Critique of draft COSO Corporate Governance Framework: Principle 21

Risk management should help us make better decisions, not create more paperwork. Yet Principle 21 of COSO’s draft framework, while containing some good ideas, pushes companies toward the same old mistakes that have plagued risk management for years. Let me be clear: linking risk to strategy is smart. Looking at both threats and opportunities makes sense. Getting timely updates to the board is important. But the way COSO suggests doing these things? That’s where we run into trouble.

The problem: risk management as a side project

COSO’s framework treats risk like it’s something separate from running your business. They want you to create special processes, assign special owners, and write special reports. But here’s what really happens when companies do this:

They waste money and time. Studies show companies spend 60-70% of their risk budget on documentation that doesn’t help anyone make better decisions. Some blow over $1.3 million a year on busywork with nothing to show for it.

They create false comfort. When you have a separate risk department churning out reports, executives think risks are “being handled.” Meanwhile, the people making actual business decisions aren’t thinking about risk at all. This false security contributed to disasters at companies like Carillion and Wirecard.

They miss the whole point. Risk isn’t something that exists separately from your business—it’s woven into every decision you make. Treating it as an add-on is like trying to bolt wings onto a car and calling it an airplane.

Where COSO goes wrong (and what to do instead)

The “separate process” trap

COSO tells you to “establish and maintain a structured risk management process.” This creates an artificial wall between risk thinking and real work. Remember the 2005 BP Texas City refinery explosion? BP had mountains of risk documentation. But none of it connected to daily decisions about equipment maintenance or safety shutdowns. The paperwork said one thing; the operators did another. Fifteen people died.

What actually works: Don’t create a separate process. Instead:

  • When planning strategy, always ask “what could happen?” and explore different scenarios
  • When setting budgets, show ranges like “$10 million plus or minus $1.5 million” instead of pretending you know exact numbers
  • When approving projects, run simulations to see how they might play out
  • When reviewing results, figure out why your predictions were wrong so you can do better next time

The “risk owner” fantasy

COSO wants “clear roles and responsibilities for risk ownership.” But think about this: How can someone “own” a risk if they can’t control the business activity causing it? The 2010 Deepwater Horizon disaster showed this perfectly. Safety experts spotted problems but couldn’t force changes because they didn’t run operations. The people who did run operations didn’t feel responsible for safety; that was the “risk owner’s” job. Eleven people died.

What actually works: The person running an activity should handle its risks too:

  • Sales managers manage sales risks
  • Project leaders handle project uncertainties
  • Include risk management in everyone’s performance reviews
  • Give people tools and training to manage their own risks

The isolation of risk information

COSO says “risk information is updated regularly and communicated.” But when risk lives in separate reports from your regular business updates, nobody connects the dots.

During the 2008 crisis, Lehman Brothers had detailed risk reports warning about real estate problems. But these reports used different language, came at different times, and went to different meetings than their investment reports. The warnings never influenced actual decisions. The company collapsed.

What actually works: Put risk information where people need it:

  • Add uncertainty ranges to your regular dashboards
  • Show best, expected, and worst cases in the same report
  • Track how accurate your forecasts are so you can improve
  • Discuss risks in your regular business meetings, not separate ones

The “top 10 risks” nonsense

COSO suggests tracking “10 to 15 key risks.” Why 10 to 15? Why not 8 or 23? This arbitrary limit creates blind spots. The 2008 financial crisis proved it—banks had their neat lists of 10-15 risks but completely missed how they all connected to create disaster.

Here’s the kicker: 78% of executives admit they never look at their company’s risk register when making decisions. If it’s not helping people choose better paths, why bother?

What actually works: Focus on decisions, not lists:

  • Before big decisions, identify what could affect the outcome
  • Analyze uncertainties specific to each decision
  • Update your analysis when you need to decide, not on some arbitrary schedule
  • Don’t limit yourself to a magic number

The chief risk officer problem

COSO wants you to “designate an individual to oversee day-to-day risk management.” But when you put one person in charge of all risk, everyone else stops thinking about it.

Companies with centralized risk functions take 70% longer to fix problems. Why? Because the people who spot risks can’t fix them, and the people who can fix them aren’t thinking about risks.

What actually works: Spread risk thinking throughout your company:

  • Train all managers to analyze uncertainty
  • Put risk experts in business teams, not a separate tower
  • Keep a small central team for coordination, but let teams manage their own risks
  • Make risk thinking part of everyone’s job, not one person’s burden

Risk appetite statements that say nothing

COSO wants boards to “review and approve the entity’s risk appetite.” These statements usually contain meaningless phrases like “low appetite for compliance risks” or “moderate appetite for strategic risks.”

JP Morgan had a beautiful risk appetite statement. It didn’t stop the “London Whale” from losing more than $6 billion in 2012, because the statement never translated into actual trading limits that traders could use.

What actually works: Create specific, measurable guidelines:

  • “New products need >60% chance of breaking even within 2 years”
  • “Projects can’t have >20% chance of exceeding budget by 15%”
  • Different activities need different risk levels (early research can fail 70% of the time; manufacturing needs 99% reliability)
  • Update these based on real business conditions, not annual rituals
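The rules above only work if someone can actually compute “chance of exceeding budget by 15%” for a given project, which is also what the earlier advice to publish ranges and run simulations comes down to. The following is an added example, not code from the article or from COSO: a small Monte Carlo model that turns a three-point cost estimate into a P10/P50/P90 range, tests it against the “no more than a 20% chance of a 15% overrun” rule, and scores how often past ranges actually contained the outcome. The triangular distributions, the independence of work packages, the `WorkPackage`/`check_appetite` names and every number in it are assumptions made for illustration.

```python
"""Monte Carlo check of a project against a measurable risk-appetite rule.

Added example for this article, not code from the article or from COSO.
Assumptions (not in the original): each work package has a three-point
(low / most likely / high) cost estimate modelled as a triangular
distribution, packages are independent, and the appetite rule is the
article's "no more than a 20% chance of exceeding budget by 15%".
All figures below are constructed for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class WorkPackage:
    name: str
    low: float     # optimistic cost
    likely: float  # most likely cost
    high: float    # pessimistic cost


# Constructed sample estimate for one hypothetical project (in $ thousands).
PROJECT = [
    WorkPackage("design", 200, 250, 350),
    WorkPackage("build", 500, 600, 900),
    WorkPackage("test", 100, 150, 250),
]
BUDGET = 1000.0  # the single-point budget that would go on a slide


def simulate_total_cost(packages, runs=20_000, seed=1):
    """Draw one total cost per run by sampling every package's triangle."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    return [
        sum(rng.triangular(p.low, p.high, p.likely) for p in packages)
        for _ in range(runs)
    ]


def percentile(values, q):
    """Linear-interpolated q-th percentile (q in 0..1) of a list of numbers."""
    s = sorted(values)
    pos = (len(s) - 1) * q
    lo = int(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def cost_range(values):
    """P10 / P50 / P90: the range to publish instead of a single number."""
    return {q: round(percentile(values, q / 100), 1) for q in (10, 50, 90)}


def probability_over(values, threshold):
    """Share of simulated outcomes strictly above the threshold."""
    return sum(1 for v in values if v > threshold) / len(values)


def check_appetite(values, budget, overrun=0.15, max_prob=0.20):
    """Apply the rule 'P(cost > budget * (1 + overrun)) <= max_prob'."""
    p = probability_over(values, budget * (1 + overrun))
    return {"p_overrun": round(p, 3), "limit": max_prob, "within_appetite": p <= max_prob}


def range_coverage(forecasts):
    """Fraction of past outcomes that landed inside the stated P10-P90 band.

    A well-calibrated forecaster should score close to 0.80; much lower
    means the published ranges were too narrow (overconfidence).
    """
    inside = sum(1 for p10, p90, actual in forecasts if p10 <= actual <= p90)
    return inside / len(forecasts)


if __name__ == "__main__":
    totals = simulate_total_cost(PROJECT)
    print("cost range (P10/P50/P90):", cost_range(totals))
    print("appetite check:", check_appetite(totals, BUDGET))
    # Constructed history of five earlier forecasts as (P10, P90, actual).
    history = [(90, 130, 120), (400, 520, 560), (40, 60, 55),
               (300, 380, 375), (150, 210, 260)]
    print("P10-P90 coverage on past forecasts:", range_coverage(history))
```

The point of the sample project is that the three “most likely” figures add up exactly to the $1,000k budget, yet because every estimate has more room above than below, the simulated chance of a 15% overrun is well over the 20% limit: a number the decision owner can argue about, which “moderate appetite for project risk” never is. The coverage function is the feedback loop from the earlier section: if only 60% of past outcomes fell inside the stated P10-P90 bands, the ranges being published are too narrow and the next estimate should be widened.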

Monitoring everything, fixing nothing

COSO says to “monitor key risks.” Companies often track hundreds of indicators, creating massive reports nobody reads. Without clear triggers for action, they wait until risks become crises.

The BP Texas City disaster had this problem—they monitored safety indicators but never linked them to decisions about when to shut down for maintenance.

What actually works: Monitor with purpose:

  • Identify which decisions need risk information
  • Set clear triggers: “If supplier delays exceed 15%, activate backup plan”
  • Monitor at the right frequency for each decision
  • Make someone responsible for acting when triggers hit

Technology risk in its own bubble

COSO wants separate “governance structures to assess and manage risks related to technology.” But technology risk isn’t separate from business risk—it’s the same thing.

The 2017 Equifax breach started with a known vulnerability in Apache Struts (CVE-2017-5638) for which a patch had been available for months. The security function circulated the notice to patch, but the affected system was never fixed and a follow-up vulnerability scan failed to find it. The risk side identified the problem; the operations side didn’t act on it. The personal data of about 147 million people was stolen (143 million in the initial announcement).

What actually works: Make technology risk part of technology decisions:

  • Include risk analysis when choosing systems
  • Train IT teams to think about uncertainty
  • Make business and IT leaders jointly responsible for tech risks
  • Stop pretending technology is somehow different from the rest of your business

The real path forward

Here’s what COSO gets right: Risk management should support strategy, consider opportunities, and provide timely information. But their approach of creating separate structures, processes, and roles undermines these good intentions.

Real risk management isn’t a compliance exercise or a specialized function. It’s thinking clearly about uncertainty whenever you make important decisions. It means:

  • Teaching everyone to consider what might happen, not just the “risk people”
  • Building uncertainty into all your planning and budgeting
  • Making decision-makers responsible for their own uncertainties
  • Turning risk appetite from empty words into clear rules and limits
  • Monitoring what matters for decisions you actually need to make

Start simple. Pick one important recurring decision—maybe project approvals or new product launches. Build uncertainty thinking right into that process. Use ranges instead of single numbers. Set clear thresholds. Make the decision owner responsible for the uncertainties.

When people see how this improves decisions, they’ll want to use it everywhere. Soon, thinking about uncertainty becomes as natural as thinking about costs or schedules.

COSO’s Principle 21 perpetuates the myth that risk management is something you do alongside your business rather than within it. This separation creates bureaucracy without benefit, documentation without decisions, and oversight without insight.

Companies that thrive don’t pretend they can predict the future perfectly. They build organizations that make good decisions despite uncertainty. That’s not a risk management process—that’s just good business.

The real question isn’t whether you’ll implement COSO’s framework. It’s whether you’ll have the courage to do something better: make risk thinking an inseparable part of how you run your business. Because in the end, every business decision involves uncertainty. Pretending otherwise is the biggest risk of all.


Upcoming events and courses:

  • Join us at the Quantitative Risk Virtual Summit, hosted by Vose Software and The Ferryfield Group—an event designed for professionals ready to elevate their risk management game with ModelRisk. This dynamic virtual experience features expert-led sessions on real-world applications and advanced modeling techniques used by leading organizations. https://events.teams.microsoft.com/event/a0267764-1ac2-46c8-956b-8d123e56ec11@7a78bd33-d8ac-4a49-bec7-97e770034789
  • The Board Members’ Course on Risk is a multi-session on-demand board development program focused on the positive and effective governance of risk-taking by boards of directors. The program trains current and aspiring board members to govern effectively and raises the profile of directors with a specialization in the governance of risk-taking. https://dcroinstitute.activehosted.com/f/28

Alex is an experienced executive across strategic, investment and operational risks and insurance working within multibillion dollar corporations in Australia, GCC and Europe. Successfully implemented changes to quantitative risk analysis, risk-based decision making and neuroscience.

Saved more than $13 million per year in premiums on cargo and PD/BI insurance through industry-leading quantitative risk analysis without changing deductibles or limits. Successfully presented the corporate risk profile at the Ministry of Finance and helped secure more than $1B in extra funding.

Author of the most popular free risk management book in the world, more than 150K downloads in 3 languages. Risk manager of the year, FERMA, 2021, Honourable mention 2021, RIMS. Risk manager of the year, RUSRISK, 2014, Best ERM Implementation, RUSRISK, 2014, Best risk management training, RUSRISK, 2013, 2014, 2015, finalist in risk management awards in 2018 and 2019.

YOUTUBE: <a href="https://www.youtube.com/channel/UCog9jkDZdiRps2w27MZ5Azg">https://www.youtube.com/channel/UCog9jkDZdiRps2w27MZ5Azg</a>
BLOG: <a href="https://riskacademy.blog">https://riskacademy.blog</a>
