Thursday, October 7, 2010

5 Minute Risk Audit


by Rick Nason, PhD, CFA
Partner, RSD Solutions Inc.

Met with a senior risk manager last week for breakfast.  They have a very hectic job.  Lots of reports and analysis to do for the quarterly report for senior management and then an annual report for the Board.  Lots and lots of reports and analysis.  Templates to fill in, data to collect, charts to be drawn, results to be collated, definitions to be defined and disseminated, etc.  A 24/7 job.

What if things change?  What if a paradigm-changing event happens whereby management and/or the Board needs a risk status now?  Can your firm do a 5 minute risk audit?  Will your firm know where it stands on a real-time basis, or do you need to wait to see the quarterly report (or perhaps even the annual report)?  What is in the 5 minute report?  Will your 5 minute risk audit be up to the task?

Monday, October 4, 2010

Rejigging COSO (Vicente Series Part 6)


by Rick Nason, PhD, CFA
RSD Solutions Inc.

I have never been a huge fan of the COSO framework (or any framework for that matter – see my presentation Get Creative or Take the Risk, which was presented at the 2008 Treasury Management Association of Canada’s annual conference: http://www.rsdsolutions.com/rick-nason039s-presentation-slides-tmac-annual-conference-2008).  Despite that, the COSO framework is still the basis for most Enterprise Risk Management systems.

Admittedly, the COSO framework is one of the best frameworks out there, and it certainly is comprehensive.  (That tends to happen when a system is designed by a committee of consultants who do not have to worry too much about implementation.)

We are all familiar with the three-sided COSO cube.  One side of the cube of course has the delineations of: 1. Entity Level, 2. Division, 3. Business Unit and 4. Subsidiary, for which each of the functions of risk management is to be examined and implemented.

In The Human Factor, author Vicente offers up what he calls the “Human-Tech Ladder”, which describes the ways that humans interface with technology.  Vicente’s steps are: 1. Physical, 2. Psychological, 3. Team, 4. Organizational, and 5. Political.  I propose that these are much better delineations for the COSO framework than the ones presented in the previous paragraph.

A risk system should be usable (Physical), deal with the individual (Psychological), deal with group interactions (Team) and organizational factors (Organizational), and also incorporate factors from the broader aspects of the marketplace and society (Political).

For most organizations this is a much more effective conceptual framework of risk units, and much more implementable.  Perhaps it is time to form another working committee.