IRM ERM M1U2.5 Risk management processes Flashcards
Key risk management standards and frameworks
ISO 31000
(
2018
)
.
COSO
(
2004
)
.
COSO
(
2017
)
.
Orange Book
(
2020
)
8 RM Steps of ISO 31000 process
- Communication and consultation.
- Scope, context, criteria.
- Risk assessment – risk identification.
- Risk assessment – risk analysis.
- Risk assessment – risk evaluation.
- Risk treatment.
- Monitoring and review.
- Recording and reporting.
ISO difference from other standarts
A difference from other standards is the combination of risk identification, risk analysis and risk evaluation within the over-arching section of risk assessment
Although the standard starts with communication and consultation, most organisations using this approach start with the scope context and criteria.
In the earlier version ofthis standard, this step was called ‘establish the context,’ which you may see used in different sources of risk management information and by many organisations.
8 Key Steps of COSO 2004 process
Internal environment.
Objective setting.
Event identification.
Risk assessment.
Risk response.
Control activities.
Information and communication.
Monitoring.
In this approach, the term risk assessment is used, which covers both the analysis and evaluation steps within ISO 31000.
COS 2017 process
In this version of the COSO ERM Framework the risk management framework and the process are woven together.
The steps of understanding the context and the objectives are captured within the first two components of the framework:
1) Governance and culture and
2) Strategy and objective setting.
More recognisable riskmanagement process steps are within the third component, 3) Performance:
Identifies risk.
Assesses severity of risk.
Prioritises risk.
Implements risk responses.
Develops portfolio view.
In this approach, the terms assess and prioritise are used, which relate to the analysis and evaluation steps within ISO 31000.
The ‘rest’ of the risk management process is captured in the last two components: 4) Review and revision and 5) Information, communication and reporting.
Orange book 2020 process
The Orange Book comprises a combination of a risk management framework, principles and the process, where it is stated that risk management shall be:
Principle A – an essential part of governance and leadership.
Principle B – an integral part of all operational activities.
Principle C – collaborative and informed by the best available info.
Principle D – have structure processes.
Principle E – continually improved.
c
Principle D includes the main steps of the process which comprise:
Risk identification and assessment.
Risk treatment.
Risk monitoring.
Risk reporting.
In this approach, risk assessment aligns to the ISO 31000 steps of analysis and evaluation. The Orange Book framework is closely aligned to ISO 31000 in its language andapproach.
4 key approaches considered in ISO 31000, COSO 2004 and 2017 and the Orange Book.
- Define context and objectives - understanding both the external and internal context in which we are operating and clarifying what we are trying to achieve – ourobjectives.
- Assess the risks - Identifying risks that we face, analysing them to see which are the biggest risks, and evaluating them to determine whether they are acceptable orwhether action is needed to manage them further
- Manage the risks – implement controls and additional actions that take charge of and change the risks
- Monitor, Review and Report – consider changes in the risks, controls and context to ensure risks are being managed effectively and new and emerging risks areconsidered appropriately.
How long does it take to establish ERM
A fully compliant ERM program can be established in 1-2 years, seeking to institute an Enterprise Risk Board, a governance structure, risk appetite statement, updated Statement of Assurance, risk profile, etc.
It is not as easy to build an ERM program that is mature, fully functioning, integrated, and outcome-oriented. In a smaller, less complex agency with leadership buy-in, this could range from 5-7 years.
However, in a larger, complex, decentralized agency, it could take 5-10+ years. It is important that agencies not be discouraged by those projections. Effective ERM is meant to be a long-term, evolving endeavor.
The initial draft is ready for consideration, and we can make adjustments for the next review, as the policy has recently been reviewed by ARC and the Board.
An objective of operational risk management
An objective of operational risk management is not to remove operational risk altogether, but to manage the risk to an acceptable level, taking into account the cost of minimizing the risk as against the resultant reduction in exposure. Strategies to manage operational risk include avoidance, transfer, acceptance and mitigation by controls.
Risk owner decision as per ISO Guide
One of the most important responsibilities to be allocated is that of ‘risk owner’.
ISO Guide 73 defines a risk owner as a ‘person with authority and accountability to make the decision to treat, or not to treat a risk’.
The guide also states that anyone who has accountability for an objective also has accountability for the risks associated with the objective and the implementation of the controls to manage those risks.
2 Key Functions of Risk Framework
As noted earlier, this framework must fulfil two functions: firstly, provide support for the risk management process within the organization; and secondly ensure that the outputs from the risk management process are communicated to internal and external stakeholders.
