
Re: [GOV DG] New COSO ERM - Governance and Culture

  • Dave Tate
    5 Oct, 2017
      Thank you Norman. And thank you for the comments that you write on these and other topics - I have read your materials and comments, and those from this group, for years.

      Additional background information, broadly speaking. My general belief is that people (boards, committees, executive officers, in-house lawyers, etc.) mostly only do what they are required to do (other than product and service development and sales, of course) by statute/law, regulation, or rule, and perhaps by the expectations of the community or stakeholders. I have thought for years, for example, that external and internal auditors should, and can, add more areas and issues that they audit and report about, if they enacted additional pronouncements, etc. (hopefully the SEC will approve the new proposed audit reporting requirements - I haven't seen that the SEC has approved this yet).

      Regarding COSO ERM, as a lawyer I would ask first, what does the framework explicitly cover, and second, within the areas that it explicitly covers, how broad are those areas. I understand that we are moving from a check the box or list of risks approach, to having people identify strategies and objectives and then moving to the risks to those strategies and objectives (in this sentence I may have slightly butchered the approach). Nevertheless, I believe that the people who I am communicating with (people who don't have anywhere near your background and experience) will want to know, if possible, what the framework explicitly covers (in addition to the names of the components and the principles). The writers of the ERM had things in mind (and I am thinking that they may have also had things in mind that internal audit, and possibly external audit, could also become involved in, which things could also impact the board and audit committee). If the only answer is that the company and its officers and employees (plus others) need to decide what "governance" and "conduct" cover for them, then so be it, and that is what I will work with. But I am hoping that there is more detail than that. As a lawyer, generally people ask me what they are required to do, first (duties and responsibilities), and then, maybe, what they should do, second.

      Thanks again. Off to an appearance.

      David Tate

      On Thursday, October 5, 2017 9:46 AM, "Norman Marks nmarks2@... [GOV_DG2]" <GOV_DG2-noreply@...> wrote:


      IMHO, risk management helps a board and top management navigate their way to achieving objectives.

      - Understand what might happen on that path
      - Consider whether that is desirable, acceptable, or not
      - Decide what you are going to do about it
      - Act

      It's what good managers and decision-makers have been doing their entire careers. Risk management provides more discipline to the process and considers what needs to go well if you are to be effective in performing those 4 steps with every decision - from strategy-setting to execution.

      In other words, it's not really about risks - it's about achieving objectives.

      I hope this helps. It's covered in more detail in World-Class Risk Management.


      Norman D. Marks, CPA, CRMA
      Author, Evangelist and Mentor for Better Run Business
      OCEG Fellow, Honorary Fellow of the Institute of Risk Management

      On Thursday, October 5, 2017, 9:15:18 AM PDT, Dave Tate tateatty@... [GOV_DG2] <GOV_DG2-noreply@...> wrote:

      Greetings all. I have started going through the new COSO ERM framework. One comment, and one question.

      1. It is a lot of material. In addition to understanding and learning the materials, I have one overriding issue, which is, if I am given 20 minutes to initially explain and interest a board, or an audit committee, or in-house attorneys in the framework and why they should use it, from a legal perspective, that seems like a pretty difficult task, so in addition to developing my own materials I will be looking for discussions or materials that I can also use from other people which will help with that task. I'm not being critical, but I am concerned that the framework is sufficiently complicated such that I will lose the audience.

      2. Focusing on governance and culture, in both the first component, and then also in the fifth component for reporting purposes, are governance and culture primarily or only from the ERM or risk management view (that is, do the entity and its leaders encourage ERM and risk management), or are we also getting into, as possible examples, ethics, integrity, tone at the top, possible rewards that are offered to employees for performance, treatment of employees and customers, whether the entity and its leaders encourage employees to speak up, compliance with work place legal requirements, and whether the entity and its leaders actually walk the talk, etc.?

      Thanks for your comments.
      David Tate, Esq. (Royse Law Firm, California (Menlo Park Office))
