When defining an ERM process tailored to the organization’s needs, it helps to have a suitable framework as a point of reference. Otherwise, management begins with a blank sheet of paper and we all know that makes it harder.
There are different frameworks from which to choose: COSO Enterprise Risk Management – Integrated Framework, ISO 31000 Risk Management – Principles and Guidelines on Implementation, BS 31100 Code of Practice for Risk Management, FERMA A Risk Management Standard, and OCEG Red Book 2.0 (GRC Capability Model), among others.
Below, we contrast the COSO and ISO 31000 frameworks. We selected these two because they are commonly used and referenced (and space doesn’t permit the consideration of others).
The COSO framework was issued in 2004 and ISO 31000 in 2009. COSO’s emphasis is on providing a flexible evaluation standard against which to evaluate the current ERM process as opposed to focusing on the specific activities of the risk management process itself. ISO 31000 is intended to provide guidance on the nature of the risk management process and how to implement it. This distinction is a crucial one to understand when comparing the two frameworks and understanding how they can be used.
ISO 31000’s focus on risk management as a process devotes more attention to implementation, which broadens its appeal for those looking for insights on that subject. To that end, COSO has subsequently issued a thought paper offering practical approaches for getting started that provides implementation guidance. Companies planning on implementing the COSO ERM framework should review ISO 31000 (and other frameworks) for additional perspective and guidance on implementation considerations.
ISO 31000 states:
“[R]isk management creates value, is an integral part of organizational processes; is part of decision making; explicitly addresses uncertainty; is systematic, structured and timely; is based on best available information; is tailored; is transparent and inclusive; is dynamic, iterative and responsive to change; and facilitates continual improvement and enhancement of the organization.”
Therefore, ISO 31000 is focused on integration and change themes. COSO states that ERM is applied in strategy setting and its definition of ERM explicitly incorporates the concept of risk appetite and aligns it with strategy. ISO 31000 makes a passing mention of risk appetite as an aspect of policy.
Most organizations that have taken serious steps to implement ERM would assert that ERM is a journey. Therefore, because ERM can’t be implemented overnight, companies must evolve their thinking based on their experience and needs. All of the frameworks can be useful as companies continue to learn and advance their risk management capabilities. Both COSO ERM and ISO 31000, because of their maturity, their holistic approach and their methodological consistency, can help organizations to realize the potential benefits connected with the application of a generic risk management standard.
The two frameworks (as well as the others mentioned earlier) touch on similar aspects of the risk management process. While there are nuances among the alternative frameworks, each is basically a representation of the same body of knowledge. All frameworks are built on the same model of selecting an objective and using that objective as a standard for evaluating risk management effectiveness and efficiency.
Whether a framework begins with quality focus or a focus on a strategic initiative, performance goal or risk, the evaluator must set down an objective by which to assess the performance of risk management capabilities. In practice, the framework of choice is often a matter of personal preference as to what’s needed to suit the enterprise’s purposes. That said, ALL of the frameworks can be useful when getting started.
One thing to keep in mind: The COSO framework is often selected because the project sponsor wants to “leverage prior work using the COSO internal control framework,” because COSO’s ERM framework incorporates its long-standing internal control framework within it. While on the surface this point of view has appeal, it also can lead to immersion of the ERM implementation into minutiae, an approach that doesn’t blend well with a strategic focus. COSO’s primary objective was to expand on internal control and provide a more robust and extensive focus on the broader subject of ERM. Used properly in strategy setting and across the enterprise, the framework can help companies accomplish that objective.
Finally, while a suitable framework has its role, it is not a panacea. What is equally important is a fully engaged board, a bought-in CEO, an approach to integrating risk management with the core management processes that matter, an open and transparent risk culture, a balanced compensation structure, and the will and discipline to act when the warning signs are clear. A framework alone cannot solve these issues, which are broader and largely cultural in nature.