FINALLY! – A Much Needed ERM Global Standard: ISO31000

During the past fifteen years or so, numerous organizations and regulatory bodies have defined risk and enterprise risk management. Most of these have treated risk purely negatively, that is, as harmful events, catastrophes and the like. Standards included COSO and others.

More recently, AS/NZS4360:2004 (the Australian/New Zealand ERM Standard) for the first time defined risk neutrally, i.e. 'the chance of something happening that will have an impact on objectives'. This standard received widespread acclaim and was adopted by a number of countries. Finally, it became the basis for the new ISO31000:2009 standard released this year.

We would suggest that the Vocabulary of Risk Management (ISO/IEC Guide 73:2009) is just as important as, if not more important than, the Standard itself. So many organizations we visit each year misunderstand the definitions and thus confuse a risk with an event, a cause or a consequence. These organizations spend too much time defining a glossary for the organization, and in doing so make compromises that ultimately defeat the ERM process. The Guide and the Standard together bring a common approach that is easily understood and, if followed, allows organizations to rapidly deploy ERM and thus spend their time actually managing and treating risks.

There are a few key highlights of ISO31000 that impress us by the way they have been drafted.

The first one is the actual definition of risk, which is ‘the effect of uncertainty on objectives’. So risk is not about the ‘event’, but rather the ‘effect’, specifically on objectives. This definition puts risk at the heart of the organization, i.e. strategy. So finally the board and stakeholders can relate risks to objectives, and thus to the things that will affect the achievement of the objectives set. By way of an example, let's take the meltdown in the markets last year. The risk to the organization is not the market crashing. Rather, it’s the chance that a crash will affect (whether negatively or positively) the company's objectives, such as its ability to raise capital (negative) or its ability to execute a buy-back (positive, since the company may have cash while the share price is down).

Secondly, there is a clearly defined risk management process that should be adhered to. This involves (i) establishing the context (defining what we want to achieve, and the internal and external factors that influence the objectives); (ii) risk assessment, comprising risk identification, analysis and evaluation; and (iii) treatment. Coupled with this are the continuous activities carried out throughout the process, which are (i) communication and consultation with stakeholders and (ii) monitoring and review. (Download the draft Standard here)

Finally, we find that organizations become confused and interchange the concepts of ‘risk appetite’ and ‘risk tolerance’. ISO31000 provides clarity in this regard.

Risk Appetite is defined as the ‘amount and type of risk that an organization is prepared to pursue, retain, or take’. Risk appetite thus deals with the type of risks and the related exposure. Risk appetite remains a highly subjective item that is difficult to gauge. In order to define risk appetite, one needs to understand the nature of the risk and how it influences the related objectives. Risk appetite should be established right at the beginning of the risk process, on a risk-by-risk basis, through a set of criteria.

Risk Tolerance is defined as ‘an organization’s…readiness to bear the risk after risk treatment in order to achieve its objectives’. So, simply put, when one gets to evaluating the risk, one needs to do an analysis (such as cost:benefit) which helps one decide which treatment to use. The link between risk appetite and risk tolerance comes into play here, since typically one would do the analysis of risk tolerance for each set of criteria established as part of the risk appetite work.

Cura has created its Bridgework advisory and solution template to allow customers to rapidly adopt a comprehensive ERM approach using the ISO31000 standards and frameworks. The idea is to bridge the gap from risk assessment programmes, risk compliance approaches, and immature and/or non-existent risk management in organizations to a strong foundation.

To find out more, contact our advisory team at advisory@curasoftware.com

Download the ISO 31000 Standard (Final Draft)

Copyright 2010 Cura Software Solutions. All rights reserved.