The missing element in ERM - the Human Element

---

COSO Internal Controls Integrated Framework limitations:

“An effective system of internal control demands more than rigorous adherence to policies and procedures: it requires the use of judgment. Management and boards of directors use judgment to determine how much control is enough. Management and other personnel use judgment every day to select, develop, and deploy controls across the entity. Management and internal auditors, among other personnel, apply judgment as they monitor and assess the effectiveness of the system of internal control?

The Framework recognizes that while internal control provides reasonable assurance of achieving the entity’s objectives, limitations do exist. Internal control cannot prevent bad judgment or decisions, or external events that can cause an organization to fail to achieve its operational goals. In other words, even an effective system of internal control can experience a failure. 

Limitations may result from the:  

• Suitability of objectives established as a precondition to internal control 

• Reality that human judgment in decision making can be faulty and subject to bias 

• Breakdowns that can occur because of human failure, such as simple errors • Ability of management to override internal control 

• Ability of management, other personnel, and/or third parties to circumvent controls through collusion • External events beyond the organization’s control  

These limitations preclude the board and management from having absolute assurance of the achievement of the entity’s objectives – that is, internal controls provide reasonable assurance not absolute assurance. Notwithstanding these inherent limitations, management should be aware of them when selecting, developing and deploying controls that minimize, to the extent practical, these limitations." (this is an excerpt from COSO's Internal Control Integrated Framework 2013 guidance)

The risk professionals at Global Compliance Associates recognized this massive gap in COSO's internal control integrated framework and has written and documented these gaps in two books written by the executive director of GCA in Cognitive Hack (2016)  and Cognitive Risk (coming 2022 summer) both can be found at Amazon.com.

In other words, COSO clearly recognizes that their ERM framework fails to address the biggest vulnerabilities in their framework: judgment, decision-making and risk assessment of human error. What that disclosure doesn't address is how to develop a risk program that addresses these gaps using behavioral science, cognitive science, and the human element science. 

Global Compliance Associates has developed the only Cognitive Risk Framework for Cybersecurity and Enterprise Risk Management. We would love to discuss these gaps to explain why this has been over looked for more than 40 years since the launch of COSO's framework and continues to not be addressed in any existing risk frameworks to date.