#215 – RISK MANAGEMENT STANDARD TASTE TEST – BOB POJASEK

AAIAAQDGAAwAAQAAAAAAAAuRAAAAJGJmZGQ0Njg0LWFlNDUtNDcyZC04MTVhLWJkNmM1Zjg1MGZmOQ-150x150On My Left is COSO ERM:2017! On My Right is ISO 31000:2018!

Many companies are in the process of conducting the risk management taste test.  The problem is that many of these companies are not yet sold on risk management.  However, stakeholders, institutional investors and the US Securities and Exchange Commission have other ideas.

COSO ERM:2017 is going to be widely used by publicly traded companies since it is customized to work well in an organization with a Board of Directors. This new version has shed the COSO “cube” for a principles-based narrative structure with five “components” and 20 “principles.”  Weighing in at 110 pages, it has much of the information that you will need to put it to work in your company.

ISO 31000:2018 is more focused for use by all of the other companies and is closely related to the ISO high-level structure used in all of the ISO management system standards.  It has three interrelated components – principles (they are different than the principles in COSO ERM), a process (for the risk assessment) and a framework that shows how to manage a risk management program with these structures.  The standard weighs in at 16 pages.  You will probably need to invest in ISO TR 31004 and a copy of the Australian HB 436 companion to ISO 31000:2009 to find the best means for connecting the three-part risk management standard with the needs of your organization.

Finding the Right Fit

You can compare the ISO 31000:2018 risk framework components (i.e. leadership and commitment, integration, design, implementation, evaluation and improvement) with its counterpart elements in the COSO ERM. It is a bit easier to conduct the comparison from the perspective of the ISO 31000 risk process components that include the organization’s context, risk assessment, risk response, recording and reporting, communication and consultation, and monitoring and review.

While the risk principles differ in the two standards, both risk standards do an excellent job in preparing a risk-aware culture within the organization. With a little work, I was able to compare them in a logical fashion.

Getting Back to the Taste Test

Let’s face it, risk management is not welcomed with open arms by all organizations.  However, it has been used effectively in Australia since the first risk management standard (AS/NZS 4360) was published in 1995.  I really like the narrative structure of the new COSO ERM. The front part of the COSO ERM provides useful information on applying the framework and putting it into the context of the organization.

Because both risk management processes describe risk as opportunities and threats, it is comforting that COSO ERM uses the term, “risk response” instead of “risk treatment” – a term associated with the management of the threats.

With both standards, there is an opportunity to make some changes to help the standard work more effectively.  Many companies have experienced an increased level of uncertainty with emerging, context and strategic risks.  Each of these systems can help you deal with disruption.

ISO 31000 states it well – “This document is for use by people who create and protect value in organizations by managing risks, making decisions, setting and achieving objectives and improving performance. Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.”

COSO states – “Integrating enterprise risk management practices throughout an organization improves decision-making in governance, strategy, objective-setting, and day to day operations. It helps to enhance performance by more closely linking strategy and business objectives to risk. The diligence required to integrate enterprise risks management, provides an entity with a clear path to creating, preserving, and realizing value.”

Making the Choice

The investment community and the government regulators continue to examine how organizations manage risk.  Whether you choose IO 31000, COSO ERM, or some combination of the two standards, you should be able to help your organization to effectively manage risks. By engaging with your diverse set of stakeholders, you can improve your ability to set a strategy and business objectives that can be effective even is the face of disruption and the constant change in the external and internal operating environments.  In today’s world, you do not want to operate without an effective risk management system.  It is time to take the taste test.  I’ll provide more information in the next few weeks.  Stay tuned!

Bio:

Robert B. Pojasek, Ph.D.
Harvard University & Pojasek & Associates LLC
Risk Management & Organizational Sustainability
rpojasek@sprynet.com
(781) 777-1858  Office
(617) 401-5708  Mobile & Text
www.linkedin.com/in/bobpojasek
Organizational Risk Management and Sustainability:
A Practical Step-by-Step Guide
Now available as an e-book
http://tiny.cc/xz3fhy

Also available as an online action learning course

http://tiny.cc/y23fhy

Expert as environment, health & safety, and sustainability professional with a record of providing leadership, training and operational support to all levels of the organization; Implements new and revised management systems to drive EHS/sustainability program conformance throughout the operation; Integrates organizational systems of management using the ISO harmonized high-level structure; Provides support for organizations implementing sustainability/risk management practices featured in my book.

Leave a Reply

Your email address will not be published. Required fields are marked *