We need to talk about COSO (5/7): Reality & problems of linearity in risk & control

The underlying logic of COSO is linear: controls manage risks to the achievement of objectives.  For each objective, there are multiple risks; for each risk there are one or many controls.  Controls can act across different risks, but these relationships are understood; risks may affect the achievement of multiple objectives but these relationships are understood.  Lines can be drawn (metaphorically) between each objective and its attendant risks, between each risk and its attendant controls; hence, ‘linear’.  Such depictions (literally) are commonplace in COSO-related implementations and testing.  But the world only works that way under very restrictive conditions.

Within statements of account, this is a reasonable representation of reality.  Each transaction matches to at least two accounts (a debit and a credit).  Ever-present uncertainty is handled using linear rules about value change (such as depreciation) or by reference to external real phenomena (marking to market).  In only a few instances does complexity creep in, most notably around valuation of illiquid derivative instruments using ‘mark-to-model’ approaches.  It is important to note that statements of account do not seek to represent reality; they represent a stylized, rule-based interpretation of historic activity, which is a very different thing.  For this application – control over financial reporting – COSO is well suited; that is, after all, where it came from.

However, effectiveness and efficiency of operations and compliance systems are very different beasts.  Consider the following statement from COSO (para. 20):

“People do not always understand, communicate, or perform consistently.  Each individual brings to the workplace a unique background and technical ability, and each has different needs and priorities.  These individual differences can be inherently valuable and beneficial to innovation and productivity, but if not properly aligned with the entity’s objective, they can be counterproductive.  Yet, people must know their responsibilities and limits of authority.  Accordingly, a clear and close linkage needs to exist between peoples’ duties and the way in which these duties are carried out and aligned with the entity’s objectives.” (emphasis added)

This assertion rests on a simplified and idealized view of control of people individually and in groups.  Effectiveness and efficiency of operations and compliance systems are fundamentally human systems – “internal control is a process, effected by an entity’s board of directors, management and other personnel”; however, in the case of operations and compliance, there exist complex and changing (dynamic) human interpretation systems, signals and feedback at individual and group levels.  The interactions between the rules or directives and the personnel required to implement them can and do create complex patterns of externally- and self-governed behaviour within and between group members.  These actors, and the contexts, conditions and events to which they are required to react (replete with mixed signals and messages), interact in unexpected and unpredictable ways; unexpected behaviours and outcomes emerge – hence, ‘emergent behaviour’.  These are standard descriptions of complex (sometimes ‘adaptive’) systems.  In such systems, linear control routines are unreliable.

What is most interesting is when and under what conditions they are unreliable, and why that may have consequences that can be either deleterious or beneficial.

Like all complex systems, behavioural systems operate in two zones: (i) the stable zone, in which outcomes appear predictable and where, if the system is disturbed, it returns to its previous, stable state, and (ii) the unstable zone, where a small stimulus (an external triggering event or a change in underlying conditions or actor preferences) leads to behaviour that results in an outcome away from the starting point, which in turn can generate further ‘divergence’.  Technically, in physics, the movement between these states is known as a ‘phase transition’, sometimes referred to as ‘the edge of chaos’.  The important message is that the system can easily become dominated by dependencies and relationships we do not understand – by ‘unknowns’.

It is also important to note, as partially acknowledged in the COSO extract cited, that such ‘chaos’ is essential to organisational adaptation and innovation:

“For an organisation to seek stable equilibrium relationships with an environment which is inherently unpredictable is bound to lead to failure. The organisation will build on its strengths, fine-tune its adjustments – and succumb to more innovative rivals. Successful strategies, especially in the longer-term, do not result from fixing an organisational intention and mobilising around it; they emerge from complex and continuing interactions between people . . . [Hence] the importance of openness to accident, coincidence, serendipity.  Strategy is the emerging resultant.”  (Rosenhead, 1998)

The danger with the linear approach to control of effectiveness and efficiency of operations and compliance is that it accommodates none of ‘accident, coincidence or serendipity’; such notions are considered antithetical to control.

Worse, COSO’s linear approach to control of risk, when applied organizationally – as occurs through PCAOB diktat – stultifies thinking about approaches to risk, reducing it to a control exercise.  This is unrealistic and potentially disastrous.  Again, it is not applying COSO as written, but is an inevitable and predictable result of (a) giving COSO a broad mandate through PCAOB diktat, (b) dominance of linear, rule-based thinking in the accounting profession, (c) affording the accounting profession the ‘box-seat’ in determining the approach to implementation of COSO, and (d) conflating the audit of firms with an opinion on internal control.

While the opinion on internal control is limited to one of COSO’s three control objectives – control over financial reporting – the COSO framework itself claims a broader relevance (expanded even further by the COSO ERM foray); COSO has done very little to delimit its applicability.  An unbiased observer might conclude either that the COSO authors (or amenders) do not recognize the limits of their knowledge and its practical utility or have a vested interest in ignoring those limits.

Thus, the PCAOB endorsement of COSO and its resulting dominance is a double-edged sword.  COSO must either encourage PCAOB to a more catholic vision of admissible control frameworks of which it will compete equally as one of many, or delimit its proclaimed utility to internal control over financial reporting – its originally-intended purpose.  Failure to do so will result in on-going expansion of the gap between necessary management understanding of organisational control and the frameworks commonly propagated to effect internal control; innovation will remain moribund.

The redraft of COSO can be viewed here.

Our submission on the COSO framework is available at our website.

The list of submissions to COSO can be viewed here.
