RIMS (which modestly claims the descriptive subtitle of ‘the risk management society’) has released an Executive Report: An Overview of Widely Used Risk Management Standards and Guidelines.
I am recommending a read of the report* for its comparison and comments about ISO 31000:2009, COSO ERM Framework, BS 31100:2008, FERMA: 2002, and Solvency II. Unfortunately, RIMS included OCEG’s Red Book as if it were a risk management framework, which it most definitely is not, and the analysis is not accurate (to my knowledge, RIMS did not contact any of the OCEG principals, so the misunderstanding of OCEG’s mission and its documents is understandable.) So, I am not commenting on RIMS’ analysis of the OCEG guidance.
Here are points I highlighted:
- “There are more similarities than differences among the reviewed standards and guidance documents.” I am not sure I fully agree with this statement, although I concur that the ISO and COSO documents agree on many important principles. I expect the ISO evangelists to take great exception to the RIMS statement.
- “Standards and guidelines tend to be conceptual with little guidance on practical implementation.” I think this is a little unfair as there are many practical guides on implementing ERM using COSO or ISO, and official ISO (or member country) guidance is on its way.
- “What ISO 31000 does it put the emphasis squarely on risk management as a strategic discipline for making risk-adjusted decisions, rather than as a compliance-based function.” Although I would prefer talking about ‘risk-intelligent’ decisions, I agree that ISO supports a strategic role for risk management.
- “In comparing ISO 31000 to the RIMS RMM attributes [the reference is to the RIMS Risk Maturity Model] we note that there is little discussion of a portfolio view and interrelated dependencies that risks may have on an organization’s objectives.” I understand this point and agree that the text in ISO around evaluating risks is limited. But it is covered.
- In its discussion of the British standard, BS 31100:2008, RIMS finds fault in a lack of detailed coverage of business continuity management. I find this troubling, as ERM is so much more than contingency planning and I would find fault in any risk management standard or framework that gave it too much attention.
- “The biggest change [resulting from ISO’s work] is shifting an organization’s risk focus from a rear-window view to what we call ‘a global positioning orientation’. In addition to focusing on preventing or mitigating known risks, what is the organziation facing on the road up ahead that may get in the way of achieving its objectives?” They continue: “ISO 31000’s shift in the view does not replace what risk management already brings to organizations. It expands the value that risk managers can add.” This is excellent, as is the next point.
- “The fundamental organizational need related to this shift is to broaden risk management competencies from reactive to proactive across the enterprise. Thinking about risk in a predictive and strategic way not only protects the value of an organization, it proactively helps to create and capture value – all in alignment with the organization’s objectives.” Well said!
- “ISO 31000, while universally applicable in its adaptability and simplicity, may be most helpful to rapidly changing organizations, those with constrained implementation resources, and those looking for greater flexibility in their strategic and operational risk management practices.” Since these are the organizations that would benefit most from effective ERM, doesn’t that mean if you want ‘good ERM’, use ISO?
- “COSO’s framework too has evolved, moving from a controls approach to a strategic approach.” It is refreshing to see COSO, for once, not being bashed as an auditor’s, controls-focused framework. It is not.
What do you think?
- Which risk framework/standard do you prefer and why?
- Have RIMS described the standards well?
- Do you agree with the analysis and/or my comments?
*Disclosure: I have been flattered by being made a Fellow of OCEG and an Honorary Fellow of IRM. Neither relationship, nor any person affiliated with either organziation, has affected this post – it is my honest and independent opinion. I should also say that (at least until they read this), I am on good relations with Dorothy Gjerdrum and Carol Fox, both of whom are named as contributors to the report.