Tag Archives: Enterprise Risk Management

In Connecticut, Has Risk Management Gone Awry?

Connecticut has always been known as the Land of Steady Habits. Last week, however, it also became known as the Land of Miserably Unhappy Commuters.

That’s because the high voltage feeder cable that powers the New Haven (Connecticut) to Grand Central Terminal (New York City) commuter train line failed last week. Stranded passengers were told to expect little or no train service for up to three weeks.

So why is this a prime example of risk management gone awry? It appears that the Metro-North rail system has always maintained a secondary electrical system. But two weeks before the failure, engineers removed the secondary system from service for maintenance upgrade work without replacing it with any other temporary resource. Thus, when the primary feeder cable failed last week, there was no other system in place to power the train line.

Regrettably, Connecticut Governor Dan Malloy noted that Metro-North officials appeared to have been taken by complete surprise. He said that “there appears to have been little plan(ning) for this type of catastrophic failure.”

The discipline of Enterprise Risk Management (ERM) embraces a few key principles. Organizations must identify potential crises before they occur. For crises that are relatively likely to occur, preventive controls must be implemented to reduce the likelihoods. And for events that will be relatively costly if they occur, crisis response functions must be implemented to contain the costs of failure.

Did the folks at Metro-North follow these principles? Because a failure of the primary feeder cable could inflict so much damage on commuters, one may question whether the secondary system should ever have been removed without the temporary implementation of another crisis response function. And because the severe aging of the electrical fleet and infrastructure makes such failures relatively likely to occur, one may ask whether the primary system (as well as, or perhaps in place of, the secondary system) should have served as the focus of preventive maintenance work.

In other words, Governor Malloy’s own observations reveal that the public transportation agency was following a risk management plan that was bound to go awry. And now the commuters of Connecticut are bearing the brunt of that failure.

The IRS And The COSO Cube

Have you been following the emerging news story regarding political bias at the Internal Revenue Service (IRS)? Apparently, the agency that regulates America’s federal system of income taxation is now under investigation for purportedly mistreating conservative “tea party” groups during its reviews of tax exemption applications.

If you’re a tax accountant, you can’t help but feel a little embarrassed about the apparent dearth of internal controls at the Service. After all, many accountants are specialists in the field of risk management; they charge significant fees to their clients for advice regarding the development of systems of internal control.

Just two weeks ago, for instance, the world’s leading committee of professional accounting trade organizations issued a new cube-shaped framework that defines internal control development activities. Isn’t it unfortunate, and ironic as well, that the accounting professionals at the IRS failed to implement their own profession’s frameworks?

COSO: A Brief History

The tale of these frameworks began thirty years ago, when the five major accounting trade organizations in the United States invited Wall Street veteran James Treadway to chair a Commission to assess the causes of fraudulent financial reporting practices. The resulting report of the Treadway Commission led to the development of the first control framework in 1992, which was then slightly modified two years later.

Developed in response to concerns that were raised during the Crash of 1987 and the financial scandals of the Gordon Gekko era, the paradigm was represented by the shape of a three-dimensional cube. The top of the cube displayed the three perspectives (i.e. operations, reporting, and compliance) that affect internal controls, whereas the front of the cube presented the five components (i.e. the control environment, risk assessment, control activities, information and communication, and monitoring activities) that define such controls.

In 2004, in response to concerns that were raised during the financial and corporate scandals of the Enron and WorldCom era, the Council of Sponsoring Organizations (COSO) expanded its cube into a framework of enterprise risk management. They did so by adding a fourth perspective (i.e. strategic considerations) to the top of the cube, and three components (i.e. objective setting, event identification, and risk response) to its front. And then, just two weeks ago, they defined seventeen explicit principles to support a further refined framework.

Control and Risk

So there is certainly no lack of guidance regarding the implementation and maintenance of internal control and risk management systems. But what do these frameworks mean? And how can they help us assess what recently transpired at the IRS?

First and foremost, it is important to keep in mind that internal control and risk management are not synonymous phrases. In fact, internal control is a concept that is embedded within the practice of risk management.

A competent risk manager understands that many internal controls are implemented to prevent the occurrence of troublesome events. And if prevention is impossible, additional controls are employed to detect the existence of such events. Yet there are times when prevention and early detection controls simply fail to provide effective risk management strategies.

In other words, there are occasions when competent risk managers have no choice but to respond to occurrences of troublesome events without the control benefits of prevention or early detection. Such risk response activities are not components of systems of internal controls per se, but they do play significant roles within systems of enterprise risk management.

Prevention controls, detection controls, and response activities are the three proverbial “building blocks” of enterprise risk management. So how can we relate them to the unfolding tale of political intrigue at the IRS?

Likelihood and Impact

The COSO prescriptive framework is a fairly simple one. If a potentially troublesome event is relatively likely to occur, then the organization should develop new prevention (or detection) controls to reduce this likelihood of occurrence to tolerable levels. And if the event is expected to inflict a costly impact, then the organization should also implement new response capabilities to limit its damage.

Now let’s apply this principle to the current IRS controversy. What was the likelihood that an understaffed IRS office, struggling to manage a flood of tax exemption applications, would resort to questionable assessment tactics? This was arguably a relatively likely event, and thus more might have been done to prevent (or detect) its occurrence. For instance, the IRS might have invested in enhanced training and oversight activities.

But how much damage has the controversy actually inflicted on the conservative groups that were inappropriately investigated by the IRS? Even though they appear to have been unfairly targeted for scrutiny, there is no indication that any have lost or been denied their tax exempt status as a result of the investigations.

So an application of the accounting profession’s COSO framework might not necessarily fault the IRS for its questionable response to the controversy. Nevertheless, it might lead one to question whether the Service did enough to prevent (or detect) the occurrence of the problem.

The Newtown Shootings: A Risk Management Perspective

On December 14th at 9:30 am, after shooting and killing his own mother at home, a heavily armed resident of Newtown, Connecticut forced his way into the Sandy Hook Elementary School. He killed twenty young children and six adults before committing suicide.

The global news media, of course, voraciously covered the tragedy itself, as well as the ensuing police investigation … and the funeral processions … and school security policies … and gun laws … and the violence that is embedded in American culture. All of these topics were debated relentlessly by commentators, pundits, politicians, and celebrities.

Interestingly, though, the press dedicated relatively little coverage to the government’s initial response to the immediate needs of the families of the victims. Was this response an appropriate one?

Delivering The News

At 3:00 pm on that fateful day, more than five hours after the shooting incident occurred, some of the parents of the slain children were still waiting in ignorance for news about their fate. Were their children taken to a hospital? To a morgue? Or were they still missing and unaccounted for?

The Connecticut authorities knew that the children had been taken to the local morgue, but no one had yet conveyed the heartbreaking news to all of the parents. So Governor Dan Malloy decided to speak to the families himself.

Some people have subsequently criticized the Governor for using “cold and callous” language while performing that emotionally wrenching task. Others have commended him for making the humane decision to assume the grievous responsibility of informing parents of the murders of their children.

Lost in this debate, though, is the fact that qualified human service professionals are specially trained to perform such tasks during times of crisis. Why weren’t such professionals already on the scene, communicating with the parents, by the time that Governor Malloy made his fateful decision at 3:00 pm that day?

CISM Teams

For more than fifteen years, the National Association of Social Workers and the American Red Cross have maintained a partnership “to deliver mental health services to the victims of disaster, rescue workers, military personnel and their families, and refugees.” Specifically, the partnership involves the maintenance of “a national network of … trained, licensed, or certified social workers to be mobilized in times of disaster.”

Although the network can be mobilized for “natural disasters such as hurricanes, floods, tornadoes, (and) fires,” it is also explicitly available for “school shootings, bombings, and biochemical threats.” And the Red Cross has developed crisis-specific functions as well, such as Aviation Incident Response teams to address the unique circumstances of airplane crashes.

These Critical Incident Stress Management (CISM) teams are available to work with people who are affected by natural catastrophes and other crises. Are mass shootings in public places now occurring at a level of frequency that would necessitate the development of specialized Firearms Incident Response Teams across the nation?

Enterprise Risk Management

The discipline of enterprise risk management identifies two primary considerations regarding prospective future crises. One is the anticipated frequency of such events; the other is the anticipated harm or damage that the events might wreak on society.

The general process of risk management is a simple one. If a potential crisis is a priority because it may frequently occur in the future, then society should strengthen the preventive control activities that may reduce its intolerably high frequency. Gun control laws might be strengthened, for instance, to reduce the future frequency of mass shootings.

However, if a prospective crisis is a priority because it may cause great harm or damage in the future, even though it may not occur frequently at all, then society should strengthen the crisis response activities that contain and minimize the harm. An Incident Response Team might represent one such response strategy.

Although any single mass shooting is indeed “one too many,” such incidents (thankfully) remain statistically rare events. New York City Police Commissioner Ray Kelly, for instance, has stated that he has “never seen anything” like the Newtown tragedy. A risk management analysis may thus conclude with a recommendation for the development of such Incident Response Teams.

Prevention vs. Response

Many individuals are now focusing on new strategies for preventing school shootings in the future. California Senator Dianne Feinstein, for instance, is introducing new gun control legislation to ban certain weapons from society. Conversely, Wayne LaPierre of the National Rifle Association is proposing to increase the prevalence of such weapons by stationing armed guards in every school building in the United States.

Thus, on the one hand, there appears to be widespread agreement about the desirability of enhancing prevention activities. And yet, on the other hand, there is little or no agreement about the specific activities that should be implemented to achieve this goal.

The strengthening of the crisis response function would admittedly do nothing to prevent the recurrence of such tragedies. Nevertheless, it may indeed ensure that victims and their families, as well as first responders and other citizens who are directly affected by such events, are treated in a more humane manner during times of crisis.