2nd European Risk Conference Università Bocconi September 11th & 12th, 2008
Risk Management Standards – role, benefits & applicability –
Dr. Roland Franz Erben
Academic affiliation: Bayerische Julius-Maximilians-Universität Würzburg, Lehrstuhl für BWL und Wirtschaftsinformatik, Josef-Stangl-Platz 2, D-97070 Würzburg, Germany
Address for correspondence: Resi-Weglein-Gasse 3, D-89077 Ulm, Germany
Tel.: +49.(0)731.360808-93
Fax.: +49.(0)731.360808-94
Cell.: +49.(0)163.3733633
E-Mail: [email protected]
Risk Management Standards
Abstract: As every risk management system must reflect the specific circumstances of an organization, a uniform approach can never be adequate. Nevertheless, risk management standards can provide useful support for designing and implementing a comprehensive and consistent risk management system. After a short description of two standards – the “COSO Enterprise Risk Management – Integrated Framework” (COSO ERM) as well as the “ISO/DIS 31000 – Risk management: Principles and guidelines on implementation” – these frameworks are compared regarding the criteria “completeness”, “generic breadth”, “usability”, “integration” and “external assessment”. It is shown that both standards fulfill these requirements to a high degree, with the ISO 31000 being more generic and flexible while the COSO ERM provides more practical guidance. As a conclusion, it can be expected that the already well-established COSO ERM and the emerging ISO 31000 will play a predominant role in the future.
JEL-classification: M19, L15, L29
Keywords: Risk Management Standards • Risk Management Systems • Standardization • COSO ERM Integrated Framework • ISO 31000
Content
1 Introduction  4
2 Risk management standards – potential benefits and practical relevance  7
3 COSO ERM and ISO 31000 – an overview  10
3.1 COSO ERM Integrated Framework  10
3.2 ISO 31000 Risk management  15
4 COSO ERM and ISO 31000 – a comparison  22
5 Further developments & Conclusion  27
Appendix A: Elements of risk management standards  30
Appendix B: Comparison of COSO ERM and ISO 31000 regarding their completeness  31
References  31
1 Introduction
All companies and organizations face a wide range of opportunities and risks that may – positively or negatively – affect the achievement of their objectives. The importance of a particular risk for a specific organization is determined by a great variety of internal (e. g. business model, products, size, financial resources, reputation, degree of vertical integration) and external (e. g. macroeconomic situation, legislation and jurisdiction, exchange and interest rates, sociodemographic changes, quality of public infrastructure, natural disasters) factors. Because of the diversity of these factors, their varying importance, their constant changes and their mutual interdependency, every single organization has to deal with a unique set of risks. To adequately handle these risks, it is a prerequisite to design and implement a customized risk management system which reflects the specific and characteristic attributes of the particular organization and takes into account its individual risk appetite. Under these circumstances, a uniform, “one size fits all” risk management approach is inevitably bound to fail. Nevertheless, since the early 1990s a great (and still growing) number of efforts aiming at the standardization of risk management and internal control systems in organizations have been undertaken by standard setters (like the International Organization for Standardization, ISO), regulatory bodies (like the Bank for International Settlements, BIS) or professional associations and working groups (like the Institute of Risk Management South Africa, IRMSA). Because of the great number of bodies involved in the development of risk management standards, the terms and definitions used are anything but standardized. An in-depth analysis and discussion of the differences regarding the wording of the different standards would not contribute substantially to the objectives of this paper.
Therefore, in this context the term “standard” is used to describe a published set of rules to solve a certain problem or to fulfill certain requirements. More or less analogous expressions for the term “standard” (admittedly sometimes with a slightly different meaning or emphasis) that can be found in other publications are e. g. “framework”, “guideline” or “norm”. Although the research efforts in the field of risk management standards have been very limited so far, it can be assumed that currently there are approximately 80 standards in use [see Shortread 2003, p. 3]. These approaches differ very much regarding their scope, target groups, topics and level of detail. Based on the probably most important factor – “scope” – the following three main types of standards can be distinguished:
• Risk category specific standards aiming at a particular type or source of risk. Well-known examples of these risk category specific standards are the International Standard “ISO 27000 et seq.” in the field of IT security, the British Standard “BS 6079” for project risk management or a variety of regulations aiming at the assurance of adequate product safety.
• Industry specific standards aiming at the characteristic risks of organizations with activities in a certain area of business. These standards are mainly applied in industries with high significance for the economy, the environment or public health & safety (like e. g. aviation, banking, insurance or the chemical/pharmaceutical industry). For these industries, compliance with the relevant risk management standards is often a legal requirement. Well-known examples of industry specific standards are “Basel II” and “Solvency II”, which define risk management requirements for financial institutions and insurance companies respectively.
• Generic standards aiming at the standardization of risk management systems. These standards constitute a comprehensive and holistic risk management approach and claim to outline general requirements for a great variety of organizations, almost independent of their type, size, activities or location.
Well-known examples of generic standards are the “COSO Enterprise Risk Management – Integrated Framework” (hereafter referred to as “COSO ERM”), the Austrian/Swiss “ON-Regel 49000 et seq.” or the Australian/New Zealand “AS/NZS 4360”. In recent months, significant impact on the discussion about generic risk management standards arose from the efforts by the International Organization for Standardization (ISO) to establish a globally valid risk management standard, the “ISO 31000 – Risk management – Principles and guidelines on implementation” (hereafter referred to as “ISO 31000”), which is currently in the last stages of its development and is expected to be released in the first quarter of 2009.
2 Risk management standards – potential benefits and practical relevance
Taking into account the fact that risk management systems have to reflect, or be adapted to, the specific circumstances and requirements of each and every organization, generic risk management standards do not aim at standardizing the concrete specifications and implementation of such a system for a particular organization. Instead, they claim to provide a universally valid guideline. Despite the relatively high level of abstractness, the application of a risk management standard can turn out to be quite useful, as such standards outline generally accepted risk management processes and components. These standards can especially offer support regarding the following issues [see Winter 2007, p. 137; Kuhn 2006, p. 8]:
• By providing clear, unambiguous and consistent terms and definitions, generic standards can help to establish a common understanding of the relevant topics throughout the entire organization. Therefore they can contribute to better communication between the different entities of an organization or between the organization and its stakeholders (e. g. customers, suppliers, investors, regulators, …). This aspect proves to be especially important in large, diversified and complex organizations, e. g. global companies with a wide range of activities in many different countries and therefore divergent (risk) cultures.
• By describing the essential (and maybe also the desirable) components, processes and organizational structures of an effective and efficient risk management system, generic standards provide a useful blueprint for organizations aiming at designing and implementing such a system. The consideration of a comprehensive and holistic standard can help these organizations to avoid substantial gaps and to incorporate all pivotal aspects in their individual conceptual design.
• By outlining a “best practice” risk management system, generic standards can serve as a benchmark against which organizations can compare their existing approaches. Therefore, generic standards can help to identify potential deficiencies of existing risk management systems and gaps between the actual status and a “best practice” approach.
• By designing and implementing its risk management system according to a tried and tested standard, an organization can enhance the transparency of its own approach. Additionally, the consideration of a standard can contribute to improving the trust and confidence of internal and external stakeholders in the risk management abilities of an organization. As risk management standards often incorporate relevant legal requirements and/or new regulations take into account the issues outlined in these standards, they can also help organizations to fulfill their compliance requirements in that area [see Weidemann/Wieben 2001, p. 1790].
As already mentioned above, despite the growing number of risk management standards, the research efforts regarding their dissemination or use in practice have been very limited so far. Most of all, an empirical analysis of whether or to which extent these standards are actually applied in organizations has not yet been accomplished. A first (although admittedly scientifically not very sound) indication of the popularity of some generic risk management standards may be the number of results returned by Google when searching for their names. The results of this analysis, performed on July 19th 2008, can be found in table 01 (interestingly enough – although it is still in a “draft” status – the ISO 31000 returned a remarkable number of results).
Table 01: Google search results for different risk management standards
Search term                  # of results
“AS/NZS 4360”                26.400
“COSO ERM”                   19.900
“ISO 31000”                  3.320
“ON 49000”                   2.650
“JIS Q 2001”                 1.680
“CAN/CSA Q850”               969
“IRMSA Code of practice”     91
For further analysis, this paper will focus on the COSO ERM and the ISO 31000. First of all, a comparison between these two standards seems to be most promising as they show some noteworthy differences [see section 4]. Furthermore, this decision can be justified by the fact that the development of the ISO 31000 was predominantly based on the AS/NZS 4360 and strongly influenced by the ONR 49000 [see section 3.2]. As a consequence, major concepts and principles of these two standards can also be found in the ISO 31000. Because of their similarity to the ISO 31000, an in-depth analysis of the Australian/New Zealand and Austrian/Swiss approaches seems negligible. Finally, the non-observance of the Japanese “JIS Q 2001”, the Canadian “CAN/CSA Q850” and the “Code of practice” developed by the “Institute of Risk Management South Africa (IRMSA)” can be justified by taking into account that these standards have undoubtedly gained remarkable recognition in their regions of origin but seem to lack acceptance in the rest of the world.
3 COSO ERM and ISO 31000 – an overview
Prior to a comparison between the COSO ERM and the ISO 31000 in section 4, a short overview of the structure as well as the basic concepts of the two standards is outlined in the following sections.
3.1 COSO ERM Integrated Framework
COSO, the “Committee of Sponsoring Organizations of the Treadway Commission”, was established in 1985 in the USA. The group was named after its first chairman James C. Treadway Jr., the former Commissioner of the US Securities and Exchange Commission (SEC). The “Sponsoring Organizations” represent some of the most important US accounting and auditing associations (the “American Accounting Association, AAA”, the “American Institute of Certified Public Accountants, AICPA”, the “Financial Executives International, FEI”, the “Institute of Management Accountants, IMA” and “The Institute of Internal Auditors, IIA”). Additionally, the development of the COSO standard was supported by a project advisory council with representatives from various companies and the accounting & auditing firm PricewaterhouseCoopers (PwC) [see COSO 2004a, p. iii; Ballou/Heitger 2004, p. 1]. A major objective of the Committee was the development of approaches to prevent fraudulent or misleading financial reporting [see Janke 2007, p. 115; Foerschler/Scherf 2007, p. 210]. To reach this objective, in 1992 COSO published a standard called “Internal Control – Integrated Framework” (commonly known as “COSO I”) aiming at the development and implementation of an effective and efficient monitoring system [see COSO 2004a, p. v]. Because of its suitability for a wide range of industries and companies, COSO I quickly gained a high level of appreciation. As it emerged as a “de facto” industry standard for internal control issues, its principles influenced a wide range of other frameworks in that area and were also considered in some regulatory requirements – as an example, the Sarbanes-Oxley Act (SOX) of 2002 recommends the use of COSO I [see Sarbanes/Oxley 2002].
In 2004, the COSO I standard was substantially enhanced. While the original framework primarily focused on the issues of internal control and monitoring, the updated version – the “COSO Enterprise Risk Management – Integrated Framework” (commonly known as “COSO II” or “COSO ERM”) – expanded this relatively narrow scope by integrating aspects of a comprehensive, holistic, enterprise-wide risk management system. Apart from minor adjustments, all topics of COSO I were also incorporated in COSO ERM [see COSO 2004a, p. v; Ballou/Heitger 2004, p. 2; Foerschler/Scherf 2007, p. 210]. One of the most outstanding characteristics of the COSO approach is its three-dimensional view of the organization and its risk management system (often referred to as the “COSO Cube”, see figure 01) [see COSO 2004a, p. 23].
Figure 01: COSO Cube
The first dimension of this cube represents the objectives set by the top management of a company. COSO ERM is geared to achieving these objectives, set forth in four categories [see COSO 2004a, p. 21]:
• Strategic: Obviously, the top priority of each organization is the achievement of the objectives derived from its vision and mission. These high-level goals also constitute the guidelines for the other components of the first and the other dimensions.
• Operations: The effective and efficient use of its resources is a basic requirement for every organization to create value.
• Reporting: The reliability of (financial) reporting is a basic requirement for the effectiveness of internal controls and the information of external stakeholders.
• Compliance: Compliance with applicable laws and regulations is a prerequisite for every organization to do business.
The second dimension represents the components and processes of a risk management system. According to COSO, enterprise risk management consists of eight interrelated building blocks. Incorporating these components (and thereby following the guidance provided by COSO regarding their design, implementation and operation) should enable an organization to achieve the objectives outlined in the first dimension. The components specified by COSO are [see COSO 2004, p. 27-81]:
• Internal Environment: The internal environment constitutes the foundation for how risk is viewed and addressed and sets forth the general conditions for all following steps of the risk management process. Obviously, this component is strongly influenced by the history, the culture and values, the risk appetite and the operating environment of an organization [see COSO 2007, p. 27-34].
• Objective Setting: Following Nicklisch’s widespread definition of the term “risk” as “the possibility of a negative deviation of the actual outcomes from the original objectives” [see Nicklisch 1912, p. 34], the specification of objectives is a prerequisite for the emergence of risk: without defined objectives, potential events affecting their achievement can neither be identified nor managed. The objectives have to be measurable and consistent with the organization’s mission and risk appetite and must be aligned with the categories of the first dimension (strategy, operations, reporting and compliance) [see COSO 2004a, p. 35-40].
• Event Identification: The setting of objectives is followed by the identification of (internal and external) events that may affect their achievement. During the event identification, an explicit differentiation between risks and opportunities is made. Possible tools to facilitate this process are e. g. checklists, questionnaires or interviews with experts. The interdependency between different events and their mutual reinforcement or dilution is to be considered. To assure efficiency and to reduce complexity, an organization should concentrate on significant events [see COSO 2004a, p. 41-47].
• Risk Assessment: During the next process step, the identified risks are analyzed and quantitatively evaluated according to their “probability” and “impact”. For this purpose, the use of existing (internal or external) information, empirical data, estimates etc. is recommended. Possible correlations between different events are also to be taken into account. As a result of these activities, an overview of the risks of an organization is generated, listed according to their priorities [see COSO 2004a, p. 49-54].
• Risk Response: Based on the results of the risk assessment, adequate measures (avoid, reduce, transfer/share, accept/self-carry) for an appropriate risk mitigation have to be defined and implemented to align the existing risks with the organization’s risk tolerance and risk appetite and – at the same time – to find an optimal balance between risks and the corresponding opportunities [see COSO 2004a, p. 55-60].
• Control Activities: The implemented mitigation/risk response measures have to be continuously monitored using appropriate procedures to assure that they are carried out effectively. A differentiation is made between measures aiming at preventing or detecting potentially undesired impacts and measures aiming at correcting damages resulting from incidents that have already occurred [see COSO 2004a, p. 61-66; Ruud/Sommer 2006, p. 129].
• Information and Communication: The responsible managers and, if necessary, other internal and external stakeholders (e. g. employees on the one hand and customers, suppliers, investors, regulators, media, … on the other) have to be informed about all relevant risks, incidents, damages etc. as well as other important aspects of the risk management process. The relevant information for this purpose has to be identified, captured and communicated in a timely, comprehensible and accurate manner. As not all of the stakeholders above should receive the same kind and amount of information, an appropriate filtering of information has to be applied [see COSO 2004a, p. 67-74; Neubeck 2003, p. 88].
• Monitoring: Finally, the risk management system has to be monitored, reviewed and – if necessary – modified and improved to meet changing requirements. A major objective of this process step is to assure the effectiveness and efficiency of the system as a whole. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. Furthermore, monitoring does not only refer to the risk management system itself, but also has to consider the external environment of an organization to assure that possible changes are adequately reflected by the risk management [see COSO 2004a, p. 75-81].
The third and last dimension of the COSO Cube represents the organizational structure. By taking this dimension into account, it shall be assured that the objectives and processes defined in the first and second dimension respectively are implemented and executed on all levels of the organization. In this context the levels “entity”, “division”, “business unit” and “subsidiary” are mentioned as examples [see COSO 2004a, p. 24; Foerschler/Scherf 2007, p. 212].
3.2 ISO 31000 Risk management
ISO, the International Organization for Standardization (Organisation internationale de normalisation), is an international standard setter composed of representatives from 157 national standardization bodies. The organization promulgates world-wide proprietary industrial and commercial standards [see ISO 2008a]. The development of the international standard ISO 31000 started in 2005, when the Australian and New Zealand standard setting bodies proposed to elevate their existing AS/NZS 4360 to an international standard. ISO decided that a globally valid risk management standard was desirable, but argued against a simple adoption of the AS/NZS 4360. Instead, the development of a new standard was initiated, which, however, should incorporate the proven and established concepts and components of the major existing frameworks. To achieve this objective, a working group was founded, which presented a first proposal for a standard in September 2005 [see ISO 2005]. After passing through several cycles of improvement, the current draft is now in the stage of a “Draft International Standard (DIS)” [see ISO 2008b]. It is expected that it will be elevated to the status of a “Final Draft International Standard (FDIS)” at the upcoming meeting of the working group in December 2008 and that – after another round of consultation – the final document will be released as an ISO standard in the first quarter of 2009 [see Brühwiler 2008, p. 14]. The main objective of the ISO working group is to “provide a document which provides principles and practical guidance to the risk management process. The document is applicable to all organizations, regardless of type, size, activities and location and should apply to all type of risk“ [see ISO 2005, p. 1]. In contrast to this ambitious claim, the working group right away excluded aspects of business continuity/crisis management from its program, as these issues are already subject to the efforts of another ISO working group and standard development (the “ISO 22399 – Societal security – Guideline for incident preparedness and operational continuity management”) [see ISO 2005, p. 2]. As the ISO 31000 aims at establishing a common understanding regarding risk and risk management, it outlines a high-level framework instead of dealing with operational issues. Due to this objective, it sees itself as a generic guideline containing recommendations rather than explicit requirements and is therefore not intended to be used as a basis for external certification by independent third parties [see ISO 2008b, ln. 172; Brühwiler 2008, p. 15]. The content of the ISO 31000 is structured according to the following sections [see ISO 2008b, p. iii]:
Introduction
Foreword
1. Scope
2. Normative References
3. Terms and Definitions
4. Principles of Managing Risk
5. Framework for Managing Risk
6. Process for Managing Risk
Annex: Attributes of enhanced Risk Management
1. Scope: The first section of the document provides a general overview of the standard and claims its universal applicability “to any public, private or community enterprise, association, group or individual” as well as “throughout the life of an organization, and to a wide range of activities, processes, functions, projects, products, services, assets, operations and decisions” [see ISO 2008b, lines 159-164].
2. Normative References: The second section of the document refers to the “ISO/IEC Guide 73, Risk management – Vocabulary (ISO 73)” [see below] as a document which is seen as “indispensable” for the application of the ISO 31000 [see ISO 2008b, ln. 173-176].
3. Terms and Definitions: The third section of the document contains a simple reference to the ISO 73 mentioned above [see ISO 2008b, ln. 178]. The reason for including this reference to a separate document instead of including all the necessary terms and definitions in the ISO 31000 itself was the fact that risk (management) related vocabulary shows a widespread relevance and is also used in many other international standards (like the ISO 22399 already mentioned above or several standards in the field of IT security or product safety). To assure a consistent use of terms and definitions in all these standards, it seemed to make sense to define the vocabulary in one separate document, which is then referenced by other standards [see Brühwiler 2008, p. 14]. Unfortunately, the development of the ISO 73 is meanwhile lagging substantially behind the progress of the ISO 31000 (e. g. approximately 40 percent of the definitions included in the ISO 73 have not even been discussed yet). This situation results in a major dilemma: Firstly, the ISO 31000 could be released as scheduled but would then contain a reference to a document which is still in a “draft” status and thus subject to changes, although it is seen as “indispensable” for the application of the ISO 31000. Secondly, the final release of the ISO 31000 could be postponed until the ISO 73 is finished, which would cause a substantial delay of approximately 1 ½ years. Thirdly, the most relevant terms and definitions of the ISO 73 could be included in the ISO 31000 (and similar standards), accepting that the terms and definitions for one and the same subject may become inconsistent while the particular standards are further developed. While currently there seems to be a certain tendency to favor the third approach, this problem is still unsolved and will be a predominant issue at the upcoming meeting of the working group in December 2008.
4. Principles of Managing Risk: The fourth section of the document outlines the following eleven basic principles for managing risk [see ISO 2008b, ln. 179-220]:
(a) Risk management creates value.
(b) Risk management is an integral part of organizational processes.
(c) Risk management is part of decision making.
(d) Risk management explicitly addresses uncertainty.
(e) Risk management is systematic, structured and timely.
(f) Risk management is based on the best available information.
(g) Risk management is tailored.
(h) Risk management takes human and cultural factors into account.
(i) Risk management is transparent and inclusive.
(j) Risk management is dynamic, iterative and responsive to change.
(k) Risk management facilitates continual improvement and enhancement of the organization.
5. Framework for Managing Risk: The fifth section of the document outlines a risk management framework, providing the foundations and organizational arrangements that will embed risk management throughout the organization at all levels (see figure 02) [see ISO 2008b, ln. 221-359]:
Figure 02: ISO 31000 – framework for managing risks
6. Process for Managing Risk: The sixth (and most extensive) section of the document outlines the risk management process considering the following five main activities (see figure 03) [see ISO 2008b, ln. 360-600]:
• Communication and Consultation: Communication and consultation is seen as an integral part of all risk management activities and therefore should take place at all stages of the risk management process, involving all relevant internal and external stakeholders. It is recommended that a communication and consultation plan is developed, addressing issues relating to the risk itself as well as to its consequences and the measures being taken to manage it. Furthermore, there is a strong emphasis on the fact that communication and consultation with stakeholders is especially important as they make judgments about a certain risk based on their perceptions, which can vary to a great extent due to differences in values, needs, assumptions, concepts and concerns [see ISO 2008b, ln. 369-395].
• Establishing the Context: In this step, the organization defines the internal and external parameters to be taken into account when managing risk. The context should include both internal and external parameters relevant for the organization (e. g. capabilities/know-how, information systems or policies on the one hand and the cultural, political, legal, regulatory, financial, technological, economic, natural or competitive environment as well as the perceptions and values of both internal and external stakeholders on the other). Furthermore, the context for the risk management process itself has to be developed (by defining e. g. roles and responsibilities, scope, depth and breadth of the risk management activities, risk assessment methodologies, …). A last important aspect of this process step is the development of risk criteria. These criteria should be consistent with the organization’s risk management policy and should continually be reviewed [see ISO 2008b, ln. 396-469].
• Risk Assessment: Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. The aim of the first activity – risk identification – is to generate a comprehensive list of risks which may affect the achievement of the organization’s objectives. In this context, it is pointed out that it is important to also identify the risks associated with not pursuing an opportunity [see ISO 2008b, ln. 473-485]. The second activity – risk analysis – provides input to risk evaluation as well as to decisions on the most appropriate risk treatment measures. A particular risk is analyzed by determining its consequences and their likelihood. It is also emphasized that the confidence in the determination of risks and their sensitivity to preconditions and assumptions should be considered in the analysis and communicated effectively [see ISO 2008b, ln. 486-511]. The third activity – risk evaluation – involves comparing the level of risk determined during the risk analysis and risk evaluation with the defined risk criteria in order to prioritize the implementation of adequate measures for treating/mitigating the risk [see ISO 2008b, ln. 512-524].
• Risk Treatment: Risk treatment involves the selection of one or more options to avoid, reduce, transfer/share or accept/self-carry risks, as well as the implementation of appropriate measures. The choice of the most appropriate risk treatment option involves balancing the costs and efforts of implementation against its benefits (which do not necessarily need to be exclusively monetary). When selecting risk treatment options, the organization should also consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. Furthermore, it should be taken into account that risk treatment itself can introduce new risks, like the failure or ineffectiveness of risk treatment measures. Therefore, adequate monitoring also needs to be an integral part of the risk treatment plan. Finally, the context of the risk treatment plan (e. g. the expected benefits, performance measures, resource requirements, timing and schedule, …) should be documented [see ISO 2008b, ln. 525-573].
• Monitoring and Review: Regular and ad hoc monitoring and review activities should encompass all aspects of the risk management process and refer to all the steps described above. This process aims e. g. at analyzing and learning lessons from events, detecting changes in the external and internal context, ensuring that the risk treatment measures are effective and identifying emerging risks [see ISO 2008b, ln. 574-590].
Dr. Roland Franz Erben
page 20 of 34
Risk Management Standards
Figure 03: ISO 31000 – process for managing risks
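The analysis and evaluation steps of the process described above, as an added illustration that is not part of the paper or of ISO 31000 itself: a small risk register in Python that determines a level of risk from consequence and likelihood, compares it with defined risk criteria, orders the risks for treatment and flags estimates whose rating would change under a slightly worse assumption (the sensitivity point the standard makes). The 5-point scales, the product formula, the thresholds and the register entries are constructed assumptions; the standard prescribes none of them.

```python
from dataclasses import dataclass, field

# Constructed ordinal scales (assumption; ISO 31000 prescribes no scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed risk criteria (assumption): a level of risk at or above the
# threshold gets the rating; ordered from most to least severe.
CRITERIA = [(15, "unacceptable"), (6, "tolerable"), (1, "acceptable")]


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    confidence: str = "high"              # confidence in the estimate: "high" or "low"
    assumptions: list = field(default_factory=list)


def risk_level(likelihood: str, consequence: str) -> int:
    """Risk analysis: level of risk from the consequence and its likelihood."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def rate(level: int) -> str:
    """Risk evaluation: compare the level of risk with the defined risk criteria."""
    for threshold, rating in CRITERIA:
        if level >= threshold:
            return rating
    raise ValueError(f"level {level} is below the defined criteria")


def step_up(scale: dict, value: str) -> str:
    """Next worse value on an ordinal scale (stays at the top if already there)."""
    order = list(scale)
    return order[min(order.index(value) + 1, len(order) - 1)]


def evaluate(risk: Risk) -> dict:
    """Rate one risk; for low-confidence estimates, check whether a one-step
    worse estimate would change the rating (sensitivity to assumptions)."""
    level = risk_level(risk.likelihood, risk.consequence)
    rating = rate(level)
    sensitive = False
    if risk.confidence == "low":
        worse = risk_level(step_up(LIKELIHOOD, risk.likelihood),
                           step_up(CONSEQUENCE, risk.consequence))
        sensitive = rate(worse) != rating
    return {"name": risk.name, "level": level, "rating": rating,
            "sensitive": sensitive, "assumptions": list(risk.assumptions)}


def prioritize(register: list) -> list:
    """Order risks for treatment: worst rating first, then highest level."""
    severity = {rating: i for i, (_, rating) in enumerate(CRITERIA)}
    results = [evaluate(r) for r in register]
    results.sort(key=lambda r: (severity[r["rating"]], -r["level"]))
    return results


# Constructed sample register (assumption), including a risk of not pursuing
# an opportunity, which the standard says should be identified as well.
SAMPLE_REGISTER = [
    Risk("Unpatched customer-facing web server", "likely", "major"),
    Risk("Loss of sole supplier", "possible", "moderate", confidence="low",
         assumptions=["supplier's own continuity plan is effective"]),
    Risk("Not pursuing planned cloud migration", "possible", "minor"),
    Risk("Office printer outage", "unlikely", "negligible"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        flag = "  (rating sensitive to assumptions: review)" if r["sensitive"] else ""
        print(f'{r["rating"]:12} level={r["level"]:2}  {r["name"]}{flag}')
```

The sensitivity check is the part worth copying: a "tolerable" rating that turns "unacceptable" as soon as one scale step of the estimate is wrong is the case the standard wants communicated alongside the result, and the supplier entry in the sample register is constructed to show exactly that.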
Annex – Attributes of enhanced Risk Management: The closing section of the document contains a collection of attributes representing a high level of performance in managing risk. These attributes are: a) emphasis on continual improvement in risk management; b) comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks; c) all decision making within the organization, whatever the level of importance and significance, involves the explicit consideration of risks; d) continual communications with internal and external stakeholders; e) risk management is viewed as central to the organization's management processes. With the help of this list, organizations should be supported in measuring their own performance against the criteria outlined therein. For this purpose, some tangible indicators are given for each attribute [see ISO 2008b, ln. 601-659].
4 COSO ERM and ISO 31000 – a comparison

As already mentioned above, generic risk management standards should – first of all – provide clear, unambiguous and consistent terms and definitions and describe essential components, processes and organizational structures. Moreover, they should meet the following requirements [see Winter 2007, pp. 137-138]:

• Completeness: The principles described by a standard should cover all aspects of implementing and operating a risk management system.

• Generic Breadth: The principles described by a standard should not set any constraints limiting its applicability but instead be suitable for a preferably wide range of organizations (i. e. independent of their industry, legal structure, activities, products, location, size, …).

• Usability: The principles described by a standard should be comprehensible and practicable.

• Integration: The principles described by a standard should make clear how the risk management system can interact with or be integrated in other management systems (e. g. quality management, internal control, …).

• External Assessment: The principles described by a standard should provide an adequate basis for an independent, objective assessment by (external) experts, e. g. by being suitable for a third party certification.

As all standards refer to the same subject, it is not surprising that the elements described by them are – to a large extent – quite similar. Nevertheless, the particular standards do show some significant differences. In this context, a predominant role can be assigned to the criterion of “completeness”. If a standard is not to be limited to certain risk categories or industries (as outlined in section 1), but instead to serve as a robust basis for the design and implementation of a truly comprehensive risk management system, the complete coverage of all risk management related topics is a prerequisite. Therefore, special attention will be paid to this issue in the following comparison between COSO ERM and ISO 31000.
Completeness: To outline the differences between particular standards regarding their completeness, it seems useful to compare them on the basis of a standardized catalogue containing the most important components a truly comprehensive risk management standard should incorporate. Possible taxonomies for structuring these requirements were proposed e. g. by Weidemann and Wieben [see Weidemann/Wieben 2001] and Neubeck [see Neubeck 2003]. In addition, some of these requirements are also reflected in the relevant accounting & auditing standards (e. g. the German IDW PS 340 [see IDW 2000]), which are mainly used for compliance assessments of risk management systems. Further input on this topic can also be found in the evaluation schemes used by rating agencies to assess the adequacy and efficiency of enterprise-wide risk management systems [see e. g. S&P 2006]. The most comprehensive evaluation scheme for risk management systems to date was developed by Winter [see Winter 2007, p. 149]. Throughout the last months, a special interest group of the German “Risk Management Association (RMA) e. V.” – a professional organization of academics and risk managers from a wide range of industries – worked on expanding and refining this scheme [see RMA 2008]. Appendix A contains an overview of the results of these efforts. To assess the (quantitative and qualitative) completeness of risk management standards, the criteria outlined in this catalogue will be applied to the COSO ERM and the ISO 31000. By using the scale shown in Appendix B to evaluate the elements shown in Appendix A, a comparison between the COSO ERM and the ISO 31000 can be accomplished. The results of this effort – which again are mainly based on an assessment by the special interest group of the Risk Management Association already mentioned above – are shown in Appendix B [see also Winter 2007, p. 150; RMA 2008]. It becomes clear that both the COSO ERM and the ISO 31000 cover a wide range of topics and almost completely meet the requirements outlined in the catalogue. Nevertheless, COSO ERM as well as ISO 31000 show substantial gaps regarding the element “business continuity/crisis management”. In the case of ISO 31000 this can be explained – as already mentioned – by the explicit exclusion of these issues, as they are subject to the ISO 22399.
However, by neglecting this area and its integration with other components of a risk management system, an organization might lose sight of pivotal issues, possibly leading to a reduced efficiency of the risk management system and reduced acceptance by internal and external stakeholders [see Winter 2007, p. 151].

Generic Breadth & Usability: As the next two requirements show a significant trade-off, it makes sense to examine them jointly. When analyzing the criterion “completeness” (as documented in Appendix B), this issue was not only considered in a merely quantitative way. By assessing whether, and to which extent, a particular standard provides detailed descriptions of certain elements and practical guidance for their implementation, it is also possible to draw some conclusions regarding the generic breadth and the practical usability of the COSO ERM and the ISO 31000. In general, the evaluation shows that the COSO ERM covers most of the topics on a more detailed level and with a higher attention to practical relevance than the ISO 31000. In addition to the original standard, COSO also provides a document called “Application Techniques”, which contains detailed descriptions, practical illustrations and examples of how to implement the different concepts, components and processes outlined by the COSO ERM [see COSO 2004b]. The perceivable deficiencies of the ISO 31000 regarding usability are mainly due to the fact that the ISO 31000 follows a very broad approach with great emphasis on the standard’s universal applicability. However, while the COSO ERM seems to be very much focused on “typical” enterprises, the generic approach chosen by the ISO 31000 shows a higher flexibility and should therefore be better adaptable to the needs of other entities, like e. g. non-government/non-profit organizations & associations or companies in the public sector.
Although the ISO 31000 is not finalized yet, it seems very unlikely that its generic/high-level approach will be changed to incorporate more operational aspects. Moreover, it seems equally unlikely that the ISO 31000 will be supplemented with additional guidelines, tools, examples, checklists or similar material providing support for the practical implementation of the standard (in the case of the ONR 49000 and the AS/NZS 4360, e. g., this was primarily accomplished by including Annexes covering certain topics in detail). However, as the ISO seems to be very much aware that an improvement of the usability of its risk management standard is crucial for its success, it started an initiative to develop sub-standards which should provide a more in-depth view on the practical aspects of implementing a risk management system. The first of these projects – which was started in December 2006 as a joint effort of the ISO and the International Electrotechnical Commission (IEC) – focuses on the development of a standard covering the process step of “risk assessment” (the “IEC 31010 – Risk Management – Risk Assessment Techniques”). Meanwhile this standard has reached the status of a “Committee Draft” (the third of the six stages of the approval process), with its final version scheduled to be released by mid-2009 [see IEC 2008]. The document contains a relatively detailed description of 31 different approaches for risk assessment (e. g. Markov analysis, Monte Carlo simulation, Bayesian statistics and Bayes nets, Event Tree Analysis (ETA), Fault Modes and Effects Analysis (FMEA), …) [see IEC 2008, pp. 33-93]. As it is not yet decided which other aspects of the ISO 31000 should be covered by particular sub-standards, improving the usability of the ISO 31000 remains a major issue.

Integration: Regarding the criterion of “integration”, both the COSO ERM and the ISO 31000 emphasize the importance of connecting the risk management system with existing management (sub-)systems. Obviously due to the different backgrounds of the two standard setters – and therefore not surprisingly – the COSO ERM focuses more on the relationship between risk management and strategic planning as well as internal controls, while the ISO 31000 emphasizes the link between risk management and operative systems (e. g. quality management).
However, both standards extensively point out that the objectives of the risk management system should be aligned to and consistent with the strategic objectives of an organization, and that the system should exchange information with other management systems.

External Assessment: Unlike other popular standards (e. g. the “ISO 9000 – Quality Management Systems”), neither the COSO ERM nor the ISO 31000 are intended to be used for a formal certification of an organization’s risk management system. In the case of the ISO 31000, this is even stated explicitly [see ISO 2008b, ln. 172]. Nevertheless – as already mentioned above – the COSO ERM has substantially influenced major regulatory requirements, so many concepts of this framework can also be found in the relevant guidelines and standards for auditing and accounting professionals. Therefore, some kind of “de-facto” certification – at least for certain components of a risk management system – has emerged, e. g. if an auditor certifies that the internal controls used by an organization comply with the relevant legal requirements, which in turn are based on the COSO ERM framework. For a quick overview of the results of the comparison between the COSO ERM and the ISO 31000, table 02 briefly summarizes the findings described above [see also Winter 2007, p. 151].

Table 02: Comparison between COSO ERM and ISO 31000

Element | COSO ERM | ISO 31000
Completeness | |
Generic Breadth | |
Usability | |
Integration | ☺ | ☺
External Assessment | |
5 Conclusion & Outlook

As shown in the sections above, both the “COSO Enterprise Risk Management – Integrated Framework” and the “ISO 31000 – Risk management – Principles and guidelines on implementation” can provide useful support for organizations aiming at designing and implementing an appropriate enterprise-wide risk management system. Except for the element “business continuity/crisis management”, both standards provide an almost complete and consistent framework incorporating all important aspects of a comprehensive risk management system. Because of their maturity, their holistic approach and their methodological consistency, both the COSO ERM and the ISO 31000 can help organizations to actually realize the potential benefits connected with the application of a generic risk management standard (see section 2). By pointing out some differences between the COSO ERM and the ISO 31000 it became clear that both approaches have certain advantages and disadvantages. Therefore, some potential future developments of the “risk management standards landscape” will finally be discussed. Given the situation that – on the one hand – there is a well-established standard and – on the other – an emerging new one (which in fact incorporates a great variety of concepts that can be found in well-established standards), one of the following three scenarios (or a combination of these) seems likely: (a) the ISO 31000 turns out to be “just another standard”, (more or less “peacefully”) coexisting alongside other frameworks; (b) the ISO 31000 becomes some kind of “meta-standard”, acting as a reference point or generic basis upon which other standards are enhanced and further developed; (c) the ISO 31000 gradually substitutes other standards.

Scenario (a) seems most likely for the relationship between the ISO 31000 and the COSO ERM. Organizations which have already implemented a risk management framework according to the COSO ERM will probably see little benefit in occupying themselves with another standard. Furthermore, as the COSO ERM has also influenced a remarkable number of regulatory requirements, its continuing popularity and widespread use seem to be guaranteed. Finally, there seems to be no incentive for the US auditing and accounting associations, as the predominant promoters of the COSO ERM, to abandon the standard they have been working on throughout the last 20 years and replace it by a new one. Nevertheless, as the ISO points out some new aspects (e. g. the emphasis on the efficiency of risk management systems) and works on detailing some existing ones (e. g. the in-depth description of risk assessment in the IEC 31010), having a close look at the new standard might be worth the effort – even for organizations which have already implemented the COSO ERM. Finally, due to its generic breadth and high flexibility, the ISO 31000 could prove more adequate for organizations looking for a standard which is less focused on the needs of a “typical” company with “typical” business. Therefore, the ISO 31000 could be an interesting option, especially for non-profit/non-government organizations & associations as well as entities in the public sector.

Scenario (b) seems most likely for the relationship between the ISO 31000 and both the AS/NZS 4360 and the ONR 49000, at least in the near future. A first indication affirming this assumption might be the updated version of the “ONR 49000:2008 – Anwendung von ISO/DIS 31000 in der Praxis” [“practical application of the ISO/DIS 31000”], which was released on June 1st, 2008 by the Austrian standard setting body (“Österreichisches Normungsinstitut, ON”) [see ON 2008, p. 3]. In this new release, the ONR 49000 was aligned with the ISO 31000 while at the same time the original concept of providing additional “hands-on” guidelines and tools for the implementation was continued or even enhanced. This kind of “job sharing” (the ISO provides a generic document, while other standard setters provide concrete guidelines for its practical implementation) could turn out to be a reasonable approach for the next few years – at least until the ISO itself is able to accomplish these efforts, e. g. by developing a set of sub-standards for different areas like the IEC 31010 for risk assessment. While the Austrian standard setting body apparently has already decided to move in this direction, the position of the Australian and New Zealand standardization committees still seems to be unclear.

Finally, scenario (c) seems most likely for the relationship between the ISO 31000 and the remaining standards. As most of the other frameworks (e. g. the “IRMSA Code of practice”) show some noticeable deficiencies regarding the criteria outlined in section 4, a decision to use one of these standards will be hard to justify for an organization when a mature, comprehensive and consistent standard for risk management becomes available. Generally, a consolidation of the “standards landscape” seems quite probable in the long run, with the COSO ERM and the ISO 31000 (supplemented by a variety of sub-standards and – in the near term – by updated versions of the ONR 49000 and eventually the AS/NZS 4360) remaining as the two relevant generic standards for the design and implementation of a holistic, consistent and comprehensive risk management system.
Appendix A: Elements of risk management standards

Categories: basic principles, planning, control, monitoring, information & communication, management of resources, other aspects

No. | Element | Description
1 | corporate strategy | consideration of risk management aspects within the corporate strategy & vision
2 | risk policy | basic principles regarding the handling of risks and the risk appetite, according to strategic objectives
3 | risk program | risk management objectives and activities
4 | organization/responsibilities | organizational elements, roles and responsibilities
5 | risk identification | methods, instruments and processes for the identification of risks
6 | risk assessment | methods, instruments and processes for the assessment of risks
7 | risk aggregation | methods, instruments and processes for the aggregation of risks
8 | risk mitigation | methods, instruments and processes for the mitigation of risks (avoid, reduce, transfer, self-carry)
9 | implementation/controlling | implementation of a risk management system with adequate and efficient methods and processes
10 | continuous monitoring | continuous monitoring of all risks and counter measures
11 | periodical checks and reviews | periodical checks and reviews of the risk management system and structures
12 | management assessment | assessment of risk management efficiency and adequacy by top management
13 | system efficiency | assessment of risk management efficiency and adequacy by external parties (e. g. auditors)
14 | information supply | gathering of all necessary risk management information
15 | documentation | documentation of the assumptions, information, methods, processes, results ... related to risk management
16 | recording | recording and storage of the information attained
17 | internal reporting/communication | communication of risk management related topics to internal stakeholders (e. g. board, employees, …)
18 | external reporting/communication | communication of risk management related topics to external stakeholders (e. g. investors, regulators, ...)
19 | human resources | skills necessary to implement and operate the risk management system
20 | other resources | other resources necessary to implement and operate the risk management system (e. g. IT, consulting, …)
21 | business continuity/crisis management | reactive measures after damages have occurred to limit their impact and restore normal operations
22 | interfaces to other management systems | relations and interactions with other management systems (e. g. accounting, quality management, …)
Appendix B: Comparison of COSO ERM and ISO 31000 regarding their completeness

Categories: basic principles, planning, control, monitoring, information & communication, management of resources, other aspects

No. | Element | COSO ERM | ISO 31000
1 | corporate strategy | |
2 | risk policy | |
3 | risk program | |
4 | organization/responsibilities | |
5 | risk identification | |
6 | risk assessment | |
7 | risk aggregation | |
8 | risk mitigation | |
9 | implementation/controlling | |
10 | continuous monitoring | |
11 | periodical checks and reviews | |
12 | management assessment | |
13 | system efficiency | |
14 | information supply | |
15 | documentation | |
16 | recording | |
17 | internal reporting/communication | |
18 | external reporting/communication | |
19 | human resources | |
20 | other resources | |
21 | business continuity/crisis management | |
22 | interfaces to other management systems | |

Coverage scale:
no coverage: The particular element is not covered.
low coverage: The particular element is covered, but definitions and descriptions remain fragmentary.
medium coverage: The particular element is covered, definitions and descriptions are sufficient, but practical guidance remains fragmentary.
good coverage: The particular element is covered, definitions and descriptions as well as practical guidance are sufficient.
References:

Ballou, B./Heitger, D. (2004): A Building-Block Approach for Implementing COSO‘s Enterprise Risk Management – Integrated Framework, in: Management Accounting Quarterly, Vol. 6/2004, No. 2, S. 1-10.

Brühwiler, B. (2008): Der neue Risikomanagement-Standard ISO 31000, in: ZRFG, 3. Jg. 2008, H. 01, S. 14-17.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) [ed.] (2004a): Enterprise Risk Management – Integrated Framework – Framework, New York 2004.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) [ed.] (2004b): Enterprise Risk Management – Integrated Framework – Application Techniques, New York 2004.

Eckert, S./Möller, K. (2006): COSO Enterprise Risk Management Framework, in: Controlling, H. 3/2006, S. 161-163.

Erben, R. F. (2008): Das COSO-ERM-Framework als Ansatz zur Standardisierung von Risikomanagementsystemen, in: Bachert, R./Peters, A./Speckert, M. [Hrsg.]: Risikomanagement in Non-Profit-Organisationen, Baden-Baden 2008.

Foerschler, D./Scherf, C. (2007): COSO II – Enterprise Risk Management Framework in der operativen Revisionspraxis, in: ZRFG, 2. Jg. 2007, H. 05, S. 209-215.

International Electrotechnical Commission (IEC)/International Organization for Standardization (ISO) [eds.] (2008): IEC 31010 Ed. 1.0: Risk Management – Risk Assessment Techniques, Document No. 56/1268/CDV, May 23rd, 2008.

International Organization for Standardization (ISO)/WG on General Guidelines for Principles and Implementation of Risk Management [ed.] (2005): Terms of Reference as adopted by the ISO/TMB, Document No. NA 095-04-02 N 0007, June 22nd, 2005.

International Organization for Standardization (ISO) [ed.] (2008a): About ISO, published electronically: http://www.iso.org/iso/about.htm.

International Organization for Standardization (ISO) [ed.] (2008b): Risk management – Principles and guidelines on implementation, Draft International Standard ISO/DIS 31000, Geneva 2007.

Institut der Deutschen Wirtschaftsprüfer (IDW) [ed.] (2000): IDW 340 - Die Prüfung des Risikofrüherkennungssystems nach § 317 Abs. 4 HGB, Düsseldorf 2000.

Kuhn, H. (2006): Risikomanagement für Unternehmen – Was bringen die neuen Normen?, in: MQ Management und Qualität, H. 6/2006, S. 8-10.

Neubeck, G. (2003): Prüfung von Risikomanagementsystemen, in: Marten, K.-U.; Quick, R.; Ruhnke, K. [Hrsg.]: Hochschulschriften zur Wirtschaftsprüfung, Düsseldorf 2003, S. 85 f.

Nicklisch, H. (1912): Allgemeine Betriebslehre als Privatwirtschaftslehre des Handels und der Industrie, Band 1, Leipzig 1912.

Österreichisches Normungsinstitut (ON) [ed.] (2008): Zur Neuausgabe der ON-Regeln ONR 49000 – Anwendung von ISO/DIS 31000 in der Praxis (Fachinformation 06), Wien 2008.

Risk Management Association e. V. (RMA) [ed.] (2008): Bewertungsschema für Risiko Management Standards, München 2008 (internal document, unpublished).

Ruud, T. F./Sommer, K. (2006): Enterprise Risk Management – Das COSO-ERM-Framework, in: Der Schweizer Treuhänder, 3/2006, S. 127-128.

Sarbanes, P. S./Oxley, M.; US Dept. of Justice [ed.] (2002): An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes, Washington 2002, published electronically: www.usdoj.gov.

Schmid, W. (2005): Risk Management Down Under (AS/NZS 4360:2004), in: RISKNEWS, H. 03/05, S. 25-28.

Shortread, J. H. et al. (2003): Basic Frameworks for Risk Management, Network for Environmental Risk Management [eds.], 2003.

Simister, T. (2000): Risk Management – the need to set standards, in: Balance Sheet, Vol. 8, No. 4, S. 9-10.

Standard & Poor's (S&P) [ed.] (2006): Insurance Criteria: Refining The Focus Of Insurer Enterprise Risk Management Criteria, London 2006.

Weidemann, M./Wieben, H.-J. (2001): Zur Zertifizierbarkeit von Risikomanagement-Systemen, in: Der Betrieb, 54. Jg. 2001, H. 34, S. 1789-1795.

Weidemann, M. (2001): Der australisch-neuseeländische Standard AS/NZS 4360:1999 zum Risikomanagement, in: Der Betrieb, 54. Jg. 2001, H. 50, S. 2613-2618.

Winter, P. (2007): Risikocontrolling in Nicht-Finanzunternehmen – Entwicklung einer tragfähigen Risikocontrolling-Konzeption und Vorschlag zur Gestaltung einer Risikorechnung, Lohmar/Köln 2007.