
Risk Management Helps Leaders Master Uncertainty

Robert B. Pojasek, Ph.D., Senior Strategist, Strategic Impact Partners

Differences in How Risk is Conceptualized

IFAC’s recent report, Enabling the Accountant’s Role in Effective Enterprise Risk Management, highlights both the importance of Enterprise Risk Management (ERM), and the contribution of accountants, CFOs and finance functions in leading ERM practice.

To help accountants and others lead and be proactively involved in ERM, it is important to understand the concepts and processes in risk management standards that can be put into place to deal with context risk.

Context risk (as opposed to the pure or traditional risk approach based on minimizing a chance of loss) is the effect of uncertainty on an organization being able to meet its strategic objectives. An effect is a deviation from the expected. It can be positive or negative or both! An effect can arise as a result of a response, or failure to respond, to an opportunity or to a threat related to the organization’s objectives. Risk management involves coordinated activities to direct and control an organization with respect to risk. We refer to this as the “new” risk management since the first ‘national standard’ on this topic (AS/NZS 4360:1995) was formalized only about 25 years ago.

Every organization needs to establish, implement and maintain a process(es) to:

  • assess traditional risks associated with losses and identified hazards, while considering the effectiveness of existing controls;
  • determine and assess the context risks related to the establishment, implementation, operation and maintenance of its risk management system.

In other words, attention must be focused on addressing the entire spectrum of risks that can be experienced in the operation of any organization.

Risk Management Standards and High-Level Structure

There are two risk management standards in wide use today: ISO 31000:2018 and COSO ERM:2017. No longer is risk management designed to attend to pure risk. Instead, a risk-aware company selects highly rated opportunities (highly positive consequences and likelihood) to help offset the major threats with a highly negative consequence and positive likelihood. These risk management standards are now focused on providing organizations with a clear path to find opportunities to manage and sustain value in an organization operating in an uncertain world.

Many of the readers of this article are familiar with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its enterprise risk management standard: COSO ERM. This standard underwent major revisions in the 2017 version of the COSO ERM. The risk management standard of the International Organization for Standardization (ISO 31000:2018) experienced less extensive change in the most recent version. In COSO ERM:2017, you will discover a clear path to enhanced value. This journey is supported using 20 coordinated principles. ISO 31000:2018 provides a three-element program to help integrate the risk management standard into any operation. It considers an organization’s financial risks as well as non-financial risks. In both risk management standards, value in a corporation is expressed in its mission, vision, strategy, as well as its strategic, operational and tactical objectives.

To integrate risk management into all the organization’s functional activities, ISO created an open source “high-level structure” for creating uniform responsibilities for top leaders. All the ISO management system standards hold the top leader fully accountable for achieving the organization’s objectives, all of them! This high-level structure also provides all decision-makers with an operational framework consisting of the newly structured ISO management system standards. These extensively revised standards provide uniform information for development of the risk-aware culture that enables workers and their supervisors to make decisions with guidance that provides a clear reference for internal and external auditing.

The high-level structure also requires the creation of a continuous improvement program that supports leadership to focus on what really matters! Conventional risk management must be refocused by seeking opportunities that can help decision makers to identify, prioritize, and realize relevant improvements that are used to successfully engage the internal and external stakeholders.

How New Risk Helps Leaders Master Uncertainty” shows how companies can manage and sustain value through risk management. It presents the best from both standards and allows you to use COSO ERM:2017 and ISO 31000:2018 separately or combined in a single risk management program. These risk management standards can be used to inform the development of new risk management efforts to meet the specific needs of an organization. You can use a host of ISO management system standards to help inform your efforts to improve your existing enterprise risk management system, regardless of the organization’s activity or the standards that are incorporated into the effort. Information on ordering and using the standards is provided in the book.