Risk Management Frameworks and Standards - Coggle Diagram
Contents of a risk management framework
The identification of risks that could impact the organisation in either a positive or negative way
Assessing the significance of identified risks, in order to help prioritise management attention and financial resources
Monitoring to help detect any changes in the organisation's exposure to identified risks
Controlling the organisation's exposure to the risks that have been identified
ISO 31000:2018 risk management standard talks about three core elements
Risk management architecture
Committees
Reporting Structures
Risk Management Strategy
Risk policies
Risk appetite
Risk Management Protocols
Processes
Procedures
Risk Management Policy
Its aims and objectives for risk management, including how they support the wider strategic objectives of the organisation
The processes, procedures and activities that comprise its risk management framework, including any other risk or control policies
Governance arrangements for risk management, such as those of a risk committee
The allocation of roles and responsibilities for risk management
Different business units may maintain their own individual risk management policies or different policies may be drafted for different categories of risk.
Risk management procedures
An organisation will have procedures to specify how its employees and managers should perform specific tasks and activities
Many of these procedures will relate to the assessment and control of related risk
Eg manual handling procedures for lifting and carrying objects, as well as procedures for operating machinery
May be used to help control certain types of risk such as managing incidents, escalating control weaknesses, building evacuations, critical systems recovery or reporting suspicious financial transactions
Technology systems that support risk management
Organisations may use internet-based or internal-network-based technology systems to support their risk assessment, monitoring and control activities - risk management information systems (RMIS)
Systems may be built in house, often using standard database applications, or they may be purchased from external specialists
Can be expensive but can help to improve an organisation's ability to co-ordinate its risk management activities. They can also reduce the time and effort required to produce risk management reports on the organisation's risk exposures or the effectiveness of its controls
Risk reports
Most organisations will produce some form of risk report to help management understand the organisation's risk exposures and make effective risk management decisions
Different reports may be produced for different areas and levels of management including reports for IT managers, HR managers, senior managers, the board and the executive team
The frequency of risk reporting will depend on how quickly risk exposures are changing or the materiality of the principal risks.
Risk reporting can be real time in areas such as information security or investment management. Alternatively it may be monthly, quarterly, annually or any other required level of frequency
Risk appetite statement
A risk appetite statement will usually outline the types and levels of risk that an organisation is willing to take in the pursuit of its objectives, as well as the risks that it is not willing to take or will only tolerate in specific circumstances
Stakeholder risk preferences should be taken into account when deciding what risks to take or avoid
A risk appetite statement may be kept as a standalone document or included in the risk management policy. Larger organisations may choose to make some or all of their risk appetite statement public
Internally, an organisation may have more than one risk appetite statement. Statements may exist for specific categories of risk or for different business units
This is because an organisation may have a different appetite for different risks and business units
This will often reflect the strategy of the organisation, the risks it wishes to take to achieve its objectives, and the risks it may want to reduce to avoid business disruption, unnecessary cost or operational inefficiency
Training and awareness
Risk management and risk awareness training courses help employees and managers to understand the types of risk relevant to them
They also help employees understand how to identify, assess, monitor and control these risks in an effective manner, ensuring that the organisation meets its strategic objectives and the risk preferences of its stakeholders
Training courses may explain the importance of risk-management for the organisation and its stakeholders as well as the benefits and costs associated with taking specific risks
Courses may also reinforce the contents of policies and procedures or help employees and managers to operate the risk management process and use RMIS
Risk Governance and Compliance Arrangements
Risk governance and compliance arrangements support the direction of the design and operation of risk management policies, processes and procedures, including risk reporting and incident management activities
Risk governance and compliance arrangements may be created to ensure compliance with internal policies and procedures, as well as laws and regulations imposed by external agencies or customers who have specific requirements to which the organisation has agreed
Risk governance and compliance arrangements exist to ensure compliance with the policies, processes and procedures that comprise a risk management framework and that any weaknesses in their design or application are identified and addressed promptly.
The activities of external and internal auditors are part of these risk-governance and compliance arrangements, as are compliance reviews and internal control assurance activities
Company secretaries and governance professionals often help to support the operation of risk governance and compliance arrangements
Specialist staff
Medium to large organisations will often recruit risk-management specialists to support the operation and ongoing improvement of their risk management framework
This may include health and safety professionals, information security professionals, business continuity managers and general risk managers
A risk manager is a professional skilled at identifying, assessing, monitoring and controlling a wide range of risks
Risk committees
The purpose of a risk committee is to oversee and co-ordinate the design and operation of an organisation's risk management framework - this will include
Ensuring that risks are managed in a consistent, objective and supportive way across the organisation
Monitoring more significant risks
Balancing the sometimes different risk preferences of stakeholders
Ensuring that adequate resources are devoted to risk management
Generally only large organisations will have a dedicated risk management committee
Small to medium sized organisations may incorporate risk management oversight into their audit committee
Merged audit and risk committees require careful management, since the responsibilities of an audit committee can conflict with those of a risk committee. The focus of an audit committee is on accurate financial reporting and internal control to limit the risks that could threaten an organisation
A risk committee should consider taking risk in a proactive manner to support the achievement of organisational strategy and objectives. Risk can be harmful and disruptive but it is also an essential part of generating social, environmental and financial returns
Where a committee is merged, the members should be reminded of this potential conflict to ensure that they apply the right risk mindset to each agenda item
British Standard BS31100
The advice and guidance in BS 31100 is designed to be suitable for any organisation operating in the UK
Gives practical and specific recommendations on how to implement the risk management principles, framework and process as outlined in ISO 31000
The guidance includes
How to manage risk in a proactive rather than a reactive manner - for example by preventing adverse risk events from occurring
The operation of effective risk management oversight via an organisation's governance and internal control functions
Providing assurance to the board and senior management on the effectiveness of an organisation's risk management activities
Reporting to stakeholders, for example through disclosures in annual financial statements, corporate governance reports or CSR reports
National Standards Agency of Ireland (NSAI)
Provides additional guidance on ISO 31000 for Irish organisations
Outlines various risk management methods and techniques that Irish organisations can use to implement an effective risk management framework
The guidance covers topics such as
Guidance on designing a risk management framework
How to draft a risk management policy
Allocating accountability for risk management
Establishing effective risk management communication mechanisms
Risk assessment techniques
Risk treatment options
How to design an effective risk register
The Orange Book
Published by the UK Government
The purpose of the document is to
Provide an introduction to risk management for those new to the discipline
Offer a set of principles against which risk management practices in organisations can be benchmarked
Help senior leadership to understand their responsibilities for risk management
Provide practical support for those tasked with day-to-day risk management responsibilities
Offer insights into more advanced concepts such as risk appetite, for those with more risk management experience
The Orange Book adopts a principles based approach to risk management. These principles cover
Governance and leadership
Integration (into the organisation and its activities)
Collaboration and the communication of information
Risk management processes (treatment, monitoring and reporting)
Continual improvement (of risk management)
Institute of Risk Management Standard
The IRM standard adopts a very similar approach to ISO 31000.
It is free to download in 14 languages and it is shorter
The original IRM standard has not been updated as recently as ISO 31000
More recently the IRM published 'Risk Practitioner Guides' covering both ISO 31000 and the COSO Enterprise Risk Management - Integrated Framework
Provides a best-practice benchmark that organisations can use to help design and implement effective risk management frameworks
The standard emphasises that the management of internal and external risks can help to protect and create value in organisations
The Standard indicates that an organisation's risk management process should be audited periodically to determine whether it remains fit for purpose and to ensure it is operating effectively
COSO ERM Framework
The COSO 2004 ERM Framework underwent a major revision in 2017
Along with the revision of ISO 31000, the COSO ERM Framework represents the latest thinking in terms of the design and implementation of risk management frameworks in organisations
The 2017 COSO ERM Framework emphasises that although risk management is an important part of effective corporate governance and internal control, this does not preclude using risk management to help improve the strategic and operational performance of an organisation
The COSO ERM Framework explains that the adverse consequences of an ineffective risk management framework are significant in the 21st century especially as the world becomes more complex and interconnected and as stakeholders exercise increased scrutiny over organisational activities
Risk is an element in every organisational decision. Effective risk management should help organisations to make better decisions that exploit the available opportunities and mitigate the potential threats
Risk management is not only about limiting risk, rather it is a tool that allows an organisation to exploit risk in order to increase its performance
The COSO ERM Framework is intended for organisations of all sizes and sectors and provides insight into how an organisation can better integrate risk management into its strategy, operations and decision making
The framework is different in approach to most conventional risk management frameworks, but this helps emphasise the performance-enhancing focus for risk management that COSO believes is important. The framework is presented as a set of principles organised into five inter-related components
Principles
Governance and culture
The first element of the COSO ERM Framework is about ensuring that employees and other relevant stakeholders (such as suppliers and contractors) behave in a manner that is consistent with the organisation's values and codes of conduct, as well as undertaking activities that support the organisation's strategic, operational and risk management objectives
This includes overseeing management decisions to ensure that opportunities are exploited and any threats are mitigated
It also includes managing risk management attitudes and perceptions to ensure that there is a good understanding of risk, its consequences and the benefits of effective risk management
Strategy and objective setting
Strategy and risk management complement each other closely in the COSO ERM Framework, each playing their part in enhancing organisational performance.
Key to this is the concept of risk appetite, which helps to direct strategic and risk management decisions across the organisation
By determining its appetite for different types of risk, an organisation can plan a strategy that is less likely to result in any associated risk exposures that exceed this level of risk appetite
Where there is the potential for risk exposures to exceed appetite, risk management can be used to help reduce this potential or ensure that the organisation is resilient enough to withstand the effects of these exposures
Performance
This activity is concerned with identifying and assessing risks that may affect the achievement of an organisation's objectives
An organisation's objectives are usually determined as part of the annual planning and budgeting process and are often aligned with its broader strategic goals or mission
Risks that are believed to be a threat to objectives are compared against the organisation's appetite for risk. Where the level of risk exposure is considered too high, actions are taken to control these exposures
By focusing management attention on the risks that represent a major threat to an organisation's objectives, resources can be used in an efficient way, ensuring the maximum benefit for the costs that are incurred in managing risk.
Stakeholder value can be protected and possibly enhanced by reporting on these risk exposures and control activities - an action that should provide stakeholders with the assurance they need that the organisation is meeting their expectations by fulfilling its stated objectives
Review and revision
This COSO component has multiple objectives (especially when compared to the ISO 31000 standard)
The organisation should identify and assess substantial internal and external changes that may affect strategy or the achievement of its objectives
The organisation should evaluate its performance and the achievement of its objectives in light of the chosen strategy and risk response
Based on the outcomes of the previous activities, the organisation should evaluate the continued appropriateness of its risk management arrangements and revise them accordingly
Information, communication and reporting
Within the COSO ERM Framework, organisations are involved in a continuous process of collecting and sharing information
Information may be collected from internal and external sources.
Sharing is up, down and across the organisation to ensure that all decision makers have the information that they need to manage risk in an effective way
Not all risk management frameworks involve the continuous processing and sharing of information - some rely on periodic (monthly, quarterly or annual) risk reports, along with incident and issue reporting of risk events and identified control failures
The COSO ERM Framework considers this to be ineffective because an organisation, its external operating context and things like regulation, politics and the environment change constantly. Periodic reports can go out of date very quickly
The COBIT framework for IT governance
The guideline Control Objectives for Information and Related Technologies (COBIT) published by the Information Systems Audit and Control Association (ISACA) provides a good practice framework for the control of IT related risks
The COBIT framework is business oriented and links IT goals to business goals, providing example metrics and benchmark maturity models to help an organisation assess and enhance the effectiveness of its IT risk management activities
The COBIT framework incorporates the following elements
Core governance principles
COBIT 2019 is based on six governance principles
Providing stakeholder value: by delivering a financial return or protecting them from risk
Holistic approach: one that covers the whole of the organisation - all departments, activities and functions
Dynamic governance system: that adapts and improves as required
Governance distinct from management: this ensures that those responsible for overseeing the operation of an organisation's IT risk management activities are not involved in the day-to-day running of the organisation. This should, in theory, mean that they maintain a degree of impartiality allowing them to challenge management practices where necessary
Tailored to enterprise needs: there is no one best approach to good governance; organisations must implement an approach that helps them to achieve their objectives and deliver stakeholder value
End to end governance system: effective IT risk management must cover the entire operational processes and supply chains of an organisation
Generic process descriptions
Presents a process reference model for the effective management of the organisation's IT arrangements.
This model consists of one overarching governance domain 'evaluate, direct and monitor' and four management domains 'plan, build, run and monitor'
Control objectives
The COBIT 2019 framework provides a list of control objectives that are linked to the 40 IT management objectives
Management guidelines
The COBIT 2019 management guidelines cover topics such as the assignment of roles and responsibilities for IT risk-management and performance measurement
Process maturity models
Maturity models are provided for each control objective
These models help organisations to review their control arrangements, conduct gap analyses to identify areas for improvement, and record the actions taken to address these gaps