ISO 31000 Risk Management – Principles and Guidelines on Implementation
January 2008, written by Geoff Rodrigues, CA, ORMP of Horwath Orenstein

Risk management is defined as a systematic and disciplined approach for assessing the likelihood and impact of potential events occurring that could impede an organization from achieving its corporate objectives, and ensuring measures are in place to prevent those events from occurring.
The International Organization for Standardization (ISO) is in the process of developing a standard expected to become effective in 2009 that sets out guidelines for companies on implementation of risk management practices in their organization. This ISO 31000 is intended to apply to organizations of all sizes.
The fundamental principle in ISO 31000 is “Framework Design, Implementation, Monitoring and Review, and Continual Improvement of Framework”. This sounds very similar to the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management (ERM) Model of “Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, and Monitoring”. Below are the definitions of the fundamental principles:
Framework design – a systematic process developed to determine what the corporate objectives of the organization are and to gather information to identify and assess risk and the likelihood of events occurring that would prevent the objectives from being achieved. The COSO equivalent is “objective setting, event identification, and risk assessment”.
Implementation – the method by which management develops a response to deal with the “critical” risks identified, based on probability and impact, and the measures put in place to mitigate those risks. The COSO equivalent is “risk response, and control activities”.
Monitoring and review – a system in place to periodically perform test procedures to ensure the framework is operating as designed. This function is typically performed by a party independent of those who perform the activities, such as the Internal Audit department. The COSO equivalent is “Information and Communication, and Monitoring”.
Continual Improvement – a component of the monitoring and review phase, whereby changes are made to the risk management framework to align with changes in the industry or organization, resulting in improvements in the way management activities are performed. This is the only piece missing from COSO’s ERM model; however, it is generally understood that risk management is a continuous process that evolves and adapts with the organization and must be continuously reviewed and adjusted accordingly.
ISO 31000 does not require certification but is intended to provide principles and guidelines on implementation of risk management.
Some of the key components in ISO 31000, which are consistent with other standards such as COSO, are:
- While risk usually implies a negative outcome, it can also identify opportunity for positive outcomes, such as reacting to changes in the economy earlier than the competition, or anticipating changes in supply chains or customer demand, etc.
- Risk management should be integrated with the ongoing operations and not be treated separately. It should be aligned with the overall decision-making process of the organization.
- Risk is unique to each organization, and therefore each company’s risk management framework should be customized to match its specific objectives, strategies, risk tolerance, and methods of operating.
- Risk management frameworks should focus on enterprise-wide policies and practices, and not be segregated among divisions and business units.
- Individuals’ own accountability and performance evaluation criteria should be aligned with their roles and responsibilities within the framework.
- Risk management should “create value” for the organization, and therefore the resources invested in developing and maintaining the framework should be outweighed by the degree of achievement of the corporate objectives by virtue of increased profits, reduced costs, increased market share, increases in value creation, etc.
- A consistent set of terminology should be developed, such as risk, event, control, risk tolerance, residual risk, etc.
While ISO 31000 does not appear to introduce concepts that are new or unique, its appeal is that it suggests a harmonized standard that organizations of all sizes across the world can look to for principles and guidelines on implementing a risk management framework. This will become even more important once the move towards a harmonized set of International Financial Reporting Standards (IFRS) for organizations across the world has been completed.