Focusing on the ‘Enterprise’ in Enterprise Risk Management
Guest Post by Robert Pojasek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Why does COSO ERM:2017[i] use the word “enterprise” in the title of their standard and ISO 31000:2018[ii] is a “risk management standard?” CERM Academy also has a book on this topic[iii]. So, what does the concept of an “enterprise” impart to an organization, if anything, to set apart the COSO standard from the ISO standard?
A search of the definition for enterprise covers the entire gamut of possible uses. There appears to be little difference between business enterprise and the business itself.
COSO defines Enterprise Risk Management as “the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value.”
ISO31000:2018 defines Risk Management as “coordinated activities to direct and control an organization with regard to risk.”
The COSO ERM:2017 is written in business language that focus on the needs for financial management of the non financial aspects of the activities that are subject to risk management.
ISO 31000:2018 provides just the standard without the support we need to see the differences between these two standards. To support the background of ISO 31000:2018, we will need to read the IRM publication, “A Risk Practitioner’s Guide to ISO 31000:2018[iv]. Since ISO 31000:2018 was derived from the original risk management standard, AS/NZS 4360, it would be prudent to explore the document that Standards Australia/Standards New Zealand prepared for ISO 31000:2009[v]’.
With the ISO 31000:2018 support documents cited above, let’s now dive in to understanding the significance of the word, “enterprise” found in the COSO risk management standard.
COSO and the Enterprise
The COSO ERM:2017 has more than 200 pages of information. While the “Executive Summary” is available online, you will have to purchase the standard from COSO. The standard is written in business language, not unlike a typical MBA textbook. While COSO recognizes that not all organizations have a board of directors, Principle 1 defines how the board exercises risk oversight in an organization. It is quite detailed and will be of great interest to the board.
COSO Principle14 shows how an organization can develop a portfolio review for risks. This is aggregating tool is commonly used by corporate boards.
There are many other areas where advice is provided to the board. This makes COSO very appealing to publicly traded corporations in the United States to satisfy their requirements under Sarbanes-Oxley Section 404[vi]. However, the new 2017 version is quite different than the “old cube” used in previous editions. It looks much more like ISO 31000:2018 in many topic areas.
ISO and the Organization
ISO 31000:2018 is focused on risk management in “organizations”. All ISO management system standards are focused on organizations. An organization is defined by ISO as, “person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives. The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.”
The IRM guide has a chapter, “The Nature of Management Systems,” to help the ISO 31000:2018 standard user understand the difference in approach with respect to organizations when compared to COSO ERM:2017.
In the risk management framework (Clause 5.2.1), the following statement is made: “top management and oversight bodies, where applicable, should ensure that risk management integrated into all organization activities.” According to the independent guidance for the standard, the oversight bodies could be Boards of Directors.
I use both standards in my risk management consulting practice. I choose to start with ISO 31000:2018 since it can be easily integrated with the other ISO management systems currently in use by the organization. This is the best way to make risk management part of what everyone does every day. The standard’s three sections (i.e. principles, framework, and process) are very helpful in organizing and integrating the risk management activity.
If the organization is a publicly traded company, I add information from COSO ERM:2017 that would be of importance to the board whether the risk management system is being used by the corporate office or at any of its facilities. There are other sections in COSO ERM:2017 that could help quality management system users to understand how to determine the context of their organization so they can conduct a risk program in Clause 6.1.1 as required by ISO 9001:2015!
When I use the supporting documents for ISO 31000:2018, I can create an integrated (enterprise) risk management program that will fit how the organization wants to use it. Even though ISO does not define or use the word, enterprise, its use helps anchor risk management within every part of the organization.
What is your view on the use of the word, enterprise, when used to embellish the risk management system?
Robert B. Pojasek, Ph.D.
Harvard University & Pojasek & Associates LLC
Risk Management & Organizational Sustainability
(781) 777-1858 Office
(617) 401-5708 Mobile & Text
Organizational Risk Management and Sustainability:
A Practical Step-by-Step Guide
Now available as an e-book
Also available as an online action learning course
[i] COSO ERM:2017 Executive Summary https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
[iv] IRM’s Risk Practitioners Guide to ISO 31000:2018 https://www.theirm.org/media/3513119/IRM-Report-ISO-31000-2018-v3.pdf
[v] AS/NZS HB 436 “Risk Management Guidelines – Companion to AS/NZS ISO 31000:2009” https://infostore.saiglobal.com/store/downloadFile.aspx?path=Previews%%205cas%%205cmisc%%205chandbook%%205cHB436-2013.pdf
[vi] AICPA Information on Sarbanes Oxley Section 404 https://www.aicpa.org/advocacy/issues/section404bofsox.html