#216 – CREATING A RISK AWARE CULTURE – BOB POJASEK

The two most widely-used risk management system standards are ISO 31000:2018 and COSO ERM:2017.

ISO 31000:2018[i] presents eight ‘principles’ that provide guidance on the characteristics of efficient and effective risk management, communicate its value, and explain its intention and purpose.  These principles are offered as the foundation for managing risk and seek the users’ consideration when establishing the organization’s risk management framework and processes.

COSO ERM:2017[ii] uses the ‘Governance and Culture Component’ and Principle 3 (‘Defines Desired Culture’) to assist the board of directors and management in defining the desired culture.  Core values are specified to drive the expected behaviors in day-to-day decision-making to be able to enable everyone to engage with stakeholders inside and outside the organization.

Let’s Take a Deep Dive to Examine the Culture Differences

COSO ERM:2017 states that establishing a culture embraced by all personnel (where people do the right thing at the right time) is critical to the organization’s ability to seize opportunities and manage risk so that it achieves the strategy and business objectives set out in the risk management program. Many factors shape the organization’s culture.  Internal factors include the level of judgement and autonomy given to personnel, how the organization’s employees interact with each other and their managers, the standards and rules, the physical layout of the workplace, and the reward system in place.  External factors include regulatory requirements and the expectations of customers, investors, and other influences. The organization’s ability to achieve its strategy and business objectives is impeded when the behaviors and decisions of the organization do not align with its core values.  In a risk-aware culture, personnel know what the entity stands for and the boundaries within which they can operate.  They can openly discuss and debate which risks should be taken to achieve the entity’s strategy and business objectives, with the result being employee and management behaviors that are more consistently aligned with the entity’s risk appetite.

As mentioned above, ISO 31000:2018 lists eight ‘principles’ for effective risk management.  The role of these principles is to inform and guide all aspects of the organization’s approach to risk management.  They also provide the basis for managing the risks associated with risk management itself!  Rather than ‘implementing’ the principles as suggested in COSO ERM:2017, the organization should ‘give effect to them in all aspects of risk management.’

How to ‘Give Effect’ to the ISO 31000:2018 Principles[iii]

In ISO 31000:2018 the principles are not specified actions that must be taken, but rather essential underlying concepts and drivers.  The principles provide guidance on the way the risk management process is applied, and they supply indicators or characteristics that can be used diagnostically to evaluate the effectiveness of the risk-aware culture.  Although the principles are expressed succinctly, the implications of each need to be thoroughly understood to ‘give effect’ to them on a continuing basis.

The most effective way to give effect to the principles is to become thoroughly conversant with each principle.  Each stakeholder needs to ensure that the meaning of the words used in the principles is properly understood and that this meaning becomes part of the understanding of the principle.  Everyone must also recognize that many of the principles are interrelated and that their linkages must be kept in mind.

For each principle, stakeholders must consider, in a general sense (in the context of their organization), in what respects the principle would be likely to have application.  For each principle, they must review the present situation and consider which aspects of the organization’s activities and its risk management practices the principle applies to.  They then consider to what extent the principle is already evident and in which ways it could be given greater effect.

Standards of Australia have developed a tool[iv] that guides everyone through the process and allows for a qualitative measure of the principle’s application over time.

It’s Your Choice

You can use either standard or create a hybrid standard for your own organization.  In my consulting practice, I have found that the process and tool for ‘giving effect’ to risk management principles works much better than having a board of directors telling people to just go and change the existing culture – no matter how compelling the instruction might be. We’ll look at the ‘risk management process’ in the next blog.

Bio:

Robert B. Pojasek, Ph.D.
Harvard University & Pojasek & Associates LLC
Risk Management & Organizational Sustainability
rpojasek@sprynet.com
(781) 777-1858  Office
(617) 401-5708  Mobile & Text
www.linkedin.com/in/bobpojasek
Organizational Risk Management and Sustainability:
A Practical Step-by-Step Guide
Now available as an e-book
http://tiny.cc/xz3fhy

Also available as an online action learning course

http://tiny.cc/y23fhy

Expert as an environment, health & safety, and sustainability professional with a record of providing leadership, training and operational support to all levels of the organization; implements new and revised management systems to drive EHS/sustainability program conformance throughout the operation; integrates organizational systems of management using the ISO harmonized high-level structure; provides support for organizations implementing the sustainability/risk management practices featured in my book.

[i] ISO 31000:2018 Risk Management Guidelines – available through any ISO authorized standards distributor online

[ii] COSO ERM:2017 Enterprise Risk Management: Integrating with Strategy and Performance – https://www.coso.org/Pages/ERM-Framework-Purchase.aspx

[iii] AS/NZS HB 436 Risk Management Guidelines – Companion to AS/NZS Risk Management Guidelines: 2009 – https://infostore.saiglobal.com/en-us/standards/sa-snz-hb-436-2013-1694350/

[iv] Ibid.
