COSOPS is a modified version of the COSO framework applied to public sector organizations. COSOPS highlights internal controls aimed at efficiency, reliability of reporting, and compliance with laws. Key changes include emphasizing public accountability, the role of civil service, fiscal matters, and external oversight, aiming for improvement in public policy functions.
Category Archives: COSO
COSO Competitors
This is the third in a series on internal control. The first blog, Internal Control and COSO, introduced the framework and highlighted some of its shortcomings. The second blog, A List of Internal Controls, attempted to create the most comprehensive list of controls ever constructed (or at least the most comprehensive I could find). This blog asks the question, “does COSO have competitors, or is there a better control framework out there?”
A List of Internal Controls
This is the second in a series of blogs on internal control, and this one specifically asks: is there a list of internal controls, and why would you want such a list?
Internal Control and COSO
Accountants are trained to think about and implement controls. The classic examples are segregation of duties, reconciliations and budgets. Generally, though, these controls operate at the transactional level, where an error or a small fraud might occur. The big frauds, of course, happen in the C-suite and include such classics as off-balance-sheet liabilities, rogue traders and manipulation of inventories.
PRMM – How is That Planning Thing Working Out for You?
This is the second in a series of blogs on a Practical Risk Management Method, or PRMM. At the bottom of this blog is a refresher of the other steps. This step’s premise is: don’t separate your planning activities from your risk management activities. In other words:
Planning = Risk Management. Planning is ultimately about managing uncertainty, which is a fancy name for risk. At this point you may be saying:
- Of Course: we already do this. Good on you, see you at the next blog!
- Great Idea: this may be incrementally more work during the planning process but ultimately over all less effort for the organization.
- What is This Planning Thing you Speak Of: hmmm, we may have identified your top risk.
I am afraid I can’t help you if you fall into the last category, but hopefully these blogs can help you if you fall into the first two.
Practical Risk Management Model
Is traditional risk management practical? If so, why do so many organizations struggle to do it well? As a quick refresher, here are the three steps of virtually all risk management methods:
- Establish business objectives.
- Identify and quantify some or all of the risks that may prevent the organization from achieving these objectives.
- Figure out what you are going to do with the resulting risks (e.g. ignore, manage, transfer, assign owners, etc.).
A Practical Risk Management Method (PRMM)
What makes risk management impractical is that it is often a bolt-on and/or a parallel activity. In addition, risk management often gets bogged down in too many risks and not enough value added (see my blog “Guns, Telephone Books and Risk?” for more on this). PRMM recommends the following steps:
- Planning = Risk Management. Incorporate risk management into existing operational, tactical and strategic planning; don’t separate the two. Why? Because planning is how organizations manage uncertainty which is a fancy name for Risk.
- Are You Any Good at Change? Evaluate how well your organization responds to change (e.g. when uncertainty becomes certain). When the unexpected happens, was your response chaotic and uncoordinated or did it go more or less to plan?
- How Strong is your ARM? ARM, or Antifragile Risk Management, is a system that focuses on building robust and resilient organizations. While step 2 above measures the organization in action, this step anticipates your organization’s resilience to uncertainty.
- A Certain Test of Uncertainty. The organization’s risk/opportunity log is used to stress test the work done above. Testing measures the robustness of the organization and the scope and reasonableness of the collected risks. This is the traditional risk management step in PRMM.
- Don’t Stop. Modify/improve your plans and keep going. All of the above activities are meant to be both periodic (e.g. the annual planning process) and continuous.
My next blog offers some thoughts on step 1 above, integrating risk management into the planning processes of the organization.
Anti-Fragile Risk Management (ARM)
This is part two of my thoughts on risk management. Part I, “Guns, Telephone Books and Risk”, focused on the problem of creating long lists of things that will (may) never happen.
Phrankism: Documentation is a Waste of Time
In World War Two, the British counted the bullet holes in airplanes that returned from missions. Based on where the holes were, they then knew where not to bother putting armour on their airplanes (see this Mother Jones article).