
RE: [GOV DG] New COSO ERM - Governance and Culture

  • Deon Binneman
    Message 1 of 6, Oct 4

      Hi Norman,

      What a nice way of simplifying WHY risk management is important.

      Simon Sinek says it so nicely - https://www.youtube.com/watch?v=IPYeCltXpxw

      Every tool or technique we have must have an outcome. I got into trouble a few years ago at a conference when I said the only purpose of good corporate governance is to be known as an admired company. (As the late Stephen Covey said – Start with the end purpose in mind).

      Just look at the impact on McKinsey, KPMG and others right now.

      I would venture to say that achieving objectives and being admired are the two most important goals.

      Kind Regards,

      Deon Binneman
      The Reputation Go-to Guy
      Speaker | Facilitator
      Reputation Management Consultant
      M: 083 4254318 | O: +27-11- 4753515
      www.deonbinneman.com
      Johannesburg, South Africa


      From: GOV_DG2@... [mailto:GOV_DG2@...] On Behalf Of Norman Marks nmarks2@... [GOV_DG2]
      Sent: Thursday, 05 October 2017 18:46
      To: GOV DG2; Dave Tate; Dave Tate tateatty@... [GOV_DG2]
      Subject: Re: [GOV DG] New COSO ERM - Governance and Culture

    • Dave Tate
      Message 2 of 6, Oct 5
        Greetings all. I have started going through the new COSO ERM framework. One comment, and one question.

        1. It is a lot of material. In addition to understanding and learning the materials, I have one overriding issue, which is, if I am given 20 minutes to initially explain and interest a board, or an audit committee, or in-house attorneys in the framework and why they should use it, from a legal perspective, that seems like a pretty difficult task, so in addition to developing my own materials I will be looking for discussions or materials that I can also use from other people which will help with that task. I'm not being critical, but I am concerned that the framework is sufficiently complicated such that I will lose the audience.

        2. Focusing on governance and culture, in both the first component, and then also in the fifth component for reporting purposes, are governance and culture primarily or only from the ERM or risk management view (that is, do the entity and its leaders encourage ERM and risk management), or are we also getting into, as possible examples, ethics, integrity, tone at the top, possible rewards that are offered to employees for performance, treatment of employees and customers, whether the entity and its leaders encourage employees to speak up, compliance with work place legal requirements, and whether the entity and its leaders actually walk the talk, etc.?

        Thanks for your comments.
        David Tate, Esq. (Royse Law Firm, California (Menlo Park Office))
      • Norman Marks
        Message 3 of 6, Oct 5
          Dave,

          IMHO, risk management helps a board and top management navigate their way to achieving objectives.

          - Understand what might happen on that path
          - Consider whether that is desirable, acceptable, or not
          - Decide what you are going to do about it
          - Act

          It's what good managers and decision-makers have been doing their entire careers. Risk management provides more discipline to the process and considers what needs to go well if you are to be effective in performing those 4 steps with every decision - from strategy-setting to execution.

          In other words, it's not really about risks - it's about achieving objectives.

          I hope this helps. It's covered in more detail in World-Class Risk Management.

          Best
          Norman

          Norman D. Marks, CPA, CRMA
          Author, Evangelist and Mentor for Better Run Business
          OCEG Fellow, Honorary Fellow of the Institute of Risk Management
        • Dave Tate
          Message 4 of 6, Oct 5
            Thank you Norman. And thank you for the comments that you write on these and other topics - I have read your materials and comments, and from this group, for years.

            Additional background information, broadly speaking. My general belief is that people (boards, committees, executive officers, in-house lawyers, etc.) mostly only do what they are required to do (other than product and service development and sales, of course) by statute/law, regulation, or rule, and perhaps by the expectations of the community or stakeholders. I have thought for years, for example, that external and internal auditors should, and can, add more areas and issues that they audit and report about, if they enacted additional pronouncements, etc. (hopefully the SEC will approve the new proposed audit reporting requirements - I haven't seen that the SEC has approved this yet).

            Regarding COSO ERM, as a lawyer I would ask first, what does the framework explicitly cover, and second, within the areas that it explicitly covers, how broad are those areas. I understand that we are moving from a check the box or list of risks approach, to having people identify strategies and objectives and then moving to the risks to those strategies and objectives (in this sentence I may have slightly butchered the approach). Nevertheless, I believe that the people who I am communicating with (people who don't have anywhere near your background and experience) will want to know, if possible, what the framework explicitly covers (in addition to the names of the components and the principles). The writers of the ERM had things in mind (and I am thinking that they may have also had things in mind that internal audit, and possibly external audit, could also become involved in, which things could also impact the board and audit committee). If the only answer is that the company and its officers and employees (plus others) need to decide what "governance" and "conduct" cover for them, then so be it, and that is what I will work with. But I am hoping that there is more detail than that. As a lawyer, generally people ask me what they are required to do, first (duties and responsibilities), and then, maybe, what they should do, second.

            Thanks again. Off to an appearance.

            David Tate
          • Hirth, Robert (10040)
          Message 5 of 6, Oct 5

              COSO ERM framework executive summary attached which is the initial suggested level of material for a board and senior management. Understandably, some may choose to synthesize this even more to make their point in just a few minutes, which would be unfortunate for such an opportunity to improve organizational performance. That is up to each person and organization, of course. There are some slides available on the COSO website which could help with this.

              COSO considers its material to be guidance and not a standard or regulation as it has no such authority to require the use of its materials for any purpose. Our mission of thought leadership is stated on the COSO website. Therefore, organizations should determine if or how the COSO material might help them and, in many cases, it will need to be adapted to more effectively consider their objectives and circumstances. Therefore, the COSO ERM framework should be used as a starting point to a deeper discussion and planned actions.

              The most pervasive ERM related requirement regardless of industry or regulator is the SEC Board Risk Oversight disclosure issued in 2009 for US stock exchange companies. This disclosure tends to interest boards since it refers to them in an SEC filed document. It is an interesting exercise to look at this disclosure of peer, competitor and other leading companies.

              Thank you for your continued interest in our material.

              Robert B. Hirth, Jr.
              Chairman
              Committee of Sponsoring Organizations of the Treadway Commission
              Office: 415 402 3621
              Mobile: 650 291 3393

              NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you.
            • Dave Tate
            Message 6 of 6, Oct 5
                Thank you for your helpful responses Bob and Norman. And I also purchased the much more extensive COSO ERM framework materials, which I am going through as time permits.

                Best, David Tate