Executive Summary: Step 2 – COSO Risk Assessment
If the control environment is the soil in which governance takes root, risk assessment is the radar that continuously scans the horizon. It gives direction and foresight, telling organizations not only what lies ahead but also which storms may approach, which opportunities might appear as new markets, and which hidden icebergs could endanger the voyage. Without such a radar, even the most powerful organization resembles a ship in dense fog: confident in the strength of its engines, proud of its speed, but blind to the iceberg directly in its path. History shows that confidence without vision often leads to disaster.
Within the COSO Internal Control – Integrated Framework, risk assessment is positioned as the essential second building block, directly after the control environment. Where the control environment creates the ethical and cultural soil, risk assessment transforms that foundation into a practical tool for resilience. It provides a disciplined, structured process for identifying risks, analyzing their likelihood and impact, and prioritizing which ones deserve urgent attention. Yet risk assessment should never be mistaken for a mechanical checklist. When applied as intended, it becomes a cultural discipline and part of the organization’s DNA—an early warning system that turns weak signals into actionable insights. In that role, risk assessment ensures that small disturbances are managed before they grow into existential crises, safeguarding both performance and trust.
Where are we?
At its core, the COSO Internal Control Framework identifies five integrated components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
These five components function as an integrated system. Weakness in one undermines the others.
From Compliance to Strategy: The COSO ERM 2017 Update
In 2017, COSO reframed risk management with its Enterprise Risk Management (ERM) – Integrating with Strategy and Performance update. It recognized that risk is not only about what can go wrong, but also about what drives value creation.
- Risk appetite became central: how much uncertainty is the organization willing to accept in pursuit of objectives?
- Integration with strategy was emphasized: risk assessment must happen during planning, not after.
- Dynamic reassessment was stressed: risks evolve, and the radar must be kept switched on.
The failures of Lehman Brothers and Silicon Valley Bank show what happens when radar is turned off. Lehman’s board underestimated the consequences of excessive leverage in 2008, while Silicon Valley Bank failed to reassess interest rate and liquidity risks in 2023. Both were sailing fast, but blind.
Read the COSO ERM 2017 Update on coso.org.
How Risk Assessment Works
COSO defines risk assessment as the identification and analysis of risks to the achievement of objectives. These objectives fall into three categories: operations, reporting, and compliance. A structured risk assessment ensures that risks are not dismissed as noise but evaluated for likelihood and impact.
The Core Steps of Risk Assessment (with Examples)
1. Identify Risks
Recognize events that could disrupt objectives, such as cyberattacks on payment systems or geopolitical tensions disrupting energy supply chains. Risk identification should be broad and inclusive.
2. Analyze Risks
Evaluate likelihood and potential impact, both financial and reputational. Banks, for example, stress-test liquidity under various economic scenarios, while ESG-sensitive firms assess exposure to regulatory shifts.
3. Evaluate Risks
Compare risks against appetite and tolerance. A board considering expansion into politically unstable regions must weigh the potential reputational damage against expected growth.
4. Prioritize Risks
Allocate scarce resources to what matters most. Audit committees, for instance, should focus on systemic IT vulnerabilities rather than minor process delays.
5. Respond to Risks
Choose how to address risk: mitigate, transfer, accept, or exploit. Currency risk may be hedged, cybersecurity may be enhanced, or emerging markets may be entered despite volatility if opportunity outweighs danger.
These steps are simple in theory but challenging in practice, particularly when leadership is blinded by optimism or pressured by markets.
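To make the five steps concrete, the following added example (not from the article or from COSO) runs a small risk register through steps 2 to 5: it scores each risk as likelihood times impact, compares the score against a tolerance set per COSO objective category (operations, reporting, compliance), sorts by priority, and maps each risk to mitigate, transfer, accept or exploit. The 1–5 scales, the tolerance values, the register entries and the response decision rule are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed risk register illustrating the five COSO steps.
# Scales, tolerances and the response rule below are assumptions for this
# example, not values taken from COSO or from the article.


@dataclass(frozen=True)
class Risk:
    name: str
    objective: str              # COSO category: "operations", "reporting" or "compliance"
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe), financial or reputational
    opportunity: bool = False   # upside risk the organization could choose to exploit
    transferable: bool = False  # can be shifted to a third party (insurance, hedge)


# Step 3 input: risk appetite expressed as a tolerance score per objective
# category (assumed values; reporting and compliance tolerate less than operations).
TOLERANCE: Dict[str, int] = {"operations": 8, "reporting": 4, "compliance": 4}


def analyze(risk: Risk) -> int:
    """Step 2: score = likelihood x impact, giving a 1..25 scale."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: likelihood and impact must be 1..5, got {value}")
    return risk.likelihood * risk.impact


def evaluate(risk: Risk, tolerance: Dict[str, int] = TOLERANCE) -> bool:
    """Step 3: True when the score exceeds the tolerance for the risk's objective category."""
    return analyze(risk) > tolerance[risk.objective]


def prioritize(register: List[Risk]) -> List[Risk]:
    """Step 4: highest score first; ties broken by impact so severe-but-rare events are not buried."""
    return sorted(register, key=lambda r: (analyze(r), r.impact), reverse=True)


def respond(risk: Risk, tolerance: Dict[str, int] = TOLERANCE) -> str:
    """Step 5: map a risk to accept / exploit / transfer / mitigate (assumed decision rule)."""
    if not evaluate(risk, tolerance):
        return "accept"        # within appetite: monitor, no action required
    if risk.opportunity:
        return "exploit"       # upside outweighs the downside, pursue it deliberately
    if risk.transferable:
        return "transfer"      # hedge or insure the exposure
    return "mitigate"          # reduce likelihood or impact with controls


def assess(register: List[Risk], tolerance: Dict[str, int] = TOLERANCE) -> List[dict]:
    """Run steps 2-5 over the register; step 1 is the act of compiling the register itself."""
    return [
        {
            "risk": r.name,
            "objective": r.objective,
            "score": analyze(r),
            "exceeds_tolerance": evaluate(r, tolerance),
            "response": respond(r, tolerance),
        }
        for r in prioritize(register)
    ]


# Step 1: identify. A constructed register echoing the article's own examples.
REGISTER: List[Risk] = [
    Risk("Cyberattack on payment systems", "operations", 4, 5),
    Risk("Energy supply chain disruption", "operations", 3, 4, transferable=True),
    Risk("Currency exposure on overseas revenue", "reporting", 3, 3, transferable=True),
    Risk("Expansion into a politically unstable region", "operations", 3, 4, opportunity=True),
    Risk("Minor invoice-approval delays", "operations", 2, 1),
    Risk("Regulatory shift on ESG disclosure", "compliance", 2, 3),
]


if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['score']:>2}  {row['response']:<8}  {row['objective']:<11} {row['risk']}")
```

Run as a script, the output lists the payment-system cyberattack first (score 20, mitigate) and the minor process delay last (score 2, accept), which mirrors the article's point that audit committees should focus on systemic IT vulnerabilities rather than minor delays. The important design choice is that tolerance is set per objective category, so a reporting or compliance risk with a modest score still breaches appetite while an operational risk with the same score may not.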
Not directly business-oriented, but interesting for comparison: the UK Health and Safety Executive's guide, Risk assessment: Steps needed to manage risk. The steps should not be all that different.
Stories from the Past: When Radar Failed
Barings Bank (1995)
Barings collapsed because senior leadership had no radar on derivatives trading in Singapore. A single trader accumulated unchecked positions that went unnoticed until it was too late. There were no processes to identify or analyze such concentrated risk.
Lehman Brothers (2008)
The bank’s failure was a consequence of ignoring leverage risk. Risk assessment was nominally present but disconnected from strategy. When housing markets turned, the absence of credible stress tests exposed the firm’s fragility.
Wirecard (2020)
Wirecard dismissed repeated external warnings of fabricated revenues. Its radar was turned inward, focused on growth targets rather than independent signals. Proper risk assessment would have investigated anomalies in cash balances and third-party relationships.
Silicon Valley Bank (2023)
SVB’s radar was fixed on short-term growth, ignoring the shift in interest rate dynamics. When depositors fled, risk assessment failures in liquidity and hedging cascaded into collapse within days.
These cases show a pattern: radar existed, but management chose to ignore or disable it.
Challenges in Modern Risk Assessment
- Emerging Risks: Climate change, AI, and cybersecurity generate threats that are fast-moving and hard to quantify. Boards often underestimate these because historical models offer little guidance.
- Bias and Groupthink: Leaders may ignore inconvenient truths. In every major collapse, warning signs existed but were dismissed as pessimism.
- Complex Global Operations: Multinationals face overlapping regulatory and cultural risks. Achieving consistency in risk assessment across geographies requires coordination and robust governance.
- Dynamic Environment: Risks evolve continuously. Yesterday’s low-priority issue can become tomorrow’s existential threat, demanding constant vigilance.
Best Practices: Keeping the Radar On
- Embed in Strategy: Risk assessment must guide planning and investment decisions, not trail behind them.
- Active Board Oversight: Boards and audit committees must demand regular risk reviews and challenge management assumptions.
- Mixed Tools: Use both quantitative methods (stress testing, models) and qualitative insights (stakeholder input, expert panels).
- Cross-Functional Approach: Risk assessment cannot be confined to finance or compliance; it must include operations, technology, and sustainability.
- Transparent Communication: Findings must be reported clearly to both internal and external stakeholders, including in financial and sustainability disclosures.
When these practices are combined, the radar stays active, enabling organizations to detect weak signals and act before they become crises.
Conclusion: The Strategic Role of Risk Assessment
Risk assessment is more than a compliance task—it is the radar that scans the horizon and warns of storms. When organizations ignore or disable this radar, as seen at Barings, Lehman, Wirecard, and Silicon Valley Bank, they are left blind until disaster strikes.
By embedding COSO’s principles and aligning with the ERM 2017 update, boards and executives can turn risk assessment into a value-creating discipline. It provides foresight, prepares organizations for shocks, and strengthens trust with stakeholders.
In the next article, we turn to Step 3 – Control Activities, exploring how organizations translate risk insights into concrete policies and procedures that prevent, detect, and respond to threats.