Imbricate Risk Standards
An interesting comment from one of our customers today in respects to risk management standards or frameworks specifically is worth pondering on.
“Martin, when I look at these different risk management frameworks; COSO, AS/NZS 4360 and others, they all appear on the surface to be very similar, well they do look the same to me in the way they work. Is there a best of breed Enterprise Risk Management framework, which one should we adopt in our business?”
Many risk management standards, especially those mentioned above are very much cut from the same kind of crafting table and they do overlap with both their recommendations and approach to risk management.
COSO is where many practitioners believe it all began when it comes to Enterprise Risk Management guidelines, certainly as we know them as a formalised discipline of management today. COSO was formed as an outcome of work carried out from the National Commission on Fraudulent Financial Reporting way back in 1985 but it would be fair to say that these risk management standards are not stationary, evolve through time and borrow from a common ideology set.
An example of this evolving practice can be seen from COSO which recently embarked on updating its internal control framework in 2011 / 2012 and the new guidelines add some interesting tooling (Illustrative Tools for Assessing Effectiveness of a System of Internal Control) and additional clarity to the framework. More information here [LINK].
If you take a look at the Federation of European Risk Management Association guidelines, published just over a decade ago in 2002, you will also notice the similarities between FERMA and AS/NZS 4360 and ISO 31000 [LINK]. The same crafting table certainly appears to be applied among this family of standards.
Personally I see the original 2002 FERMA 2.2 ‘The Risk Management Process’ schematic as portraying itself as more extensive or detailed than 31000 or 4360 but that doesn’t mean to say that it is better or that it should replace ISO 31000.
When it comes to FERMA, it has kind of or at the very least tried to converge with the ISO standard [LINK] overtime and for the simple reason that ISO 31000 is perhaps the most internationally accepted standard. One thing that appears evident in this case is that the two standards share crafting table similarities. We have to wait see when it comes to risk management standards or the people behind them, these liaisons are occasionally politically motivated at times and interactions can be fragile.
All of these risk management guidelines are just that, guidelines and very top level documents and I recommend having a look at the all of them.
ISO 31000 for example comes with ISO 31010 (Risk assessment techniques) and that gives risk management practitioners, particularly those new to the game all sorts of ideas on how evaluate risk. If you compare the ISO 31010 list of assessment techniques with Appendix 10 of the original FERMA guide, you will again discover plenty of overlap. Mind you, ISO 31010 explores risk assessment techniques with verbose examples and that makes it invariably more useful.
COSO’s Illustrative Tools brief was a curious read too and again potentially useful for beginners in the risk management domain. All that said and done, it’s a tick list methodology and that needs to be applied to risk problems with caution.
Each risk management guideline has its own benefits and drawbacks, all of them punching at the apex level. There always seems to be plenty of practitioners out there that favor one standard over another, some of these people are orthodox in the way they borrow or interpret various texts from their favourite standard and some consultants defend a specific guideline in a doctrine like manner. It’s a bit tragic at times in these risk management communities.
Rather than comparing the semantic dissimilarities with these standards, the question you need to answer is the following; if you were to take ISO 31000, how would you make that work in your organisation? What could it give you as management benefits? That might be the best place to begin with all of this.