The Problems That Plague Us

Imagine this scenario. One terrible morning, you wake up with a shooting pain in your chest, a badly leaking roof on your house, and a text message on your mobile device that you lost your job.

What would you do? Undoubtedly, you would prioritize. First, you would go to the emergency room. If your diagnosis is “merely a bad case of indigestion,” you would quickly patch the roof with a temporary plug. Then you would get your resume in order and change your LinkedIn status to “available.”

After a couple of days, what would you do? You would reassess your risks and reprioritize these challenges. Is your indigestion now chronic and severe, making it impossible for you to get any sleep? It might become your short term priority. But what if the temporary roof patch is leaking badly? Then you might shift gears and focus on a more permanent solution.

Finally, what if you learn that you are about to receive no severance pay and no continuation of employer-paid health benefits? Then a new job – any new job – might become your top priority.

You would not actually attempt to manage all concerns simultaneously. Multi-tasking, after all, is not a feasible strategy because it prevents you from focusing on any single consideration. Instead, you would frequently reassess each of your concerns and continually shift your attention to the issue that represents your new immediate priority.

Analogous challenges now confront us at the global level. Instead of confronting the personal risks of heart and digestive failure, house infrastructure failure, and job failure, we are confronting the communal risks of coronavirus, wildfires and hurricanes, and economic recession. How can we possibly solve all problems simultaneously?

Indeed, we cannot solve them all at once. Not if we wish to “do it well.” Thus, we must be prepared to frequently reassess these crises and then refocus on our reframed priorities.

This sounds like a game of Whack-A-Mole, doesn’t it? Over time, though, the proverbial “moles” may become progressively smaller, and we may expend considerably less energy when we deliver each “whack.”

We can, indeed, find guidance to help us plan this approach. Page 7 of the Executive Summary of COSO’s 2017 Enterprise Risk Management: Integrating with Strategy and Performance lists twenty practices for managing risk. The eleventh through thirteenth practices are: Identifies Risk, Assesses Severity of Risk, and Prioritizes Risk.

As a society, we have already identified the crises that bedevil us. But there is no national strategy for assessing and prioritizing the problems, and thus no plan for expending scarce resources on potential solutions.

If we can simply apply the proven COSO guidance to the challenges that now face us, we may be able to devise effective solutions. If we cannot, we will continue to lurch from crisis to crisis, unable to solve the problems that plague us.

Accounting for Coronavirus Risk

As Queen Elizabeth makes her emergency address to the British people from her safe zone in Windsor Castle, and as the U.S. Surgeon General Jerome Adams warns the American people of an impending “Pearl Harbor Moment,” is it reasonable to ask why governments and businesses were caught blindsided by the coronavirus catastrophe?

Perhaps it’s unfair to expect foresight in the face of such a menace. But why weren’t health care providers and other organizations prepared to respond promptly? Why the shortages of such basic items as face masks and nasal swabs? Where was the contingency plan to increase production of such essentials at a time of dire need?

If we review the reporting standards of the Global Reporting Institute (GRI), we can find disclosure requirements that address these readiness considerations. GRI Standard 204 on Procurement Practices, for instance, states that:

“When reporting its management approach for procurement practices, the reporting organization can … describe actions taken to identify and adjust the organization’s procurement practices that cause or contribute to negative impacts in the supply chain … (these) can include stability or length of relationships with suppliers, lead times, ordering and payment routines, purchasing prices, changing or cancelling orders.”

Consider the many health care providers that rely on unstable Asian suppliers to provide face masks under terms that permit long lead times, uncertain ordering routines, and the imposition of extreme price increases when products are scarce. If they are required to disclose these procurement relationships under GRI Standard 204, we would be aware of the resulting social risk.

Likewise, GRI Standard 403 on Occupational Health and Safety states that:

“The reporting organization shall report … whether the (occupational health and safety management) system has been implemented based on recognized risk management and/or management system standards / guidelines and, if so, a list of the standard guidelines.”

Consider the employees of our food and delivery companies who are now protesting that their employers are not providing satisfactory protections against the coronavirus. If the employers are required to disclose the standards and systems that they utilize to keep their employees healthy and safe, we would be aware of the extent of their preparedness (or lack thereof) in the face of pandemic threat.

There are other GRI Standards that come close to addressing pandemic concerns, but that fall just short of the mark. GRI Standard 201 on Economic Performance, for instance, states that:

“The reporting organization shall report … risks and opportunities posed by climate change that have the potential to generate substantive changes in operations, revenue, or expenditure, including a description of the risk … a description of the impact associated with the risk … the financial implications of the risk … the methods used to manage the risk … (and) the costs of actions taken to manage the risk.”

Although Standard 201 refers to climate change, it would represent an ideal disclosure requirement for pandemic preparedness if the GRI simply adds the words “and pandemics” to “climate change.”

It may be comforting to know that disclosure defining entities like the GRI have issued standards that address our readiness to fight the current pandemic. But we cannot reap the benefits of these disclosure requirements if organizations simply ignore their reporting responsibilities.

Finally, Delta Airlines May Be Taking A Reasonable Approach To Solving Its Second Amendment Conundrum. Did It Act Too Hastily The First Time?

It’s difficult to avoid feeling a little sympathy for Delta Airlines, isn’t it? First, gun control advocates threatened to boycott the airline for offering a routine corporate air fare discount to members of the National Rifle Association (NRA). Then, after Delta rescinded the discount in the wake of the latest school shooting event, the conservative Republican government of its home state of Georgia retaliated by rescinding its corporate tax break!

So what’s an airline to do? Grant a routine discount and be attacked for supporting gun rights? Or rescind that very discount and be attacked for opposing the Second Amendment?

Fortunately, airline management may have finally decided upon a reasonable approach with its declaration of a new corporate policy. Delta announced that henceforth it would avoid granting fare discounts to “any group of a politically divisive nature.” It then commenced an internal review of all of its discount arrangements in order to identify any such groups.

Had such a policy been already in place, the NRA discount would not have been offered in the first place. The reason? A general corporate policy of non-partisanship, as opposed to any specific antipathy towards the NRA.

It is indeed a reasonable approach, isn’t it? So reasonable, in fact, that one can only wonder why Delta didn’t hold off on its hasty NRA discount rescission announcement until it could complete its internal review in accordance with its new policy.

Perhaps Delta rushed its announcement because of a desire to stem all criticism immediately. But had it waited to complete its internal review, the criticism may have only continued for a relatively brief amount of time. Indeed, it may have then been replaced by praise for crafting a deliberative solution to a thorny problem.

Risk Management: Cubes To Doughnuts

Let’s imagine that your private equity fund is considering a long term investment in an American energy company that ships millions of barrels of crude oil through Philippine waters each year. When Filipino President Duterte unexpectedly calls American President Obama a “son of a whore” while promising to “continually engage China in a diplomatic dialogue rather than anger officials there,” do you change your mind about the investment opportunity?

Under normal circumstances, in order to make an informed decision, you would prepare a valuation analysis that compares the investment’s immediate cost against the present value of its future benefits. But how can you possibly assess its future benefits when massive uncertainty over President Duterte’s evolving foreign policy makes it impossible to render any predictions about the future?

For guidance in managing such risks, we generally turn to the Enterprise Risk Management (ERM) framework that is promulgated by the Committee Of Sponsoring Organizations (COSO) of the accounting profession. The current cube-shaped framework prescribes eight component activities for managing such risks, with Event Identification representing the first of its four central activities.

Indeed, one of the reasons for this framework’s enduring popularity is its reliance on the identification of clearly definable risk events. Thus, when a risk factor can be defined in terms of future discrete events, the COSO cube is a natural choice for risk managers.

Worried about the impact of potential hurricane damage on a waterside property, for instance? A hurricane is a future discrete event. It will either occur or not occur, and the consequences of its occurrence or non-occurrence are relatively easy to estimate. If a hurricane occurs, there will be massive losses. And if not, the status quo will continue unabated.

But what if a risk factor cannot be defined as a discrete event? What if the long term impact of a risk factor depends on slowly evolving circumstances that are extremely difficult to even define, let alone assess? Does COSO have a different framework for such factors?

Yes, it does. A new version of the framework is only available in a draft exposure format at the moment, but it is expected to be finalized shortly. It uses a doughnut symbol, instead of a cube. And although Risk Identification continues to represent an important underlying function of ERM, it no longer appears prominently on the face of its new framework.

Whereas the older cubic framework prescribes a list of eight rigidly defined and sequenced component activities, the newer circular doughnut framework relies on 23 broad principles like “Commitment to Integrity and Ethics” and “Develops Portfolio View.” So, with these two frameworks in mind, let’s think about the political risk that is challenging our private equity investor.

On the one hand, President Duterte’s colorful comments will undoubtedly impact the short term relationship between his nation and the United States. But on the other hand, this relationship will continue to evolve over time, and will be impacted by numerous unpredictable future circumstances. So even though President Duterte’s eventful actions can influence the future Filipino-American relationship, he cannot unilaterally determine it.

That’s why we need a doughnut shaped framework, with its 23 principles, to assess such complicated circumstances. Although the event-centric cubic framework is sufficient for more easily defined risks, the circular framework is required to analyze the complex risks that challenge us in our multi-dimensional environment.

Farewell, COSO Cube

Are you familiar with the COSO cube of Enterprise Risk Management? First released in 2004 by a consortium of five accounting trade associations, the framework has survived twelve long years of volatility by virtue of its utility and simplicity.

As a three dimensional shape, the cube features three sides of guidance that describe how to develop a risk management plan. One side describes the functions that should engage in risk management work. A second side describes the organizational levels that should be responsible for doing so.

And a third side is the most valuable one of all. It lists the eight tasks that any entity should complete in order to prepare a comprehensive risk management plan. The middle four tasks are the stand-outs.

And what are they? The entity should begin by identifying as many potential problems as possible. Then it should “red flag” the highest priority problems. Then it should develop response activities to limit the damage that would occur if these problems are not prevented. Finally, it should develop preventive control capabilities to reduce the likelihood that these problems might occur in the first place.

Simple and yet useful, eh? That’s exactly why the cube has lasted as long as twelve years. So, last month, when COSO released an exposure draft of its new framework, accountants and risk managers around the world eagerly scrolled through it to view the new and improved cube.

And guess what they found? The cube has vanished! There is now a three-part arrow that appears to be piercing the open hole of a five-color doughnut. Each color represents a component of risk management activity. And there are 23 (yes, 23) principles that support the five components.

Got it? If you’re thinking “not exactly,” you might wish to compare the old 2004 executive summary with the new 2016 exposure draft summary. By all means, ask yourself whether the new version — in all its complexity — represents a step forward or a step backward. Either way, it does appear that our accounting profession is about to say farewell to the COSO cube.

Risk Management, Army Style

Are you a risk manager who is tired of reading hyper-technical, statistically dense manuals of corporate policies and procedures? Are you looking for a conceptually vivid and highly readable alternative?

You might be surprised to learn that the United States Army has just released such a text. Army Tactics, Techniques, and Procedures Publication ATP 5-19 walks the reader through a wide variety of high-risk military scenarios, from (a) leading troops in heavy vehicles over bridges in enemy-held territories (see Figure 3-4 on page 3-6), to (b) planning air assaults with attack helicopters and field artillery on insurgent forces that have seized airfields (see Figures 4-1 and 4-2 on pages 4-4 and 4-5).

The fundamental framework of the risk management function closely follows the COSO cube paradigm that defines the business world’s approach to the discipline. For example, each potential risk event is evaluated and assessed in terms of its probability / expected frequency and its severity / expected consequence (see Table 1-1 on page 1-7).

Nevertheless, there are some intriguing differences between the military model of risk management and its analogous business model. For instance, the business model posits that organizations should plan preventive control activities to reduce unacceptably large probabilities, and should plan crisis response activities to manage unacceptable levels of severity.

The Army framework, though, refers to “controls” in a collective manner (see Figure 1-2 on page 1-4). It doesn’t differentiate between preventive controls and crisis response activities; instead, it simply refers to “controls and risk decisions” in a unified manner.

Why no distinction between prevention and responsiveness by the Army? It isn’t entirely clear why the Army adopts this approach, though it does distinguish between “deliberate” (i.e. long term, advance planning) and “real time” (i.e. immediate, time constrained) situations.

Although both situations are addressed in the manual, the vivid examples appear to call for more “real time” decisions, when it can be difficult to differentiate between preventive and responsive activities. Indeed, while crises are exploding around us, all we can do is make quick decisions and take immediate actions, while hoping for occasional opportunities to observe outcomes.

In any event, the Army manual provides a helpful illustrative guide for all risk management professionals. COSO itself has acknowledged public sentiment that its model is “overly theoretical … overly vague … (and) unnecessarily complicated … (producing a) need for more templates and tools to help with the implementation” of risk management. The Army’s ATP 5-19 publication certainly appears to heed the call for such tools.

Power Blackout: Mark Your Calendars!

Why do the managers and employees of our electrical energy companies always seem to be taken by surprise when catastrophic events black out the power grid?

In retrospect, so many of their improvised responses seem feckless. Who can forget the awkward attempts of the Japanese military to drop giant buckets of water from helicopters on the Fukushima nuclear power plants?

And what of Connecticut Governor Dan Malloy during the blizzard of Fall 2011? He demanded that utility executives meet their own self-defined deadline in the aftermath of the storm, and then reacted with frustration when they failed to do so.

If you have felt enraged by the inability of the power companies to plan for such events, you’ll be pleased to learn that they are taking steps to address these challenges. For instance, on November 13, the North American Electric Reliability Corporation (NERC) will conduct a simulation exercise called GridEx to practice its planned response to a massive cyber security attack.

Simulation exercises, of course, are not always constructive planning activities. Some of these protocols, such as the one that Tokyo’s Tama Zoo utilizes to practice its responses to dangerous animal escapes, have become exercises in silliness. But a serious simulation activity can help any organization identify weaknesses in its own emergency response plans.

In fact, the risk response planning process is a core activity of the COSO integrated framework of Enterprise Risk Management. It’s embedded in the front of COSO’s iconic cube as the fifth of eight core steps.

So on November 13, if you hear a news update about a power blackout, please don’t panic … it’s just a drill! And in fact, it will likely help the electrical energy companies respond to a crisis during the next monster storm.