2nd European Risk Conference Università Bocconi
September 11th & 12th, 2008
Risk Management Standards – role, benefits & applicability –
Dr. Roland Franz Erben
Academic affiliation:
Bayerische Julius-Maximilians-Universität Würzburg
Lehrstuhl für BWL und Wirtschaftsinformatik
Josef-Stangl-Platz 2
D-97070 Würzburg
Germany
Address for correspondence:
Resi-Weglein-Gasse 3
D-89077 Ulm
Germany
Tel.: +49.(0)731.360808-93
Fax.: +49.(0)731.360808-94
Cell.: +49.(0)163.3733633
E-Mail: [email protected]
Risk Management Standards
Dr. Roland Franz Erben page 2 of 34
Abstract:
As every risk management system must reflect the specific circumstances of an
organization, a uniform approach can never be adequate. Nevertheless, risk
management standards can provide useful support for designing and
implementing a comprehensive and consistent risk management system. After a
short description of two standards – the “COSO Enterprise Risk Management –
Integrated Framework” (COSO ERM) as well as the “ISO/DIS 31000 – Risk
management: Principles and guidelines on implementation” – these frameworks
are compared regarding the criteria “completeness”, “generic breadth”, “usability”,
“integration” and “external assessment”. It is shown, that both standards fulfill
these requirements to a high degree, with the ISO 31000 being more generic and
flexible while the COSO ERM provides more practical guidance. As a conclusion, it
can be expected that the already well-established COSO ERM and the emerging
ISO 31000 will play a predominant role in the future.
JEL-classification:
M19, L15, L29
Keywords:
• Risk Management Standards
• Risk Management Systems
• Standardization
• COSO ERM Integrated Framework
• ISO 31000
Content
1 Introduction ........................................................................................ 4
2 Risk management standards – potential benefits and practical relevance ..... 7
3 COSO ERM and ISO 31000 – an overview ............................................. 10
3.1 COSO ERM Integrated Framework .................................................. 10
3.2 ISO 31000 Risk management ........................................................ 15
4 COSO ERM and ISO 31000 – a comparison ........................................... 22
5 Further developments & Conclusion ..................................................... 27
Appendix A: Elements of risk management standards ............................................... 30
Appendix B: Comparison of COSO ERM and ISO 31000 regarding their completeness .... 31
References ....................................................................................... 31
1 Introduction
All companies and organizations face a wide range of opportunities and risks that
may – positively or negatively – affect the achievement of their objectives. The
importance of a particular risk for a specific organization is determined by a great
variety of internal (e. g. business model, products, size, financial resources,
reputation, degree of vertical integration) and external (e. g. macroeconomic
situation, legislation and jurisdiction, exchange and interest rates, socio-
demographic changes, quality of public infrastructure, natural disasters) factors.
Because of the diversity of these factors, their varying importance, their constant
changes and their mutual interdependency, every single organization has to deal
with a unique set of risks. To adequately handle these risks, it is a prerequisite to
design and implement a customized risk management system which reflects the
specific and characteristic attributes of the particular organization and takes into
account its individual risk appetite.
Under these circumstances, a uniform, “one size fits all” risk management
approach is inevitably bound to fail. Nevertheless, since the early 1990s a great
(and still growing) number of efforts targeting the standardization of risk
management and internal control systems in organizations have been developed
by standard setters (like the International Organization for Standardization,
ISO), regulatory bodies (like the Bank for International Settlement, BIS) or
professional associations and working groups (like the Institute of Risk
Management South Africa, IRMSA).
Because of the great number of bodies being involved in the development of risk
management standards, the terms and definitions used are anything but
standardized. An in-depth analysis and discussion of the differences regarding
the wording of the different standards would not contribute substantially to the
objectives of this paper. Therefore, in this context the term “standard” is used to
describe a published set of rules to solve a certain problem or to fulfill certain
requirements. More or less analogous expressions for the term “standard”
(admittedly sometimes with a slightly different meaning or emphasis) that can be
found in other publications, are e. g. “framework”, “guideline” or “norm”.
Although the research efforts in the field of risk management standards have
been very limited so far, it can be assumed that currently there are
approximately 80 standards in use [see Shortread 2003, p. 3]. These approaches
differ very much regarding their scope, target groups, topics and level of detail.
Based on the probably most important factor – “scope” – the following three
main types of standards can be distinguished:
• Risk category specific standards targeting at a particular type or source
of risk. Well-known examples for these risk category specific standards are
the International Standard “ISO 27000 et seq.” in the field of IT-Security,
the British Standard “BS 6079” for project risk management or a variety of
regulations aiming at the assurance of adequate product safety.
• Industry specific standards targeting at the characteristic risks of
organizations with activities in a certain area of business. These standards
are mainly applied in industries with high significance for the economy, the
environment or public health & safety (like e. g. aviation, banking,
insurance or the chemical/pharmaceutical industry). For these industries,
compliance with the relevant risk management standards is often a legal
requirement. Well-known examples for industry specific standards are
“Basel II” and “Solvency II”, which define risk management requirements
for financial institutions and insurance companies, respectively.
• Generic standards targeting at the standardization of risk management
systems. These standards constitute a comprehensive and holistic risk
management approach and claim to outline general requirements for a
great variety of organizations, almost independent of their type, size, activities
or location. Well-known examples for generic standards are the “COSO
Enterprise Risk Management – Integrated Framework” (hereafter referred to
as “COSO ERM”), the Austrian/Swiss “ON-Regel 49000 et seq.” or the
Australian/New Zealand “AS/NZS 4360”. In recent months, significant
impact on the discussion about generic risk management standards arose
from the efforts by the International Organization for Standardization (ISO)
to establish a globally valid risk management standard, the “ISO 31000 –
Risk management – Principles and guidelines on implementation” (hereafter
referred to as “ISO 31000”), which is currently in the last stages of its
development and is expected to be released in the first quarter of 2009.
2 Risk management standards – potential benefits and practical relevance
Taking into account the fact that risk management systems have to reflect, or be
adapted to the specific circumstances and requirements of each and every
organization, generic risk management standards do not aim at standardizing the
concrete specifications and implementation of such a system for a particular
organization. Instead, they claim to provide a universally valid guideline. Despite
the relatively high level of abstractness, the application of a risk management
standard can turn out to be quite useful as they outline generally accepted risk
management processes and components. These standards can especially offer
support regarding the following issues [see Winter 2007, p. 137; Kuhn 2006, p. 8]:
• By providing clear, unambiguous and consistent terms and definitions,
generic standards can help to establish a common understanding of the
relevant topics throughout the entire organization. Therefore they can
contribute to a better communication between the different entities of an
organization or between the organization and its stakeholders (e. g.
customers, suppliers, investors, regulators, …). This aspect proves to be
especially important in large, diversified and complex organizations, e. g.
global companies with a wide range of activities in many different countries
and therefore divergent (risk) cultures.
• By describing the essential (and maybe also the desirable) components,
processes and organizational structures of an effective and efficient
risk management system, generic standards provide a useful blueprint for
organizations aiming at designing and implementing such a system. The
consideration of a comprehensive and holistic standard can help these
organizations to avoid substantial gaps and to incorporate all pivotal
aspects in their individual conceptual design.
• By outlining a “best practice” risk management system, generic standards
can serve as a benchmark to which organizations can compare their
existing approaches. Therefore, generic standards can help to identify
potential deficiencies of existing risk management systems and gaps
between the actual status and a “best practice” approach.
• By designing and implementing its risk management system according to a
tried and tested standard, an organization can enhance the transparency
of its own approach. Additionally, the consideration of a standard can
contribute to improve the trust and confidence of internal and external
stakeholders in the risk management abilities of an organization. As risk
management standards often incorporate relevant legal requirements
and/or new regulations take into account the issues outlined in these
standards, they can also help organizations to fulfill their compliance
requirements in that area [see Weidemann/Wieben 2001, p. 1790].
As already mentioned above, despite the growing number of risk management
standards, the research efforts regarding their dissemination or use in practice
have been very limited so far. Most of all, an empirical analysis, if or to which
extent these standards are actually applied in organizations has not yet been
accomplished. A first (although admittedly scientifically not very sound)
indication of the popularity of some generic risk management standards may be
the number of results returned by Google when searching for their names. The
results of this analysis, performed on July 19th 2008, can be found in table 01
(interestingly enough – although it is still in a “draft” status – the ISO 31000
returned a remarkable number of results).
Table 01: Google search results for different risk management standards
Search term                 # of results
“AS/NZS 4360”                     26.400
“COSO ERM”                        19.900
“ISO 31000”                        3.320
“ON 49000”                         2.650
“JIS Q 2001”                       1.680
“CAN/CSA Q850”                       969
“IRMSA Code of practice”              91
For further analysis, this paper will focus on the COSO ERM and the ISO 31000.
First of all, a comparison between these two standards seems to be most
promising as they show some noteworthy differences [see section 4].
Furthermore, this decision can be justified by the fact that the development of
the ISO 31000 was predominantly based on the AS/NZS 4360 and strongly
influenced by the ONR 49000 [see section 3.2]. As a consequence, major
concepts and principles of these two standards can also be found in the ISO
31000. Because of their similarity to the ISO 31000, an in-depth analysis of the
Australian/New Zealand and Austrian/Swiss approaches seems negligible. Finally,
the non-observance of the Japanese “JIS Q 2001”, the Canadian “CAN/CSA
Q850” and the “Code of practice” developed by the “Institute of Risk
Management South Africa (IRMSA)” can be justified by taking into account that
these standards have undoubtedly gained a remarkable recognition in their
regions of origin but seem to lack acceptance in the rest of the world.
3 COSO ERM and ISO 31000 – an overview
Prior to a comparison between the COSO ERM and the ISO 31000 in section 4, a
short overview of the structure as well as the basic concepts of the two
standards is outlined in the following sections.
3.1 COSO ERM Integrated Framework
COSO, the “Committee of Sponsoring Organizations of the Treadway
Commission” was established in 1985 in the USA. The group was named after its
first chairman James C. Treadway Jr., the former Commissioner of the US
Securities and Exchange Commission (SEC). The “Sponsoring Organizations”
represent some of the most important US accounting and auditing associations
(the “American Accounting Association, AAA”, the “American Institute of Certified
Public Accountants, AICPA”, the “Financial Executives International, FEI”, the
“Institute of Management Accountants, IMA” and “The Institute of Internal
Auditors, IIA”). Additionally, the development of the COSO standard was
supported by a project advisory council with representatives from various
companies and the accounting & auditing firm PricewaterhouseCoopers (PwC)
[see COSO 2004a, p. iii; Ballou/Heitger 2004, p. 1].
A major objective of the Committee was the development of approaches to
prevent fraudulent or misleading financial reporting [see Janke 2007, p. 115;
Foerschler/Scherf 2007, p. 210]. To reach this objective, in 1992 COSO
published a standard called “Internal Control – Integrated Framework”
(commonly known as “COSO I”) targeting at the development and
implementation of an effective and efficient monitoring system [see COSO
2004a, p. v]. Because of its suitability for a wide range of industries and
companies, COSO I quickly gained a high level of appreciation. As it emerged as
a “de-facto” industry standard for internal control issues, its principles influenced
a wide range of other frameworks in that area and also were considered in some
regulatory requirements – as an example, the Sarbanes Oxley Act (SOX) of 2002
recommends the use of COSO I [see Sarbanes/Oxley 2002].
In 2004, the COSO I standard was substantially enhanced. While the original
framework primarily focused on the issues of internal control and monitoring, the
updated version – the “COSO Enterprise Risk Management – Integrated
Framework” (commonly known as “COSO II” or “COSO ERM”) – expanded this
relatively narrow scope by integrating aspects of a comprehensive, holistic,
enterprise-wide risk management system. Apart from minor adjustments, all
topics of COSO I were also incorporated in COSO ERM [see COSO 2004a, p. v;
Ballou/Heitger 2004, p. 2; Foerschler/Scherf 2007, p. 210].
One of the most outstanding characteristics of the COSO approach is its three-
dimensional view of the organization and its risk management system (often
referred to as the “COSO Cube”, see figure 01) [see COSO 2004a, p. 23].
Figure 01: COSO Cube
The first dimension of this cube represents the objectives set by the top
management of a company. COSO ERM is geared to achieving these objectives,
set forth in four categories [see COSO 2004a, p. 21]:
• Strategic: Obviously, the top priority of each organization is the
achievement of the objectives derived from its vision and mission. These
high-level goals also constitute the guidelines for the other components of
the first and the other dimensions.
• Operations: The effective and efficient use of its resources is a basic
requirement for every organization to create value.
• Reporting: The reliability of (financial) reporting is a basic requirement for
the effectiveness of internal controls and the information of external
stakeholders.
• Compliance: Compliance with applicable laws and regulations is a
prerequisite for every organization to do business.
The second dimension represents the components and processes of a risk
management system. According to COSO, the enterprise risk management
consists of eight interrelated building blocks. Incorporating these components
(and hereby following the guidance provided by COSO regarding their design,
implementation and operation) should enable an organization to achieve the
objectives outlined in the first dimension. The components specified by COSO are
[see COSO 2004, p. 27-81]:
• Internal Environment: The internal environment constitutes the
foundation for how risk is viewed and addressed and sets forth the general
conditions for all following steps of the risk management process.
Obviously, this component is strongly influenced by the history, the culture
and values, the risk appetite and the operating environment of an
organization [see COSO 2007, p. 27-34].
• Objective Setting: Following Nicklisch’s wide-spread definition of the term
“risk” as “the possibility of a negative deviation of the actual outcomes from
the original objectives” [see Nicklisch, 1912, p. 34], the specification of
objectives is a prerequisite for the emergence of risk: Without having
defined objectives, potential events affecting their achievements can neither
be identified nor managed. The objectives have to be measurable and
consistent with the organization’s mission and risk appetite and must be
aligned with the categories of the first dimension (strategy, operations,
reporting and compliance) [see COSO 2004a, p. 35-40].
• Event Identification: The setting of objectives is followed by the
identification of (internal and external) events that may affect their
achievement. During the event identification, an explicit differentiation
between risks and opportunities is made. Possible tools to facilitate this
process are e. g. checklists, questionnaires or interviews with experts. The
interdependency between different events and their mutual reinforcement
resp. dilution is to be considered. To assure efficiency and to reduce
complexity, an organization should concentrate on significant events [see
COSO 2004a, p. 41-47].
• Risk Assessment: During the next process step, the identified risks are
analyzed and quantitatively evaluated according to their “probability” and
“impact”. For this purpose, the use of existing (internal or external)
information, empirical data, estimates etc. is recommended. Possible
correlations between different events are also to be taken into account. As a
result of these activities, an overview of the risks of an organization is
generated, listed according to their priorities [see COSO 2004a, p. 49-54].
• Risk Response: Based on the results of the risk assessment, adequate
measures (avoid, reduce, transfer/share, accept/self carry) for an
appropriate risk mitigation have to be defined and implemented to align the
existing risks with the organization’s risk tolerance and risk appetite and –
at the same time – find an optimal balance between risks and the
corresponding opportunities [see COSO 2004a, p. 55-60].
• Control Activities: The implemented mitigation/risk response measures
have to be continuously monitored using appropriate procedures to assure
that they are carried out effectively. A differentiation is made between
measures aiming at preventing or detecting potentially undesired impacts
and measures aiming at correcting damages resulting from incidents that
already have occurred [see COSO 2004a, p. 61-66; Ruud/Sommer
2006, p. 129].
• Information and Communication: The responsible managers and, if
necessary, other internal and external stakeholders (e. g. employees,
customers, suppliers, investors, regulators, media, …) have to be informed
about all relevant risks, incidents, damages etc. as well as other important
aspects of the risk management process. The relevant information for this
purpose has to be identified, captured and communicated in a timely,
comprehensible and accurate manner. As not all of the stakeholders above
should receive the same kind and amount of information, an appropriate
filtering of information has to be applied [see COSO 2004a, p. 67-74;
Neubeck 2003, p. 88].
• Monitoring: Finally, the risk management system has to be monitored,
reviewed and – if necessary – modified and improved to meet changing
requirements. A major objective of this process step is to assure the
effectiveness and efficiency of the system as a whole. Monitoring is
accomplished through ongoing management activities, separate
evaluations, or both. Furthermore, monitoring does not only refer to the risk
management system itself, but also has to consider the external
environment of an organization to assure that possible changes are
adequately reflected by the risk management [see COSO 2004a, p. 75-81].
The third and last dimension of the COSO Cube finally represents the
organizational structure. By taking this dimension into account, it shall be
assured that the objectives and processes defined in the first and second dimension
are implemented and executed on all levels of the organization. In this context
the levels “entity”, “division”, “business-unit” and “subsidiary” are mentioned as
examples [see COSO 2004a, p. 24; Foerschler/Scherf 2007, p. 212].
3.2 ISO 31000 Risk management
ISO, the International Organization for Standardization (Organisation
internationale de normalisation), is an international standard setter composed of
representatives from 157 national standardization bodies. The organization
promulgates world-wide proprietary industrial and commercial standards [see
ISO 2008a]. The development of the international standard ISO 31000 started in
2005, when the Australian and New Zealand standard setting bodies proposed to
raise their existing AS/NZS 4360 to an international standard. ISO decided
that a globally valid risk management standard was desirable, but argued against
a simple adoption of the AS/NZS 4360. Instead, the development of a new
standard was initiated, which, however, should incorporate the proven and
established concepts and components of the major existing frameworks. To
achieve this objective, a working group was founded and presented a first
proposal for a standard in September 2005 [see ISO 2005]. After passing
through several cycles of improvement, the current draft is now in the stage of a
“Draft International Standard (DIS)” [see ISO 2008b]. It is expected that it will
be raised to the status of a “Final Draft International Standard (FDIS)” in the
upcoming meeting of the working group in December 2008 and – after another
round of consultation – the final document will be released as an ISO standard in
the first quarter of 2009 [see Brühwiler 2008, p. 14].
The main objective of the ISO working group is to “provide a document which
provides principles and practical guidance to the risk management process. The
document is applicable to all organizations, regardless of type, size, activities and
location and should apply to all type of risk” [see ISO 2005, p. 1]. In contrast to
its ambitious claim, the working group right away excluded aspects of business
continuity/crisis management from their program, as these issues are already
subject to the efforts of another ISO working group and its standard development
(the “ISO 22399 – Societal security – Guideline for incident preparedness and
operational continuity management”) [see ISO 2005, p. 2].
As the ISO 31000 aims at establishing a common understanding regarding risk
and risk management, it outlines a high-level framework instead of dealing with
operational issues. Due to this objective, it sees itself as a generic guideline
containing recommendations rather than explicit requirements and is therefore not
intended to be used as a basis for external certification by independent third
parties [see ISO 2008b, ln. 172; Brühwiler 2008, p. 15].
The content of the ISO 31000 is structured according to the following sections [see
ISO 2008b, p. iii]:
Introduction
Foreword
1. Scope
2. Normative References
3. Terms and Definitions
4. Principles of Managing Risk
5. Framework for Managing Risk
6. Process for Managing Risk
Annex: Attributes of enhanced Risk Management
1. Scope: The first section of the document provides a general overview of the standard
and claims its universal applicability “to any public, private or community enterprise,
association, group or individual” as well as “throughout the life of an organization,
and to a wide range of activities, processes, functions, projects, products, services,
assets, operations and decisions”. [see ISO 2008b, lines 159-164].
2. Normative References: The second section of the document refers to the
“ISO/IEC Guide 73, Risk management – Vocabulary (ISO 73)” [see below] as a
document, which is seen as “indispensable” for the application of the ISO 31000
[see ISO 2008b, ln. 173-176].
3. Terms and definitions: The third section of the document contains a simple
reference to the ISO 73 mentioned above [see ISO 2008b, ln. 178]. The reason
for including this reference to a separate document instead of including all the
necessary terms and definitions in the ISO 31000 itself was the fact that risk
(management) related vocabulary shows a wide-spread relevance and is also used
in many other international standards (like the ISO 22399 already mentioned
above or several standards in the field of IT security or product safety). To assure
a consistent use of terms and definitions in all these standards, it seemed to
make sense to define the vocabulary in one separate document, which then is
referenced to by other standards [see Brühwiler 2008, p. 14].
Unfortunately, meanwhile the development of the ISO 73 is substantially lagging
behind the progress of the ISO 31000 (e. g. approximately 40 percent of the
definitions included in the ISO 73 have not even been discussed until today).
This situation results in a major dilemma: Firstly, the ISO 31000 could be
released as scheduled but would then contain a reference to a document, which
is still in a “draft” status and thus subject to changes, although it is seen as
“indispensable” for the application of the ISO 31000. Secondly, the final release
of the ISO 31000 could be postponed until the ISO 73 is finished, which would
cause a substantial delay of approximately 1 ½ years. Thirdly, the most relevant
terms and definitions of the ISO 73 could be included in the ISO 31000 (and
similar standards) accepting that the terms and definitions for one and the same
subject may become inconsistent while the particular standards are further
developed. While currently there seems to be a certain tendency to favor the
latter approach, this problem is still unsolved and will be a predominant issue at
the upcoming meeting of the working group in December 2008.
4. Principles of Managing risks: The fourth section of the document outlines the
following eleven basic principles for managing risk [see ISO 2008b, ln. 179-220]:
(a) Risk management creates value.
(b) Risk management is an integral part of organizational processes.
(c) Risk management is part of decision making.
(d) Risk management explicitly addresses uncertainty.
(e) Risk management is systematic, structured and timely.
(f) Risk management is based on the best available information.
(g) Risk management is tailored.
(h) Risk management takes human and cultural factors into account.
(i) Risk management is transparent and inclusive.
(j) Risk management is dynamic, iterative and responsive to change.
(k) Risk management facilitates continual improvement and enhancement of
the organization.
5. Framework for Managing risks: The fifth section of the document outlines
a risk management framework, providing the foundations and organizational
arrangements that will embed risk management throughout the organization at
all levels (see figure 02) [see ISO 2008b, ln. 221-359]:
Figure 02: ISO 31000 – framework for managing risks
6. Process for Managing risks: The sixth (and most extensive) section of the
document outlines the risk management process considering the following five
main activities (see figure 03) [see ISO 2008b, ln. 360-600]:
• Communication and Consultation: Communication and consultation is
seen as an integral part of all risk management activities and therefore
should take place at all stages of the risk management process involving all
relevant internal and external stakeholders. It is recommended that a
communication and consultation plan is developed, addressing issues
relating to the risk itself as well as to its consequences and the measures
being taken to manage it. Furthermore, there’s strong emphasis on the fact
that communication and consultation with stakeholders is especially
important as they make judgments about a certain risk based on their
perceptions, which can vary to a great extent due to differences in values,
needs, assumptions, concepts and concerns [see ISO 2008b, ln. 369-395].
• Establishing the Context: In this step, the organization defines the internal
and external parameters to be taken into account when managing risk. The
context should include both internal and external parameters relevant for the
organization (e. g. capabilities/know-how, information systems or policies,
and the cultural, political, legal, regulatory, financial, technological,
economic, natural or competitive environment as well as the perceptions and
values of both internal and external stakeholders). Furthermore, the context
for the risk management process itself has to be developed (by defining e. g.
roles and responsibilities, scope, depth and breadth of the risk management
activities, risk assessment methodologies, …). A last important aspect of this
process step is the development of risk criteria. These criteria should be
consistent with the organization’s risk management policy and should
continually be reviewed [see ISO 2008b, ln. 396-469].
• Risk Assessment: Risk assessment is the overall process of risk
identification, risk analysis and risk evaluation. The aim of the first activity –
risk identification – is to generate a comprehensive list of risks which may
affect the achievement of the organization’s objectives. In this context, it is
pointed out that it is important to identify the risks associated with not
pursuing an opportunity [see ISO 2008b, ln. 473-485]. The second activity
– risk analysis – provides input to risk evaluation as well as to decisions on
the most appropriate risk treatment measures. A particular risk is analyzed
by determining its consequences and their likelihood. It is also emphasized
that the confidence in the determination of risks and their sensitivity to
preconditions and assumptions should be considered in the analysis and
communicated effectively [see ISO 2008b, ln. 486-511]. The third activity –
risk evaluation – involves comparing the level of risk determined during the
risk analysis with the defined risk criteria in order to prioritize the
implementation of adequate measures for treating/mitigating the risk
[see ISO 2008b, ln. 512-524].
• Risk treatment: Risk treatment involves the selection of one or more
options to avoid, reduce, transfer/share or accept/self-carry risks, as well
as the implementation of appropriate measures. The choice of the most
appropriate risk treatment option involves balancing the costs and efforts of
implementation against its benefits (which need not be exclusively monetary).
When selecting risk treatment options, the organization should also consider
the values and perceptions of stakeholders and the most appropriate ways to
communicate with them. It should also be taken into account that risk
treatment itself can introduce new risks, such as the failure or
ineffectiveness of risk treatment measures. Therefore, adequate monitoring
also needs to be an integral part of the risk treatment plan. Finally, the
context of the risk treatment plan (e. g. the expected benefits, performance
measures, resource requirements, timing and schedule, …) should be documented
[see ISO 2008b, ln. 525-573].
• Monitoring and review: Regular and ad hoc monitoring and review activities
should encompass all aspects of the risk management process and refer to all
the steps described above. This process aims e. g. at analyzing and learning
lessons from events, detecting changes in the external and internal context,
ensuring that the risk treatment measures are effective and identifying
emerging risks [see ISO 2008b, ln. 574-590].
Figure 03: ISO 31000 – process for managing risks
Annex – Attributes of enhanced Risk Management: The closing section of
the document contains a collection of attributes representing a high level of
performance in managing risk. These attributes are:
a) Emphasis on continual improvement in risk management;
b) Comprehensive, fully defined and fully accepted accountability for risks,
risk controls and risk treatment tasks;
c) All decision making within the organization, whatever the level of
importance and significance, involves the explicit consideration of risks;
d) Continual communication with internal and external stakeholders;
e) Risk management is viewed as central to the organization's management
processes.
This list is intended to support organizations in measuring their own
performance against these criteria. For this purpose, some tangible
indicators are given for each attribute [see ISO 2008b, ln. 601-659].
4 COSO ERM and ISO 31000 – a comparison
As already mentioned above, generic risk management standards should – first of
all – provide clear, unambiguous and consistent terms and definitions and
describe essential components, processes and organizational structures.
Moreover, they should meet the following requirements [see Winter 2007,
pp. 137-138]:
• Completeness: The principles described by a standard should cover all
aspects of implementing and operating a risk management system.
• Generic Breadth: The principles described by a standard should not set
any constraints limiting its applicability but instead be suitable for as
wide a range of organizations as possible (i. e. independent of their
industry, legal structure, activities, products, location, size, …).
• Usability: The principles described by a standard should be comprehensible
and practicable.
• Integration: The principles described by a standard should make clear how
the risk management system can interact with or be integrated into other
management systems (e. g. quality management, internal control, …).
• External Assessment: The principles described by a standard should
provide an adequate basis for an independent, objective assessment by
(external) experts, e. g. by being suitable for a third-party certification.
As all standards refer to the same subject, it is not surprising that the
elements described by them are – to a large extent – quite similar.
Nevertheless, the particular standards do show some significant differences.
In this context, a predominant role can be assigned to the criterion of
“completeness”. If a standard is not to be limited to certain risk categories
or industries (as outlined in section 1), but is instead to serve as a robust
basis for the design and implementation of a truly comprehensive risk
management system, the complete coverage of all risk management related
topics is a prerequisite. Therefore, special attention will be paid to this
issue in the following comparison between COSO ERM and ISO 31000.
Completeness: To outline the differences between particular standards
regarding their completeness, it seems useful to compare them on the basis of
a standardized catalogue containing the most important components a truly
comprehensive risk management standard should incorporate. Possible
taxonomies for structuring these requirements were proposed e. g. by
Weidemann and Wieben [see Weidemann/Wieben 2001] and Neubeck [see
Neubeck 2003]. In addition, some of these requirements are also reflected in
the relevant accounting & auditing standards (e. g. the German IDW PS 340
[see IDW 2000]), which are mainly used for compliance assessments of risk
management systems. Further input to this topic can also be found in the
evaluation schemes used by rating agencies to assess the adequacy and
efficiency of enterprise-wide risk management systems [see e. g. S&P 2006].
The most comprehensive evaluation scheme for risk management systems to date
was developed by Winter [see Winter 2007, p. 149]. Over the last few months, a
special interest group of the German “Risk Management Association (RMA)
e. V.” – a professional organization of academics and risk managers from a
wide range of industries – worked on expanding and refining this scheme [see
RMA 2008]. Appendix A contains an overview of the results of these efforts. To
assess the (quantitative and qualitative) completeness of risk management
standards, the criteria outlined in this catalogue will be applied to the
COSO ERM and the ISO 31000. By using the scale shown in Appendix B to evaluate
the elements shown in Appendix A, a comparison between the COSO ERM and the
ISO 31000 can be accomplished. The results of this effort – which again are
mainly based on an assessment by the special interest group of the Risk
Management Association already mentioned above – are shown in Appendix B [see
also Winter 2007, p. 150; RMA 2008].
It becomes clear that both the COSO ERM and the ISO 31000 cover a wide range
of topics and almost completely meet the requirements outlined in the
catalogue. Nevertheless, COSO ERM as well as ISO 31000 show substantial gaps
regarding the element “business continuity/crisis management”. In the case of
ISO 31000 this can be explained – as already mentioned – by the explicit
exclusion of these issues as they are subject to the ISO 22399. However, by
neglecting this area
and its integration with other components of a risk management system, an
organization might lose sight of pivotal issues, possibly leading to a reduced
efficiency of the risk management system and its acceptance by internal and
external stakeholders [see Winter 2007, p. 151].
Generic Breadth & Usability: As the next two requirements show a significant
trade-off, it seems to make sense to examine them jointly. When analyzing the
criterion “completeness” (as documented in Appendix B), this issue was not
only considered in a merely quantitative way. By assessing whether, or to what
extent, a particular standard provides detailed descriptions of certain
elements and practical guidance for their implementation, it is also possible
to draw some conclusions regarding the generic breadth and the practical
usability of the COSO ERM and the ISO 31000.
In general, the evaluation shows that the COSO ERM covers most of the topics
on a more detailed level and with a higher attention to practical relevance
than the ISO 31000. In addition to the original standard, COSO also provides a
document called “Application Techniques”, which contains detailed
descriptions, practical illustrations and examples of how to implement the
different concepts, components and processes outlined by the COSO ERM [see
COSO 2004b].
The perceivable deficiencies of the ISO 31000 regarding the usability of the
standard are mainly due to the fact that the ISO 31000 follows a very broad
approach with great emphasis on the standard’s universal applicability.
However, while the COSO ERM seems to be very much focused on “typical”
enterprises, the generic approach chosen by the ISO 31000 shows a higher
flexibility and should therefore be better adaptable to the needs of other
entities, like e. g. non-government/non-profit organizations & associations or
companies in the public sector.
Although the ISO 31000 is not finalized yet, it seems very unlikely that its
generic/high-level approach will be changed to incorporate more operational
aspects. Moreover, it seems equally unlikely that the ISO 31000 will be
supplemented with additional guidelines, tools, examples, checklists or
similar material providing support for the practical implementation of the
standard (in the
case of the ONR 49000 and the AS/NZS 4360, e. g., this was primarily
accomplished by including annexes covering certain topics in detail).
However, as the ISO seems to be very much aware that an improvement of the
usability of its risk management standard is crucial for its success, it
started an initiative to develop sub-standards which should provide a more
in-depth view on the practical aspects of implementing a risk management
system. The first of these projects – which was started in December 2006 as a
joint effort of the ISO and the International Electrotechnical Commission
(IEC) – focuses on the development of a standard covering the process step of
“risk assessment” (the “IEC 31010 – Risk Management – Risk Assessment
Techniques”). In the meantime, this standard has reached the status of a
“Committee Draft” (the third of the six stages of the approval process), with
its final version scheduled to be released by mid-2009 [see IEC 2008]. The
document contains a relatively detailed description of 31 different approaches
for risk assessment (e. g. Markov analysis, Monte Carlo simulation, Bayesian
statistics and Bayes nets, Event Tree Analysis (ETA), Failure Modes and Effects
Analysis (FMEA), …) [see IEC 2008, pp. 33-93]. As it has not yet been decided
which other aspects of the ISO 31000 should be covered by particular
sub-standards, improving the usability of the ISO 31000 remains a major issue.
Integration: Regarding the criterion of “integration”, both the COSO ERM and
the ISO 31000 emphasize the importance of connecting the risk management
system with existing management (sub-)systems. Due to the different
backgrounds of the two standard setters – and therefore not surprisingly –
the COSO ERM focuses more on the relationship between risk management and
strategic planning as well as internal controls, while the ISO 31000
emphasizes the link between risk management and operative systems (e. g.
quality management). However, both standards extensively point out that the
objectives of the risk management system should be aligned to and be
consistent with the strategic objectives of an organization and that the risk
management system should exchange information with other management systems.
External Assessment: Unlike other popular standards (e. g. the “ISO 9000 –
Quality Management Systems”), neither the COSO ERM nor the ISO 31000 is
intended to be used for a formal certification of an organization’s risk
management system. In the case of the ISO 31000, this is even stated
explicitly [see ISO 2008b, ln. 172]. Nevertheless – as already mentioned
above – the COSO ERM has substantially influenced major regulatory
requirements, so many concepts of this framework can also be found in the
relevant guidelines and standards for auditing and accounting professionals.
Therefore, some kind of “de-facto” certification – at least for certain
components of a risk management system – has emerged, e. g. if an auditor
certifies that the internal controls used by an organization comply with the
relevant legal requirements, which in turn are based on the COSO ERM
framework.
For a quick overview of the results of the comparison between the COSO ERM
and the ISO 31000, table 02 briefly summarizes the findings described above
[see also Winter 2007, p. 151].
Table 02: Comparison between COSO ERM and ISO 31000
Element                COSO ERM            ISO 31000
Completeness           [symbol missing]    [symbol missing]
Generic Breadth                            ☺
Usability              ☺
Integration            ☺                   ☺
External Assessment    [symbol missing]    [symbol missing]
5 Conclusion & Outlook
As shown in the sections above, both the “COSO Enterprise Risk Management –
Integrated Framework” and the “ISO 31000 – Risk management – Principles and
guidelines on implementation” can provide useful support for organizations
aiming at designing and implementing an appropriate enterprise-wide risk
management system. Except for the element “business continuity/crisis
management”, both standards provide an almost complete and consistent
framework incorporating all important aspects of a comprehensive risk
management system. Because of their maturity, their holistic approach and
their methodological consistency, both the COSO ERM and the ISO 31000 can help
organizations to actually realize the potential benefits connected with the
application of a generic risk management standard (see section 2).
By pointing out some differences between the COSO ERM and the ISO 31000 it
became clear that both approaches have certain advantages and disadvantages.
Therefore, finally some potential future developments of the “risk management
standards landscape” will be discussed. Given the situation that – on the one
hand – there is a well-established standard and – on the other – there is an
emerging new one (which in fact incorporates a great variety of concepts that
can be found in well-established standards), one of the following three
scenarios (or a combination of these) seems likely:
(a) The ISO 31000 turns out to be “just another standard”, (more or less
“peacefully”) coexisting alongside other frameworks,
(b) the ISO 31000 becomes some kind of “meta-standard”, acting as a
reference point or generic basis upon which other standards are enhanced
and further developed,
(c) the ISO 31000 gradually substitutes other standards.
Scenario (a) seems most likely for the relationship between the ISO 31000 and
the COSO ERM. Organizations which have already implemented a risk management
framework according to the COSO ERM will probably see little
benefit in occupying themselves with another standard. Furthermore, as the
COSO ERM has also influenced a remarkable number of regulatory requirements,
its continuing popularity and widespread use seem to be guaranteed. Finally,
there seems to be no incentive for the US auditing and accounting
associations, as the predominant promoters of the COSO ERM, to abandon the
standard they have been working on throughout the last 20 years and replace
it with a new one. Nevertheless, as ISO points out some new aspects (e. g. the
emphasis on the efficiency of risk management systems) and works on detailing
some existing ones (e. g. the in-depth description of risk assessment in the
IEC 31010), having a close look at the new standard might be worth the effort
– even for organizations which have already implemented the COSO ERM. Finally,
due to its generic breadth and high flexibility, the ISO 31000 could prove
more adequate for organizations looking for a standard which is less focused
on the needs of a “typical” company with “typical” business. Therefore, the
ISO 31000 could be an interesting option especially for non-profit/
non-government organizations & associations as well as entities in the public
sector.
Scenario (b) seems most likely for the relationship between the ISO 31000 and
both the AS/NZS 4360 and the ONR 49000, at least in the near future. A first
indication supporting this assumption might be the updated version of the
“ONR 49000:2008 – Anwendung von ISO/DIS 31000 in der Praxis” [“practical
application of the ISO/DIS 31000”], which was released on June 1st, 2008 by
the Austrian standard setting body (“Österreichisches Normungsinstitut, ON”)
[see ON 2008, p. 3]. In this new release, the ONR 49000 was aligned with the
ISO 31000 while at the same time the original concept of providing additional
“hands-on” guidelines and tools for the implementation was continued or even
enhanced. This kind of “job sharing” (the ISO provides a generic document,
while other standard setters provide concrete guidelines for its practical
implementation) could turn out to be a reasonable approach for the next few
years – at least until the ISO itself is able to accomplish these efforts,
e. g. by developing a set of sub-standards for different areas like the IEC
31010 for risk assessment. While the Austrian standard setting body apparently
has already
decided to move in this direction, the position of the Australian and New Zealand
standardization committees still seems to be unclear.
Finally, scenario (c) seems most likely for the relationship between the ISO
31000 and the remaining standards. As most of the other frameworks (e. g. the
“IRMSA Code of practice”) show some noticeable deficiencies regarding the
criteria outlined in section 4, it will be hard for an organization to justify
a decision to use one of these standards once a mature, comprehensive and
consistent standard for risk management becomes available.
Generally, a consolidation of the “standards landscape” seems quite probable
in the long run, with the COSO ERM and the ISO 31000 (supplemented by a
variety of sub-standards and – in the near term – by updated versions of the
ONR 49000 and eventually the AS/NZS 4360) remaining as the two relevant
generic standards for the design and implementation of a holistic, consistent
and comprehensive risk management system.
Appendix A: Elements of risk management standards
(Columns: Category | No. | Element | Description)
Category: basic principles
 1  corporate strategy: consideration of risk management aspects within the
    corporate strategy & vision
 2  risk policy: basic principles regarding the handling of risks and the
    risk appetite, according to strategic objectives
 3  risk program: risk management objectives and activities
 4  organization/responsibilities: organizational elements, roles and
    responsibilities
Category: planning
 5  risk identification: methods, instruments and processes for the
    identification of risks
 6  risk assessment: methods, instruments and processes for the assessment
    of risks
 7  risk aggregation: methods, instruments and processes for the aggregation
    of risks
 8  risk mitigation: methods, instruments and processes for the mitigation
    of risks (avoid, reduce, transfer, self-carry)
Category: control
 9  implementation/controlling: implementation of a risk management system
    with adequate and efficient methods and processes
Category: monitoring
 10 continuous monitoring: continuous monitoring of all risks and counter
    measures
 11 periodical checks and reviews: periodical checks and reviews of the risk
    management system and structures
 12 management assessment: assessment of risk management efficiency and
    adequacy by top management
 13 system efficiency: assessment of risk management efficiency and adequacy
    by external parties (e. g. auditors)
Category: information & communication
 14 information supply: gathering of all necessary risk management
    information
 15 documentation: documentation of the assumptions, information, methods,
    processes, results ... related to risk management
 16 recording: recording and storage of the information attained
 17 internal reporting/communication: communication of risk management
    related topics to internal stakeholders (e. g. board, employees, …)
 18 external reporting/communication: communication of risk management
    related topics to external stakeholders (e. g. investors, regulators, ...)
Category: management of resources
 19 human resources: skills necessary to implement and operate the risk
    management system
 20 other resources: other resources necessary to implement and operate the
    risk management system (e. g. IT, consulting, …)
Category: other aspects
 21 business continuity/crisis management: reactive measures after damages
    have occurred to limit their impact and restore normal operations
 22 interfaces to other management systems: relations and interactions with
    other management systems (e. g. accounting, quality management, …)
Appendix B: Comparison of COSO ERM and ISO 31000 regarding their completeness
(Columns: Category | No. | Element | COSO ERM | ISO 31000; the coverage
symbols in the two rating columns are not legible in this copy.)
Category: basic principles
 1  corporate strategy
 2  risk policy
 3  risk program
 4  organization/responsibilities
Category: planning
 5  risk identification
 6  risk assessment
 7  risk aggregation
 8  risk mitigation
Category: control
 9  implementation/controlling
Category: monitoring
 10 continuous monitoring
 11 periodical checks and reviews
 12 management assessment
 13 system efficiency
Category: information & communication
 14 information supply
 15 documentation
 16 recording
 17 internal reporting/communication
 18 external reporting/communication
Category: management of resources
 19 human resources
 20 other resources
Category: other aspects
 21 business continuity/crisis management
 22 interfaces to other management systems
Rating scale:
no coverage: The particular element is not covered.
low coverage: The particular element is covered, but definitions and
descriptions remain fragmentary.
medium coverage: The particular element is covered, definitions and
descriptions are sufficient, but practical guidance remains fragmentary.
good coverage: The particular element is covered, and definitions and
descriptions as well as practical guidance are sufficient.
References:
Ballou, B./Heitger, D. (2004): A Building-Block Approach for Implementing
COSO's Enterprise Risk Management – Integrated Framework, in: Management
Accounting Quarterly, vol. 6 (2004), no. 2, pp. 1-10.
Brühwiler, B. (2008): Der neue Risikomanagement-Standard ISO 31000, in:
ZRFG, vol. 3 (2008), no. 1, pp. 14-17.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
[ed.] (2004a): Enterprise Risk Management – Integrated Framework, New York
2004.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
[ed.] (2004b): Enterprise Risk Management – Integrated Framework –
Application Techniques, New York 2004.
Eckert, S./Möller, K. (2006): COSO Enterprise Risk Management Framework, in:
Controlling, no. 3/2006, pp. 161-163.
Erben, R. F. (2008): Das COSO-ERM-Framework als Ansatz zur Standardisierung
von Risikomanagementsystemen, in: Bachert, R./Peters, A./Speckert, M. [eds.]:
Risikomanagement in Non-Profit-Organisationen, Baden-Baden 2008.
Foerschler, D./Scherf, C. (2007): COSO II – Enterprise Risk Management
Framework in der operativen Revisionspraxis, in: ZRFG, vol. 2 (2007), no. 5,
pp. 209-215.
International Electrotechnical Commission (IEC)/International Organization
for Standardization (ISO) [eds.] (2008): IEC 31010 Ed. 1.0: Risk Management –
Risk Assessment Techniques, Document No. 56/1268/CDV, May 23rd, 2008.
International Organization for Standardization (ISO)/WG on General Guidelines
for Principles and Implementation of Risk Management [ed.] (2005): Terms of
Reference as adopted by the ISO/TMB, Document No. NA 095-04-02 N 0007,
June 22nd, 2005.
International Organization for Standardization (ISO) [ed.] (2008a): About
ISO, published electronically: http://www.iso.org/iso/about.htm.
International Organization for Standardization (ISO) [ed.] (2008b): Risk
management – Principles and guidelines on implementation, Draft International
Standard ISO/DIS 31000, Geneva 2007.
Institut der Deutschen Wirtschaftsprüfer (IDW) [ed.] (2000): IDW PS 340 – Die
Prüfung des Risikofrüherkennungssystems nach § 317 Abs. 4 HGB, Düsseldorf
2000.
Kuhn, H. (2006): Risikomanagement für Unternehmen – Was bringen die neuen
Normen?, in: MQ Management und Qualität, no. 6/2006, pp. 8-10.
Neubeck, G. (2003): Prüfung von Risikomanagementsystemen, in: Marten, K.-U./
Quick, R./Ruhnke, K. [eds.]: Hochschulschriften zur Wirtschaftsprüfung,
Düsseldorf 2003, pp. 85 f.
Nicklisch, H. (1912): Allgemeine Betriebslehre als Privatwirtschaftslehre des
Handels und der Industrie, vol. 1, Leipzig 1912.
Österreichisches Normungsinstitut (ON) [ed.] (2008): Zur Neuausgabe der
ON-Regeln ONR 49000 – Anwendung von ISO/DIS 31000 in der Praxis
(Fachinformation 06), Wien 2008.
Risk Management Association e. V. [ed.] (2008): Bewertungsschema für Risiko
Management Standards, München 2008 (internal document, unpublished).
Ruud, T. F./Sommer, K. (2006): Enterprise Risk Management – Das COSO-ERM-
Framework, in: Der Schweizer Treuhänder, no. 3/2006, pp. 127-128.
Sarbanes, P. S./Oxley, M./US Dept. of Justice [ed.] (2002): An Act to protect
investors by improving the accuracy and reliability of corporate disclosures
made pursuant to the securities laws, and for other purposes, Washington
2002, published electronically: www.usdoj.gov.
Schmid, W. (2005): Risk Management Down Under (AS/NZS 4360:2004), in:
RISKNEWS, no. 03/05, pp. 25-28.
Shortreed, J. H. et al. (2003): Basic Frameworks for Risk Management, Network
for Environmental Risk Management [ed.], 2003.
Simister, T. (2000): Risk Management – the need to set standards, in: Balance
Sheet, vol. 8, no. 4, pp. 9-10.
Standard & Poor's [ed.] (2006): Insurance Criteria: Refining The Focus Of
Insurer Enterprise Risk Management Criteria, London 2006.
Weidemann, M./Wieben, H.-J. (2001): Zur Zertifizierbarkeit von
Risikomanagement-Systemen, in: Der Betrieb, vol. 54 (2001), no. 34,
pp. 1789-1795.
Weidemann, M. (2001): Der australisch-neuseeländische Standard AS/NZS
4360:1999 zum Risikomanagement, in: Der Betrieb, vol. 54 (2001), no. 50,
pp. 2613-2618.
Winter, P. (2007): Risikocontrolling in Nicht-Finanzunternehmen – Entwicklung
einer tragfähigen Risikocontrolling-Konzeption und Vorschlag zur Gestaltung
einer Risikorechnung, Lohmar/Köln 2007.