REVIEW: "COSO Enterprise Risk Management", Robert R. Moeller
- BKCOSERM.RVW 20070506
"COSO Enterprise Risk Management", Robert R. Moeller, 2007,
%A Robert R. Moeller
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%G 0-471-74115-9 978-0-471-74115-2
%I John Wiley & Sons, Inc.
%O 416-236-4433 fax: 416-236-4448
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 367 p.
%T "COSO Enterprise Risk Management"
The inclusion of "COSO" (the Committee of Sponsoring Organizations of
the Treadway Commission) in the title indicates that this work takes a
corporate, and particularly financial, perspective with respect to
risk management. The fact that the first paragraph of the preface
makes reference to the key (if rather vague) phrase "internal
controls" reinforces this idea. It is, therefore, somewhat ironic
that the introduction complains that risk management is poorly defined
and understood. The concept of internal control is similarly
nebulous, and a badly understood abstraction can hardly be expected to
result in advice likely to lead to solid implementations by the
readers of the book.
Chapter one is a general introduction to the perceived need for COSO
and internal controls. With yet more unintentional incongruity there
is heavy emphasis on ethics and philosophy within the organization.
(An ethical enterprise would presumably have no need for internal
controls.) A traditional risk management process is outlined in
chapter two. (There is a great deal of consideration given to
surveys, but little to either hard facts or statistics.) Chapter
three's review of "enterprise" risk management reiterates a good deal
of the previous material. The COSO risk management components are
noted, mostly in regard to the highest corporate levels. The
additional COSO dimensions of objectives and entity levels are covered
in chapter four. Chapter five repeats content on roles,
responsibilities, and process aspects of risk management. The history
of the initial (1992 version) COSO structure is given in chapter six.
Chapter seven provides background on the Sarbanes-Oxley law, and some
relations to the COSO framework. Audit is discussed in both chapters
eight and nine, first with respect to the board, and then in regard to
internal audit activities. The project management cycle is reviewed
in chapter ten: unlike most similar pieces in risk management books,
this one at least addresses specific functions regarding risk
management. Chapter eleven purportedly ties enterprise risk
management to information technology, but the topics are limited to
application development, business continuity, and malware.
Chapter twelve's suggestions on building a risk culture follow the
usual advice on creating a security awareness program. Various
national financial standards and regulations are noted in chapter
thirteen. In chapter fourteen the author ruminates on what should
happen with risk management in the future.
This book is almost identical in content and style to numerous others
on similar topics, such as Marchetti's "Beyond Sarbanes-Oxley
Compliance" (cf. BKBYNSOX.RVW), "Security Controls for Sarbanes-Oxley
Section 404 IT Compliance" by Brewer (cf. BKSCSOXC.RVW), Lahti and
Peterson's "Sarbanes-Oxley IT Compliance Using COBIT and Open Source
Tools" (cf. BKSOITCU.RVW), and the rather better "Beyond COSO", by
Steven J. Root (cf. BKBECOSO.RVW). The writing and material may
provide some assistance with a risk management process, but the
central points could have been provided in a clearer and more concise
copyright Robert M. Slade, 2007 BKCOSERM.RVW 20070506