Farewell, COSO Cube

Are you familiar with the COSO cube of Enterprise Risk Management? First released in 2004 by a consortium of five accounting trade associations, the framework has survived twelve long years of volatility by virtue of its utility and simplicity.

As a three-dimensional shape, the cube features three sides of guidance that describe how to develop a risk management plan. One side describes the functions that should engage in risk management work. A second side describes the organizational levels that should be responsible for doing so.

And a third side is the most valuable one of all. It lists the eight tasks that any entity should complete in order to prepare a comprehensive risk management plan. The middle four tasks are the stand-outs.

And what are they? The entity should begin by identifying as many potential problems as possible. Then it should “red flag” the highest priority problems. Then it should develop response activities to limit the damage that would occur if these problems are not prevented. Finally, it should develop preventive control capabilities to reduce the likelihood that these problems might occur in the first place.

Simple and yet useful, eh? That’s exactly why the cube has lasted as long as twelve years. So, last month, when COSO released an exposure draft of its new framework, accountants and risk managers around the world eagerly scrolled through it to view the new and improved cube.

And guess what they found? The cube has vanished! There is now a three-part arrow that appears to be piercing the open hole of a five-color doughnut. Each color represents a component of risk management activity. And there are 23 (yes, 23) principles that support the five components.

Got it? If you’re thinking “not exactly,” you might wish to compare the old 2004 executive summary with the new 2016 exposure draft summary. By all means, ask yourself whether the new version — in all its complexity — represents a step forward or a step backward. Either way, it does appear that our accounting profession is about to say farewell to the COSO cube.

Power Blackout: Mark Your Calendars!

Why do the managers and employees of our electrical energy companies always seem to be taken by surprise when catastrophic events black out the power grid?

In retrospect, so many of their improvised responses seem feckless. Who can forget the awkward attempts of the Japanese military to drop giant buckets of water from helicopters on the Fukushima nuclear power plants?

And what of Connecticut Governor Dan Malloy during the blizzard of Fall 2011? He demanded that utility executives meet their own self-defined deadline in the aftermath of the storm, and then reacted with frustration when they failed to do so.

If you have felt enraged by the inability of the power companies to plan for such events, you’ll be pleased to learn that they are taking steps to address these challenges. For instance, on November 13, the North American Electric Reliability Corporation (NERC) will conduct a simulation exercise called GridEx to practice its planned response to a massive cyber security attack.

Simulation exercises, of course, are not always constructive planning activities. Some of these protocols, such as the one that Tokyo’s Tama Zoo utilizes to practice its responses to dangerous animal escapes, have become exercises in silliness. But a serious simulation activity can help any organization identify weaknesses in its own emergency response plans.

In fact, the risk response planning process is a core activity of the COSO integrated framework of Enterprise Risk Management. It’s embedded in the front of COSO’s iconic cube as the fifth of eight core steps.

So on November 13, if you hear a news update about a power blackout, please don’t panic … it’s just a drill! And in fact, it will likely help the electrical energy companies respond to a crisis during the next monster storm.

Goldman Sachs’ Risk: The Press Hates Us!

If you were Goldman Sachs CEO Lloyd Blankfein, what would you be doing right now?

No, this is not a personal question, though you might enjoy speculating about how you’d spend the $53.4 million bonus that Blankfein earned in 2006. This is a business question: how would you spend your time?

Considering the overwhelming levels of instability and volatility that percolate throughout the world of global finance, you would probably spend a lot of time worrying about risk. But what type of risk would you focus on?

The risk that Goldman’s investment portfolio might (once again) plummet in value? Or that a critically important external party doing business with Goldman, like AIG, might (again) collapse? Or that the global economy might lurch into a double dip recession and drive up losses?

All of these risks are undoubtedly high on Blankfein’s list, but Goldman surprised the financial world last week by publicly acknowledging a different concern. Namely, they proclaimed that bad publicity represents one of the most significant critical risk factors they confront today.

A Long History

In a sense, Goldman’s pronouncement about bad press places them squarely within a longstanding tradition of blaming the messenger, a game that numerous people and organizations have played over decades of mass media coverage. For instance, General Motors spent years complaining that the press refused to cover news about their improving product lines, even as they blindly fell through their fiscal black hole towards bankruptcy. And President Richard Nixon once bitterly proclaimed that the press “won’t have Nixon to kick around any more” after he lost the 1962 election for Governor of California.

Nevertheless, public relations specialists have long (and accurately) noted that mass media strategies are often highly effective mechanisms for managing risk. Nixon himself once sidestepped calls for his resignation from the Vice Presidency of the United States by making a national televised speech about Checkers, his family’s pet dog. And firms like McDonald’s have skyrocketed to global dominance on the strength of mass media campaigns that feature McDonaldLand characters like Ronald McDonald, Mayor McCheese, and the Hamburglar.

So it’s no surprise that a global firm like Goldman Sachs, one that epitomizes the type of aggressive Wall Street investment house that made billions of dollars on risky trades and then received billions more in government bailout funds, would worry about bad publicity. But why would they publicly acknowledge their concerns about such a risk?

Going Public

Goldman’s decision to “go public” in a media sense with their concerns about poor publicity can actually be traced back to its 1999 decision to “go public” in an ownership sense. It was then, at the peak of the Clinton era bubble in technology and finance, that the private partnership of Goldman Sachs decided to launch an Initial Public Offering of its shares to public investors.

At the time, that decision was perceived as a brilliant feat of financial timing and engineering, considering that Goldman received top dollar for the sale of its own stock near the peak of a stock market bubble. But by becoming a publicly traded firm, Goldman voluntarily agreed to accept a wide range of disclosure requirements that are imposed by the U.S. Securities and Exchange Commission on all public corporations.

One particular disclosure requirement involves the need for publicly traded firms to issue periodic financial statements to the public, accompanied by a retrospective management discussion and analysis of historical trends and a prospective assessment of significant risk factors. As a public company, Goldman was required to file its annual report (known as a Form 10-K) last week, and thus was compelled to disclose the risk of bad press in the section that contained their assessment of risk factors.

The COSO Cube

Of course, the simple disclosure of a risk in a Form 10-K does not necessarily shed light on why a firm is compelled to disclose it in the first place. In other words, firms are not necessarily required to reveal their internal risk management deliberations, nor to describe how they reached a decision to “go public” with certain concerns by adding specific issues to their disclosures of significant risk factors.

To glean some insight into how such decisions are made, it is necessary to understand the integrated framework of Enterprise Risk Management that has been developed by the American accounting profession. COSO, a consortium of five major accounting trade organizations, has developed a three-dimensional cube that describes this decision-making process.

The process doesn’t contain any surprises. It simply emphasizes the need to understand one’s internal environment and business objectives before identifying specific risk factors, and then to prioritize and focus on factors that cannot be addressed easily through crisis prevention or response activities.

Thus, Goldman must now believe that its internal people and priorities will inevitably continue to place them at risk of incurring public enmity; they must also believe that there is relatively little that they can do to prevent or address such events. In other words, Blankfein himself must be looking forward to many more days of bad publicity in the future.