You may be shocked to learn that I have finally read something published by and related to COSO which is worth your time to read. (If you’re familiar with Riskczar’s Blog, you would know that I rag on the COSO ERM Framework anytime I get the chance.)
COSO’s Embracing Enterprise Risk Management: Practical Approaches for Getting Started by authors Frigo and Anderson may not be earth-shattering, but it is as good as anything out there on the topic of implementing ERM.
The paper focuses on the behavioural side of implementing ERM, which is where I lay my hat. One of the greatest complaints about the COSO ERM framework by many (read: most) organizations in the past was that this Framework told you what ERM needed but didn’t actually provide any guidance on how to actually implement it. If you had the time to get through hundreds of pages of text, boring graphics with arrows and boxes, and mentions of the culture, you were more likely to bang your head into the wall like Dobby from Harry Potter than successfully implement ERM.
It’s always been my approach that implementing ERM is really an exercise in change management. To that end, many professional accountants (read: most) and financial professionals with risk management experience lack the required skill set to successfully implement an ERM program.
This paper essentially says: start small, take your time and get buy-in. And anyone familiar with implementing any change effort knows this is the way to go. Embedding risk management as a systematic capability is no different than getting everyone in the office to use the new ERP system or getting a hockey team to start playing a defensive style under a new coach. It takes leadership to get buy-in and not multi-coloured 3-D boxes like that COSO Tetris cube.