The Standardization of Risk Management Practices at the International Level
Belascu Lucian
Lucian Blaga University of Sibiu, Romania
lucian.belascu@ulbsibiu.ro
Horobet Alexandra
Bucharest University of Economic Studies, Romania
alexandra.horobet@rei.ase.ro
Abstract
The last decades have seen an increase in concerns regarding risk management (RM), leading to a number of internationally recognized and applied standards. The aim of this paper is to provide a critical overview of the most widely used risk management standards and frameworks promoted at the international level, focusing on their different approaches and potential implications. Although the RM principles enforced by various standards are supporting better RM strategies, we argue that RM in an organization should be developed beyond a rules-based approach and by taking into account the organization’s specificities and objectives, making RM a key component of an organization’s culture.
Key words: risk management, standards, ISO, business strategy
J.E.L. classification: D80, G32, L21
1. Introduction
A quick online search for “risk management” results in more than 76 million references [the search was performed on www.google.com on May 16, 2015], while a search for academic papers results in more than 809,000 contributions written between 1980 and 2014 [the search was performed on www.scholar.google.com on May 16, 2015; the number of papers increased from 579 in 1980 to 80,800 in 2014, but there were 247,000 works published on this topic between 2008 and 2012, most likely as a “side-effect” of the financial crisis that emerged in 2007]. This is no accident, as RM became a popular topic in recent years, the debate surrounding it being fuelled by an increasing number of corporate mistakes, failures and bankruptcies, which culminated once the global financial crisis erupted in 2007 in the United States and spread afterwards to Europe in 2008. Despite the vivid discussions that are present in the literature and are incorporated into a high number of standards, frameworks, regulations, codes of conduct etc., RM is in many instances treated more like an issue referring to control and compliance, which can be addressed by drawing up rules, and less like a “way of thinking” that can change the manner in which businesses are run.
The world we live in presented us in recent years with an ever growing number of risks, on one hand, and with an enhanced sophistication of these risks, on the other hand. The Global Risks 2012 Report published by the World Economic Forum outlines five top risks in terms of likelihood - severe income disparities, chronic fiscal imbalances, rising greenhouse gas emissions, cyber attacks and water supply crises - while the five top risks in terms of business impact are a major systemic financial failure, water supply crises, food shortage crises, chronic fiscal imbalances and extreme volatility in energy and agriculture prices [1]. It does not require a RM expert to observe that many of these risks fall beyond managers’ control and ability to forecast them, which raises the question of the effectiveness of RM systems (if any!) in a global framework where volatility and risk are no longer the exception, but the rule.
We provide in this paper a critical overview of the most widely used RM standards and frameworks promoted at the international level, focusing on their different approaches and potential implications. Given the features of the current macroeconomic framework, we argue that risk management in an organization should be developed beyond a rules-based approach, typically enforced by RM standards, and by taking into account the organization’s specificities and strategy. When RM becomes a key component of an organization’s culture, its benefits are widespread and sustainable.
2. Risk management standards: an overview
A good understanding of RM standards, and of any other standard, in the end, stems from a proper understanding of what a standard is and is not. From that perspective, there is a lot of confusion between standards, regulations, frameworks, principles etc., which might lead to an improper use of such documents. First of all, there is a difference between standards and regulations from their mandatory features perspective: i.e. while standards are typically voluntary, regulations are mandated by legislation. Of course, when standards are adopted by a government or by an official body they might become mandatory; the same is true when they become part of a business contract. Second, one should not confound a RM standard with a RM framework; typically, the standard is wider in scope, as it “sets out the overall approach to the successful management of risk, including a description of the risk management process, together with the suggested framework that supports that process” [2]. Another important distinction refers to standards and controls: while controls do not evolve in scope or speed to keep up with new emerging risks that the organization is exposed to, standards are developed collaboratively over time through experience and are usually based on collections of best practices and guidelines, and are able to be adapted to new circumstances and risks.
A number of RM standards and frameworks have been developed in the last decades, with rather similar approaches. The first standard ever proposed was issued in Australia in 1995 and was followed by standards developed in Canada, United Kingdom, Japan and the United States. Besides standards put forward by international bodies, national standards bodies and various government departments around the world have developed RM standards, with a narrower scope, but built around the same principles. While some of these standards were developed by RM professionals, others were developed by accountants or auditors. Some of these standards are considered primary or recognized as they are formal documents that establish criteria, methods, processes and practices under the jurisdiction of a standards body (national, regional or global). Other standards are guidance-oriented, as they are developed outside of an established standards body; sometimes, when this type of document becomes generally accepted it is called a “de facto standard”. It is important to understand that while primary standards are used for regulatory compliance and public certification or validation, guidance documents tend to be used for internal operational or process implementation assistance.
Three main approaches to RM are proposed in existing standards: (1) a “risk management” approach, which focuses on organizational objectives; (2) an “internal control” approach, which is oriented towards compliance and control objectives; and (3) a “risk-aware culture” approach, less encountered, which aims at integrating RM into an organization’s culture and strategy. Historically, the standard that enjoyed the widest recognition was the Australian Standard AS 4360 (2004), which was replaced in 2009 by ISO 31000:2009 “Risk Management – Principles and guidelines”. Table 1 systematizes the most well known RM standards, outlining their main attributes and their intended focus.
Table 1. Risk Management standards

| Standard (year) | Issuing body | Brief description | Focus |
|---|---|---|---|
| CoCo - Criteria of Control (1995) | Canadian Institute of Chartered Accountants | Based on the idea that the risk culture of an organization should receive the most important consideration. The criteria that are used in order to evaluate the risk-aware culture within an organization using the CoCo approach are (i) the organization’s purpose, vision and mission; (ii) the commitment to integrity and ethical values; (iii) the capabilities, authority and responsibilities; (iv) the learning process and the development of competences within the organization. | Risk culture |
| A Risk Management Standard (2002) | Federation of European Risk Management Associations | Describes the necessary components of an ERM framework, as best practices against which organizations can measure themselves. It does not discuss root cause as a key component to effective RM. | Risk management |
| IRM (2004) | AIRMIC, ALARM and Institute for Risk Management | High-level approach, one of the best-established and widely used standards, aimed at non risk-management specialists. | Risk management |
| COSO ERM (2004) | Committee of Sponsoring Organizations of the Treadway Committee | Replaces the COSO Internal Control Framework (1992) and has both RM and internal control within scope. The Sarbanes-Oxley Act of 2002 requires the approach proposed in the COSO Internal Control Framework (1992). Designed for use primarily by risk management practitioners. Places a greater degree of responsibility on the board, requiring it to have direct involvement in the ERM process. | Internal control |
| Orange Book (2004) | HM Treasury of the UK Government | Introduces the concept of RM and provides a basic description of its concepts, development and implementation of RM processes in government organisations. It should be read and used in conjunction with the other publications on Governance & Risk Management of the HM Treasury. | Risk management |
| Turnbull Report (2005) | Financial Reporting Council | Is considered by the Securities and Exchange Commission (SEC) in the United States as an acceptable alternative for the COSO Framework in order to comply with Sarbanes-Oxley requirements. | Internal control |
| BS 31100 (2008) | British Standards Institution | Highlights the benefits of using a risk maturity model to improve an organization’s RM model. It directs users to the complementary BS 25999 Business Continuity Management Standard, which is specifically tailored to business resiliency and sustainability. | Risk management |
| ISO 31000 (2009) | International Standards Organization | Shift from an event to the overall effect that risks and RM have on an organization’s objectives. Emphasizes RM as a strategic discipline for making risk-adjusted decisions. Still, the standard does not clearly offer a portfolio view on risks. | Risk management |
| OCEG “Red Book” 2.1 (2011) – GRC Capability Model | Open Compliance & Ethics Group | Integrates formally governance, risk and compliance processes, supported by a common technology platform (ideally). Risk is given a limited role focused on identification and measurement. Does not consider risk ownership by business areas. | Compliance and Internal control |

Source: Authors’ collation
Of these standards, three deserve more attention, in our view, given either their widespread adoption or their specific focus: the COSO Enterprise Risk Management (ERM) framework, the ISO 31000 standard and the CoCo standard. We briefly discuss the contributions of these standards to the RM profession. The COSO ERM approach advocates ERM as a multidirectional and iterative process, in which almost any component can and does influence all other components of the process. In this framework, the organization’s objectives are directly related to ERM components, which represent what is needed in order to achieve the organization’s objectives. The well-known representation of the influential RM framework advanced by the COSO ERM approach is the “Cube Diagram” [3], depicted in Figure 1. The “Cube” proposes eight inter-related components of an organization’s RM framework, derived from the manner in which management runs the organization, as follows: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. The ERM framework is addressed to the achievement of corporate objectives, divided into four risk categories: strategic, operational, reporting and compliance. Also, the “Cube” sets the corporate level which receives the attention of RM (entity level, division, business unit, subsidiary), thus allowing an effective “slicing” of RM processes and objectives within the organization, with the associated responsibilities.
Figure 1. COSO ERM's "Cube Diagram"
Source: Committee of Sponsoring Organizations of the Treadway Committee, Enterprise Risk Management – Integrated Framework (2004)
In the latter part of 2009 the International Standards Organization (ISO) published ISO 31000 “Risk management – Principles and guidelines”, a document that contains elements of the RM framework and the key phases of the RM process (see Figure 2). The standard is structured into principles (11 attributes of RM), a framework with five components (mandate, plan, implementation, checks and improvement), and process (communication and consultation, context, risk assessment, treatment and monitoring) [4]. The standard focuses on the actions taken with regard to identified risks in order to cost-effectively improve the organization’s performance. Based on defining risk as “the effect of uncertainty on objectives”, one of the key components of the standard is the idea of “deviation”, as the standard leads organizations towards measurement of deviations from expected outcomes. ISO 31000 is a universal standard that can be customized to the specific needs of an organization and may be most helpful for changing organizations and for organizations seeking more flexibility in their strategic and operational RM practices.
The last standard we discuss, the CoCo standard (1995), is not the most recent of them, but it is the most interesting in terms of the proposed approach to RM. This approach, adopted by the Canadian Criteria of Control and issued by the Canadian Institute of Chartered Accountants, is based on the idea that building a risk culture in an organization is of paramount importance for a successful RM process [5]. The standard builds on the concepts in the COSO framework and defines control as comprising “those elements of a company (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organisation’s objectives”. The CoCo report also states that “control is effective to the extent that the remaining (uncontrolled) risks of the organisation failing to meet its objectives are deemed acceptable”. The standard sees control as encompassing the entire organization starting with its smallest unit and uses four essential elements as groupings within which it articulates 20 criteria of control: (1) purpose criteria; (2) commitment criteria; (3) capability criteria; and (4) monitoring and learning criteria. These criteria are interrelated and together they provide the framework for looking at the whole organization from a control perspective.
Figure 2. Risk management process as outlined by ISO 31000
Source: International Standards Organisation, ISO 31000:2009 Risk Management – Principles and guidelines (2009)
3. Beyond the standards: effective risk management strategies
The new global landscape that emerged after the recent financial and economic crisis is characterised by a “risk architecture” that embodies higher variance in losses and gains than before and increasing interconnections between risks. In this framework, although favourable for positive returns, contagion risks are higher than ever and management teams are forced, if determined to survive and grow, to challenge themselves towards developing more robust scenarios based on this new and in many instances less understood reality. Moreover, organizations need to prepare for non-preventable risks that arise externally to their strategy and operations and that have the potential of putting the organization out of business.
It is well acknowledged now, as evidenced by many academic studies, that people tend to be overconfident about the accuracy of their forecasts and assessment of risks and anchor their estimates to evidence that is readily available, despite the perils of extrapolating history into the future. In addition, we all suffer from confirmation bias, which means that we collect information that supports our beliefs and discard information that contradicts them. At the organization level, groupthink also introduces biases regarding risk assessment: this refers to the fact that once a course of action has gathered support within a group, those that are not supportive tend to suppress their objections and fall in line. The result of these individual and organizational biases may be an overlooking or misreading of ambiguous threats to the organization, which leads to an ineffective RM, as organizations tolerate apparently minor breakdowns and do not treat early warning signals as alerts to imminent dangers.
Stemming from these biases, Kaplan and Mikes (2012) propose a new framework for an effective RM system, based on three categories of risk that companies face, each requiring a different RM approach [6]. Table 2 briefly presents these risks alongside the appropriate control model and the role of the RM staff function. When organizations understand that preventable risks can be more easily monitored and controlled through the use of rules-based standards and controls, but strategy and external risks require the application of RM processes that encourage managers to openly discuss risks and identify cost-effective ways to reduce the likelihood of risk events or to mitigate their consequences, the RM system is truly adjusted to the organization’s particularities and objectives.
4. Conclusions
Recognized RM standards offer a number of benefits to organizations that adopt them, but it is important to understand that there is no single standard that covers an entire field and that organizations are expected to use whichever components of such standards serve to meet their objectives. At the same time, an effective RM system should be based on systematic thinking about the various and interconnected categories of risk companies face, in such a way as to institute the appropriate processes for each. The adoption of standards, which institutes rules and compliance actions that mitigate some risks, cannot effectively support an organization’s RM without taking into account the organization’s strategy, objectives and risk culture.
Table 2. Tailored RM strategies to risk categories

| | Preventable risks | Strategy risk | External risks |
|---|---|---|---|
| Risk description | … benefits | Risks taken for superior strategic returns | External, uncontrollable risks |
| RM objective | … occurrence cost-effectively | To reduce likelihood and impact cost-effectively | To reduce impact cost-effectively should risk event occur |
| Control model | … compliance model | Interactive discussions about risks to strategic objectives. Resource allocation to mitigate critical risk events | “Envisioning” risks through tail-risk assessment and stress testing, scenario planning and war-gaming |
| Role of RM staff function | … and revises specific risk controls with internal audit function | Runs risk workshops and risk review meetings. Helps develop portfolio of risk initiatives and their funding. Acts as devil’s advocates. | Runs stress-testing, scenario-planning and war-gaming exercises with management team. Acts as devil’s advocates. |

Source: Kaplan and Mikes (2012)

5. References
[1] World Economic Forum, Global Risks 2012, Seventh Edition, 2012, www.weforum.org
[2] Hopkin, P., Fundamentals of Risk Management. Understanding, evaluating and implementing effective risk management, The Institute of Risk Management, London, 2010
[3] Committee of Sponsoring Organizations of the Treadway Committee, Enterprise Risk Management – Integrated Framework, 2004, www.coso.org
[4] International Standards Organisation, ISO 31000:2009 Risk Management – Principles and guidelines, 2009, www.iso.org
[5] Canadian Institute of Chartered Accountants, Criteria of Control, 1995, www.cica.ca
[6] Kaplan, R.S.; Mikes, A., Managing Risks: A New Framework, Harvard Business Review, June 2012, pp. 2-13