News | September 3, 2010
Setting the standard
 
By early next year it is likely the first global risk management standard will be a reality. Grant Purdy steps through the changes it will bring, and gives a guide to putting it into practice



The new ISO risk management standard will guide those companies that have not previously embarked on enterprise risk management. It will also challenge those that have adopted the strategy but where it is not yet working effectively.

The standard has been written with a wide range of organisations in mind. It not only provides information on the processes to be adopted generally for risk management, but also contains advice on how those processes should be implemented through the development and implementation of a ‘framework’.

Such a framework “integrates” risk management into the organisational context and provides the mandate, resources and management system to enable effective risk management to take place, to improve and to adapt in time.



Five steps to implementation

Quite simply, the implementation of risk management under ISO 31000 should follow the processes described in that standard. In particular, those wishing to improve or advance risk management within their organisations should use the principles and attributes of good practice given in the standard as a means to benchmark and evaluate what they are doing now.

Furthermore, the strategies developed and adopted to improve an organisation’s approach to risk management, to bring it into line with the “performance” requirements of ISO 31000, should follow the advice given in Clause 5 of the standard.

1: Change the paradigm for risk and risk management. Many risk management practitioners have learnt to their cost that it is very difficult to implement effective risk management in an organisation if management, particularly at a senior level, doesn’t have a mature understanding of risk and how it can be managed.

ISO/IEC Guide 73 – the guide to risk management vocabulary being issued at the same time as ISO 31000 – defines risk as: “effect of uncertainty on objectives”. That definition is consistent with that in the Australian and New Zealand Standard 4360:2004: “the chance of something happening that will impact objectives”. However, the new definition moves our thinking on and beyond “events” and “things that happen”. Certainly the new definition is a world away from the way many people still think of risk as “hazards” or “things that go wrong”. Unfortunately, in many organisations the terms “risk” and “hazard” are still confused and the link between objectives and risk is not properly understood and appreciated.

ISO 31000 is predicated upon risk being the uncertainty that lies between us and our objectives. This concept is quite simple and, of course, very relevant to managers and executives. It implies a top-down philosophy in which risk management becomes a key process enabling the organisation to determine and achieve its objectives. Risk is neither positive nor negative. It is just risk.

Of course, consequences can be both negative and positive, and the main purpose of the risk management process is to treat the causes of risk so as to magnify the likelihood and size of the positive, beneficial consequences while acting to shrink the likelihood and size of the negative, detrimental consequences.

Unless management, especially senior management, appreciates this paradigm for risk and risk management, no real progress can be made in implementing the standard. Achieving this understanding must be tackled first, as part of obtaining a mandate.

2: Take stock. Clause 5 of the standard contains full advice on how a framework should be developed, implemented and kept up to date and effective.

Of course the risk management framework must be designed to suit the organisation, its internal and external context. However, the framework for all organisations, whatever their size or purpose, should still contain certain essential elements for risk management to be effective. The diagram ‘Risk framework elements’ on page 15 contains a general scheme showing all the required elements, including those for the risk management process and risk management information system.

The starting point for improving an organisation’s approach to risk management should always be a gap analysis that “takes stock” and evaluates what processes and systems are present now. If any of the essential elements are missing it is highly unlikely that risk management will become effective.

3: Evaluate your maturity. Unfortunately, some organisations which have attempted to implement ERM and other forms of risk management in the past have been ill-advised, ill-directed or have followed a deficient standard. Because of this, dysfunctional systems of risk management are often encountered that not only yield very little return for the investment that has been made, but are often viewed as a compliance overhead or an imposition, more concerned with the reporting of risks rather than with their effective treatment.

Clause 4 of ISO 31000 contains a list of practical and important “principles” that should be the starting point for any maturity evaluation. These principles ask not only: “Does the process element or system exist?” but also “Is it effective and relevant for your organisation?” and “Does it add value?”. In fact, the first principle is that risk management must add value.

The annex to ISO 31000 also contains a list of attributes that seek to represent excellence in risk management, particularly ERM. These should be treated as aspirational goals – representing stretch targets for existing good risk management processes and frameworks.

4: Develop your plan to start. We would recommend that the person or team who is leading the risk management activity should create a plan that shows the actions that will be taken initially to “start up” risk management according to ISO 31000. This plan should be carefully developed because it will provide the foundations for effective risk management and will become the guide that the whole organisation follows. The plan should include:

• Conducting a gap analysis and maturity evaluation;

• Getting a sponsor and receiving a clear mandate;

• Setting a realistic timetable (years);

• Getting a budget (and some help?);

• Spending enough time getting ready and deciding when you will be ready to roll down;

• Phasing in the processes (one a year?);

• Deciding on the “early adopters” with credibility and starting with them;

• Deciding on the “blockers” and taking them on later;

• Looking out for opportunity to “showcase” risk management.

In particular, the plan should include the strategy to be adopted to “engage” management at successive layers of the organisation, as the risk management framework is rolled down.

5: Develop your plan to keep it going. Often organisations start risk management well, but after the first few months the process can falter and momentum is lost. This can arise from a change in staff or leadership, but often occurs because senior management assume that risk management no longer needs their attention, which is then diverted towards some other initiative or project.

Fundamentally such problems arise because risk management is being treated as a short-term initiative or a project and there is no understanding that implementing enterprise risk management requires and is part of a significant culture change.

Often there is an unrealistic understanding of how long it takes an organisation to change culture, to embrace and embed risk management. Some changes can happen quickly but it does require prolonged effort and management focus to make risk management become self-sustaining.

For these reasons it is essential for organisations also to plan for how they will maintain, sustain, improve and adapt their approaches to risk management – as their organisation and its external context changes.

Key actions to make a risk management framework self-sustaining include:

• Embedding risk management processes into key business processes. For example: using risk assessment as part of the management of change; integrating strategic plan development with risk assessment and root cause analysis; and building accountability and skills in line management review and assurance of controls.

• Applying performance management processes to risk management at both a personal and an organisational level. This will involve making line management accountable for their own risk management plans, reinforcing accountability for risks and controls through performance monitoring and reporting using a risk management information system, and setting up a system of periodic management self-evaluation and reporting with internal audit validation and corroboration.

Valuable momentum can also be achieved by allowing the detailed direction of risk management to lie with a “community of practice” of risk champions who represent all parts of the organisation.

This transfers ownership of the framework and its enhancement to the business as a whole and away from the risk management department.

There has been a lot of interest recently in reporting about risks and risk management. This has been stimulated by the ERM Framework produced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the US, the Sarbanes-Oxley legislation and similar requirements – including our own ASX Corporate Governance Guidelines.

Much of this reporting has focused on systems to escalate the notification of risks identified up the management chain in the belief that “big” risks must be notified to senior people. However, this risk reporting activity has sometimes served to distract attention away from the main purpose of risk management – to treat risk.

Somehow, some organisations have become so caught up with the reporting frenzy that risk treatment becomes a secondary consideration. Some software systems encourage this imbalance and the linking of compliance and risk management has sought to re-frame risk management into just risk reporting.

Reporting is just one part of risk management. In practice, it should be incidental to good risk management, not the sole purpose for it to occur. Fortunately, the revised Principle 7 of the ASX Guidelines now requires reporting on “risk management” not on risks. After all, if an organisation’s approach to risk management is defective, any report of the risks it faces must be treated with suspicion.



The future of risk management

AS/NZS 4360 has been applied and adopted by many thousands of organisations in Australia, New Zealand and across the world over the last 13 years. They have generally found that it provides a very practical approach to the management of risks which can be widely applied.

On the other hand, there are many signs now that organisations that have attempted to implement the COSO ERM framework are dissatisfied with the progress they have made and are seeking an approach more relevant to the strategic management of their businesses. Several authors have pointed out that the COSO framework possesses many technical and practical weaknesses. For example, the well-known commentator Felix Kloman has said: “Most efforts improve the breed, although the COSO II (Committee of Sponsoring Organizations) monster in the United States set us back several years. The Australian/New Zealand effort should be the bellwether if risk management is to continue to evolve and flourish” (see Risk Management Reports, v33, No.10, October 2006).

Ali Samad-Khan has pointed to technical weaknesses in the way COSO requires risk analysis to be conducted. He has said: “COSO not only fails to help a firm assess its risks, it actually obfuscates the risk assessment process” (see Operational Risk, January 2005).

The Institute of Internal Auditors was one of the authors of the COSO ERM Framework. Their Australian branch, in a letter to Standards Australia containing comments on the latest draft of ISO 31000:2009, has suggested that: “While those responsible for setting the ISO standard may not agree with everything in the COSO ERM document, they need to be cognisant that a very significant number of organisations around the world have invested significant effort into developing risk management frameworks which are based on COSO and that a competing standard is likely to cause significant frustration and confusion by users.

“As such the IIA-Australia would contend that if ISO is to go ahead with this standard, then a harmonisation project would be appropriate to ensure that these two documents are compatible and/or complementary. This may require an update to COSO, an update to the draft ISO 31000 or both.”

It seems almost certain now that ISO 31000 will become a global standard early next year and that it will become the paramount standard for risk management for all countries. It also seems likely that the COSO ERM standard will need to change because it currently does not comply with ISO 31000.

For instance, the approach to risk management it advocates does not satisfy the principles of good risk management under Clause 4 of the ISO standard. COSO also omits certain key elements of the risk management process (Clause 6), does not contain practical guidance on implementation (Clause 5), and does not lead to approaches to risk management that meet the attributes of excellence (included in the ISO 31000 Annex).

Importantly, under COSO risk is still about events with negative consequences and is not associated with the achievement of an organisation’s broad objectives and the uncertainty faced in that.

I would strongly advocate that organisations look to ISO 31000 itself as the primary guide to implementing the standard. This should involve a carefully planned process starting with taking stock of the existing approaches using a gap analysis followed by maturity evaluation.

The development of a strategic plan for risk management is then essential. This should not only address the immediate steps to be taken but also deal with how effective risk management can be sustained over time.

We are also confident that ISO 31000 will quickly receive universal acceptance and will lead to the rectification of the deficiencies in some other standards such as that from COSO.

In time we expect to see that risk management implemented according to ISO 31000 will be seen to be adding much value to many organisations and that it will become a worthy successor to AS/NZS 4360:2004. In summary, ISO 31000 will treat the risk in risk management.



This is an edited paper presented at the LexisNexis Risk Management conference held last month



Grant Purdy is associate director of Broadleaf Capital International, and Standards Australia’s nominated expert to the ISO Risk Management Working Group



14 August 2008

Copyright © Reed Business Information. All material on this site is subject to copyright. All rights reserved. No part of this material may be reproduced, translated, transmitted, framed or stored in a retrieval system for public or private use without the written permission of the publisher.
