Understanding the ‘Risk Management’ Process
Guest Post by Robert Pojasek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
There are two widely-used risk management standards:
- ISO 31000:2018
- COSO ERM 2017
In my previous blog[i], I presented details on how these risk management standards address the development of a risk-aware culture – a necessary foundation for risk management success. As promised, this blog will address the risk management “process.” This is how the organization addresses specific risks.
ISO 31000:2018 Risk Management Process[ii]
This international standard creates three interrelated risk management process activities:
- Develop the Scope, Context, Criteria
- Conduct the Risk Assessment
- Address the Risk Treatment (COSO ERM calls this Risk Response)
The ISO 31000 risk management process is often described as the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk. This risk management process dates back to 1995 with the release of the first risk management standard – AS/NZS 4360:1995.
It is important to have the risk management process be an integral part of management and decision-making. This process needs to be integrated into the structure, operations, and processes of the organization. It is NOT a “stand-alone” process!
The ISO 31000 risk management process has many applications within an organization since it is customized to achieve objectives and to address the risks in the external and internal context in which they are applied.
The component of the COSO ERM framework that deals with the risk management process can be found in the “performance” section (Component 8). Entities use a process that:
- Identifies new and emerging risks so that management can deploy risk responses in a timely manner
- Assesses the severity of risk, with an understanding of how the risk may change depending on the level of the entity
- Prioritizes risk, allowing management to optimize the allocation of resources in response to those risks
- Identifies and selects responses to risk (both opportunities and threats)
- Develops a portfolio view to enhance the ability for the entity to articulate the amount of risk assumed in pursuit of the strategy and business objectives.
As in the case of the ISO 31000 process, the practices in the COSO ERM are interactive, with the inputs in one step of the process being the outputs of the previous step.
Comparison of Risk Management Processes
The focus of the ISO 31000:2018 risk management process is focused on an ‘organizational development’ theme common to the ISO management system standards. This risk management process will work quite well with other ISO management system standards used by the organization. It is also preferred in nonfinancial situations.
COSO ERM 2017 is business focused and tied to the entity’s strategy. This is clearly stated in the introduction to the standard:
“The diligence required to integrate enterprise risk management provides an entity with a clear path to creating, preserving, and realizing value.”
COSO ERM 2017 is preferred in publicly traded entities and in financial entities.
There is a lot of consistency noted when comparing these approaches to risk management ‘process.’
Once Again, It’s Your Choice
You can use either standard or create a hybrid standard for your organization. Both standards see risk as both opportunities and threats. Make sure you are using a method that supports this[iv]. We’ll look at two risk management “frameworks” in the next blog.
Robert B. Pojasek, Ph.D.
Harvard University & Pojasek & Associates LLC
Risk Management & Organizational Sustainability
(781) 777-1858 Office
(617) 401-5708 Mobile & Text
Organizational Risk Management and Sustainability:
A Practical Step-by-Step Guide
Now available as an e-book
Also available as an online action learning course
Expert as environment, health & safety, and sustainability professional with a record of providing leadership, training and operational support to all levels of the organization; Implements new and revised management systems to drive EHS/sustainability program conformance throughout the operation; Integrates organizational systems of management using the ISO harmonized high-level structure; Provides support for organizations implementing sustainability/risk management practices featured in my book.