When I was about 20, I was flying from university to see my parents and read a journal article on the plane. It was written by Karl Popper, by then an old man, on the problems with proportional representation. NZ was about to embark on electoral law reform, so I decided to send the article to the deputy PM, a law professor, for his interest. I got a very brief but very polite handwritten note back. Before sending the article, I mentioned to my mother that I was going to send it. She laughed. I asked her why. She said, "Oh, Karl, he was a lovely man." I was a bit bemused. It turns out that he taught my mother philosophy while he was in NZ in the 1940s (where he wrote part of The Open Society and Its Enemies). Fascinated, I embarked upon The Logic of Scientific Discovery, then The Open Society. As a student of economics and international relations, I found they had quite an impact on me.
Some while later, I came across Thomas Kuhn's similarly brilliant Structure of Scientific Revolutions and was hooked. What great insight. Having been aghast at the brilliance of falsification, I was now confronted with Kuhn's realism. While many find them in conflict, I find them quite easy to reconcile.
I believe that COSO ERM, ISO 31000 and other risk management approaches will gradually make way for newer approaches that build on the lessons learned from these approaches, pretty much as Sarbanes-Oxley showed us what not to do to avoid future Enrons or WorldComs.
Just kicking them to the curb as irrelevant is an easy and even cheap trick which is unworthy of an academic heavyweight such as Kaplan [see earlier post here]. He certainly has a number of points where he makes a case, but he should look at how each of the current frameworks contributes and how it can be adapted, amended or even completely turned around for the betterment of risk management.
His optimism that the linear approaches of COSO ERM, ISO and AS/NZS will gradually make way for more realistic approaches as better replaces inferior is not something I share. As evidence, I simply cite his next sentence and the flaw therein. SOX may have shown us what not to do to avoid Enrons or WorldComs, but it is still on the statute books, and it shows no sign of budging. COSO ICIF is still well in situ. Based on almost incomprehensible analysis from the SEC (great research, impenetrably written up), it seems the total cost of s.404 compliance is around $9.5 billion but falling (you won't find such a figure in the study; I worked it up from their analysis). That is a lot of status quo.
Kaplan kicking ISO 31000 (and other linear risk approaches) to the curb (nice turn of phrase) is precisely the kind of altercation Kuhn describes as part of his state of disciplinary flux as an antecedent to paradigm shift. And here, again, I am not optimistic. As Kuhn describes, the counterfactuals have to become overwhelming before the luminaries and guardians of the currently-prevailing paradigm, who hold all the power and prestige in the discipline, are overturned.
Recent papers by E&Y and PwC get plenty of airplay and their perspectives will continue to dominate. This is NOT because of superior insight. They are unreformed list-makers. And the SEC data suggest the larger CA firms get about $2.2 billion per annum in s.404(b) attestation fees. That is a lot of incentive to maintain current hegemony.
I don't share Ben's sense of charity re ISO 31000. But my real point is that without properly structured and systematic review, we'll never know. SOX s.404 may add $10 billion in economic value every year (OK, I know it doesn't, but indulge me) through improved market confidence and efficiency, making it net contributory. In which case it will be worth it, but for the moment we just need to take it on faith. Just like ISO 31000. I say, break out the Copernican models and the telescopes and let's put that faith to the test.