Inside Internal Controls

News and discussion on implementing risk management

The updated ISO risk management standard merits our attention

You can purchase the ISO 31000:2018 global risk management standard from a number of sources. I got my copy from the US standards organization, ANSI. The ISO press release includes a link to their Swiss site.

There are pluses and minuses, IMHO.

To start with, I like the first part of the Introduction:

This document is for use by people who create and protect value in organizations by managing risks, making decisions, setting and achieving objectives and improving performance.

Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.

Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.

  1. It is not limited to protecting value, but helps organizations and their people create value. Traditional risk management is focused on the review of a list of risks – what I now refer to as ‘doom management’ and Jim DeLoach calls ‘enterprise list management’ – whereas effective risk management (if we retain that term) should help people take the right level of the right risks to objectives, make informed decisions, and increase the extent and likelihood of success: ‘success management’.
  2. Right from the start, it highlights the need to make quality decisions. By the way, setting an objective or selecting a strategy is a decision and is frankly little different in how it should be done than any other major decision (COSO, please take note).
  3. The second paragraph removes some of the confusion about the meaning of the word ‘uncertainty’ in the 2009 version (where it says “risk is the effect of uncertainty on objectives”, a definition retained in the 2018 update). We are concerned with what might happen (‘external and internal factors and influences’) as we strive to achieve our objectives – and we don’t and never will have a crystal ball so it is uncertain.
  4. Managing risk (a term I greatly prefer to risk management) is an essential part of effective management, and this is at least strongly inferred in the third paragraph.

I also like the brevity and simple (for the most part) language of the updated standard.

But the update shares some less positive features with the COSO ERM update:

  1. It still focuses on and talks about “managing risk” when we should be talking about improving the extent and likelihood of success. The common vernacular treats the word ‘risk’ as something negative and ‘managing risk’ as limiting risk – when often we should be taking more! So continuing to talk about risk management and using the ‘r’ word is talking in a language that only ISO devotees are likely to understand the way ISO intends. We should be talking about helping people make informed decisions that take the right level (not too little and not too much) of the right risks!
  2. There really isn’t much help on how you should make informed decisions and take the right level of the right risks, balancing the upside and potential downside consequences of your decision. (See more in my books.)
  3. It still talks about how you identify, assess, and address risk as a one-by-one activity – but in real life there are multiple potential effects. There is no guidance on how to assess the combination of risks, some of which might have positive while others have potential adverse effects.
  4. There is no recognition that the level of risk is not a point. There is no single value for the magnitude of the effect, nor of the likelihood of that level of effect. It’s a range of values and their likelihoods. (Again, see my books.)
  5. The regulators are driving organizations, especially in financial services, to have a risk appetite statement. While I believe this is a concept that does not have practical value for every source of risk, the pressure to have one and measure your levels of risk against it has to be addressed. ISO ignores this reality and the guidance in COSO is poor.
  6. I am starting to dislike the idea of ‘risk oversight’ (mentioned in passing by ISO in the update and more prominent in COSO) or ‘risk governance’. Again, we should be looking at how management assures the board that it is making informed and intelligent decisions that result in taking the desired level (not too much and not too little) of the right risks. ‘Risk governance’ implies oversight of doom management.
  7. It no longer provides useful principles for assessing the effectiveness of what we are doing (risk management, if you like). The COSO principles are too many and include items I would omit, and the ISO principles are a downgrade from those in the 2009 edition. The former ISO principles were crisp and pretty much stood on their own. The update’s principles are more like chapter headings.

Overall, neither the ISO nor the COSO updates will, in my opinion, move the understanding and practice of ‘risk management’ to where they need to be. The updates are small steps when leaps were required.

As I wrote in my earlier post, I see no need to update World-Class Risk Management and instead am trying to stimulate discussion with leadership through Risk Management in Plain English: A Guide for Executives: Enabling Success through Intelligent and Informed Risk-Taking.

What do you think?

I welcome your comments.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.