COSO ERM in a COVID 19 World

Many wonder whether the current pandemic is another example of ERM failing. The same question was asked more than a decade ago during the financial crisis. While there will undoubtedly be risk management lessons learned from this crisis, it’s a reminder that ERM is more art than science. As long as people are involved, some risks will be missed and failed judgments will occur. But ERM and internal control frameworks can still provide valuable principles and insights as organizations start to emerge from this crisis. Over the next several days I’ll be posting thoughts on how COSO frameworks can help during the coming months.

Paul Sobel, Chairman of COSO, on LinkedIn

Why COSO ERM Will Not and Cannot Help People Make Better Decisions About COVID-19

Paul, ERM is not even an ‘art’. It’s just a belief system with no settled, academically supported or proven global body of knowledge.

Although aspects of ‘ERM’ activity might well draw on scientific and other validated areas of true knowledge – such as the mathematical calculation of probabilities – this does not validate the belief-system envelope in which these skills are applied. ERM was a label invented by RIMS to distinguish a new business offering from its original insurance-based services. It’s just a three-letter acronym invented for marketing purposes!

COSO just jumped on the concept when it wanted to make its ‘Internal Control Framework’ more relevant and its members wanted to counter the drop in revenue after the failure of Enron and the subsequent restrictions on providing conflicting services.

All belief systems with three-letter acronyms that attempt to resolve uncertainty in decision-making via the constructs of ‘risk’ and ‘managing risk’ will not only fail but, ultimately, can never succeed. This is also borne out by multiple surveys that show that ERM ‘maturity’ (whatever that means) is persistently low.

There are two obvious reasons for the failure of ERM and other forms of ‘risk management’ to produce good decisions:

  1. the foundation word ‘risk’ has literally dozens of meanings and so has no utility or transactional value;
  2. it is fanciful to imagine that any approach based on a one-size-fits-all, complicated system of ‘risk management’ can or will be ‘integrated’ into the highly individual ways through which organisations function.

Indeed, across my 40+ year career I’ve realised that I’ve yet to find an organisation asserting to practise ‘risk management’ that did not, in reality, have separate processes for ‘risk management’ and for actual decision-making. Whatever ERM is thought or claimed to be, it neither does nor can ensure effective decision-making. So why waste so much time and money on it?

You’ve got to wonder, if COSO ERM were so good and useful, why every survey, every year, seems to show such a low level of ‘maturity’ (whatever that word means) and why the constant response is that management and Boards don’t ‘get it’.

On the other hand, there is clear evidence that these people do ‘get it’, and realise it’s a con job that destroys rather than creates value – except for the consultants who are called in to help ‘implement’ it. Organisations only spend the minimum on the ERM artefacts, just to keep regulators happy and so that they can boast about it in annual reports.

The bottom line is that there is no evidence that ERM improves organisational performance. Although there are some faint correlations between organisations that are successful and those that adopt the risk management paraphernalia, correlation is not causation.

Any apparent correlation could be explained by already-successful organisations being able to afford to construct a ‘risk management’ edifice, or by their being subjected to regulatory coercion.

None of the organisations I deal with reached for their risk register when they had to decide how to respond to the disruption caused by COVID-19. Also, none of them consulted their risk appetite statement or ‘risk matrix’ either. Interestingly, none of them seemed to use their business continuity plans!

This is not surprising, actually, because what they all wanted to do was reduce their vulnerability to such disruptions and not, necessarily, return to their post-disruption state.

Many also saw and decided how to exploit the opportunities resulting from the disruption and, in some cases, they decided to exploit the vulnerability of others to gain an advantage. While clearly COVID-19 is having a devastating effect on organisations (and people) across the world, in the words of Winston Churchill: “never let a good crisis go to waste”!