressed in terms of the likelihood of some type of consequences, such as $ per year or fatalities per decade, and the computation has to be consistent with those units. To arrive at the likelihood of the designated consequences requires a conditional probability to be applied to the event frequency. Using the event frequency on its own will overestimate the level of risk. The prescription given in the drafts leads to what are known as "phantom risks", and these are at such elevated levels as to be irrational and unbelievable.

Solution: Quite simply, the formulation given has to be that the level of risk is estimated by combining a chosen measure of a type of consequences with a measure of their likelihood. This should be specified when risk criteria are derived in the "establish the context" step before risk assessment. You should also note that this is often not a simple product, and the equation risk = consequences x likelihood (or impact x probability) is often invalid.
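The conditional-probability point is easiest to see with numbers. The following is a worked example added here; it is not part of the submission, nor taken from the COSO or ISO documents. The phishing scenario, its event frequency and its consequence bands are constructed for illustration, and each band's conditional probability is taken to already reflect the controls now in place. The code expresses the level of risk in the units the author insists on (a frequency for each type of consequence, and $ per year overall) and sets it beside the "event frequency x worst consequence" formulation that produces phantom risks.

```python
"""Level of risk as the frequency of each consequence, not the event frequency alone.

Added worked example (not from the submission). All scenario numbers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConsequenceBand:
    """One type of consequence an event can lead to, with existing controls in place."""
    name: str
    loss: float           # $ per occurrence of this consequence (constructed)
    p_given_event: float  # P(consequence | event), given the controls now in place


def validate_bands(bands):
    """Conditional probabilities must be non-negative and sum to at most 1.

    Any unassigned probability mass is 'event occurred, no consequence of interest'.
    """
    total = sum(b.p_given_event for b in bands)
    if any(b.p_given_event < 0 for b in bands) or total > 1.0 + 1e-9:
        raise ValueError(f"conditional probabilities sum to {total}, expected <= 1")
    return total


def consequence_frequency(event_freq, bands):
    """Frequency (per year) of each consequence: event frequency x P(consequence | event)."""
    validate_bands(bands)
    return {b.name: event_freq * b.p_given_event for b in bands}


def return_period_years(event_freq, band):
    """Mean years between occurrences of this consequence (None if it cannot occur)."""
    f = event_freq * band.p_given_event
    return None if f == 0 else 1.0 / f


def expected_annual_loss(event_freq, bands):
    """Level of risk in $ per year: the sum over consequences of frequency x loss."""
    validate_bands(bands)
    return sum(event_freq * b.p_given_event * b.loss for b in bands)


def phantom_risk(event_freq, bands):
    """The formulation objected to above: event frequency applied to the worst consequence."""
    return event_freq * max(b.loss for b in bands)


# Constructed scenario: credential-phishing emails that reach staff, about one a month.
PHISHING_EVENTS_PER_YEAR = 12.0
PHISHING_BANDS = (
    ConsequenceBand("reported or blocked, no loss", 0.0, 0.80),
    ConsequenceBand("single mailbox compromised, cleanup", 5_000.0, 0.17),
    ConsequenceBand("lateral movement, business disruption", 250_000.0, 0.029),
    ConsequenceBand("major data breach", 4_000_000.0, 0.001),
)


if __name__ == "__main__":
    for name, f in consequence_frequency(PHISHING_EVENTS_PER_YEAR, PHISHING_BANDS).items():
        print(f"{name:45s} {f:8.3f} per year")
    loss = expected_annual_loss(PHISHING_EVENTS_PER_YEAR, PHISHING_BANDS)
    phantom = phantom_risk(PHISHING_EVENTS_PER_YEAR, PHISHING_BANDS)
    print(f"level of risk (expected loss):  ${loss:,.0f} per year")
    print(f"phantom risk (freq x worst):    ${phantom:,.0f} per year")
```

With these constructed figures the major breach has a frequency of 0.012 per year (a return period of roughly 83 years) and the level of risk is about $145,000 per year, whereas applying the event frequency to the worst consequence yields $48 million per year, the kind of figure the author calls irrational. The conditional probabilities are where the effectiveness of existing controls enters the estimate; changing a control means re-estimating them, not discarding them to compute some "inherent" figure.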
Concept or Issue: Events

Problems: I've commented above on the definition of risk and how this must not focus attention on the identification of events but on the sources of uncertainty and their effect on objectives. Events will occur, and when they do so the internal control framework should respond by using them as a means to understand if the existing controls were adequate and effective. This should be part of the monitoring element of the process. However, this "lessons learned" activity is not mentioned at all, which is a major omission.

Solution: An event is something that happens, and the COSO documents should make it clear that an event is not a risk. The ISO standard defines event as "occurrence or change of a particular set of circumstances". This seems an ideal and simple definition that the COSO documents could adopt. It covers acute situations as well as continuous and emerging circumstances. The section on monitoring should include the investigation of events and incidents to determine how existing controls performed and how they could be improved. Normally this will involve the application of a systematic process of root cause analysis.

Concept or Issue: Static vs. dynamic

Problems: The COSO documents seem to suggest that periodic risk assessment is enough for the organisation to ensure its objectives are protected. The documents do mention monitoring for changes, both internal and external, but seem to miss the point that risk comes about through the decisions the organisation makes in response to change, not the changes themselves. While it is useful to establish a baseline risk profile and thereby define the organisation's critical controls, this periodic activity does not enable the organisation to respond to change before or when it occurs. Currently the document portrays a largely static process, not one that responds dynamically to the needs of decision makers. As the COSO ERM Framework reminds us, the process for the management of risk, including risk assessment, must be integrated into the organisation's system of management, particularly in those processes that are concerned with decision-making. This means that risk assessment and risk treatment are continually applied and are invoked by the need to make a decision. They should not only or mainly occur because of a periodic review.

Solution: The COSO documents should stress that an Internal Control framework must be dynamic and allow an organisation to respond to change by supporting decisions on how to respond to and manage those changes. This is its primary function. The documents should place less emphasis on periodic reviews and more on using risk assessment to support decisions. The point should be made that risks come about when decisions are made against a background of uncertainty.

Concept or Issue: Risk assessment is just one part of the risk management process

Problems: There are some considerable similarities between the COSO Internal Control process and the normally encountered risk management process. Both involve gathering information on the organisation, its objectives and existing control environment, the conduct of risk assessment leading to actions leading to better controls, and then their monitoring and review. Both also involve communication with stakeholders. However, the COSO cube model and the descriptions seem to suggest that this is a once-through process. They really need to stress that there is a cyclical and interactive process and that the layers of the cube are not supposed to mean that the steps always occur in that order and that one pass only is required.

Solution: Keep the cube if you must. But please explain that before risk assessment can take place, both the external and internal factors that affect the organisation and its objectives must be carefully identified and their implications appreciated. Also please emphasise that the monitoring and review step should not only consider controls but also changes to the external and internal environments that will change risk and hence will require a reassessment and possibly revised or fresh controls. Finally, please stress that this is an interactive and repetitive process and not once-through as the cube suggests. Better still, adopt the internationally accepted diagram for the process as shown below.

[Figure: the ISO 31000 risk management process. Establish the context; Identify the risks; Analyse the risks; Evaluate the risks; Treat the risks. "Communicate and consult" and "Monitor and review" run alongside every step.]

Concept or Issue: Where does communication come in the process?

Problems: I think we all understand that stakeholders have a right to be involved in the risk assessment and control processes and that we gain from that involvement. However, the cube diagram and the order of the elements will motivate organisations to think of the communication step as just about reporting. This weakness, as found in the previous COSO frameworks, then supports a culture of "report and forget", where risks are identified and then passed on and up without a proper assessment or treatment.

Solution: The documents should stress that communication should be planned and should occur throughout the Internal Control process, not just after risk assessment and risk treatment as shown in the cube. A good solution would be to add consultation to communication and move the step further up your cube. The best solution would be to use the internationally accepted diagram shown above.

Concept or Issue: Risk assessment: what it comprises

Problems: The drafts often use the phrase "identify and assess risks". However, risk assessment includes risk identification. It also includes risk analysis and risk evaluation. In the (long) past we used "risk assessment" instead of "risk evaluation". However, the intermediate step of risk analysis is vital to develop a sufficient understanding of the risk so that it can be treated and new or revised controls are fashioned and implemented.

Solution: Revise to either "assess risks" and give the definition of risk assessment as "the overall process of risk identification, risk analysis and risk evaluation", or revise all uses of the phrase to "identify, analyse and assess risks".

Concept or Issue: Control: noun or verb?

Problems: The drafts continue to use the term "control" ambiguously. Undoubtedly controls can involve processes, but we all get very confused using the same term for the thing that modifies a risk as well as for the activity that involves treating risk, checking controls and giving assurance.

Solution: Limit the use of the term control to mean "any process, policy, device, practice, or other action that modifies risk". These are things that can be assured through an audit program or by control checking or self-assurance. Controls are things in place that modify risk. These are things that act to help us achieve our objectives and are controlled by the organisation. They are enablers: they help us modify the effect of uncertainty on our objectives. This concept fits beautifully with the basis for Internal Control.

Concept or Issue: How we deal with risk

Problems: The drafts use the terms "respond" and "responses" as well as "mitigate" and "mitigation". They also on occasion use the term "manage" in the same context. Importantly, "risk management" should be used to describe the organisation's whole approach to dealing with risk and should not be used just for this step of the process.

The documents suggest that we can deal with risk by: Acceptance; Avoidance; Reduction; Sharing. These only treat the risk as a negative concept and are not that helpful. Putting Acceptance at the beginning suggests that it is the first choice rather than the least preferred option.

Solution: After a long search the working group drafting the ISO standard settled upon the term "risk treatment" to describe this step in the process. "Risk response" is preferred by some organisations, but "risk mitigation" is increasingly not used, for the reasons given below. Mitigation implies that risk is bad, and this is not so. Risk is neutral; the consequences you choose to characterise it by may be couched in negative or positive terms depending on your objectives. Also, mitigation applies to the consequences and not their likelihood. It should also be noted that controls are the outcome of this risk treatment, and this needs to be said clearly in the documents. The purpose of the actions taken to deal with unacceptable levels of risk is to modify them. This may involve increasing or decreasing the level of risk or changing its nature. A neutral term is needed to describe this activity.

The options for risk treatment given in the international standards have gained wide acceptance; they deal with all types of risk and are in the correct order. I would therefore strongly urge you to use:
a) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
b) taking or increasing the risk in order to pursue an opportunity;
c) removing the risk source;
d) changing the likelihood;
e) changing the consequences;
f) sharing the risk with another party or parties (including contracts and risk financing); and
g) retaining the risk by informed decision.

Concept or Issue: Risk tolerance, risk appetite, risk acceptance and risk criteria

Problems: Confusion reigns when it comes to these terms. The COSO ERM Framework provides two definitions for risk appetite, the Basel requirements[1] give different definitions and say they mean the same, and regulators throughout the world are now asking for "risk appetite statements" without knowing what they are and why they need them. The documents only use the term "tolerance", which will add to the confusion. The documents mention acceptance of risk in terms of achieving a set level or target, but this is rarely the case. Risk criteria are rarely set as fixed points or even curves.

Solution: The documents should define tolerance and preferably also explain how risk criteria are developed as a precursor to risk assessment. Risk criteria are "terms of reference against which the significance of risk is evaluated", and they should embody the organisation's appetite for risk. The documents should explain that risk tolerance is linked to acceptance and is the organisation's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. The documents should also explain that ultimately most decisions to accept risk are based on an analysis of the costs associated with achieving a change in the level of risk when compared with the benefits of that change. Costs and benefits include both quantifiable and unquantifiable elements and also direct and indirect components. The documents should say that the decision to tolerate (or accept) a level of risk is based on the recognition that further risk treatment will not lead to any net improvement in value or benefit to the organisation.

Concept or Issue: Inherent, target and residual risk

Problems: It is sad to see that the authors of the draft documents still subscribe to the need to estimate some "inherent" level of risk. I thought we had all grown out of this unnecessary and confusing concept. Risk is risk, and organisations and their oversight bodies need to know what the level of risk is now, not at some hypothetical point in time when all controls have disappeared. There are not different types of risk. There is just the risk now.

Most importantly, we do not need this concept either to understand risk or to define better or improved controls. Spending time defining a level of inherent risk is a waste. This has been carefully explained in many other places, most notably in the Institute of Internal Auditors Global Research Foundation Handbook HB 158:2010, called "Delivering Assurance".[2]

There is also little real value in expressing some "target" level of risk, as suggested. As discussed above, an acceptable or tolerable level of risk is generally obtained through the analysis of the costs and benefits of further risk treatment, not by achieving some set point. In fact, practice seems to suggest that organisations that express a target level of risk somehow assume that they have already achieved it, and hence the risk treatment actions get neglected. It seems that this measure creates a false sense of security and can actually demotivate additional action.

Finally, it should be noted that the term "residual risk" is not the level of risk now, taking into account the current controls and their effectiveness. It is the eventual level of risk that the organisation accepts or tolerates because no more risk treatment is justified.

Solution: The documents should encourage the recognition and honest assessment of the effectiveness of existing controls as part of risk analysis. This should then lead to an estimate of the current level of risk. The IIA-recommended measure to assist in planning audits and assurance activities is "Potential Exposure". That is, in effect, the inherent consequences part of inherent risk. The documents should mention this valuable concept and how it can be used in the monitoring step to plan assurance activities and audits.

The term "residual risk" should only be applied to the level of risk that remains after all risk treatment has ended. It is the level of risk that the organisation finds acceptable and is prepared to tolerate. The ISO definition of residual risk is "the risk remaining after risk treatment".

In summary, the documents should explain that the objective of risk analysis is to develop an understanding of the risk so that it can be treated. This should be achieved by using the organisation's risk criteria to evaluate the effectiveness of the current controls, the current level of risk given those controls and their effectiveness, and also the Potential Exposure.

Notes

1. Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches. Basel Committee on Banking Supervision, Bank for International Settlements, Basel, June 2011.
2. HB 158:2010, Delivering Assurance Based on ISO 31000:2009. Standards Australia and the Institute of Internal Auditors, Sydney, 2010. ISBN 0 7337 7843 7.
Appendix B: Résumé for Grant Purdy

Grant Purdy has worked in the practical application of risk management for over thirty-five years. During that time he has worked in over 25 countries as a government inspector, business manager, consultant and a manager of risk management. Grant is now an Associate Director of the consultancy group, Broadleaf Capital International. Previously he was the Group Manager of Risk Management at BHP Billiton, the world's largest resource sector company. While there he led the team that created the framework for risk management that is now recognised as world best practice in the resources sector.

Grant now works with a wide range of organisations, helping them develop and enhance ways to manage risk in support of the decisions they make. This involves mentoring, training and advice, predominantly with senior managers and Boards. His clients include large international groups such as Xstrata and Anglo American and large national government bodies such as Eskom and Transnet in South Africa and the Abu Dhabi Department of Transport. He also works with small organisations, particularly those in the not-for-profit sector.

Grant has been a member of the Standards Australia and Standards New Zealand Joint Technical Committee on Risk Management for over ten years and was its chair for the last seven. He is co-author of the 2004 version of AS/NZS 4360 and has written many other risk management handbooks and guides. He also was the nominated expert for Australia on the Working Group that prepared ISO 31000 and Guide 73 and now is Head of Delegation for Australia on ISO PC 262, which is preparing ISO 31004, the implementation guide to ISO 31000.