IRM ERM M1U2.1 Principles From International Standards Flashcards
Principles of IS
The majority of recognised standards include a section on Principles (for example, ISO 31000; COSO; Orange Book).
ISO 31000 has established 8 principles around the central purpose of risk management, which is the creation and protection of value.
COSO incorporates 20 principles, and the Orange Book has 5 principles.
The principles of risk management rest on the premise that it delivers value to the organisation by applying practices designed to achieve the best possible outcome, reducing volatility or uncertainty.
ISO 31000 Principles
The eight principles associated with the application of ISO 31000 are set out under the heading “Principles – Value Creation and Protection”. The Standard emphasises the integrated and structured nature of the recommended approach to risk management and also recognises the importance of human and cultural factors.
ISO 31000 defines the purpose of risk management as ‘the creation and protection of value’. It goes on to set out the eight principles which Hopkin and Thompson summarise as:
Framework and processes should be customized and proportionate.
Appropriate and timely involvement of stakeholders is necessary.
Structured and comprehensive approach is required.
Risk management is an integral part of all organisational activities.
Risk management anticipates, detects, acknowledges and responds to changes.
Risk management explicitly considers any limitations of available information.
Human and cultural factors influence all aspects of risk management.
Risk management is continually improved through learning and experience.
COSO Assessment by IRM
Overall, the COSO frameworks are strong on the context, leadership and support, but less detailed on the plan, implement, measure and learn features required of a management system standard.
The message for risk professionals is that their employer or client organisations should implement the COSO components and principles that are best suited to their particular circumstances and modify other components and principles, as necessary.
(ISO) guide to management system standards
The International Organization for Standardization (ISO) has published a guide to management system standards with details of the sections that should be included in a standard. This ISO guidance is published as Annex SL and several standards have already been converted into this format. ISO 9001 on quality management is the best established international standard and was updated in 2015 using the Annex SL format. Other standards have also been converted to the Annex SL format, including ISO 14001:2015 – Environmental management systems and ISO 45001 – Occupational health and safety management systems.
MADE2 Objectives of RM
The five objectives for risk management (mandatory, assurance, decision making, effective and efficient core processes) provide the acronym MADE2.
Main requirement of The Sarbanes–Oxley Act of 2002 (SOX)
This in turn allows for better reporting of information by organizations, including risk information. The Sarbanes–Oxley Act of 2002 (SOX) in the United States has accuracy of financial reporting as its main requirement. It
COSO (2017) Principles
The COSO (2017) ERM Framework comprises five components incorporating 20 principles, which describe practices that allow the implementation of enterprise risk management in different ways for different organisations regardless of size, type or sector. The components and principles of the COSO (2017) ERM Framework are listed below:
Governance and culture
- Exercises Board Risk Oversight
- Establishes Operating Structures
- Defines Desired Culture
- Demonstrates Commitment to Core Values
- Attracts, Develops, and Retains Capable Individuals
Strategy and objective-setting
- Analyses Business Context
- Defines Risk Appetite
- Evaluates Alternative Strategies
- Formulates Business Objectives
Performance
- Identifies Risk
- Assesses Severity of Risk
- Prioritizes Risks
- Implements Risk Responses
- Develops Portfolio View
Review and revision
- Assesses Substantial Change
- Reviews Risk and Performance
- Pursues Improvement in Enterprise Risk Management
Information, communication and reporting
- Leverages Information Systems
- Communicates Risk
- Reports on Risk, Culture, and Performance
PACED Principle
Attributes of effective risk management
The principles of risk management can be combined into five attributes of effective enterprise risk management. These attributes are captured in the acronym PACED:
Proportionate – a structured process is customised and tailored to suit the organisation and the activity that is being undertaken – “one size does not fit all”. At the same time there is consistency in the overall process and the language used, so that there is common understanding of the risk management process, the risks, and the controls and actions to manage them.
Aligned – the process is integrated with other organisational activities, so that business can continue as usual with ERM as a touchpoint into those different activities and an escalation and cascade mechanism to allow effective management of risks and risk reporting.
Comprehensive – the process encourages consistency in the risk management process, and consideration of risks and controls across the organisation and outside of it. This allows effective oversight and understanding of the overall risk profile and improves the understanding of existing, new and emerging risks from both the internal and external context of the organisation, so considering what is going on in the world around it.
Embedded – the ERM framework and process encourage a change in risk attitudes, behaviour and culture, to help progress risk management maturity and awareness of its value to the organisation.
Dynamic – the process does not finish with the completion of the risk register. Although it is important to collate the risk information, this is only ‘risk register writing’, it is not risk management. The energy needs to keep flowing through the process, and effort needs to be invested in how to keep the process alive for the organisation so that it can continue to support decision making and add value.
Use of risk management standards for listed companies
For organizations listed on the New York Stock Exchange, the COSO ERM framework is the preferred risk management standard, along with the COSO internal control framework, which is a requirement of the Sarbanes–Oxley Act of 2002 (SOX). SOX also applies to subsidiaries of US-listed companies around the world.
The Guidance on Risk Management, Internal Control and Related Financial and Business Reporting from the UK’s Financial Reporting Council
The Guidance on Risk Management, Internal Control and Related Financial and Business Reporting from the UK’s Financial Reporting Council was updated in 2014 and is considered by the Securities and Exchange Commission in the United States to be an acceptable alternative to the COSO internal control framework for SOX compliance.
3 approaches followed in the various standards
There are three distinct approaches followed in the various standards:
‘risk management’, followed by ISO 31000;
‘internal control’, developed by COSO internal control framework and by the FRC risk guidance;
‘risk-aware culture’, developed by the Canadian Institute of Chartered Accountants, known as the criteria of control (CoCo) framework.
PIML and PDCA or OPDCA or PDSA
The stages involved in achieving successful enterprise risk management are structured in a plan, implement, measure and learn (PIML) format.
This is very similar to the plan–do–check–act format followed in several international standards and often referred to as PDCA. PIML is intended to indicate a more structured and analytical approach.
The PDCA construct emanates from the ‘quality’ management process and can be traced to the 1920s. It is sometimes called the ‘Deming’ cycle and has had some additions in the intervening years, including ‘Observation’ as an initial step and ‘Study’ as an interim step. Regardless of whether it is OPDCA (for observation) or PDSA (with S for study), the main idea is that it is a consistent way of analysing an issue and, through taking planned steps, making an improvement to a process which can be reviewed and then, after further planning, itself improved upon.