As far as international risk management standards go, the best choice for any non-financial organisation is by far the ISO 31000:2018. At the time of writing the standard had been officially translated and adopted in 70+ countries, making it truly global. ISO 31000:2018 is an international standard that provides principles and guidelines for effective risk management. It is not specific to any industry or sector and is intended to be tailored to meet the needs of the organisation. The standard is a very powerful document and reinforces the message of integrating risk management into business activities and decision making. Here are just some useful extracts:
- The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.
- The purpose of the risk management framework is to assist the organization in integrating risk management into all its activities and functions.
- The effectiveness of risk management will depend on its integration into the governance and all activities of the organization, including decision-making. This requires support from stakeholders, particularly top management.
- Integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization’s needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.
- The organization implements the risk management framework by:
  - developing an appropriate plan including timing;
  - identifying where, when and how different types of decisions are made across the organization, and by whom;
  - modifying the applicable decision-making processes where necessary;
  - ensuring that the organization’s arrangements for managing risk are clearly understood and practiced.
- The risk management process should be an integral part of management and decision-making and should be integrated into the structure, operations and processes of the organization.
- It can be applied at strategic, operational, program or project levels.
- There can be many applications of the risk management process within an organization, customized to achieve objectives and to suit the external and internal context in which they are applied.
- The dynamic and variable nature of human behaviour and culture should be considered throughout the risk management process.
COSO also published its COSO ERM in autumn 2017. It carries the same or similar messages with no additional value; however, it is packaged in a very complex document that is more than 250 pages long and very painful to read. We have provided a detailed COSO ERM overview on the RISK_ACADEMY website for anyone interested. Nevertheless, risk managers shouldn’t disregard the new COSO ERM. Just as it is a marketing tool for PwC, risk managers should use it as one too. Here is what COSO ERM 2017 can be used for:
- using it as an argument to initiate a change project to move away from quarterly risk assessments, risk reports and risk mitigation plans towards integrating risk analysis into the actual decision-making process
- using sections and good messages from COSO ERM 2017 to reinforce the changes you have been proposing for a while, which were ignored by management
- showing how COSO ERM 2017 reinforces the work you were already doing
- justifying whatever good risk management you were doing
- getting attention from the Board or Audit Committee
- opening the door to strategic planning process
- combating the auditors or consultants who were selling outdated concepts and tools like risk registers, risk management framework documents and risk appetite statements.
Risk management is about using uncertainty to your advantage, so don’t miss the opportunity to use the updates of both the major international standard and the framework to your advantage and to better achieve the goal of integrating risk management into decision making.
In addition, some industries have their own risk management related standards or guidelines. These are usually published by industry associations, such as the Risk Management Guidelines developed by the European Private Equity & Venture Capital Association. Some countries, Germany for example, also have specific laws and regulations related to risk management. All this additional guidance should be taken into account when implementing risk management in any given company.
The complexity of the approach and the risk management framework selected should be proportional to the size and risk profile of your business as well as its overall risk management maturity. Now, don’t take this last sentence to mean that only mature organizations should integrate risk management into actual decision making. No, that’s a given. It is the depth and breadth of the integration into decision making that should depend on organizational maturity.