
2nd European Risk Conference, Università Bocconi, September 11th & 12th, 2008

Risk Management Standards


role, benefits & applicability

Dr. Roland Franz Erben

Academic affiliation: Bayerische Julius-Maximilians-Universität Würzburg, Lehrstuhl für BWL und Wirtschaftsinformatik, Josef-Stangl-Platz 2, D-97070 Würzburg, Germany
Address for correspondence: Resi-Weglein-Gasse 3, D-89077 Ulm, Germany
Tel.: +49.(0)731.360808-93
Fax.: +49.(0)731.360808-94
Cell.: +49.(0)163.3733633

E-Mail: rerben@wiinf.uni-wuerzburg.de

Risk Management Standards

Abstract: As every risk management system must reflect the specific circumstances of an organization, a uniform approach can never be adequate. Nevertheless, risk management standards can provide useful support for designing and implementing a comprehensive and consistent risk management system. After a short description of two standards, the COSO Enterprise Risk Management Integrated Framework (COSO ERM) and the ISO/DIS 31000 Risk management: Principles and guidelines on implementation, these frameworks are compared regarding the criteria completeness, generic breadth, usability, integration and external assessment. It is shown that both standards fulfill these requirements to a high degree, with the ISO 31000 being more generic and flexible while the COSO ERM provides more practical guidance. As a conclusion, it can be expected that the already well-established COSO ERM and the emerging ISO 31000 will play a predominant role in the future.

JEL-classification: M19, L15, L29

Keywords: Risk Management Standards; Risk Management Systems; Standardization; COSO ERM Integrated Framework; ISO 31000

Dr.RolandFranzErben

page 2 of 34


Content

1 Introduction ........................................................................................ 4
2 Risk management standards: potential benefits and practical relevance ..... 7
3 COSO ERM and ISO 31000: an overview ............................................. 10
  3.1 COSO ERM Integrated Framework .................................................. 10
  3.2 ISO 31000 Risk management ........................................................ 15
4 COSO ERM and ISO 31000: a comparison ........................................... 22
5 Further developments & Conclusion ..................................................... 27
Appendix A: Elements of risk management standards ............................................... 30
Appendix B: Comparison of COSO ERM and ISO 31000 regarding their completeness .... 31
References ....................................................................................... 31


1 Introduction

All companies and organizations face a wide range of opportunities and risks that may positively or negatively affect the achievement of their objectives. The importance of a particular risk for a specific organization is determined by a great variety of internal (e. g. business model, products, size, financial resources, reputation, degree of vertical integration) and external (e. g. macroeconomic situation, legislation and jurisdiction, exchange and interest rates, sociodemographic changes, quality of public infrastructure, natural disasters) factors. Because of the diversity of these factors, their varying importance, their constant changes and their mutual interdependency, every single organization has to deal with a unique set of risks. To adequately handle these risks, it is a prerequisite to design and implement a customized risk management system which reflects the specific and characteristic attributes of the particular organization and takes into account its individual risk appetite. Under these circumstances, a uniform, "one size fits all" risk management approach is inevitably bound to fail.

Nevertheless, since the early 1990s a great (and still growing) number of efforts aimed at the standardization of risk management and internal control systems in organizations have been developed by standard setters (like the International Organization for Standardization, ISO), regulatory bodies (like the Bank for International Settlements, BIS) or professional associations and working groups (like the Institute of Risk Management South Africa, IRMSA). Because of the great number of bodies involved in the development of risk management standards, the terms and definitions used are anything but standardized. An in-depth analysis and discussion of the differences regarding the wording of the different standards would not contribute substantially to the objectives of this paper. Therefore, in this context the term standard is used to describe a published set of rules to solve a certain problem or to fulfill certain requirements. More or less analogous expressions for the term standard (admittedly sometimes with a slightly different meaning or emphasis) that can be found in other publications are e. g. framework, guideline or norm.

Although the research efforts in the field of risk management standards have been very limited so far, it can be assumed that currently there are approximately 80 standards in use [see Shortread 2003, p. 3]. These approaches differ very much regarding their scope, target groups, topics and level of detail. Based on the probably most important factor, scope, the following three main types of standards can be distinguished:

- Risk category specific standards, targeting a particular type or source of risk. Well-known examples for these risk category specific standards are the International Standard ISO 27000 et seq. in the field of IT security, the British Standard BS 6079 for project risk management or a variety of regulations aiming at the assurance of adequate product safety.
- Industry specific standards, targeting the characteristic risks of organizations with activities in a certain area of business. These standards are mainly applied in industries with high significance for the economy, the environment or public health & safety (like e. g. aviation, banking, insurance or the chemical/pharmaceutical industry). For these industries, compliance with the relevant risk management standards is often a legal requirement. Well-known examples for industry specific standards are Basel II and Solvency II, which define risk management requirements for financial institutions resp. insurance companies.
- Generic standards, targeting the standardization of risk management systems as a whole. These standards constitute a comprehensive and holistic risk management approach and claim to outline general requirements for a great variety of organizations, almost independent of their type, size, activities or location. Well-known examples for generic standards are the COSO Enterprise Risk Management Integrated Framework (hereafter referred to as COSO ERM), the Austrian/Swiss ON-Regel 49000 et seq. or the Australian/New Zealand AS/NZS 4360.

In recent months, significant impact on the discussion about generic risk management standards arose from the efforts by the International Organization for Standardization (ISO) to establish a globally valid risk management standard, the ISO 31000 Risk management: Principles and guidelines on implementation (hereafter referred to as ISO 31000), which is currently in the last stages of its development and is expected to be released in the first quarter of 2009.


2 Risk management standards: potential benefits and practical relevance

Taking into account the fact that risk management systems have to reflect resp. be adapted to the specific circumstances and requirements of each and every organization, generic risk management standards do not aim at standardizing the concrete specifications and implementation of such a system for a particular organization. Instead, they claim to provide a universally valid guideline. Despite the relatively high level of abstraction, the application of a risk management standard can turn out to be quite useful, as such standards outline generally accepted risk management processes and components. These standards can especially offer support regarding the following issues [see Winter 2007, p. 137; Kuhn 2006, p. 8]:

- By providing clear, unambiguous and consistent terms and definitions, generic standards can help to establish a common understanding of the relevant topics throughout the entire organization. Therefore they can contribute to a better communication between the different entities of an organization or between the organization and its stakeholders (e. g. customers, suppliers, investors, regulators, ...). This aspect proves to be especially important in large, diversified and complex organizations, e. g. global companies with a wide range of activities in many different countries and therefore divergent (risk) cultures.
- By describing the essential (and maybe also the desirable) components, processes and organizational structures of an effective and efficient risk management system, generic standards provide a useful blueprint for organizations aiming at designing and implementing such a system. The consideration of a comprehensive and holistic standard can help these organizations to avoid substantial gaps resp. to incorporate all pivotal aspects in their individual conceptual design.
- By outlining a best practice risk management system, generic standards can serve as a benchmark to which organizations can compare their existing approaches. Therefore, generic standards can help to identify potential deficiencies of existing risk management systems and gaps between the actual status and a best practice approach.
- By designing and implementing its risk management system according to a tried and tested standard, an organization can enhance the transparency of its own approach. Additionally, the consideration of a standard can contribute to improving the trust and confidence of internal and external stakeholders in the risk management abilities of an organization.
- As risk management standards often incorporate relevant legal requirements and/or new regulations take into account the issues outlined in these standards, they can also help organizations to fulfill their compliance requirements in that area [see Weidemann/Wieben 2001, p. 1790].

As already mentioned above, despite the growing number of risk management standards, the research efforts regarding their dissemination or use in practice have been very limited so far. Most of all, an empirical analysis of whether or to which extent these standards are actually applied in organizations has not yet been accomplished. A first (although admittedly scientifically not very sound) indication of the popularity of some generic risk management standards may be the number of results returned by Google when searching for their names. The results of this analysis, performed on July 19th 2008, can be found in table 01 (interestingly enough, although it is still in a draft status, the ISO 31000 returned a remarkable number of results).

Table 01: Google search results for different risk management standards

Search term               # of results
AS/NZS 4360                   26.400
COSO ERM                      19.900
ISO 31000                      3.320
ON 49000                       2.650
JIS Q 2001                     1.680
CAN/CSA Q850                     969
IRMSA Code of practice            91


For further analysis, this paper will focus on the COSO ERM and the ISO 31000. First of all, a comparison between these two standards seems to be most promising as they show some noteworthy differences [see section 4]. Furthermore, this decision can be justified by the fact that the development of the ISO 31000 was predominantly based on the AS/NZS 4360 and strongly influenced by the ONR 49000 [see section 3.2]. As a consequence, major concepts and principles of these two standards can also be found in the ISO 31000. Because of their similarity to the ISO 31000, an in-depth analysis of the Australian/New Zealand resp. Austrian/Swiss approach seems dispensable. Finally, leaving aside the Japanese JIS Q 2001, the Canadian CAN/CSA Q850 and the Code of practice developed by the Institute of Risk Management South Africa (IRMSA) can be justified by taking into account that these standards have undoubtedly gained a remarkable recognition in their regions of origin but seem to lack acceptance in the rest of the world.


3 COSO ERM and ISO 31000: an overview

Prior to a comparison between the COSO ERM and the ISO 31000 in section 4, a short overview of the structure as well as the basic concepts of the two standards is outlined in the following sections.

3.1 COSO ERM Integrated Framework

COSO, the Committee of Sponsoring Organizations of the Treadway Commission, was established in 1985 in the USA. The group was named after its first chairman James C. Treadway Jr., the former Commissioner of the US Securities and Exchange Commission (SEC). The Sponsoring Organizations represent some of the most important US accounting and auditing associations (the American Accounting Association, AAA; the American Institute of Certified Public Accountants, AICPA; Financial Executives International, FEI; the Institute of Management Accountants, IMA; and The Institute of Internal Auditors, IIA). Additionally, the development of the COSO standard was supported by a project advisory council with representatives from various companies and the accounting & auditing firm PricewaterhouseCoopers (PwC) [see COSO 2004a, p. iii; Ballou/Heitger 2004, p. 1]. A major objective of the Committee was the development of approaches to prevent fraudulent or misleading financial reporting [see Janke 2007, p. 115; Foerschler/Scherf 2007, p. 210]. To reach this objective, in 1992 COSO published a standard called Internal Control: Integrated Framework (commonly known as COSO I), targeting the development and implementation of an effective and efficient monitoring system [see COSO 2004a, p. v]. Because of its suitability for a wide range of industries and companies, COSO I quickly gained a high level of appreciation. As it emerged as a de-facto industry standard for internal control issues, its principles influenced a wide range of other frameworks in that area and were also considered in some regulatory requirements; as an example, the Sarbanes-Oxley Act (SOX) of 2002 recommends the use of COSO I [see Sarbanes/Oxley 2002].


In 2004, the COSO I standard was substantially enhanced. While the original framework primarily focused on the issues of internal control and monitoring, the updated version, the COSO Enterprise Risk Management Integrated Framework (commonly known as COSO II or COSO ERM), expanded this relatively narrow scope by integrating aspects of a comprehensive, holistic, enterprise-wide risk management system. Apart from minor adjustments, all topics of COSO I were also incorporated in COSO ERM [see COSO 2004a, p. v; Ballou/Heitger 2004, p. 2; Foerschler/Scherf 2007, p. 210]. One of the most outstanding characteristics of the COSO approach is its three-dimensional view of the organization and its risk management system (often referred to as the COSO Cube, see figure 01) [see COSO 2004a, p. 23].

Figure 01: COSO Cube

The first dimension of this cube represents the objectives set by the top management of a company. COSO ERM is geared to achieving these objectives, set forth in four categories [see COSO 2004a, p. 21]:

- Strategic: Obviously, the top priority of each organization is the achievement of the objectives derived from its vision and mission. These high-level goals also constitute the guidelines for the other components of the first and the other dimensions.
- Operations: The effective and efficient use of its resources is a basic requirement for every organization to create value.
- Reporting: The reliability of (financial) reporting is a basic requirement for the effectiveness of internal controls and the information of external stakeholders.
- Compliance: Compliance with applicable laws and regulations is a prerequisite for every organization to do business.

The second dimension represents the components and processes of a risk management system. According to COSO, enterprise risk management consists of eight interrelated building blocks. Incorporating these components (and hereby following the guidance provided by COSO regarding their design, implementation and operation) should enable an organization to achieve the objectives outlined in the first dimension. The components specified by COSO are [see COSO 2004, p. 27-81]:

- Internal Environment: The internal environment constitutes the foundation for how risk is viewed and addressed and sets forth the general conditions for all following steps of the risk management process. Obviously, this component is strongly influenced by the history, the culture and values, the risk appetite and the operating environment of an organization [see COSO 2007, p. 27-34].
- Objective Setting: Following Nicklisch's widespread definition of the term risk as the possibility of a negative deviation of the actual outcomes from the original objectives [see Nicklisch 1912, p. 34], the specification of objectives is a prerequisite for the emergence of risk: without having defined objectives, potential events affecting their achievement can neither be identified nor managed. The objectives have to be measurable and consistent with the organization's mission and risk appetite and must be aligned with the categories of the first dimension (strategy, operations, reporting and compliance) [see COSO 2004a, p. 35-40].
- Event Identification: The setting of objectives is followed by the identification of (internal and external) events that may affect their achievement. During the event identification, an explicit differentiation between risks and opportunities is made. Possible tools to facilitate this process are e. g. checklists, questionnaires or interviews with experts. The interdependency between different events and their mutual reinforcement resp. dilution is to be considered. To assure efficiency and to reduce complexity, an organization should concentrate on significant events [see COSO 2004a, p. 41-47].
- Risk Assessment: During the next process step, the identified risks are analyzed and quantitatively evaluated according to their probability and impact. For this purpose, the use of existing (internal or external) information, empirical data, estimates etc. is recommended. Possible correlations between different events are also to be taken into account. As a result of these activities, an overview of the risks of an organization is generated, listed according to their priorities [see COSO 2004a, p. 49-54].
- Risk Response: Based on the results of the risk assessment, adequate measures (avoid, reduce, transfer/share, accept/self-carry) for an appropriate risk mitigation have to be defined and implemented to align the existing risks with the organization's risk tolerance and risk appetite and at the same time find an optimal balance between risks and the corresponding opportunities [see COSO 2004a, p. 55-60].
- Control Activities: The implemented mitigation/risk response measures have to be continuously monitored using appropriate procedures to assure that they are carried out effectively.
  A differentiation is made between measures aiming at preventing or detecting potentially undesired impacts and measures aiming at correcting damages resulting from incidents that already have occurred [see COSO 2004a, p. 61-66; Ruud/Sommer 2006, p. 129].
- Information and Communication: The responsible managers and, if necessary, other internal and external stakeholders (e. g. employees, customers, suppliers, investors, regulators, media, ...) have to be informed about all relevant risks, incidents, damages etc. as well as other important aspects of the risk management process. The relevant information for this purpose has to be identified, captured and communicated in a timely, comprehensible and accurate manner. As not all of the stakeholders above should receive the same kind and amount of information, an appropriate filtering of information has to be applied [see COSO 2004a, p. 67-74; Neubeck 2003, p. 88].
- Monitoring: Finally, the risk management system has to be monitored, reviewed and, if necessary, modified and improved to meet changing requirements. A major objective of this process step is to assure the effectiveness and efficiency of the system as a whole. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. Furthermore, monitoring does not only refer to the risk management system itself; management also has to consider the external environment of an organization to assure that possible changes are adequately reflected by the risk management [see COSO 2004a, p. 75-81].

The third and last dimension of the COSO Cube finally represents the organizational structure. By taking this dimension into account, it shall be assured that the objectives and processes defined in the first and second dimension respectively are implemented and executed on all levels of the organization. In this context the levels entity, division, business unit and subsidiary are mentioned as examples [see COSO 2004a, p. 24; Foerschler/Scherf 2007, p. 212].


3.2 ISO 31000 Risk management

ISO, the International Organization for Standardization (Organisation internationale de normalisation), is an international standard setter composed of representatives from 157 national standardization bodies. The organization promulgates world-wide proprietary industrial and commercial standards [see ISO 2008a]. The development of the international standard ISO 31000 started in 2005, when the Australian and New Zealand standard setting bodies proposed to elevate their existing AS/NZS 4360 to an international standard. ISO decided that a globally valid risk management standard was desirable, but argued against a simple adoption of the AS/NZS 4360. Instead, the development of a new standard was initiated, which, however, should incorporate the proven and established concepts and components of the major existing frameworks. To achieve this objective, a working group was founded and presented a first proposal for a standard in September 2005 [see ISO 2005]. After passing through several cycles of improvement, the current draft is now in the stage of a Draft International Standard (DIS) [see ISO 2008b]. It is expected that it will be elevated to the status of a Final Draft International Standard (FDIS) at the upcoming meeting of the working group in December 2008 and that, after another round of consultation, the final document will be released as an ISO standard in the first quarter of 2009 [see Brühwiler 2008, p. 14].

The main objective of the ISO working group is to provide a document which provides principles and practical guidance to the risk management process. The document is applicable to all organizations, regardless of type, size, activities and location, and should apply to all types of risk [see ISO 2005, p. 1]. In contrast to this ambitious claim, the working group right away excluded aspects of business continuity/crisis management from its program, as these issues are already subject to the efforts of another ISO working group resp. standard development (the ISO 22399 Societal security: Guideline for incident preparedness and operational continuity management) [see ISO 2005, p. 2]. As the ISO 31000 aims at establishing a common understanding regarding risk and risk management, it outlines a high-level framework instead of dealing with operational issues. Due to this objective, it sees itself as a generic guideline containing recommendations rather than explicit requirements and is therefore not intended to be used as a basis for external certification by independent third parties [see ISO 2008b, ln. 172; Brühwiler 2008, p. 15].

The content of the ISO 31000 is structured according to the following sections [see ISO 2008b, p. iii]:

Introduction
Foreword
1. Scope
2. Normative References
3. Terms and Definitions
4. Principles of Managing Risk
5. Framework for Managing Risk
6. Process for Managing Risk
Annex: Attributes of enhanced Risk Management

1. Scope: The first section of the document provides a general overview of the standard and claims its universal applicability to any public, private or community enterprise, association, group or individual as well as throughout the life of an organization, and to a wide range of activities, processes, functions, projects, products, services, assets, operations and decisions [see ISO 2008b, lines 159-164].

2. Normative References: The second section of the document refers to the ISO/IEC Guide 73, Risk management: Vocabulary (ISO 73) [see below] as a document which is seen as indispensable for the application of the ISO 31000 [see ISO 2008b, ln. 173-176].

3. Terms and definitions: The third section of the document contains a simple reference to the ISO 73 mentioned above [see ISO 2008b, ln. 178]. The reason for including this reference to a separate document instead of including all the necessary terms and definitions in the ISO 31000 itself was the fact that risk (management) related vocabulary shows a widespread relevance and is also used in many other international standards (like the ISO 22399 already mentioned above or several standards in the field of IT security or product safety). To assure a consistent use of terms and definitions in all these standards, it seemed to make sense to define the vocabulary in one separate document, which is then referenced by other standards [see Brühwiler 2008, p. 14]. Unfortunately, meanwhile the development of the ISO 73 is substantially lagging behind the progress of the ISO 31000 (e. g. approximately 40 percent of the definitions included in the ISO 73 have not even been discussed until today). This situation results in a major dilemma: Firstly, the ISO 31000 could be released as scheduled but would then contain a reference to a document which is still in a draft status and thus subject to changes, although it is seen as indispensable for the application of the ISO 31000. Secondly, the final release of the ISO 31000 could be postponed until the ISO 73 is finished, which would cause a substantial delay of approximately 1 years. Thirdly, the most relevant terms and definitions of the ISO 73 could be included in the ISO 31000 (and similar standards), accepting that the terms and definitions for one and the same subject may become inconsistent while the particular standards are further developed. While currently there seems to be a certain tendency to favor the latter approach, this problem is still unsolved and will be a predominant issue at the upcoming meeting of the working group in December 2008.

4. Principles of Managing Risk: The fourth section of the document outlines the following eleven basic principles for managing risk [see ISO 2008b, ln. 179-220]:
(a) Risk management creates value.
(b) Risk management is an integral part of organizational processes.
(c) Risk management is part of decision making.
(d) Risk management explicitly addresses uncertainty.
(e) Risk management is systematic, structured and timely.
(f) Risk management is based on the best available information.
(g) Risk management is tailored.
(h) Risk management takes human and cultural factors into account.
(i) Risk management is transparent and inclusive.
(j) Risk management is dynamic, iterative and responsive to change.
(k) Risk management facilitates continual improvement and enhancement of the organization.

5. Framework for Managing Risk: The fifth section of the document outlines a risk management framework, providing the foundations and organizational arrangements that will embed risk management throughout the organization at all levels (see figure 02) [see ISO 2008b, ln. 221-359].

Figure 02: ISO 31000 framework for managing risks

6. Process for Managing risks: The sixth (and most extensive) section of the document outlines the risk management process considering the following five main activities (see figure 03) [see ISO 2008b, ln. 360-600]:


- Communication and Consultation: Communication and consultation is seen as an integral part of all risk management activities and therefore should take place at all stages of the risk management process, involving all relevant internal and external stakeholders. It is recommended that a communication and consultation plan is developed, addressing issues relating to the risk itself as well as to its consequences and the measures being taken to manage it. Furthermore, there is strong emphasis on the fact that communication and consultation with stakeholders is especially important as they make judgments about a certain risk based on their perceptions, which can vary to a great extent due to differences in values, needs, assumptions, concepts and concerns [see ISO 2008b, ln. 369-395].
- Establishing the Context: In this step, the organization defines the internal and external parameters to be taken into account when managing risk. The context should include both internal and external parameters relevant for the organization (e. g. capabilities/know-how, information systems or policies resp. the cultural, political, legal, regulatory, financial, technological, economic, natural or competitive environment as well as the perceptions and values of both internal and external stakeholders). Furthermore, the context for the risk management process itself has to be developed (by defining e. g. roles and responsibilities, scope, depth and breadth of the risk management activities, risk assessment methodologies, ...). A last important aspect of this process step is the development of risk criteria. These criteria should be consistent with the organization's risk management policy and should continually be reviewed [see ISO 2008b, ln. 396-469].
- Risk Assessment: Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. The aim of the first activity, risk identification, is to generate a comprehensive list of risks which may affect the achievement of the organization's objectives. In this context, it is pointed out that it is important to identify the risks associated with not pursuing an opportunity [see ISO 2008b, ln. 473-485]. The second activity, risk analysis, provides input to risk evaluation as well as to decisions on the most appropriate risk treatment measures. A particular risk is analyzed by determining its consequences and their likelihood. It is also emphasized that the confidence in the determination of risks and their sensitivity to preconditions and assumptions should be considered in the analysis and communicated effectively [see ISO 2008b, ln. 486-511]. The third activity, risk evaluation, involves comparing the level of risk determined during the risk analysis with the defined risk criteria to prioritize the implementation of adequate measures for treating/mitigating the risk [see ISO 2008b, ln. 512-524].
- Risk treatment: Risk treatment involves the selection of one or more options to avoid, reduce, transfer/share or accept/self-carry risks, as well as the implementation of appropriate measures. The choice of the most appropriate risk treatment option involves balancing the costs and efforts of implementation against its benefits (which do not necessarily need to be exclusively monetary). When selecting risk treatment options, the organization should also consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. It should also be taken into account that risk treatment itself can introduce new risks, like the failure or ineffectiveness of risk treatment measures. Therefore, adequate monitoring also needs to be an integral part of the risk treatment plan. Finally, the context of the risk treatment plan (e. g. the expected benefits, performance measures, resource requirements, timing and schedule, ...) should be documented [see ISO 2008b, ln. 525-573].
- Monitoring and review: Regular and ad hoc monitoring and review activities should encompass all aspects of the risk management process and refer to all the steps described above. This process aims e. g. at analyzing and learning lessons from events, detecting changes in the external and internal context, ensuring that the risk treatment measures are effective and identifying emerging risks [see ISO 2008b, ln. 574-590].


Figure 03: ISO 31000 process for managing risks

Annex - Attributes of enhanced risk management: The closing section of the document contains a collection of attributes representing a high level of performance in managing risk. These attributes are:
a) Emphasis on continual improvement in risk management,
b) Comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks,
c) All decision making within the organization, whatever the level of importance and significance, involves the explicit consideration of risks,
d) Continual communication with internal and external stakeholders,
e) Risk management is viewed as central to the organization's management processes.
With the help of this list, organizations should be supported in measuring their own performance against the criteria outlined therein. For this purpose, some tangible indicators are given for each attribute [see ISO 2008b, ln. 601-659].

COSO ERM and ISO 31000: a comparison

As already mentioned above, generic risk management standards should first of all provide clear, unambiguous and consistent terms and definitions and describe essential components, processes and organizational structures. Moreover, they should meet the following requirements [see Winter 2007, pp. 137-138]:

Completeness: The principles described by a standard should cover all aspects of implementing and operating a risk management system.

Generic Breadth: The principles described by a standard should not set any constraints limiting its applicability but instead be suitable for a preferably wide range of organizations (i. e. independent of their industry, legal structure, activities, products, location, size, ...).

Usability: The principles described by a standard should be comprehensible and practicable.

Integration: The principles described by a standard should make clear how the risk management system can interact with or be integrated in other management systems (e. g. quality management, internal control, ...).

External Assessment: The principles described by a standard should provide an adequate basis for an independent, objective assessment by (external) experts, e. g. by being suitable for a third party certification.

As all standards refer to the same subject, it is not surprising that the elements described by them are to a large extent quite similar. Nevertheless, the particular standards do show some significant differences. In this context, a predominant role can be assigned to the criterion of completeness. If a standard is not to be limited to certain risk categories or industries (as outlined in section 1), but is instead to serve as a robust basis for the design and implementation of a truly comprehensive risk management system, the complete coverage of all risk management related topics is a prerequisite. Therefore, special attention will be paid to this issue in the following comparison between COSO ERM and ISO 31000.


Completeness: To outline the differences between particular standards regarding their completeness, it seems useful to compare them on the basis of a standardized catalogue containing the most important components a truly comprehensive risk management standard should incorporate. Possible taxonomies for structuring these requirements were e. g. proposed by Weidemann and Wieben [see Weidemann/Wieben 2001] and Neubeck [see Neubeck 2003]. In addition, some of these requirements are also reflected in the relevant accounting & auditing standards (e. g. the German IDW PS 340 [see IDW 2000]), which are mainly used for compliance assessments of risk management systems. Further input to this topic can also be found in the evaluation schemes of rating agencies for assessing the adequacy and efficiency of enterprise-wide risk management systems [see e. g. S&P 2006]. The most comprehensive evaluation scheme for risk management systems by now was developed by Winter [see Winter 2007, p. 149]. Throughout the last months, a special interest group of the German Risk Management Association (RMA) e. V., a professional organization of academics and risk managers from a wide range of industries, worked on expanding and refining this scheme [see RMA 2008]. Appendix A contains an overview of the results of these efforts.

To assess the (quantitative and qualitative) completeness of risk management standards, the criteria outlined in this catalogue will be applied to the COSO ERM and the ISO 31000. By using the scale shown in Appendix B to evaluate the elements shown in Appendix A, a comparison between the COSO ERM and the ISO 31000 can be accomplished. The results of this effort, which again are mainly based on an assessment by the special interest group of the Risk Management Association already mentioned above, are shown in Appendix B [see also Winter 2007, p. 150; RMA 2008]. It becomes clear that both the COSO ERM and the ISO 31000 cover a wide range of topics and almost completely meet the requirements outlined in the catalogue. Nevertheless, COSO ERM as well as ISO 31000 show substantial gaps regarding the element business continuity/crisis management. In the case of ISO 31000 this can be explained, as already mentioned, by the explicit exclusion of these issues as they are subject to the ISO 22399.
However, by neglecting this area and its integration with other components of a risk management system, an organization might lose sight of pivotal issues, possibly leading to a reduced efficiency of the risk management system and its acceptance by internal and external stakeholders [see Winter 2007, p. 151].

Generic Breadth & Usability: As the next two requirements show a significant trade-off, it seems to make sense to examine them jointly. When analyzing the criterion completeness (as documented in Appendix B), this issue was not only considered in a merely quantitative way. By assessing whether, resp. to which extent, a particular standard provides detailed descriptions of certain elements and practical guidance for their implementation, it is also possible to draw some conclusions regarding the generic breadth and the practical usability of the COSO ERM and the ISO 31000. In general, the evaluation shows that the COSO ERM covers most of the topics on a more detailed level and with a higher attention to practical relevance than the ISO 31000. In addition to the original standard, COSO also provides a document called Application Techniques, which contains detailed descriptions, practical illustrations and examples of how to implement the different concepts, components and processes outlined by the COSO ERM [see COSO 2004b]. The perceivable deficiencies of the ISO 31000 regarding the usability of the standard are mainly due to the fact that the ISO 31000 follows a very broad approach with great emphasis on the standard's universal applicability. However, while the COSO ERM seems to be very much focused on typical enterprises, the generic approach chosen by the ISO 31000 shows a higher flexibility and should therefore be better adaptable to the needs of other entities, like e. g. non-government/non-profit organizations & associations or companies in the public sector.

Although the ISO 31000 is not finalized yet, it seems very unlikely that its generic/high-level approach will be changed to incorporate more operational aspects. Moreover, it seems equally unlikely that the ISO 31000 will be supplemented with additional guidelines, tools, examples, checklists or similar material providing support for the practical implementation of the standard (in the case of the ONR 49000 and the AS/NZS 4360, e. g., this was primarily accomplished by including annexes covering certain topics in detail). However, as the ISO seems to be very much aware that an improvement of the usability of its risk management standard is crucial for its success, it started an initiative to develop sub-standards which should provide a more in-depth view on the practical aspects of implementing a risk management system. The first of these projects, which was started in December 2006 as a joint effort of the ISO and the International Electrotechnical Commission (IEC), focuses on the development of a standard covering the process step of risk assessment (the IEC 31010 Risk Management - Risk Assessment Techniques). Meanwhile this standard has reached the status of a Committee Draft (the third of the six-stage approval process), with its final version scheduled to be released by mid-2009 [see IEC 2008]. The document contains a relatively detailed description of 31 different approaches for risk assessment (e. g. Markov analysis, Monte Carlo simulation, Bayesian statistics and Bayes nets, Event Tree Analysis (ETA), Failure Modes and Effects Analysis (FMEA), ...) [see IEC 2008, pp. 33-93]. As it is not yet decided which other aspects of the ISO 31000 should be covered by particular sub-standards, improving the usability of the ISO 31000 remains a major issue.

Integration: Regarding the criterion of integration, both the COSO ERM as well as the ISO 31000 emphasize the importance of connecting the risk management system with existing management (sub-)systems. Obviously due to the different backgrounds of the two standard setters, and therefore not surprisingly, the COSO ERM focuses more on the relationship between risk management and strategic planning as well as internal controls, while the ISO 31000 emphasizes the link between risk management and operative systems (e. g. quality management). However, both standards extensively point out that the objectives of the risk management system should be aligned to and consistent with the strategic objectives of an organization and should exchange information with other management systems.

External Assessment: Unlike other popular standards (e. g. the ISO 9000 Quality Management Systems), neither the COSO ERM nor the ISO 31000 is intended to be used for a formal certification of an organization's risk management system. In the case of the ISO 31000, this is even stated explicitly [see ISO 2008b, ln. 172]. Nevertheless, as already mentioned above, the COSO ERM has substantially influenced major regulatory requirements, so many concepts of this framework can also be found in the relevant guidelines and standards for auditing and accounting professionals. Therefore, some kind of de-facto certification, at least for certain components of a risk management system, has emerged, e. g. if an auditor certifies that the internal controls used by an organization comply with the relevant legal requirements, which again are based on the COSO ERM framework.

For a quick overview of the results regarding the comparison between the COSO ERM and the ISO 31000, table 02 shortly summarizes the findings described above [see also Winter 2007, p. 151].

Table 02: Comparison between COSO ERM and ISO 31000

Element               COSO ERM   ISO 31000
Completeness
Generic Breadth
Usability
Integration
External Assessment


Conclusion & Outlook

As shown in the sections above, both the COSO Enterprise Risk Management - Integrated Framework as well as the ISO 31000 Risk management: Principles and guidelines on implementation can provide useful support for organizations aiming at designing and implementing an appropriate enterprise-wide risk management system. Except for the element business continuity/crisis management, both standards provide an almost complete and consistent framework incorporating all important aspects of a comprehensive risk management system. Because of their maturity, their holistic approach and their methodological consistency, both the COSO ERM and the ISO 31000 can help organizations to actually realize the potential benefits connected with the application of a generic risk management standard (see section 2). By pointing out some differences between the COSO ERM and the ISO 31000, it became clear that both approaches have certain advantages and disadvantages. Therefore, finally some potential future developments of the risk management standards landscape will be discussed.

Given the situation that on the one hand there's a well-established standard and on the other there's an emerging new one (which in fact incorporates a great variety of concepts that can be found in well-established standards), one of the following three scenarios (resp. a combination of these) seems likely:
(a) the ISO 31000 turns out to be just another standard, (more or less peacefully) coexisting alongside other frameworks,
(b) the ISO 31000 becomes some kind of meta-standard, acting as a reference point or generic basis upon which other standards are enhanced and further developed,
(c) the ISO 31000 gradually substitutes other standards.

Scenario (a) seems most likely for the relationship between the ISO 31000 and the COSO ERM. Organizations which have already implemented a risk management framework according to the COSO ERM will probably see only little benefit in occupying themselves with another standard. Furthermore, as the COSO ERM has also influenced a remarkable number of regulatory requirements, its continuing popularity and wide-spread use seems to be guaranteed. Finally, there seems to be no incentive for the US auditing and accounting associations, as the predominant promoters of the COSO ERM, to abandon the standard they have been working on throughout the last 20 years and replace it by a new one. Nevertheless, as ISO points out some new aspects (e. g. the emphasis on the efficiency of risk management systems) and works on detailing some existing ones (e. g. the in-depth description of risk assessment in the IEC 31010), having a close look at the new standard might be worth the effort even for organizations which have already implemented the COSO ERM. Finally, due to its generic breadth and high flexibility, the ISO 31000 could prove more adequate for organizations looking for a standard which is less focused on the needs of a typical company with a typical business. Therefore, the ISO 31000 could be an interesting option especially for non-profit/non-government organizations & associations as well as entities in the public sector.

Scenario (b) seems most likely for the relationship between the ISO 31000 and both the AS/NZS 4360 and the ONR 49000, at least in the near future. A first indication affirming this assumption might be the updated version of the ONR 49000:2008 Anwendung von ISO/DIS 31000 in der Praxis [practical application of the ISO/DIS 31000], which was released on June 1st, 2008 by the Austrian standard setting body (Österreichisches Normungsinstitut, ON) [see ON 2008, p. 3]. In this new release, the ONR 49000 was aligned with the ISO 31000, while at the same time the original concept of providing additional hands-on guidelines and tools for the implementation was continued, resp. even enhanced. This kind of job sharing (the ISO provides a generic document, while other standard setters provide concrete guidelines for its practical implementation) could turn out to be a reasonable approach, for the next few years at least, until the ISO itself is able to accomplish these efforts, e. g. by developing a set of sub-standards for different areas like the IEC 31010 for risk assessment. While the Austrian standard setting body apparently has already decided to move in this direction, the position of the Australian and New Zealand standardization committees still seems to be unclear.

Finally, scenario (c) seems most likely for the relationship between the ISO 31000 and the remaining standards. As most of the other frameworks (e. g. the IRMSA Code of Practice) show some noticeable deficiencies regarding the criteria outlined in section 4, a decision to use one of these standards will be hard to justify for an organization once a mature, comprehensive and consistent standard for risk management becomes available. Generally, a consolidation of the standards landscape seems quite probable in the long run, with the COSO ERM and the ISO 31000 (supplemented by a variety of sub-standards and, in the near term, by updated versions of the ONR 49000 and eventually the AS/NZS 4360) remaining as the two relevant generic standards for the design and implementation of a holistic, consistent and comprehensive risk management system.


Appendix A: Elements of risk management standards

Category / No. / Element: Description

basic principles
1 corporate strategy: consideration of risk management aspects within the corporate strategy & vision
2 risk policy: basic principles regarding the handling of risks and the risk appetite, according to strategic objectives
3 risk program: risk management objectives and activities

planning
4 organization/responsibilities: organizational elements, roles and responsibilities
5 risk identification: methods, instruments and processes for the identification of risks
6 risk assessment: methods, instruments and processes for the assessment of risks
7 risk aggregation: methods, instruments and processes for the aggregation of risks
8 risk mitigation: methods, instruments and processes for the mitigation of risks (avoid, reduce, transfer, self-carry)

control
9 implementation/controlling: implementation of a risk management system with adequate and efficient methods and processes

monitoring
10 continuous monitoring: continuous monitoring of all risks and counter measures
11 periodical checks and reviews: periodical checks and reviews of the risk management system and structures
12 management assessment: assessment of risk management efficiency and adequacy by top management
13 system efficiency: assessment of risk management efficiency and adequacy by external parties (e. g. auditors)

information & communication
14 information supply: gathering of all necessary risk management information
15 documentation: documentation of the assumptions, information, methods, processes, results ... related to risk management
16 recording: recording and storage of the information attained
17 internal reporting/communication: communication of risk management related topics to internal stakeholders (e. g. board, employees, ...)
18 external reporting/communication: communication of risk management related topics to external stakeholders (e. g. investors, regulators, ...)

management of resources
19 human resources: skills necessary to implement and operate the risk management system
20 other resources: other resources necessary to implement and operate the risk management system (e. g. IT, consulting, ...)

other aspects
21 business continuity/crisis management: reactive measures after damages have occurred to limit their impact and restore normal operations
22 interfaces to other management systems: relations and interactions with other management systems (e. g. accounting, quality management, ...)


Appendix B: Comparison of COSO ERM and ISO 31000 regarding their completeness

Coverage rating per element (numbering as in Appendix A) in the columns COSO ERM and ISO 31000:

basic principles: 1 corporate strategy, 2 risk policy, 3 risk program
planning: 4 organization/responsibilities, 5 risk identification, 6 risk assessment, 7 risk aggregation, 8 risk mitigation
control: 9 implementation/controlling
monitoring: 10 continuous monitoring, 11 periodical checks and reviews, 12 management assessment, 13 system efficiency
information & communication: 14 information supply, 15 documentation, 16 recording, 17 internal reporting/communication, 18 external reporting/communication
management of resources: 19 human resources, 20 other resources
other aspects: 21 business continuity/crisis management, 22 interfaces to other management systems

Rating scale:
no coverage: The particular element is not covered.
low coverage: The particular element is covered, definitions and descriptions remain fragmentary.
medium coverage: The particular element is covered, definitions and descriptions are sufficient, practical guidance remains fragmentary.
good coverage: The particular element is covered, definitions and descriptions as well as practical guidance are sufficient.


References:
Ballou, B./Heitger, D. (2004): A Building-Block Approach for Implementing COSO's Enterprise Risk Management - Integrated Framework, in: Management Accounting Quarterly, Vol. 6/2004, No. 2, S. 1-10.
Brühwiler, B. (2008): Der neue Risikomanagement-Standard ISO 31000, in: ZRFG, 3. Jg. 2008, H. 01, S. 14-17.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) [ed.] (2004a): Enterprise Risk Management - Integrated Framework. Framework, New York 2004.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) [ed.] (2004b): Enterprise Risk Management - Integrated Framework. Application Techniques, New York 2004.
Eckert, S./Müller, K. (2006): COSO Enterprise Risk Management Framework, in: Controlling, H. 3/2006, S. 161-163.
Erben, R. F. (2008): Das COSO-ERM-Framework als Ansatz zur Standardisierung von Risikomanagementsystemen, in: Bachert, R./Peters, A./Speckert, M. [Hrsg.]: Risikomanagement in Non-Profit-Organisationen, Baden-Baden 2008.
Foerschler, D./Scherf, C. (2007): COSO II Enterprise Risk Management Framework in der operativen Revisionspraxis, in: ZRFG, 2. Jg. 2007, H. 05, S. 209-215.
International Electrotechnical Commission (IEC)/International Organization for Standardization (ISO) [eds.] (2008): IEC 31010 Ed. 1.0: Risk Management - Risk Assessment Techniques, Document No. 56/1268/CDV, May 23rd, 2008.
International Organization for Standardization (ISO)/WG on General Guidelines for Principles and Implementation of Risk Management [ed.] (2005): Terms of Reference as adopted by the ISO/TMB, Document No. NA 095-04-02 N 0007, June 22nd, 2005.

International Organization for Standardization (ISO) [ed.] (2008a): About ISO, published electronically: http://www.iso.org/iso/about.htm.
International Organization for Standardization (ISO) [ed.] (2008b): Risk management: Principles and guidelines on implementation, Draft International Standard ISO/DIS 31000, Geneva 2007.
Institut der Deutschen Wirtschaftsprüfer (IDW) [ed.] (2000): IDW PS 340 - Die Prüfung des Risikofrüherkennungssystems nach § 317 Abs. 4 HGB, Düsseldorf 2000.
Kuhn, H. (2006): Risikomanagement für Unternehmen - Was bringen die neuen Normen?, in: MQ Management und Qualität, H. 6/2006, S. 8-10.
Neubeck, G. (2003): Prüfung von Risikomanagementsystemen, in: Marten, K.-U./Quick, R./Ruhnke, K. [Hrsg.]: Hochschulschriften zur Wirtschaftsprüfung, Düsseldorf 2003, S. 85 f.
Nicklisch, H. (1912): Allgemeine Betriebslehre als Privatwirtschaftslehre des Handels und der Industrie, Band 1, Leipzig 1912.
Österreichisches Normungsinstitut (ON) [ed.] (2008): Zur Neuausgabe der ON-Regeln ONR 49000 Anwendung von ISO/DIS 31000 in der Praxis (Fachinformation 06), Wien 2008.
Risk Management Association e. V. [ed.] (2008): Bewertungsschema für Risiko Management Standards, München 2008 (internal document, unpublished).
Ruud, T. F./Sommer, K. (2006): Enterprise Risk Management - Das COSO-ERM-Framework, in: Der Schweizer Treuhänder, 3/2006, S. 127-128.
Sarbanes, P. S./Oxley, M./US Dept. of Justice [ed.] (2002): An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes, Washington 2002, published electronically: www.usdoj.gov.


Schmid, W. (2005): Risk Management Down Under (AS/NZS 4360:2004), in: RISKNEWS, H. 03/05, S. 25-28.
Shortread, J. H. et al. (2003): Basic Frameworks for Risk Management, Network for Environmental Risk Management [eds.], 2003.
Simister, T. (2000): Risk Management - the need to set standards, in: Balance Sheet, Vol. 8, No. 4, S. 9-10.
Standard & Poor's [ed.] (2006): Insurance Criteria: Refining The Focus Of Insurer Enterprise Risk Management Criteria, London 2006.
Weidemann, M. (2001): Der australisch-neuseeländische Standard AS/NZS 4360:1999 zum Risikomanagement, in: Der Betrieb, 54. Jg. 2001, H. 50, S. 2613-2618.
Weidemann, M./Wieben, H.-J. (2001): Zur Zertifizierbarkeit von Risikomanagement-Systemen, in: Der Betrieb, 54. Jg. 2001, H. 34, S. 1789-1795.
Winter, P. (2007): Risikocontrolling in Nicht-Finanzunternehmen - Entwicklung einer tragfähigen Risikocontrolling-Konzeption und Vorschlag zur Gestaltung einer Risikorechnung, Lohmar/Köln 2007.
