IRM ERM M1U1.5 ERM Standards And Framework Flashcards
Where and when the first ever risk management standard was released
The first risk management standard, AS/NZS 4360, was released in 1995 (Standards New Zealand, 2013).
ISO 31000 (2018) RM Principles, Framework and Processes
ISO 31000 (2018), Risk Management - Guidelines, is the international standard on risk management which considers:
what good risk management looks like – the Principles
what is needed to implement effective risk management – the Framework
what the steps are in risk management – the Process.
Can ISO 31000 be used for certification?
ISO 31000 cannot be used for certification purposes (unlike the quality management standard ISO 9001). However, it does provide guidance for organisations and for internal and external audit programmes, because it can be used to compare an organisation's risk management practice against an internationally recognised benchmark, looking at the principles for effective management, assurance and corporate governance.
RASP stands for?
To explain the content of the risk management framework, the acronym RASP, ‘Risk Architecture, risk Strategy and risk Protocols’, has been developed. RASP is the supportive structure of the risk management process: it is what determines how the process works.
Risk standard
Risk standard – A published guide for managing risk, usually comprising a risk framework and (especially) a risk process.
Risk framework
Risk framework – Also known as the risk management context. This comprises RASP (the risk architecture, risk strategy and risk protocols) and forms the risk context which helps to drive the risk process.
Risk process
The stages in the process of managing risk, which is driven mainly by how the framework is set up (but is also affected by the internal and external environment).
COSO 2004
The COSO (2004) Enterprise Risk Management – Integrated Framework (known as the COSO ERM Cube) was developed in the US (United States) by COSO (the Committee of Sponsoring Organizations of the Treadway Commission).
COSO ERM Cube
The COSO ERM framework is displayed as a cube where:
The front face is the risk management process, consisting of eight components.
The top face of the cube describes the four categories of organisational objectives (strategic, operations, reporting and compliance).
Finally, the side face of the cube shows the implementation levels of the standard. It indicates that ERM begins at entity level and is then cascaded downwards and across the organisation. In that sense, a fully implemented ERM must be embedded in all roles, operations and activities of the enterprise.
COSO ERM rainbow double helix 2017
The COSO (2017) Enterprise Risk Management – Integrating with Strategy and Performance (known as the COSO ERM rainbow double helix) is an update to the COSO ERM Cube, reflecting the changing complexity of risks and the evolving business environment. In particular, the new ERM framework emphasises that organisations that integrate enterprise risk management throughout the entity can realise many more benefits.
The update was also needed to provide greater insight into the links between strategy, risk and performance, and to highlight the interconnectedness of risks and the effect that risk culture has on the effective implementation of risk management.
Industry-specific standards
Hopkin refers to one specialist standard, COBIT, which provides guidance on information technology governance and risk management. Other industry-specific standards include:
Banking – Basel III
Insurance – Solvency II
Health and safety – ISO 45001 (the ISO 45000 family) – Occupational health and safety
Legal – ISO 31022 – Risk Management: Guidelines for the management of legal risk
Business Continuity – ISO 22301 – Business Continuity
Projects – Association for Project Management – PRAM (Project Risk Analysis and Management) Guide.
Three distinct approaches followed in standards:
‘risk management’ approach, followed by ISO 31000
‘internal control’ approach, developed in the COSO Internal Control – Integrated Framework and in the FRC (Financial Reporting Council) risk guidance
‘risk-aware culture’ approach, developed by the Canadian Institute of Chartered Accountants in its Criteria of Control framework, known as CoCo
The Orange Book 2020
The Orange Book 2020 (HM Treasury, Management of Risk: Principles and Concepts) was written for UK government and the wider public sector. However, its concepts and principles provide valuable insight into risk management in general. The Orange Book sets out the main principles to adopt rather than detailed processes and procedures: it is the “what” and the “why”, but not the “how”.
Orange Book 5 main principles of Risk Management.
The rest of the Orange Book explores five main principles of risk management:
Governance and Leadership
Integration
Collaboration and Best Information
Risk Management Processes
Continual Improvement.