
2nd European Risk Conference Università Bocconi

September 11th & 12th, 2008

Risk Management Standards – role, benefits & applicability –

Dr. Roland Franz Erben

Academic affiliation:

Bayerische Julius-Maximilians-Universität Würzburg

Lehrstuhl für BWL und Wirtschaftsinformatik

Josef-Stangl-Platz 2

D-97070 Würzburg

Germany

Address for correspondence:

Resi-Weglein-Gasse 3

D-89077 Ulm

Germany

Tel.: +49.(0)731.360808-93

Fax.: +49.(0)731.360808-94

Cell.: +49.(0)163.3733633

E-Mail: [email protected]

Risk Management Standards

Dr. Roland Franz Erben   page 2 of 34 

 

Abstract:

As every risk management system must reflect the specific circumstances of an organization, a uniform approach can never be adequate. Nevertheless, risk management standards can provide useful support for designing and implementing a comprehensive and consistent risk management system. After a short description of two standards – the “COSO Enterprise Risk Management – Integrated Framework” (COSO ERM) as well as the “ISO/DIS 31000 – Risk management: Principles and guidelines on implementation” – these frameworks are compared regarding the criteria “completeness”, “generic breadth”, “usability”, “integration” and “external assessment”. It is shown that both standards fulfill these requirements to a high degree, with the ISO 31000 being more generic and flexible while the COSO ERM provides more practical guidance. As a conclusion, it can be expected that the already well-established COSO ERM and the emerging ISO 31000 will play a predominant role in the future.

JEL-classification: M19, L15, L29

Keywords:

• Risk Management Standards
• Risk Management Systems
• Standardization
• COSO ERM Integrated Framework
• ISO 31000


Content

1 Introduction ........................................................................................ 4
2 Risk management standards – potential benefits and practical relevance ..... 7
3 COSO ERM and ISO 31000 – an overview ............................................. 10
3.1 COSO ERM Integrated Framework .................................................. 10
3.2 ISO 31000 Risk management ........................................................ 15
4 COSO ERM and ISO 31000 – a comparison ........................................... 22
5 Further developments & Conclusion ..................................................... 27

Appendix A: Elements of risk management standards ............................................... 30
Appendix B: Comparison of COSO ERM and ISO 31000 regarding their completeness .... 31
References ....................................................................................... 31


1 Introduction

All companies and organizations face a wide range of opportunities and risks that may – positively or negatively – affect the achievement of their objectives. The importance of a particular risk for a specific organization is determined by a great variety of internal (e. g. business model, products, size, financial resources, reputation, degree of vertical integration) and external (e. g. macroeconomic situation, legislation and jurisdiction, exchange and interest rates, socio-demographic changes, quality of public infrastructure, natural disasters) factors. Because of the diversity of these factors, their varying importance, their constant change and their mutual interdependency, every single organization has to deal with a unique set of risks. To handle these risks adequately, it is a prerequisite to design and implement a customized risk management system which reflects the specific and characteristic attributes of the particular organization and takes into account its individual risk appetite.

Under these circumstances, a uniform, “one size fits all” risk management approach is inevitably bound to fail. Nevertheless, since the early 1990s a great (and still growing) number of efforts targeting the standardization of risk management and internal control systems in organizations have been undertaken by standard setters (like the International Organization for Standardization, ISO), regulatory bodies (like the Bank for International Settlements, BIS) or professional associations and working groups (like the Institute of Risk Management South Africa, IRMSA).

Because of the great number of bodies involved in the development of risk management standards, the terms and definitions used are anything but standardized. An in-depth analysis and discussion of the differences in the wording of the various standards would not contribute substantially to the objectives of this paper. Therefore, in this context the term “standard” is used to describe a published set of rules to solve a certain problem or to fulfill certain requirements. More or less analogous expressions for the term “standard” (admittedly sometimes with a slightly different meaning or emphasis) that can be found in other publications are e. g. “framework”, “guideline” or “norm”.

Although research efforts in the field of risk management standards have been very limited so far, it can be assumed that currently there are approximately 80 standards in use [see Shortread 2003, p. 3]. These approaches differ very much regarding their scope, target groups, topics and level of detail. Based on what is probably the most important factor – “scope” – the following three main types of standards can be distinguished:

• Risk category specific standards targeting a particular type or source of risk. Well-known examples of these risk category specific standards are the International Standard “ISO 27000 et seq.” in the field of IT security, the British Standard “BS 6079” for project risk management or a variety of regulations aiming at the assurance of adequate product safety.

• Industry specific standards targeting the characteristic risks of organizations with activities in a certain area of business. These standards are mainly applied in industries with high significance for the economy, the environment or public health & safety (like e. g. aviation, banking, insurance or the chemical/pharmaceutical industry). For these industries, compliance with the relevant risk management standards is often a legal requirement. Well-known examples of industry specific standards are “Basel II” and “Solvency II”, which define risk management requirements for financial institutions and insurance companies respectively.

• Generic standards targeting the standardization of risk management systems. These standards constitute a comprehensive and holistic risk management approach and claim to outline general requirements for a great variety of organizations, almost independent of their type, size, activities or location. Well-known examples of generic standards are the “COSO Enterprise Risk Management – Integrated Framework” (hereafter referred to as “COSO ERM”), the Austrian/Swiss “ON-Regel 49000 et seq.” or the Australian/New Zealand “AS/NZS 4360”. In recent months, significant impact on the discussion about generic risk management standards arose from the efforts by the International Organization for Standardization (ISO) to establish a globally valid risk management standard, the “ISO 31000 – Risk management – Principles and guidelines on implementation” (hereafter referred to as “ISO 31000”), which is currently in the last stages of its development and is expected to be released in the first quarter of 2009.


2 Risk management standards – potential benefits and practical relevance

Taking into account the fact that risk management systems have to reflect, or be adapted to, the specific circumstances and requirements of each and every organization, generic risk management standards do not aim at standardizing the concrete specifications and implementation of such a system for a particular organization. Instead, they claim to provide a universally valid guideline. Despite their relatively high level of abstraction, the application of a risk management standard can turn out to be quite useful, as these standards outline generally accepted risk management processes and components. In particular, they can offer support regarding the following issues [see Winter 2007, p. 137; Kuhn 2006, p. 8]:

• By providing clear, unambiguous and consistent terms and definitions, generic standards can help to establish a common understanding of the relevant topics throughout the entire organization. Therefore they can contribute to better communication between the different entities of an organization or between the organization and its stakeholders (e. g. customers, suppliers, investors, regulators, …). This aspect proves to be especially important in large, diversified and complex organizations, e. g. global companies with a wide range of activities in many different countries and therefore divergent (risk) cultures.

• By describing the essential (and maybe also the desirable) components, processes and organizational structures of an effective and efficient risk management system, generic standards provide a useful blueprint for organizations aiming at designing and implementing such a system. The consideration of a comprehensive and holistic standard can help these organizations to avoid substantial gaps and to incorporate all pivotal aspects in their individual conceptual design.

• By outlining a “best practice” risk management system, generic standards can serve as a benchmark against which organizations can compare their existing approaches. Therefore, generic standards can help to identify potential deficiencies of existing risk management systems and gaps between the actual status and a “best practice” approach.

• By designing and implementing its risk management system according to a tried and tested standard, an organization can enhance the transparency of its own approach. Additionally, the consideration of a standard can contribute to improving the trust and confidence of internal and external stakeholders in the risk management abilities of an organization. As risk management standards often incorporate relevant legal requirements and/or new regulations take into account the issues outlined in these standards, they can also help organizations to fulfill their compliance requirements in that area [see Weidemann/Wieben 2001, p. 1790].

As already mentioned above, despite the growing number of risk management standards, research efforts regarding their dissemination or use in practice have been very limited so far. In particular, an empirical analysis of whether, or to what extent, these standards are actually applied in organizations has not yet been carried out. A first (although admittedly scientifically not very sound) indication of the popularity of some generic risk management standards may be the number of results returned by Google when searching for their names. The results of this analysis, performed on July 19th 2008, can be found in table 01 (interestingly enough – although it is still in a “draft” status – the ISO 31000 returned a remarkable number of results).

Table 01: Google search results for different risk management standards

Search term                  # of results
“AS/NZS 4360”                      26.400
“COSO ERM”                         19.900
“ISO 31000”                         3.320
“ON 49000”                          2.650
“JIS Q 2001”                        1.680
“CAN/CSA Q850”                        969
“IRMSA Code of practice”               91


For further analysis, this paper will focus on the COSO ERM and the ISO 31000. First of all, a comparison between these two standards seems to be most promising as they show some noteworthy differences [see section 4]. Furthermore, this decision can be justified by the fact that the development of the ISO 31000 was predominantly based on the AS/NZS 4360 and strongly influenced by the ONR 49000 [see section 3.2]. As a consequence, major concepts and principles of these two standards can also be found in the ISO 31000. Because of their similarity to the ISO 31000, an in-depth analysis of the Australian/New Zealand and Austrian/Swiss approaches can be dispensed with. Finally, the omission of the Japanese “JIS Q 2001”, the Canadian “CAN/CSA Q850” and the “Code of practice” developed by the “Institute of Risk Management South Africa (IRMSA)” can be justified by taking into account that these standards have undoubtedly gained remarkable recognition in their regions of origin but seem to lack acceptance in the rest of the world.


3 COSO ERM and ISO 31000 – an overview

Prior to a comparison between the COSO ERM and the ISO 31000 in section 4, a short overview of the structure as well as the basic concepts of the two standards is given in the following sections.

3.1 COSO ERM Integrated Framework

COSO, the “Committee of Sponsoring Organizations of the Treadway Commission”, was established in 1985 in the USA. The group was named after its first chairman James C. Treadway Jr., the former Commissioner of the US Securities and Exchange Commission (SEC). The “Sponsoring Organizations” represent some of the most important US accounting and auditing associations (the “American Accounting Association, AAA”, the “American Institute of Certified Public Accountants, AICPA”, the “Financial Executives International, FEI”, the “Institute of Management Accountants, IMA” and “The Institute of Internal Auditors, IIA”). Additionally, the development of the COSO standard was supported by a project advisory council with representatives from various companies and the accounting & auditing firm PricewaterhouseCoopers (PwC) [see COSO 2004a, p. iii; Ballou/Heitger 2004, p. 1].

A major objective of the Committee was the development of approaches to prevent fraudulent or misleading financial reporting [see Janke 2007, p. 115; Foerschler/Scherf 2007, p. 210]. To reach this objective, in 1992 COSO published a standard called “Internal Control – Integrated Framework” (commonly known as “COSO I”) targeting the development and implementation of an effective and efficient monitoring system [see COSO 2004a, p. v]. Because of its suitability for a wide range of industries and companies, COSO I quickly gained a high level of appreciation. As it emerged as a “de facto” industry standard for internal control issues, its principles influenced a wide range of other frameworks in that area and were also considered in some regulatory requirements – as an example, the Sarbanes-Oxley Act (SOX) of 2002 recommends the use of COSO I [see Sarbanes/Oxley 2002].


In 2004, the COSO I standard was substantially enhanced. While the original framework primarily focused on the issues of internal control and monitoring, the updated version – the “COSO Enterprise Risk Management – Integrated Framework” (commonly known as “COSO II” or “COSO ERM”) – expanded this relatively narrow scope by integrating aspects of a comprehensive, holistic, enterprise-wide risk management system. Apart from minor adjustments, all topics of COSO I were also incorporated in COSO ERM [see COSO 2004a, p. v; Ballou/Heitger 2004, p. 2; Foerschler/Scherf 2007, p. 210].

One of the most outstanding characteristics of the COSO approach is its three-dimensional view of the organization and its risk management system (often referred to as the “COSO Cube”, see figure 01) [see COSO 2004a, p. 23].

Figure 01: COSO Cube

The first dimension of this cube represents the objectives set by the top management of a company. COSO ERM is geared to achieving these objectives, set forth in four categories [see COSO 2004a, p. 21]:


• Strategic: Obviously, the top priority of each organization is the achievement of the objectives derived from its vision and mission. These high-level goals also constitute the guidelines for the other components of the first and the other dimensions.
• Operations: The effective and efficient use of its resources is a basic requirement for every organization to create value.
• Reporting: The reliability of (financial) reporting is a basic requirement for the effectiveness of internal controls and the information of external stakeholders.
• Compliance: Compliance with applicable laws and regulations is a prerequisite for every organization to do business.

The second dimension represents the components and processes of a risk management system. According to COSO, enterprise risk management consists of eight interrelated building blocks. Incorporating these components (and thereby following the guidance provided by COSO regarding their design, implementation and operation) should enable an organization to achieve the objectives outlined in the first dimension. The components specified by COSO are [see COSO 2004, p. 27-81]:

• Internal Environment: The internal environment constitutes the foundation for how risk is viewed and addressed and sets forth the general conditions for all following steps of the risk management process. Obviously, this component is strongly influenced by the history, the culture and values, the risk appetite and the operating environment of an organization [see COSO 2007, p. 27-34].

• Objective Setting: Following Nicklisch’s widespread definition of the term “risk” as “the possibility of a negative deviation of the actual outcomes from the original objectives” [see Nicklisch, 1912, p. 34], the specification of objectives is a prerequisite for the emergence of risk: Without defined objectives, potential events affecting their achievement can neither be identified nor managed. The objectives have to be measurable and consistent with the organization’s mission and risk appetite and must be aligned with the categories of the first dimension (strategy, operations, reporting and compliance) [see COSO 2004a, p. 35-40].

• Event Identification: The setting of objectives is followed by the identification of (internal and external) events that may affect their achievement. During the event identification, an explicit differentiation between risks and opportunities is made. Possible tools to facilitate this process are e. g. checklists, questionnaires or interviews with experts. The interdependency between different events and their mutual reinforcement or dilution is to be considered. To assure efficiency and to reduce complexity, an organization should concentrate on significant events [see COSO 2004a, p. 41-47].

• Risk Assessment: During the next process step, the identified risks are analyzed and quantitatively evaluated according to their “probability” and “impact”. For this purpose, the use of existing (internal or external) information, empirical data, estimates etc. is recommended. Possible correlations between different events are also to be taken into account. As a result of these activities, an overview of the risks of an organization is generated, listed according to their priorities [see COSO 2004a, p. 49-54].

• Risk Response: Based on the results of the risk assessment, adequate measures (avoid, reduce, transfer/share, accept/self-carry) for an appropriate risk mitigation have to be defined and implemented to align the existing risks with the organization’s risk tolerance and risk appetite and – at the same time – find an optimal balance between risks and the corresponding opportunities [see COSO 2004a, p. 55-60].

• Control Activities: The implemented mitigation/risk response measures have to be continuously monitored using appropriate procedures to assure that they are carried out effectively. A differentiation is made between measures aiming at preventing or detecting potentially undesired impacts and measures aiming at correcting damages resulting from incidents that have already occurred [see COSO 2004a, p. 61-66; Ruud/Sommer 2006, p. 129].

• Information and Communication: The responsible managers and, if necessary, other internal and external stakeholders (e. g. employees or customers, suppliers, investors, regulators, media, …) have to be informed about all relevant risks, incidents, damages etc. as well as other important aspects of the risk management process. The relevant information for this purpose has to be identified, captured and communicated in a timely, comprehensible and accurate manner. As not all of the stakeholders above should receive the same kind and amount of information, an appropriate filtering of information has to be applied [see COSO 2004a, p. 67-74; Neubeck 2003, p. 88].

• Monitoring: Finally, the risk management system has to be monitored, reviewed and – if necessary – modified and improved to meet changing requirements. A major objective of this process step is to assure the effectiveness and efficiency of the system as a whole. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. Furthermore, monitoring does not only refer to the risk management system itself, but also has to consider the external environment of an organization to assure that possible changes are adequately reflected by the risk management [see COSO 2004a, p. 75-81].

The third and last dimension of the COSO Cube represents the organizational structure. By taking this dimension into account, it shall be assured that the objectives and processes defined in the first and second dimensions are implemented and executed on all levels of the organization. In this context the levels “entity”, “division”, “business unit” and “subsidiary” are mentioned as examples [see COSO 2004a, p. 24; Foerschler/Scherf 2007, p. 212].


3.2 ISO 31000 Risk management

ISO, the International Organization for Standardization (Organisation internationale de normalisation), is an international standard setter composed of representatives from 157 national standardization bodies. The organization promulgates world-wide proprietary industrial and commercial standards [see ISO 2008a]. The development of the international standard ISO 31000 started in 2005, when the Australian and New Zealand standard setting bodies proposed to elevate their existing AS/NZS 4360 to an international standard. ISO decided that a globally valid risk management standard was desirable, but argued against a simple adoption of the AS/NZS 4360. Instead, the development of a new standard was initiated, which, however, should incorporate the proven and established concepts and components of the major existing frameworks. To achieve this objective, a working group was founded and presented a first proposal for a standard in September 2005 [see ISO 2005]. After passing through several cycles of improvement, the current draft is now in the stage of a “Draft International Standard (DIS)” [see ISO 2008b]. It is expected that it will be elevated to the status of a “Final Draft International Standard (FDIS)” at the upcoming meeting of the working group in December 2008 and – after another round of consultation – the final document will be released as an ISO standard in the first quarter of 2009 [see Brühwiler 2008, p. 14].

The main objective of the ISO working group is to “provide a document which provides principles and practical guidance to the risk management process. The document is applicable to all organizations, regardless of type, size, activities and location and should apply to all type of risk” [see ISO 2005, p. 1]. In contrast to its ambitious claim, the working group right away excluded aspects of business continuity/crisis management from its program, as these issues are already subject to the efforts of another ISO working group and standard development (the “ISO 22399 – Societal security – Guideline for incident preparedness and operational continuity management”) [see ISO 2005, p. 2].

As the ISO 31000 aims at establishing a common understanding regarding risk and risk management, it outlines a high-level framework instead of dealing with operational issues. Due to this objective, it sees itself as a generic guideline containing recommendations rather than explicit requirements and is therefore not intended to be used as a basis for external certification by independent third parties [see ISO 2008b, ln. 172; Brühwiler 2008, p. 15].

The content of the ISO 31000 is structured according to the following sections [see ISO 2008b, p. iii]:

Introduction
Foreword
1. Scope
2. Normative References
3. Terms and Definitions
4. Principles of Managing Risk
5. Framework for Managing Risk
6. Process for Managing Risk
Annex: Attributes of enhanced Risk Management

1. Scope: The first section of the document provides a general overview of the standard and claims its universal applicability “to any public, private or community enterprise, association, group or individual” as well as “throughout the life of an organization, and to a wide range of activities, processes, functions, projects, products, services, assets, operations and decisions” [see ISO 2008b, lines 159-164].

2. Normative References: The second section of the document refers to the “ISO/IEC Guide 73, Risk management – Vocabulary (ISO 73)” [see below] as a document which is seen as “indispensable” for the application of the ISO 31000 [see ISO 2008b, ln. 173-176].

3. Terms and definitions: The third section of the document contains a simple reference to the ISO 73 mentioned above [see ISO 2008b, ln. 178]. The reason for including this reference to a separate document instead of including all the necessary terms and definitions in the ISO 31000 itself was the fact that risk (management) related vocabulary has a widespread relevance and is also used in many other international standards (like the ISO 22399 already mentioned above or several standards in the field of IT security or product safety). To assure a consistent use of terms and definitions in all these standards, it seemed to make sense to define the vocabulary in one separate document, which is then referenced by other standards [see Brühwiler 2008, p. 14].

Unfortunately, the development of the ISO 73 is meanwhile lagging substantially behind the progress of the ISO 31000 (e. g. approximately 40 percent of the definitions included in the ISO 73 have not even been discussed until today). This situation results in a major dilemma: Firstly, the ISO 31000 could be released as scheduled but would then contain a reference to a document which is still in a “draft” status and thus subject to changes, although it is seen as “indispensable” for the application of the ISO 31000. Secondly, the final release of the ISO 31000 could be postponed until the ISO 73 is finished, which would cause a substantial delay of approximately 1 ½ years. Thirdly, the most relevant terms and definitions of the ISO 73 could be included in the ISO 31000 (and similar standards), accepting that the terms and definitions for one and the same subject may become inconsistent while the particular standards are further developed. While currently there seems to be a certain tendency to favor the latter approach, this problem is still unsolved and will be a predominant issue at the upcoming meeting of the working group in December 2008.

4. Principles of Managing risks: The fourth section of the document outlines the following eleven basic principles for managing risk [see ISO 2008b, ln. 179-220]:

(a) Risk management creates value.
(b) Risk management is an integral part of organizational processes.
(c) Risk management is part of decision making.
(d) Risk management explicitly addresses uncertainty.
(e) Risk management is systematic, structured and timely.
(f) Risk management is based on the best available information.
(g) Risk management is tailored.
(h) Risk management takes human and cultural factors into account.
(i) Risk management is transparent and inclusive.
(j) Risk management is dynamic, iterative and responsive to change.
(k) Risk management facilitates continual improvement and enhancement of the organization.

5. Framework for Managing risks: The fifth section of the document outlines a risk management framework, providing the foundations and organizational arrangements that will embed risk management throughout the organization at all levels (see figure 02) [see ISO 2008b, ln. 221-359]:

Figure 02: ISO 31000 – framework for managing risks

6. Process for Managing risks: The sixth (and most extensive) section of the document outlines the risk management process considering the following five main activities (see figure 03) [see ISO 2008b, ln. 360-600]:


• Communication and Consultation: Communication and consultation is seen as an integral part of all risk management activities and therefore should take place at all stages of the risk management process, involving all relevant internal and external stakeholders. It is recommended that a communication and consultation plan is developed, addressing issues relating to the risk itself as well as to its consequences and the measures being taken to manage it. Furthermore, there is strong emphasis on the fact that communication and consultation with stakeholders is especially important as they make judgments about a certain risk based on their perceptions, which can vary to a great extent due to differences in values, needs, assumptions, concepts and concerns [see ISO 2008b, ln. 369-395].

• Establishing the Context: In this step, the organization defines the internal and external parameters to be taken into account when managing risk. The context should include both internal and external parameters relevant for the organization (e. g. capabilities/know-how, information systems or policies, and the cultural, political, legal, regulatory, financial, technological, economic, natural or competitive environment as well as the perceptions and values of both internal and external stakeholders). Furthermore, the context for the risk management process itself has to be developed (by defining e. g. roles and responsibilities, scope, depth and breadth of the risk management activities, risk assessment methodologies, …). A last important aspect of this process step is the development of risk criteria. These criteria should be consistent with the organization’s risk management policy and should be reviewed continually [see ISO 2008b, ln. 396-469].

• Risk assessment: Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. The aim of the first activity – risk identification – is to generate a comprehensive list of risks which may affect the achievement of the organization's objectives. In this context, the standard points out that it is important to also identify the risks associated with not pursuing an opportunity [see ISO 2008b, ln. 473-485]. The second activity – risk analysis – provides input to risk evaluation as well as to decisions on the most appropriate risk treatment measures. A particular risk is analyzed by determining its consequences and their likelihood. It is also emphasized that the confidence in the determination of risks and their sensitivity to preconditions and assumptions should be considered in the analysis and communicated effectively [see ISO 2008b, ln. 486-511]. The third activity – risk evaluation – involves comparing the level of risk determined during risk analysis with the defined risk criteria in order to prioritize the implementation of adequate measures for treating/mitigating the risk [see ISO 2008b, ln. 512-524].

• Risk treatment: Risk treatment involves the selection of one or more options to avoid, reduce, transfer/share or accept/self-carry risks, as well as the implementation of appropriate measures. The choice of the most appropriate risk treatment option involves balancing the costs and efforts of implementation against its benefits (which need not be exclusively monetary). When selecting risk treatment options, the organization should also consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. It should also be taken into account that risk treatment itself can introduce new risks, such as the failure or ineffectiveness of risk treatment measures. Therefore, adequate monitoring needs to be an integral part of the risk treatment plan. Finally, the context of the risk treatment plan (e. g. the expected benefits, performance measures, resource requirements, timing and schedule, …) should be documented [see ISO 2008b, ln. 525-573].

• Monitoring and review: Regular and ad hoc monitoring and review activities should encompass all aspects of the risk management process and refer to all the steps described above. They aim e. g. at analyzing and learning lessons from events, detecting changes in the external and internal context, ensuring that the risk treatment measures are effective and identifying emerging risks [see ISO 2008b, ln. 574-590].


Figure 03: ISO 31000 – process for managing risks
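The process steps described above (risk analysis by likelihood and consequence, risk evaluation against risk criteria, selection of a treatment option by weighing its cost against its benefit, and the sensitivity of the result to the assumptions made) can be made concrete with a small worked example. The following Python script is an added illustration, not part of the ISO/DIS 31000 text or of this paper. The risk register, the risk criteria, the treatment options and all figures are constructed for the example. The aggregation step (element 7 "risk aggregation" of Appendix A, which the process description does not spell out) assumes the risks are independent and computes the loss distribution exactly by enumerating all occur/not-occur combinations, which for a handful of risks is simpler and more transparent than a Monte Carlo simulation.

```python
"""Worked illustration of the ISO 31000 process steps risk analysis, risk evaluation,
risk treatment and risk aggregation. Added example: all risks, criteria and figures are
constructed and are not taken from the standard or the paper."""
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # ordinal 1 (rare) .. 5 (almost certain), qualitative analysis
    consequence: int           # ordinal 1 (negligible) .. 5 (severe), qualitative analysis
    annual_probability: float  # quantitative analysis: probability of occurrence within one year
    loss_if_occurs: float      # quantitative analysis: loss in currency units if the event occurs


@dataclass(frozen=True)
class Treatment:
    option: str                # one of avoid / reduce / share / retain
    annual_cost: float         # cost of implementing and operating the measure per year
    residual_probability: float
    residual_loss: float


# Risk criteria as they would be defined when "establishing the context" (assumed values).
CRITERIA = {
    "accept_below": 6,                   # level < 6: accept and monitor only
    "escalate_from": 15,                 # level >= 15: escalate to top management, treatment mandatory
    "annual_loss_appetite": 100_000.0,   # tolerated total loss per year
    "max_exceedance_probability": 0.10,  # tolerated probability of exceeding the appetite
}


def risk_level(risk: Risk) -> int:
    """Qualitative level of risk: likelihood x consequence on a 5x5 matrix."""
    return risk.likelihood * risk.consequence


def evaluate(risk: Risk, criteria: dict = CRITERIA) -> str:
    """Risk evaluation: compare the analysed level of risk with the risk criteria."""
    level = risk_level(risk)
    if level >= criteria["escalate_from"]:
        return "escalate"
    if level >= criteria["accept_below"]:
        return "treat"
    return "accept"


def expected_annual_loss(probability: float, loss: float) -> float:
    return probability * loss


def select_treatment(risk: Risk, options: List[Treatment]) -> Treatment:
    """Risk treatment: choose the option whose expected-loss reduction most exceeds its cost.
    Retaining the risk (no measure, no cost) is always a candidate."""
    retain = Treatment("retain", 0.0, risk.annual_probability, risk.loss_if_occurs)
    baseline = expected_annual_loss(risk.annual_probability, risk.loss_if_occurs)

    def net_benefit(t: Treatment) -> float:
        residual = expected_annual_loss(t.residual_probability, t.residual_loss)
        return (baseline - residual) - t.annual_cost

    return max([retain] + options, key=net_benefit)


def aggregate(risks: List[Risk], appetite: float, probability_factor: float = 1.0) -> Tuple[float, float]:
    """Risk aggregation by exact enumeration of all occur/not-occur combinations of
    independent risks. Returns (expected total annual loss, probability that the total
    loss exceeds the appetite). probability_factor scales every probability, which
    serves as a simple sensitivity analysis of the assumptions."""
    expected, p_exceed = 0.0, 0.0
    probs = [min(1.0, r.annual_probability * probability_factor) for r in risks]
    for outcome in product((False, True), repeat=len(risks)):
        p, loss = 1.0, 0.0
        for occurs, r, pr in zip(outcome, risks, probs):
            p *= pr if occurs else 1.0 - pr
            loss += r.loss_if_occurs if occurs else 0.0
        expected += p * loss
        if loss > appetite:
            p_exceed += p
    return expected, p_exceed


# Constructed risk register for the illustration.
REGISTER = [
    Risk("ransomware on file servers", 3, 4, 0.20, 300_000.0),
    Risk("loss of a key supplier", 2, 3, 0.10, 150_000.0),
    Risk("minor regulatory fine", 4, 1, 0.40, 20_000.0),
    Risk("data centre flooding", 1, 5, 0.02, 900_000.0),
]

# Constructed treatment options for the first risk.
RANSOMWARE_OPTIONS = [
    Treatment("avoid", 200_000.0, 0.0, 0.0),         # decommission the servers: no risk, prohibitive cost
    Treatment("reduce", 25_000.0, 0.20, 60_000.0),   # offline backups and endpoint detection: smaller loss
    Treatment("share", 30_000.0, 0.20, 100_000.0),   # cyber insurance with a 100 000 deductible
]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:28s} level={risk_level(r):2d} -> {evaluate(r)}")
    best = select_treatment(REGISTER[0], RANSOMWARE_OPTIONS)
    print(f"treatment for {REGISTER[0].name}: {best.option}")
    exp, p_ex = aggregate(REGISTER, CRITERIA["annual_loss_appetite"])
    print(f"expected total loss {exp:,.0f}, P(loss > appetite) = {p_ex:.3f}")
    exp2, p_ex2 = aggregate(REGISTER, CRITERIA["annual_loss_appetite"], probability_factor=1.5)
    print(f"with all probabilities +50%: P(loss > appetite) = {p_ex2:.3f}")
```

Run stand-alone, the script rates each risk on the qualitative matrix, picks "reduce" for the ransomware risk because its expected-loss reduction exceeds its cost by the widest margin, and shows why aggregation matters: four risks which individually are rated "accept" or "treat" add up to an expected annual loss of 101 000 and a 29 % probability of exceeding an appetite of 100 000, well above the tolerated 10 %. Scaling all probabilities by 1.5 raises that to 42 %, which is the kind of sensitivity to preconditions and assumptions that the standard asks to be considered in the analysis and communicated.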

Annex – Attributes of enhanced risk management: The closing section of the document contains a collection of attributes representing a high level of performance in managing risk. These attributes are:

a) Emphasis on continual improvement in risk management,

b) Comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks,

c) All decision making within the organization, whatever the level of importance and significance, involves the explicit consideration of risks,

d) Continual communication with internal and external stakeholders,

e) Risk management is viewed as central to the organization's management processes.

This list is intended to help organizations measure their own performance against the criteria outlined in the annex; for this purpose, some tangible indicators are given for each attribute [see ISO 2008b, ln. 601-659].


4 COSO ERM and ISO 31000 – a comparison

As already mentioned above, generic risk management standards should – first of all – provide clear, unambiguous and consistent terms and definitions and describe essential components, processes and organizational structures. Moreover, they should meet the following requirements [see Winter 2007, pp. 137-138]:

• Completeness: The principles described by a standard should cover all aspects of implementing and operating a risk management system.

• Generic breadth: The principles described by a standard should not set any constraints limiting its applicability but instead be suitable for as wide a range of organizations as possible (i. e. independent of their industry, legal structure, activities, products, location, size, …).

• Usability: The principles described by a standard should be comprehensible and practicable.

• Integration: The principles described by a standard should make clear how the risk management system can interact with or be integrated into other management systems (e. g. quality management, internal control, …).

• External assessment: The principles described by a standard should provide an adequate basis for an independent, objective assessment by (external) experts, e. g. by being suitable for third-party certification.

As all standards refer to the same subject, it is not surprising that the elements described by them are – to a large extent – quite similar. Nevertheless, the particular standards do show some significant differences. In this context, a predominant role can be assigned to the criterion of "completeness". If a standard is not to be limited to certain risk categories or industries (as outlined in section 1), but is instead to serve as a robust basis for the design and implementation of a really comprehensive risk management system, the complete coverage of all risk management related topics is a prerequisite. Therefore, special attention will be paid to this issue in the following comparison between COSO ERM and ISO 31000.


Completeness: To outline the differences between particular standards regarding their completeness, it seems useful to compare them on the basis of a standardized catalogue containing the most important components a truly comprehensive risk management standard should incorporate. Possible taxonomies for structuring these requirements were proposed e. g. by Weidemann and Wieben [see Weidemann/Wieben 2001] and Neubeck [see Neubeck 2003]. In addition, some of these requirements are also reflected in the relevant accounting & auditing standards (e. g. the German IDW PS 340 [see IDW 2000]), which are mainly used for compliance assessments of risk management systems. Further input on this topic can also be found in the evaluation schemes used by rating agencies to assess the adequacy and efficiency of enterprise-wide risk management systems [see e. g. S&P 2006].

The most comprehensive evaluation scheme for risk management systems to date was developed by Winter [see Winter 2007, p. 149]. Over the last few months, a special interest group of the German "Risk Management Association (RMA) e. V." – a professional organization of academics and risk managers from a wide range of industries – worked on expanding and refining this scheme [see RMA 2008]. Appendix A contains an overview of the results of these efforts. To assess the (quantitative and qualitative) completeness of risk management standards, the criteria outlined in this catalogue are applied to the COSO ERM and the ISO 31000. By using the scale shown in Appendix B to evaluate the elements shown in Appendix A, a comparison between the COSO ERM and the ISO 31000 can be accomplished. The results of this effort – which again are mainly based on an assessment by the special interest group of the Risk Management Association already mentioned above – are shown in Appendix B [see also Winter 2007, p. 150; RMA 2008].

It becomes clear that both the COSO ERM and the ISO 31000 cover a wide range of topics and almost completely meet the requirements outlined in the catalogue. Nevertheless, COSO ERM as well as ISO 31000 show substantial gaps regarding the element "business continuity/crisis management". In the case of ISO 31000 this can be explained – as already mentioned – by the explicit exclusion of these issues, as they are the subject of ISO 22399. However, by neglecting this area and its integration with the other components of a risk management system, an organization might lose sight of pivotal issues, possibly leading to a reduced efficiency of the risk management system and to reduced acceptance by internal and external stakeholders [see Winter 2007, p. 151].

Generic breadth & usability: As the next two requirements show a significant trade-off, it makes sense to examine them jointly. When analyzing the criterion "completeness" (as documented in Appendix B), this issue was not only considered in a merely quantitative way. By assessing whether, and to which extent, a particular standard provides detailed descriptions of certain elements and practical guidance for their implementation, it is also possible to draw some conclusions regarding the generic breadth and the practical usability of the COSO ERM and the ISO 31000.

In general, the evaluation shows that the COSO ERM covers most of the topics on a more detailed level and with higher attention to practical relevance than the ISO 31000. In addition to the original standard, COSO also provides a document called "Application Techniques", which contains detailed descriptions, practical illustrations and examples of how to implement the different concepts, components and processes outlined by the COSO ERM [see COSO 2004b].

The perceivable deficiencies of the ISO 31000 regarding usability are mainly due to the fact that the ISO 31000 follows a very broad approach with great emphasis on the standard's universal applicability. However, while the COSO ERM seems to be very much focused on "typical" enterprises, the generic approach chosen by the ISO 31000 shows higher flexibility and should therefore be better adaptable to the needs of other entities, such as non-government/non-profit organizations & associations or companies in the public sector.

Although the ISO 31000 is not finalized yet, it seems very unlikely that its generic/high-level approach will be changed to incorporate more operational aspects. Moreover, it seems equally unlikely that the ISO 31000 will be supplemented with additional guidelines, tools, examples, checklists or similar material providing support for the practical implementation of the standard (in the case of the ONR 49000 and the AS/NZS 4360, e. g., this was primarily accomplished by including annexes covering certain topics in detail).

However, as the ISO seems to be very much aware that an improvement of the usability of its risk management standard is crucial for its success, it started an initiative to develop sub-standards which should provide a more in-depth view of the practical aspects of implementing a risk management system. The first of these projects – which was started in December 2006 as a joint effort of the ISO and the International Electrotechnical Commission (IEC) – focuses on the development of a standard covering the process step of "risk assessment" (the "IEC 31010 – Risk Management – Risk Assessment Techniques"). This standard has since reached the status of a "Committee Draft" (the third of the six stages of the approval process), with its final version scheduled to be released by mid-2009 [see IEC 2008]. The document contains a relatively detailed description of 31 different approaches for risk assessment (e. g. Markov analysis, Monte Carlo simulation, Bayesian statistics and Bayes nets, Event Tree Analysis (ETA), Failure Modes and Effects Analysis (FMEA), …) [see IEC 2008, pp. 33-93]. As it has not yet been decided which other aspects of the ISO 31000 should be covered by particular sub-standards, improving the usability of the ISO 31000 remains a major issue.

Integration: Regarding the criterion of "integration", both the COSO ERM and the ISO 31000 emphasize the importance of connecting the risk management system with existing management (sub-)systems. Due to the different backgrounds of the two standard setters – and therefore not surprisingly – the COSO ERM focuses more on the relationship between risk management and strategic planning as well as internal controls, while the ISO 31000 emphasizes the link between risk management and operative systems (e. g. quality management). However, both standards extensively point out that the objectives of the risk management system should be aligned with and consistent with the strategic objectives of an organization, and that the risk management system should exchange information with other management systems.

External assessment: Unlike other popular standards (e. g. "ISO 9000 – Quality Management Systems"), neither the COSO ERM nor the ISO 31000 is intended to be used for a formal certification of an organization's risk management system. In the case of the ISO 31000, this is even stated explicitly [see ISO 2008b, ln. 172]. Nevertheless – as already mentioned above – the COSO ERM has substantially influenced major regulatory requirements, so many concepts of this framework can also be found in the relevant guidelines and standards for auditing and accounting professionals. Therefore, some kind of "de facto" certification – at least for certain components of a risk management system – has emerged, e. g. when an auditor certifies that the internal controls used by an organization comply with the relevant legal requirements, which in turn are based on the COSO ERM framework.

For a quick overview of the results of the comparison between the COSO ERM and the ISO 31000, table 02 briefly summarizes the findings described above [see also Winter 2007, p. 151].

Table 02: Comparison between COSO ERM and ISO 31000 (☺ = requirement met to a high degree; the ratings for "completeness" and "external assessment" are not preserved in this copy of the table)

Element             | COSO ERM | ISO 31000
--------------------|----------|----------
Completeness        |          |
Generic breadth     |          | ☺
Usability           | ☺        |
Integration         | ☺        | ☺
External assessment |          |


5 Conclusion & Outlook

As shown in the sections above, both the "COSO Enterprise Risk Management – Integrated Framework" and the "ISO 31000 – Risk management – Principles and guidelines on implementation" can provide useful support for organizations aiming at designing and implementing an appropriate enterprise-wide risk management system. Except for the element "business continuity/crisis management", both standards provide an almost complete and consistent framework incorporating all important aspects of a comprehensive risk management system. Because of their maturity, their holistic approach and their methodological consistency, both the COSO ERM and the ISO 31000 can help organizations to actually realize the potential benefits connected with the application of a generic risk management standard (see section 2).

By pointing out some differences between the COSO ERM and the ISO 31000, it became clear that both approaches have certain advantages and disadvantages. Therefore, some potential future developments of the "risk management standards landscape" will finally be discussed. Given the situation that – on the one hand – there is a well-established standard and – on the other – there is an emerging new one (which in fact incorporates a great variety of concepts that can be found in well-established standards), one of the following three scenarios (or a combination of them) seems likely:

(a) The ISO 31000 turns out to be "just another standard", (more or less "peacefully") coexisting alongside other frameworks,

(b) the ISO 31000 becomes some kind of "meta-standard", acting as a reference point or generic basis upon which other standards are enhanced and further developed,

(c) the ISO 31000 gradually substitutes other standards.

Scenario (a) seems most likely for the relationship between the ISO 31000 and the COSO ERM. Organizations which have already implemented a risk management framework according to the COSO ERM will probably see little benefit in engaging with another standard. Furthermore, as the COSO ERM has also influenced a remarkable number of regulatory requirements, its continuing popularity and widespread use seem assured. Finally, there seems to be no incentive for the US auditing and accounting associations, as the predominant promoters of the COSO ERM, to abandon the standard they have been working on for the last 20 years and replace it by a new one. Nevertheless, as the ISO points out some new aspects (e. g. the emphasis on the efficiency of risk management systems) and works on detailing some existing ones (e. g. the in-depth description of risk assessment in the IEC 31010), having a close look at the new standard might be worth the effort – even for organizations which have already implemented the COSO ERM. Moreover, due to its generic breadth and high flexibility, the ISO 31000 could prove more adequate for organizations looking for a standard which is less focused on the needs of a "typical" company with "typical" business. Therefore, the ISO 31000 could be an interesting option especially for non-profit/non-government organizations & associations as well as entities in the public sector.

Scenario (b) seems most likely for the relationship between the ISO 31000 and both the AS/NZS 4360 and the ONR 49000, at least in the near future. A first indication supporting this assumption might be the updated version of the "ONR 49000:2008 – Anwendung von ISO/DIS 31000 in der Praxis" ["practical application of the ISO/DIS 31000"], which was released on June 1st, 2008 by the Austrian standard setting body ("Österreichisches Normungsinstitut, ON") [see ON 2008, p. 3]. In this new release, the ONR 49000 was aligned with the ISO 31000, while at the same time the original concept of providing additional "hands-on" guidelines and tools for the implementation was continued or even enhanced. This kind of "job sharing" (the ISO provides a generic document, while other standard setters provide concrete guidelines for its practical implementation) could turn out to be a reasonable approach for the next few years – at least until the ISO itself is able to accomplish this, e. g. by developing a set of sub-standards for different areas like the IEC 31010 for risk assessment. While the Austrian standard setting body apparently has already decided to move in this direction, the position of the Australian and New Zealand standardization committees still seems to be unclear.

Finally, scenario (c) seems most likely for the relationship between the ISO 31000 and the remaining standards. As most of the other frameworks (e. g. the "IRMSA Code of practice") show some noticeable deficiencies regarding the criteria outlined in section 4, a decision to use one of these standards will be hard to justify for an organization once a mature, comprehensive and consistent standard for risk management becomes available.

Generally, a consolidation of the "standards landscape" seems quite probable in the long run, with the COSO ERM and the ISO 31000 (supplemented by a variety of sub-standards and – in the near term – by updated versions of the ONR 49000 and eventually the AS/NZS 4360) remaining as the two relevant generic standards for the design and implementation of a holistic, consistent and comprehensive risk management system.


Appendix A: Elements of risk management standards

Category | No. | Element | Description
---|---|---|---
basic principles | 1 | corporate strategy | consideration of risk management aspects within the corporate strategy & vision
basic principles | 2 | risk policy | basic principles regarding the handling of risks and the risk appetite, according to strategic objectives
basic principles | 3 | risk program | risk management objectives and activities
basic principles | 4 | organization/responsibilities | organizational elements, roles and responsibilities
planning | 5 | risk identification | methods, instruments and processes for the identification of risks
planning | 6 | risk assessment | methods, instruments and processes for the assessment of risks
planning | 7 | risk aggregation | methods, instruments and processes for the aggregation of risks
planning | 8 | risk mitigation | methods, instruments and processes for the mitigation of risks (avoid, reduce, transfer, self-carry)
control | 9 | implementation/controlling | implementation of a risk management system with adequate and efficient methods and processes
monitoring | 10 | continuous monitoring | continuous monitoring of all risks and counter measures
monitoring | 11 | periodical checks and reviews | periodical checks and reviews of the risk management system and structures
monitoring | 12 | management assessment | assessment of risk management efficiency and adequacy by top management
monitoring | 13 | system efficiency | assessment of risk management efficiency and adequacy by external parties (e. g. auditors)
information & communication | 14 | information supply | gathering of all necessary risk management information
information & communication | 15 | documentation | documentation of the assumptions, information, methods, processes, results ... related to risk management
information & communication | 16 | recording | recording and storage of the information attained
information & communication | 17 | internal reporting/communication | communication of risk management related topics to internal stakeholders (e. g. board, employees, …)
information & communication | 18 | external reporting/communication | communication of risk management related topics to external stakeholders (e. g. investors, regulators, …)
management of resources | 19 | human resources | skills necessary to implement and operate the risk management system
management of resources | 20 | other resources | other resources necessary to implement and operate the risk management system (e. g. IT, consulting, …)
other aspects | 21 | business continuity/crisis management | reactive measures after damages have occurred to limit their impact and restore normal operations
other aspects | 22 | interfaces to other management systems | relations and interactions with other management systems (e. g. accounting, quality management, …)


Appendix B: Comparison of COSO ERM and ISO 31000 regarding their completeness

The coverage ratings (one symbol per standard and element, on the scale given below) are not preserved in this copy of the table; only the structure of the table and the rating scale remain.

Category | No. | Element | COSO ERM | ISO 31000
---|---|---|---|---
basic principles | 1 | corporate strategy | |
basic principles | 2 | risk policy | |
basic principles | 3 | risk program | |
basic principles | 4 | organization/responsibilities | |
planning | 5 | risk identification | |
planning | 6 | risk assessment | |
planning | 7 | risk aggregation | |
planning | 8 | risk mitigation | |
control | 9 | implementation/controlling | |
monitoring | 10 | continuous monitoring | |
monitoring | 11 | periodical checks and reviews | |
monitoring | 12 | management assessment | |
monitoring | 13 | system efficiency | |
information & communication | 14 | information supply | |
information & communication | 15 | documentation | |
information & communication | 16 | recording | |
information & communication | 17 | internal reporting/communication | |
information & communication | 18 | external reporting/communication | |
management of resources | 19 | human resources | |
management of resources | 20 | other resources | |
other aspects | 21 | business continuity/crisis management | |
other aspects | 22 | interfaces to other management systems | |

Rating scale:

no coverage: The particular element is not covered.

low coverage: The particular element is covered, but definitions and descriptions remain fragmentary.

medium coverage: The particular element is covered, definitions and descriptions are sufficient, but practical guidance remains fragmentary.

good coverage: The particular element is covered, and definitions and descriptions as well as practical guidance are sufficient.


References:

Ballou, B./Heitger, D. (2004): A Building-Block Approach for Implementing COSO's Enterprise Risk Management – Integrated Framework, in: Management Accounting Quarterly, vol. 6 (2004), no. 2, pp. 1-10.

Brühwiler, B. (2008): Der neue Risikomanagement-Standard ISO 31000 ["The new risk management standard ISO 31000"], in: ZRFG, vol. 3 (2008), no. 1, pp. 14-17.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) [ed.] (2004a): Enterprise Risk Management – Integrated Framework – Framework, New York 2004.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) [ed.] (2004b): Enterprise Risk Management – Integrated Framework – Application Techniques, New York 2004.

Eckert, S./Möller, K. (2006): COSO Enterprise Risk Management Framework, in: Controlling, no. 3/2006, pp. 161-163.

Erben, R. F. (2008): Das COSO-ERM-Framework als Ansatz zur Standardisierung von Risikomanagementsystemen ["The COSO ERM framework as an approach to standardizing risk management systems"], in: Bachert, R./Peters, A./Speckert, M. [eds.]: Risikomanagement in Non-Profit-Organisationen ["Risk management in non-profit organizations"], Baden-Baden 2008.

Foerschler, D./Scherf, C. (2007): COSO II – Enterprise Risk Management Framework in der operativen Revisionspraxis ["COSO II – Enterprise Risk Management Framework in operational internal audit practice"], in: ZRFG, vol. 2 (2007), no. 5, pp. 209-215.

International Electrotechnical Commission (IEC)/International Organization for Standardization (ISO) [eds.] (2008): IEC 31010 Ed. 1.0: Risk Management – Risk Assessment Techniques, Document No. 56/1268/CDV, May 23rd, 2008.

International Organization for Standardization (ISO)/WG on General Guidelines for Principles and Implementation of Risk Management [ed.] (2005): Terms of Reference as adopted by the ISO/TMB, Document No. NA 095-04-02 N 0007, June 22nd, 2005.


International Organization for Standardization (ISO) [ed.] (2008a): About ISO, published electronically: http://www.iso.org/iso/about.htm.

International Organization for Standardization (ISO) [ed.] (2008b): Risk management – Principles and guidelines on implementation, Draft International Standard ISO/DIS 31000, Geneva 2007.

Institut der Deutschen Wirtschaftsprüfer (IDW) [ed.] (2000): IDW PS 340 – Die Prüfung des Risikofrüherkennungssystems nach § 317 Abs. 4 HGB ["The audit of the early risk detection system according to § 317 para. 4 HGB"], Düsseldorf 2000.

Kuhn, H. (2006): Risikomanagement für Unternehmen – Was bringen die neuen Normen? ["Risk management for companies – what do the new standards deliver?"], in: MQ Management und Qualität, no. 6/2006, pp. 8-10.

Neubeck, G. (2003): Prüfung von Risikomanagementsystemen ["Auditing risk management systems"], in: Marten, K.-U./Quick, R./Ruhnke, K. [eds.]: Hochschulschriften zur Wirtschaftsprüfung, Düsseldorf 2003, pp. 85 f.

Nicklisch, H. (1912): Allgemeine Betriebslehre als Privatwirtschaftslehre des Handels und der Industrie ["General business theory as the private economics of commerce and industry"], vol. 1, Leipzig 1912.

Österreichisches Normungsinstitut (ON) [ed.] (2008): Zur Neuausgabe der ON-Regeln ONR 49000 – Anwendung von ISO/DIS 31000 in der Praxis ["On the new edition of the ON rules ONR 49000 – practical application of ISO/DIS 31000"] (Fachinformation 06), Wien 2008.

Risk Management Association e. V. [ed.] (2008): Bewertungsschema für Risiko Management Standards ["Evaluation scheme for risk management standards"], München 2008 (internal document, unpublished).

Ruud, T. F./Sommer, K. (2006): Enterprise Risk Management – Das COSO-ERM-Framework ["Enterprise Risk Management – the COSO ERM framework"], in: Der Schweizer Treuhänder, no. 3/2006, pp. 127-128.

Sarbanes, P. S./Oxley, M.; US Dept. of Justice [ed.] (2002): An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes, Washington 2002, published electronically: www.usdoj.gov.


Schmid, W. (2005): Risk Management Down Under (AS/NZS 4360:2004), in: RISKNEWS, no. 03/05, pp. 25-28.

Shortread, J. H. et al. (2003): Basic Frameworks for Risk Management, Network for Environmental Risk Management [eds.], 2003.

Simister, T. (2000): Risk Management – the need to set standards, in: Balance Sheet, vol. 8, no. 4, pp. 9-10.

Standard & Poor's [ed.] (2006): Insurance Criteria: Refining The Focus Of Insurer Enterprise Risk Management Criteria, London 2006.

Weidemann, M./Wieben, H.-J. (2001): Zur Zertifizierbarkeit von Risikomanagement-Systemen ["On the certifiability of risk management systems"], in: Der Betrieb, vol. 54 (2001), no. 34, pp. 1789-1795.

Weidemann, M. (2001): Der australisch-neuseeländische Standard AS/NZS 4360:1999 zum Risikomanagement ["The Australian/New Zealand risk management standard AS/NZS 4360:1999"], in: Der Betrieb, vol. 54 (2001), no. 50, pp. 2613-2618.

Winter, P. (2007): Risikocontrolling in Nicht-Finanzunternehmen – Entwicklung einer tragfähigen Risikocontrolling-Konzeption und Vorschlag zur Gestaltung einer Risikorechnung ["Risk controlling in non-financial companies – development of a viable risk controlling concept and a proposal for the design of a risk accounting system"], Lohmar/Köln 2007.