Interview with Lucia Wind, COSO Chair and Strategic Advisory Board Member, IRM India Affiliate
Hersh: We’re seeing a series of shocks and uncertainties across the globe, and this is only on the rise with the world getting more interconnected and complex. As the new Chair of the Committee of Sponsoring Organisations (COSO), which has released the international framework for enterprise risk management (ERM), what are your perspectives on ERM and its relevance to business strategy, long-term survival and organisational resilience?
Lucia: I think that ERM is becoming even more important and relevant and should be considered as a function and a framework by all organizations, large or small, private or public. What recent events taught us is that awareness of risks and readiness to respond to changing environments is what will differentiate success for companies. Whether we consider readiness to respond to a worldwide pandemic, the banking industry, or the upcoming environmental/sustainability reporting requirements, companies need to consider the unexpected. Taking a deeper look at your company’s strategy and linking it to the ERM framework is an important step in the readiness.
Hersh: The ERM definition under COSO 2004 is particularly close to my heart because it puts emphasis on ERM being a process effected by an entity’s board of directors, management and other personnel, so-called ‘people’. How do you see people (across the enterprise) and of course culture playing an important role in the implementation of ERM, especially in a post-pandemic world?
Lucia: ERM and risk training across the various levels of an organization are critical. Risk identification is often the strongest at the lower levels of a company, with the ‘people’ as you mentioned, who are often the most connected to the mission and its execution based on their role in the company. The phrase “boots on the ground” is very important here for that very reason: they frequently see risks before they become significant. Linking all levels of an organization to risk management will lead to a better-informed risk register, as it will merge the big picture that boards and senior leadership see with the tactical and/or rising risks.
Hersh: As you may know, the IRM’s Global Enterprise Risk Management qualifications / examinations cover detailed study of the COSO 2004 and COSO 2017 frameworks, and IRM-certified professionals are emerging as ‘champions of change’ at various organisations by embedding risk-intelligence across the value chain, using these international frameworks and standards. What’s your advice for our budding students?
Lucia: Be inquisitive and bring your learning to practice. The ERM framework provides great tools you can use in your risk management journey. I am a strong believer in asking many questions, maybe that is the auditor in me, but challenge yourself to understand the risk universe your organization operates in, bring your ERM tools to the table and keep asking questions on what could go wrong. I love the name “champions of change,” I think that greatly describes a true risk professional. With change often comes discomfort, but if we don’t challenge the comfortable state, we will not effectively prepare for risks that may come.
Hersh: India is leading the way in risk-related regulations, with SEBI, RBI and IRDAI mandating ERM / risk disclosures, board risk management committees and in some cases even mandatory appointment of a Chief Risk Officer. The Ministry of Corporate Affairs too may come out with a guideline for certain unlisted private limited companies. Yet, the appreciation for an ERM function and risk-based decision making appears to be low. Any thoughts on how risk leaders should navigate this and win the confidence of the Board?
Lucia: Getting buy-in from your Board of Directors is a very important step. It really bridges ERM with the Internal Control – Integrated Framework by COSO (ICIF) through the ‘tone at the top’. I have found that bringing real examples to a discussion is a very effective tool to support the return-on-investment discussion related to ERM. Unfortunately for many companies, but fortunately for risk professionals struggling with this challenge, we are seeing many recent events such as COVID post-mortems, the banking industry scenarios and cybersecurity incidents to be helpful in those discussions.
Hersh: There’s a lot of buzz around emerging risks and scenario planning. How should Chief Risk Officers (CROs) or Risk Leaders adopt this in their ERM strategy?
Lucia: As a practitioner, I found tabletop exercise sessions very effective. It is not a new concept, but bringing key leaders to a conversation dedicated to risks and having them collaborate and challenge each other in areas where their objectives and strategies merge can be very effective. It often leads to identifying new risks, opportunities and scenarios that can easily be missed in individual conversations. I recommend holding such sessions at the board level and executive management level, but also at the levels below. It is very valuable to compare results and assess for themes. Networking with peers is a great tool as well; we can all learn from each other.
Hersh: On a closing note, what are your top three strategic objectives as COSO Chair that would benefit the enterprise risk management (ERM) community at large?
Lucia: I may not have three specific items, as the few priorities I will mention cover several longer-term objectives, but I would like to make COSO more interactive with the professional communities, ERM included, and we do have several initiatives in the works that we hope to launch soon. As always, we are continuously evaluating thought leadership opportunities, and I do believe that the next set of projects to come will be of great interest to risk professionals. To stay in touch on anything COSO, you can find more information on LinkedIn and by following our sponsoring organizations.