Carol Williams has a web site, ERM Insights, where she writes about risk management (I prefer to talk about the management of risk, rather than risk management, to ensure we are talking about how the organization addresses what might happen, i.e., risk, rather than talking about a function or team).
Recently, she shared her advice on frameworks and standards in ISO 31000 VS. COSO – Comparing And Contrasting The World’s Leading Risk Management Standards.
I like what she has to say (maybe because she quotes me) and recommend that you read and consider it.
Let me add to her discussion.
As Carol says, “the overarching goal of your risk-related activities should be to support decision-making by helping identify and properly assess both risks and opportunities to achieving strategic objectives”.
So the first step should be to understand how your organization makes decisions. Is decision-making centralized or distributed? Are employees empowered or limited?
You should also consider:
- At what speed and frequency does the path ahead seem to change (i.e., how volatile is risk both from internal and external sources)?
- The business you are in and what the sources of risk are. For example, I would consider different processes for managing a loan portfolio, customer credit, major projects, derivatives trading, and cyber.
- How do your decision-makers consume information about what might happen? In fact, what do they need to make intelligent and informed decisions?
The last point is the most important: what information do people need to make intelligent and informed decisions?
The point before that is also important, as you may need different guidelines and processes in different areas of the business.
While the management of risk should be both continuous and dynamic (as risk is created or changed with every decision), on a periodic basis it is wise to take stock and see whether you are on track. Are you still likely to achieve enterprise objectives, taking everything (within reason) into account?
So another question that needs to be answered is how to collect all the information you have about sources of risk around the extended enterprise to provide a big picture view to top management and the board.
Carol correctly points out that the selection of a risk management standard or framework should not be like going to a clothing store and finding a suit (off the rack) that fits perfectly. Some, maybe a lot of customization is going to be required. Tuck in the sleeve around the cyber joint, but extend the hem of the leg that carries the weight of personnel-related sources of risk.
I welcome your thoughts.
- What is quality internal auditing? - April 17, 2024
- Conflicting research and thoughts on ESG - March 20, 2024
- Useful ethics training for internal auditors - February 21, 2024