Category Archives: Enterprise Risk Management

Finally, Delta Airlines May Be Taking A Reasonable Approach To Solving Its Second Amendment Conundrum. Did It Act Too Hastily The First Time?

It’s difficult to avoid feeling a little sympathy for Delta Airlines, isn’t it? First, gun control advocates threatened to boycott the airline for offering a routine corporate air fare discount to members of the National Rifle Association (NRA). Then, after Delta rescinded the discount in the wake of the latest school shooting event, the conservative Republican government of its home state of Georgia retaliated by rescinding its corporate tax break!

So what’s an airline to do? Grant a routine discount and be attacked for supporting gun rights? Or rescind that very discount and be attacked for opposing the Second Amendment?

Fortunately, airline management may have finally decided upon a reasonable approach with its declaration of a new corporate policy. Delta announced that, henceforth, it would avoid granting fare discounts to “any group of a politically divisive nature.” It then commenced an internal review of all of its discount arrangements in order to identify any such groups.

Had such a policy been already in place, the NRA discount would not have been offered in the first place. The reason? A general corporate policy of non-partisanship, as opposed to any specific antipathy towards the NRA.

It is indeed a reasonable approach, isn’t it? So reasonable, in fact, that one can only wonder why Delta didn’t hold off on its hasty NRA discount rescission announcement until it could complete its internal review in accordance with its new policy.

Perhaps Delta rushed its announcement because of a desire to stem all criticism immediately. But had it waited to complete its internal review, the criticism might have continued for only a relatively brief amount of time. Indeed, it might then have been replaced by praise for crafting a deliberative solution to a thorny problem.

Risk Management: Cubes To Doughnuts

Let’s imagine that your private equity fund is considering a long-term investment in an American energy company that ships millions of barrels of crude oil through Philippine waters each year. When Filipino President Duterte unexpectedly calls American President Obama a “son of a whore” while promising to “continually engage China in a diplomatic dialogue rather than anger officials there,” do you change your mind about the investment opportunity?

Under normal circumstances, in order to make an informed decision, you would prepare a valuation analysis that compares the investment’s immediate cost against the present value of its future benefits. But how can you possibly assess its future benefits when massive uncertainty over President Duterte’s evolving foreign policy makes it impossible to render any predictions about the future?

For guidance in managing such risks, we generally turn to the Enterprise Risk Management (ERM) framework that is promulgated by the Committee Of Sponsoring Organizations (COSO) of the accounting profession. The current cube-shaped framework prescribes eight component activities for managing such risks, with Event Identification representing the first of its four central activities.

Indeed, one of the reasons for this framework’s enduring popularity is its reliance on the identification of clearly definable risk events. Thus, when a risk factor can be defined in terms of future discrete events, the COSO cube is a natural choice for risk managers.

Worried about the impact of potential hurricane damage on a waterside property, for instance? A hurricane is a future discrete event. It will either occur or not occur, and the consequences of its occurrence or non-occurrence are relatively easy to estimate. If a hurricane occurs, there will be massive losses. And if not, the status quo will continue unabated.

But what if a risk factor cannot be defined as a discrete event? What if the long-term impact of a risk factor depends on slowly evolving circumstances that are extremely difficult to even define, let alone assess? Does COSO have a different framework for such factors?

Yes, it does. A new version of the framework is only available in a draft exposure format at the moment, but it is expected to be finalized shortly. It uses a doughnut symbol, instead of a cube. And although Risk Identification continues to represent an important underlying function of ERM, it no longer appears prominently on the face of its new framework.

Whereas the older cubic framework prescribes a list of eight rigidly defined and sequenced component activities, the newer circular doughnut framework relies on 23 broad principles like “Commitment to Integrity and Ethics” and “Develops Portfolio View.” So, with these two frameworks in mind, let’s think about the political risk that is challenging our private equity investor.

On the one hand, President Duterte’s colorful comments will undoubtedly impact the short-term relationship between his nation and the United States. But on the other hand, this relationship will continue to evolve over time, and will be impacted by numerous unpredictable future circumstances. So even though President Duterte’s eventful actions can influence the future Filipino-American relationship, he cannot unilaterally determine it.

That’s why we need a doughnut-shaped framework, with its 23 principles, to assess such complicated circumstances. Although the event-centric cubic framework is sufficient for more easily defined risks, the circular framework is required to analyze the complex risks that challenge us in our multi-dimensional environment.

Farewell, COSO Cube

Are you familiar with the COSO cube of Enterprise Risk Management? First released in 2004 by a consortium of five accounting trade associations, the framework has survived twelve long years of volatility by virtue of its utility and simplicity.

As a three-dimensional shape, the cube features three sides of guidance that describe how to develop a risk management plan. One side describes the functions that should engage in risk management work. A second side describes the organizational levels that should be responsible for doing so.

And a third side is the most valuable one of all. It lists the eight tasks that any entity should complete in order to prepare a comprehensive risk management plan. The middle four tasks are the stand-outs.

And what are they? The entity should begin by identifying as many potential problems as possible. Then it should “red flag” the highest priority problems. Then it should develop response activities to limit the damage that would occur if these problems are not prevented. Finally, it should develop preventive control capabilities to reduce the likelihood that these problems might occur in the first place.

Simple and yet useful, eh? That’s exactly why the cube has lasted as long as twelve years. So, last month, when COSO released an exposure draft of its new framework, accountants and risk managers around the world eagerly scrolled through it to view the new and improved cube.

And guess what they found? The cube has vanished! There is now a three-part arrow that appears to be piercing the open hole of a five-color doughnut. Each color represents a component of risk management activity. And there are 23 (yes, 23) principles that support the five components.

Got it? If you’re thinking “not exactly,” you might wish to compare the old 2004 executive summary with the new 2016 exposure draft summary. By all means, ask yourself whether the new version — in all its complexity — represents a step forward or a step backward. Either way, it does appear that our accounting profession is about to say farewell to the COSO cube.