BKCOSERM.RVW   20070506

"COSO Enterprise Risk Management", Robert R. Moeller, 2007,
0-471-74115-9
%A   Robert R. Moeller
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2007
%G   0-471-74115-9 978-0-471-74115-2
%I   John Wiley & Sons, Inc.
%O   416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0471741159/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0471741159/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471741159/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   367 p.
%T   "COSO Enterprise Risk Management"

The inclusion of "COSO" (the Committee of Sponsoring Organizations of the Treadway Commission) in the title indicates that this work takes a corporate, and particularly financial, perspective with respect to risk management. The fact that the first paragraph of the preface makes reference to the key (if rather vague) phrase "internal controls" reinforces this idea. It is, therefore, somewhat ironic that the introduction complains that risk management is poorly defined and understood. The concept of internal control is similarly nebulous, and a badly understood abstraction can hardly be expected to result in advice likely to lead to solid implementations by the readers of the book.

Chapter one is a general introduction to the perceived need for COSO and internal controls. With yet more unintentional incongruity there is heavy emphasis on ethics and philosophy within the organization. (An ethical enterprise would presumably have no need for internal controls.) A traditional risk management process is outlined in chapter two. (There is a great deal of consideration given to surveys, but little to either hard facts or statistics.) Chapter three's review of "enterprise" risk management reiterates a good deal of the previous material. The COSO risk management components are noted, mostly in regard to the highest corporate levels.
The additional COSO dimensions of objectives and entity levels are covered in chapter four. Chapter five repeats content on roles, responsibilities, and process aspects of risk management. The history of the initial (1992 version) COSO structure is given in chapter six. Chapter seven provides background on the Sarbanes-Oxley law, and some relations to the COSO framework. Audit is discussed in both chapters eight and nine, first with respect to the board, and then in regard to internal audit activities. The project management cycle is reviewed in chapter ten: unlike most similar pieces in risk management books, this one at least addresses specific functions regarding risk management. Chapter eleven purportedly ties enterprise risk management to information technology, but the topics are limited to application development, business continuity, and malware. Chapter twelve's suggestions on building a risk culture follow the usual advice on creating a security awareness program. Various national financial standards and regulations are noted in chapter thirteen. In chapter fourteen the author ruminates on what should happen with risk management in the future.

This book is almost identical in content and style to numerous others on similar topics, such as Marchetti's "Beyond Sarbanes-Oxley Compliance" (cf. BKBYNSOX.RVW), "Security Controls for Sarbanes-Oxley Section 404 IT Compliance" by Brewer (cf. BKSCSOXC.RVW), Lahti and Peterson's "Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools" (cf. BKSOITCU.RVW), and the rather better "Beyond COSO", by Steven J. Root (cf. BKBECOSO.RVW). The writing and material may provide some assistance with a risk management process, but the central points could have been provided in a clearer and more concise form.

copyright Robert M. Slade, 2007   BKCOSERM.RVW   20070506