In my past two blogs, we have examined the risk-aware culture[i] and the risk management process[ii] as found in ISO 31000:2018 and COSO ERM 2017. This blog addresses the third structural element defined by these documents: the “risk management framework.” ISO 31000:2018 treats the risk management framework as one of three components, alongside the risk-aware culture and the risk management process. COSO ERM 2017, by contrast, is itself a risk management framework, even though it covers the same ground that ISO 31000:2018 covers across its three-component risk management standard.
ISO 31000:2018 Risk Management Framework
As stated in this international standard, “the purpose of the risk management framework is to assist the organization in integrating risk management into all of its activities and functions.”[iii] Effective integration of risk management into the governance and all activities of the organization, especially decision-making, is critical to the success of the organization as it seeks to manage the “effects of uncertainty.” This requires support from all internal and external stakeholders, particularly top management and the board.
ISO 31000:2018 uses a risk management framework that consists of six iterative elements:
- Leadership and commitment
- Integrating risk management
- Design
- Implementation
- Evaluation
- Improvement
You will note the familiar plan-do-check-act (PDCA) cycle in this activity. Everyone in the organization has the responsibility to manage risk.
COSO ERM 2017 Risk Management Framework
In COSO ERM 2017, the entire process is referred to as a “framework.” This is quite different from the approach used in ISO 31000:2018. The framework consists of five interrelated components[iv]:
- Governance and Culture
- Strategy and Objective-Setting
- Performance
- Review and Revision
- Information, Communication and Reporting
The first three components represent the processes that are conducted to support:
- Strategy Development
- Business Objective Formulation
- Implementation and Performance of the ERM
“Framework” items 4 and 5 represent processes that support the ERM.
Each of the five components contains several “principles” (a word that is used differently from the “principles” in ISO 31000:2018). There are 20 principles in COSO ERM 2017. These principles are presented as “things organizations would do as part of the organization’s enterprise risk management practices.”
Comparison of the Two Risk Management Frameworks
Both COSO ERM 2017 and ISO 31000:2018 help the user understand “what” needs to be done to establish and maintain a risk management program. These standards do NOT tell you “how” to do this. Each organization must bring its own judgement and experience to bear in applying the frameworks.
ISO 31000:2018 has a widely accepted method for developing a risk-aware culture[v] in the organization.
ISO 31000:2018 and COSO ERM:2017 both have a risk management process[vi].
COSO ERM:2017 has a decided business focus that guides an organization from its mission, vision, and core values to its enhanced value proposition.
While the two standards are configured differently, it should be a straightforward task to create a hybrid standard for an organization that is seeking a decided edge in how it uses risk management within its organization and in its influence throughout its value chain.
[i] https://insights.cermacademy.com/2018/09/216-creating-risk-aware-culture-bob-pojasek
[ii] https://insights.cermacademy.com/2018/09/217/
[iii] https://www.iso.org/obp/ui#iso:std:iso:31000:ed-2:v1:en
[iv] https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
[v] See Reference i
[vi] See Reference ii
Bio:
Robert B. Pojasek, Ph.D.
Harvard University & Pojasek & Associates LLC
Risk Management & Organizational Sustainability
rpojasek@sprynet.com
(781) 777-1858 Office
(617) 401-5708 Mobile & Text
www.linkedin.com/in/bobpojasek
Organizational Risk Management and Sustainability:
A Practical Step-by-Step Guide
Now available as an e-book
http://tiny.cc/xz3fhy
Also available as an online action learning course
Expert as an environment, health & safety, and sustainability professional with a record of providing leadership, training and operational support to all levels of the organization; implements new and revised management systems to drive EHS/sustainability program conformance throughout the operation; integrates organizational systems of management using the ISO harmonized high-level structure; provides support for organizations implementing sustainability/risk management practices featured in my book.