COSO vs ISO 31000
BROADLEAF CAPITAL INTERNATIONAL PTY LTD
ABN 24 054 021 117

PO Box 1098, Mitcham North, VIC 3132, Australia
www.Broadleaf.com.au
Tel: +61 (0) 3 9893 0011  Mobile: +61 (0) 412 121 631  Fax: +61 (0) 3 9893 0011
[email protected]

30 March 2012

COMMENTS ON THE EXPOSURE DRAFT OF THE INTERNAL CONTROL FRAMEWORK

The 1992 COSO Internal Control Framework made us all think differently about risk and controls, how these are linked and how they should be assessed and assured. However, in the last 20 years our understanding of what risk is, how it should be managed and how controls modify it has advanced greatly, and it is disappointing that this revision of the 1992 document does not recognise that advancement and wishes to hold our thinking to the past.

I have worked in the practical application of risk management for the last 35 years and now divide my time between training and mentoring, helping organisations of all sizes and sectors improve their management of risk, and writing and contributing to international standards and practical guides so that we build upon our experience and do not repeat the mistakes of the past. My résumé is at Appendix B of this submission.

Most of the world has now come together to agree a coherent and consistent formulation and vocabulary for dealing with uncertainty and risk, so that organisations can consciously create value and satisfy their stakeholders' objectives through sound governance. The International Standard, ISO 31000:2009, and its accompanying vocabulary in ISO/IEC Guide 73 are the results of the inputs of many thousands of practitioners and users around the globe and reflect a true consensus on best practice. Many countries have now adopted the standard and guide as their own national standards, including Australia, Canada, Russia, China, the UK, France and Japan. Last year the USA also adopted them as its national standards under the ANSI/ASSE Z690 series.

It is therefore highly regrettable that COSO now proposes to use out-dated and anachronistic concepts and language in relation to risk and control rather than aligning itself to the globally accepted standard.

In the appendix to this submission I discuss the major problems and suggest how simple changes could be made that will significantly enhance the current draft. I would implore COSO and the authors of this document to take this opportunity to reduce the burden on industry and avoid perpetuating further ambiguity and confusion. Your document will become so much clearer and easier to use if you simplify and align your language on risk and its management with the international standard. It will also gain much wider acceptance.

Grant Purdy
Associate Director
BROADLEAF CAPITAL INTERNATIONAL

© Broadleaf Capital International Pty Ltd, 2012. COSO IC Draft_comments_Mar12_ver0.docx, Page 1 of 13, 30 March 2012, 12:29 PM

COSO: Revision to the Internal Control Framework, 29 March 2012

Appendix A  Detailed Comments and Solutions

The draft Executive Summary and Framework documents repeat the same discussions and text about risk and control in many places. Rather than deal with every instance, I have commented here on the general concepts and issues and suggested practical and simple solutions to the problems. These should be applied throughout the documents in a consistent manner.

Concept or Issue: The definition of risk

Problems: The definition that risk is "the possibility that an event will occur and adversely affect the achievement of objectives" suffers from many problems. It confuses the way we measure risk (possibilities and outcomes) with the way we characterise it in terms of what could happen and what it could lead to (in terms of effect on objectives). Using "event" within the definition also focuses attention on specific events that may never occur. When we describe things that might happen we are only seeking to characterise risk using exemplars and surrogates for what could happen. It actually does not matter what this exact event is; it is the effects on our objectives that are important. Focussing on events is bad risk management and creates a myopic organisational culture. Most people also consider events to be single, acute occurrences. However, many of the risks we face are associated with existing or slowly changing situations and circumstances. Associating risk with an adverse outcome denies the reality that organisations actively seek risk and expose shareholders' and stakeholders' capital to risk to achieve benefits and returns. If risk is bad, then removing all of it would be really good. This is clearly not the case. The final problem is that it is not the definition now used globally for risk, which is enshrined in the international standard and many national standards.

Solution: It would be so much simpler if the COSO document adopted the ISO definition of risk: that it is "the effect of uncertainty on objectives". This definition fits the concepts in the COSO document wonderfully and avoids all the problems inherent in the current one. Quite rightly, the ISO definition focuses an organisation's attention on the sources of uncertainty that affect its objectives rather than on separate, hypothetical events. This means that the resulting controls are broadly based and don't just attempt to deal with isolated situations. I am sure that this is what COSO desires.

Concept or Issue: How risk comes about and what it is

Problems: The overriding impression given in the documents is that risk already exists and that the organisation has to find out how it can achieve its objectives against the pre-existing background of risk. This is not just wrong, but it also motivates the wrong types of behaviour and culture. This problem is exacerbated by terms such as "risks that may occur", which confuses risk with events and their outcomes. Risk is risk, and suggesting that risk might have a "velocity" or "persistence" creates an even more confusing concept. Those terms only apply to outcomes and consequences, not to risk at this moment in time.

Solution: All organisations are exposed to internal and external factors and influences that make it uncertain whether, when and to what extent they will achieve or exceed their objectives. The effect this uncertainty has on the organisation's objectives is risk. The crucial concept that the COSO document needs to clearly explain is that risk comes about when a decision or action is taken, based on deficient information, in support of objectives. If there are no objectives, there cannot be risk. If objectives exist but we do not take any decisions or actions in relation to their achievement, then the deficiency of information is irrelevant. The COSO document should make clear that risk is neither negative nor positive. However, the consequences associated with risk can be either beneficial or detrimental. These can be experienced from the time the decision or action is taken until some time in the future when either the objectives are achieved or modified. Whether the consequences are beneficial or detrimental may not be known when the decision or action is made. Similarly, we may not know their magnitude or nature.

The COSO documents should make sure they do not use language that suggests risk is:
    an event;
    a consequence;
    a likelihood;
    a vulnerability;
    an exposure;
    a hazard, a threat or an opportunity;
    a risk source;
    a metric.
They should not say that risk "occurs" or "will eventuate".

Concept or Issue: Risk and level of risk

Problems: The documents confuse risk and how it is measured. This stems from the confusing definition used. They are separate concepts and need explanation. Using the term "risk" to mean both the risk and its level is unhelpful.

Solution: The documents should take care to clearly distinguish what is a risk and what is its level. They could adopt the definition of level of risk as "the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood".

Concept or Issue: Opportunities

Problems: The documents mention opportunities as being the opposite of risks and say that identifying opportunities is not part of Internal Control. Opportunities are just sources of risk where the organisation can gain advantage and create value. They often present both the possibility of detriment as well as of benefit, and in making decisions on how to deal with these, organisations have to conduct an analysis of costs and benefits in order to develop an approach that leads to net benefit overall. Risk management is concerned with supporting decisions so that the organisation creates the optimal level of value. This must involve not only avoiding losses but also seeking gains. Also, surely, controls and the concept of Internal Control must be concerned with assisting an organisation to achieve all its objectives, not just those framed in terms of the avoidance of harm and loss. Unless the documents explain how Internal Control is a process of optimisation, not minimisation, then the concept will remain irrelevant and separate from the central concepts of enterprise and business.

Solution: Opportunities, like threats, are sources of risk but are not risks themselves. They cannot be the opposite of risks. Controls have to work both to reduce the likelihood and consequence of loss and to promote the chance and magnitude of gain. After all, controls are there to enable the organisation to achieve its objectives. Leaving opportunities out of the equation is both nonsensical and unrealistic: this is not how organisations operate. Similarly, having different processes for threats and opportunities does not make sense and just creates difficulties for decision makers. If COSO wants its Internal Control framework to be a tool that is used every day and is relevant to all forms of decision-making, then it has to remove this restriction. Of course, this then means moving to a broader and more balanced definition of risk, as I have suggested above.

Concept or Issue: How do you analyse risk and express its level?

Problems: I'm afraid that the documents have fallen into the same trap we have seen before with the COSO ERM Framework. The level of risk is not estimated by considering the likelihood of an event and the consequences that might occur. This produces an unrealistic overestimate that fails to properly consider chance and the effect of existing controls. The level of risk is always expressed in terms of the likelihood of some type of consequences, such as $ per year or fatalities per decade, and the computation has to be consistent with those units. To arrive at the likelihood of the designated consequences requires a conditional probability to be applied to the event frequency. Using the event frequency on its own will overestimate the level of risk. The prescription given in the drafts leads to what are known as "phantom risks", and these are at such elevated levels as to be irrational and unbelievable.

Solution: Quite simply, the formulation given has to be that the level of risk is estimated by combining a chosen measure of a type of consequences with a measure of their likelihood. This should be specified when risk criteria are derived in the "establish the context" step before risk assessment. You should also note that this is often not a simple product, and the equation of risk = consequences x likelihood, or impact x probability, is often invalid.
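The following Python is an added example, not part of the submission or of the COSO or ISO documents, showing the computation the paragraph above calls for: the event frequency is multiplied by the conditional probability of each type of consequence, given the controls in place, and the result is expressed in the units the risk criteria demand ($ per year, or the chance of a loss above a threshold per decade). It also computes the "phantom" figure that applying the event frequency to the worst consequence alone would give. The phishing scenario, every figure in it, the band names and the Poisson arrival assumption are constructed for illustration.

```python
"""Added example (not part of the Broadleaf submission or the COSO draft):
estimating a level of risk in the units the risk criteria ask for, and
showing why applying the event frequency on its own overstates it.

The scenario, figures and band names are constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ConsequenceBand:
    """One type of consequence that an event can lead to.

    p_given_event is the conditional probability that an event ends in this
    band, given the controls currently in place. It is the term that must be
    applied to the event frequency.
    """
    label: str
    cost: float            # consequence, in $ per occurrence
    p_given_event: float   # P(this band | event occurs)


def validate_bands(bands):
    """The bands must partition the outcomes of an event."""
    total = sum(b.p_given_event for b in bands)
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"conditional probabilities sum to {total}, not 1")
    if any(b.p_given_event < 0 or b.cost < 0 for b in bands):
        raise ValueError("probabilities and costs must be non-negative")


def level_of_risk(event_freq_per_year, bands):
    """Expected consequence per year: the sum over bands of
    frequency x P(band | event) x cost(band).

    This is a sum of weighted terms, not a single likelihood x consequence
    product, which is why that equation is not generally valid."""
    validate_bands(bands)
    return event_freq_per_year * sum(b.p_given_event * b.cost for b in bands)


def phantom_level(event_freq_per_year, bands):
    """The overestimate: the event frequency applied to the worst consequence
    with no conditional probability in between."""
    return event_freq_per_year * max(b.cost for b in bands)


def p_exceeding(event_freq_per_year, bands, threshold, years=1.0):
    """Likelihood that, within `years`, at least one event has a consequence
    above `threshold`. Events are assumed to arrive as a Poisson process (an
    assumption of this example), so the chance of at least one is
    1 - exp(-rate * years). This answers a criterion phrased like
    'chance of a loss over $1M per decade'."""
    validate_bands(bands)
    rate = event_freq_per_year * sum(
        b.p_given_event for b in bands if b.cost > threshold)
    return 1.0 - math.exp(-rate * years)


# Constructed scenario: credential-phishing events against staff, with
# conditional outcomes reflecting the controls that exist today.
PHISHING_EVENTS_PER_YEAR = 12.0
PHISHING_BANDS = (
    ConsequenceBand("caught or no foothold", cost=2_000.0, p_given_event=0.85),
    ConsequenceBand("contained incident", cost=50_000.0, p_given_event=0.12),
    ConsequenceBand("major breach", cost=2_000_000.0, p_given_event=0.03),
)


def summary(event_freq=PHISHING_EVENTS_PER_YEAR, bands=PHISHING_BANDS):
    """Return the figures a risk register would record for this scenario."""
    return {
        "expected_loss_per_year": level_of_risk(event_freq, bands),
        "phantom_loss_per_year": phantom_level(event_freq, bands),
        "p_major_breach_per_year": p_exceeding(event_freq, bands, 1_000_000.0),
        "p_major_breach_per_decade": p_exceeding(
            event_freq, bands, 1_000_000.0, years=10.0),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>26}: {value:,.4f}")
```

With the constructed figures the expected loss is about $812k per year, while the phantom figure (12 events a year, each treated as a $2M breach) is $24M per year, roughly thirty times higher; the conditional probability is what separates the two. Changing a control (say, one that cuts the share of events ending in a major breach) is modelled by changing p_given_event, not the event frequency, which is the sense in which existing controls belong inside the estimate.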

Concept or Issue: Events

Problems: I've commented above on the definition of risk and how this must not focus attention on the identification of events but on the sources of uncertainty and their effect on objectives. Events will occur, and when they do so the internal control framework should respond by using them as a means to understand if the existing controls were adequate and effective. This should be part of the monitoring element of the process. However, this "learning lesson" activity is not mentioned at all, which is a major omission.

Solution: An event is something that happens, and the COSO documents should make it clear that an event is not a risk. The ISO standard defines event as "occurrence or change of a particular set of circumstances". This seems an ideal and simple definition that the COSO documents could adopt. It covers acute situations as well as continuous and emerging circumstances. The section on monitoring should include the investigation of events and incidents to determine how existing controls performed and how they could be improved. Normally this will involve the application of a systematic process of root cause analysis.

Concept or Issue: Static vs. dynamic

Problems: The COSO documents seem to suggest that periodic risk assessment is enough for the organisation to ensure its objectives are protected. The documents do mention monitoring for changes, both internal and external, but seem to miss the point that risks come about through the decisions the organisation makes in response to change, not the changes themselves. While it is useful to establish a baseline risk profile and thereby define the organisation's critical controls, this periodic activity does not enable the organisation to respond to change before or when it occurs. Currently the document portrays a largely static process, not one that responds dynamically to the needs of decision makers. As the COSO ERM Framework reminds us, the process for the management of risk, including risk assessment, must be integrated into the organisation's system of management, particularly in those processes that are concerned with decision-making. This means that risk assessment and risk treatment are continually applied and are invoked by the need to make a decision. They should not only or mainly occur because of a periodic review.

Solution: The COSO documents should stress that an Internal Control framework must be dynamic and allow an organisation to respond to both kinds of change by supporting decisions on how to respond to and manage those changes. This is its primary function. The documents should place less emphasis on periodic reviews and more on using risk assessment to support decisions. The point should be made that risks come about when decisions are made against a background of uncertainty.

Concept or Issue: Risk assessment is just one part of the risk management process

Problems: There are some considerable similarities between the COSO Internal Control process and the normally encountered risk management process. Both involve gathering information on the organisation, its objectives and existing control environment, the conduct of risk assessment leading to actions leading to better controls, and then their monitoring and review. Both also involve communications with stakeholders. However, the COSO cube model and the descriptions seem to suggest that this is a once-through process. They really need to stress that there is a cyclical and interactive process and that the layers of the cube are not supposed to mean that the steps always occur in that order and that one pass only is required. The separate and vital step of "establishing the context" is buried in the risk assessment description and because of that is not given the prominence it requires and deserves. This is the essential precursor to risk assessment that seeks to understand both internal and external factors that give rise to risk.

Solution: Keep the cube if you must. But please explain that before risk assessment can take place both the external and internal factors that affect the organisation and its objectives must be carefully identified and their implications appreciated. Also please emphasise that the monitoring and review step should not only consider controls but also changes to the external and internal environments that will change risk and hence will require a reassessment and possibly revised or fresh controls. Finally, please stress that this is an interactive and repetitive process and not once-through as the cube suggests. Better still, adopt the internationally acceptable diagram for the process as shown below.

[Diagram: the ISO 31000 risk management process. Establish the context; Risk assessment (Identify the risks, Analyse the risks, Evaluate the risks); Treat the risks; with "Communicate and consult" and "Monitor and review" running alongside every step.]

Concept or Issue: Where does communication come in the process?

Problems: I think we all understand that stakeholders have a right to be involved in the risk assessment and control processes and that we gain from that involvement. However, the cube diagram and the order of the elements will motivate organisations to think of the communication step as just about reporting. This weakness, as found in the previous COSO frameworks, then supports a culture of "report and forget" where risks are identified and then passed on and up without a proper assessment or treatment.

Solution: The documents should stress that communication should be planned and should occur throughout the Internal Control process, not just after risk assessment and risk treatment as shown in the cube. A good solution would be to add consultation to communication and move the step further up your cube. The best solution would be to use the internationally accepted diagram shown above.

Concept or Issue: Risk assessment, what it comprises

Problems: The drafts often use the phrase "identify and assess risks". However, risk assessment includes risk identification. It also includes risk analysis and risk evaluation. In the (long) past we used "risk assessment" instead of "risk evaluation". However, the intermediate step of risk analysis is vital to develop a sufficient understanding of the risk so that it can be treated and new or revised controls are fashioned and implemented.

Solution: Revise to either "assess risks" and give the definition of risk assessment as "the overall process of risk identification, risk analysis and risk evaluation", or revise all uses of the phrase to "identify, analyse and assess risks".

Concept or Issue: Control, noun or verb?

Problems: The drafts continue to use the term control ambiguously. Undoubtedly controls can involve processes, but we all get very confused using the same term for the thing that modifies a risk as well as the activity that involves treating risk, checking controls and giving assurance.

Solution: Limit the use of the term control to mean "any process, policy, device, practice, or other actions that modifies risk". These are things that can be assured through an audit program or by control checking or self-assurance. Controls are things in place that modify risk. These are things that act to help us achieve our objectives and are controlled by the organisation. They are enablers: they help us modify the effect of uncertainty on our objectives. This concept fits beautifully with the basis for Internal Control.

Concept or Issue: How we deal with risk?

Problems: The drafts use the terms "respond" and "responses" as well as "mitigate" and "mitigation". They also on occasion use the term "manage" in the same context. Mitigation implies that risk is bad, and this is not so. Risk is neutral; the consequences you choose to characterise it by may be couched in negative or positive terms depending on your objectives. Also, mitigation applies to the consequences and not their likelihood. The purpose of the actions taken to deal with unacceptable levels of risk is to modify them. This may involve increasing or decreasing the level of risk or changing its nature. A neutral term is needed to describe this activity. The documents suggest that we can deal with risk by: Acceptance; Avoidance; Reduction; Sharing. These only treat the risk as a negative concept and are not that helpful. Putting "Acceptance" at the beginning suggests that it is the first choice rather than the least preferred option.

Solution: After a long search, the working group drafting the ISO standard settled upon the term "risk treatment" to describe this step in the process. "Risk response" is preferred by some organisations, but "risk mitigation" is increasingly not used for the reasons given aside. Importantly, "risk management" should be used to describe the organisation's whole approach to dealing with risk and should not be used just for this step of the process. It should also be noted that controls are the outcome of this risk treatment, and this needs to be said clearly in the documents. The options for risk treatment given in the international standards have gained wide acceptance; they deal with all types of risk and are in the correct order. I would therefore strongly urge you to use:
a) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
b) taking or increasing the risk in order to pursue an opportunity;
c) removing the risk source;
d) changing the likelihood;
e) changing the consequences;
f) sharing the risk with another party or parties (including contracts and risk financing); and
g) retaining the risk by informed decision.

Concept or Issue: Risk tolerance, risk appetite, risk acceptance and risk criteria

Problems: Confusion reigns when it comes to these terms. The COSO ERM Framework provides two definitions for risk appetite, the Basel requirements [1] give different definitions and say they mean the same, and regulators throughout the world are now asking for risk appetite statements without knowing what they are and why they need them. The documents only use the term tolerance, which will add to the confusion. The documents mention acceptance of risk in terms of achieving a set level or target, but this is rarely the case. Risk criteria are rarely set as fixed points or even curves.

Solution: The documents should define tolerance and preferably also explain how risk criteria are developed as a precursor to risk assessment. Risk criteria are terms of reference against which the significance of risk is evaluated, and they should embody the organisation's appetite for risk. The documents should explain that risk tolerance is linked to acceptance and is the organisation's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. The documents should also explain that ultimately most decisions to accept risk are based on an analysis of the costs associated with achieving a change in the level of risk when compared with the benefits of that change. Costs and benefits include both quantifiable and unquantifiable elements and also direct and indirect components. The documents should say that the decision to tolerate (or accept) a level of risk is based on the recognition that further risk treatment will not lead to any net improvement in value or benefit to the organisation.

[1] Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches. Basel Committee on Banking Supervision, Bank for International Settlements, Basel, June 2011.

Concept or Issue: Inherent, target and residual risk

Problems: It is sad to see that the authors of the draft documents still subscribe to the need to estimate some inherent level of risk. I thought we had all grown out of this unnecessary and confusing concept. Risk is risk, and organisations and their oversight bodies need to know what the level of risk is now, not at some hypothetical point in time when all controls have disappeared. There are not different types of risk. There is just the risk now. Most importantly, we do not need this concept either to understand risk or to define better or improved controls. Spending time defining a level of inherent risk is a waste. This has been carefully explained in many other places, most notably in the Institute of Internal Auditors Global Research Foundation Handbook HB 158:2010 called "Delivering Assurance" [2]. There is also little real value in expressing some target level of risk as suggested. As discussed above, an acceptable or tolerable level of risk is generally obtained through the analysis of the costs and benefits of further risk treatment, not by achieving some set point. In fact, practice seems to suggest that organisations that express a target level of risk somehow assume that they have already achieved it, and hence the risk treatment actions get neglected. It seems that this measure creates a false sense of security and can actually demotivate additional action. Finally, it should be noted that the term "residual risk" is not the level of risk now, taking into account the current controls and their effectiveness. It is the eventual level of risk that the organisation accepts or tolerates because no more risk treatment is justified.

Solution: The documents should encourage the recognition and honest assessment of the effectiveness of existing controls as part of risk analysis. This should then lead to an estimate of the current level of risk. The IIA recommended measure to assist in planning audits and assurance activities is Potential Exposure. That is, in effect, the inherent consequences part of inherent risk. The documents should mention this valuable concept and how it can be used in the monitoring step to plan assurance activities and audits. The term residual risk should only be applied to the level of risk that remains after all risk treatment has ended. It is the level of risk that the organisation finds acceptable and is prepared to tolerate. The ISO definition of residual risk is "the risk remaining after risk treatment". In summary, the documents should explain that the objective of risk analysis is to develop an understanding of the risk so that it can be treated. This should be achieved by using the organisation's risk criteria to evaluate the effectiveness of the current controls, the current level of risk given those controls and their effectiveness, and also the Potential Exposure.

[2] HB 158, Delivering Assurance Based on ISO 31000:2009. Standards Australia and the Institute of Internal Auditors, Sydney, 2010. ISBN 0 7337 7843 7.


Appendix B  Résumé for Grant Purdy

Grant Purdy has worked in the practical application of risk management for over thirty-five years. During that time he has worked in over 25 countries as a government inspector, business manager, consultant and a manager of risk management. Grant is now an Associate Director of the consultancy group Broadleaf Capital International. Previously he was the Group Manager of Risk Management at BHP Billiton, the world's largest resource sector company. While there he led the team that created the framework for risk management that is now recognised as world best practice in the resources sector.

Grant now works with a wide range of organisations, helping them develop and enhance ways to manage risk in support of the decisions they make. This involves mentoring, training and advice, predominantly with senior managers and Boards. His clients include large international groups such as Xstrata and Anglo American and large national government bodies such as Eskom and Transnet in South Africa and the Abu Dhabi Department of Transport. He also works with small organisations, particularly those in the not-for-profit sector.

Grant has been a member of the Standards Australia and Standards New Zealand Joint Technical Committee on Risk Management for over ten years and was its chair for the last seven. He is co-author of the 2004 version of AS/NZS 4360 and has written many other risk management handbooks and guides. He also was the nominated expert for Australia on the Working Group that prepared ISO 31000 and Guide 73, and now is Head of Delegation for Australia on ISO PC 262, which is preparing ISO 31004, the implementation guide to ISO 31000.
