Inside Internal Controls

News and discussion on implementing risk management

Selecting a framework for managing risk

Carol Williams has a web site, ERM Insights, where she writes about risk management. (I prefer to talk about the management of risk rather than risk management, to make clear that we are talking about how the organization addresses what might happen, i.e., risk, rather than about a function or team.)

Recently, she shared her advice on frameworks and standards in ISO 31000 VS. COSO – Comparing And Contrasting The World’s Leading Risk Management Standards.

I like what she has to say (maybe because she quotes me) and recommend that you read and consider it.

Let me add to her discussion.

As Carol says, “the overarching goal of your risk-related activities should be to support decision-making by helping identify and properly assess both risks and opportunities to achieving strategic objectives”.

So the first step should be to understand how your organization makes decisions. Is decision-making centralized or distributed? Are employees empowered or limited?

You should also consider:

  • At what speed and frequency does the path ahead seem to change (i.e., how volatile is risk both from internal and external sources)?
  • The business you are in and what the sources of risk are. For example, I would consider different processes for managing a loan portfolio, customer credit, major projects, derivatives trading, and cyber.
  • How do your decision-makers consume information about what might happen? In fact, what do they need to make intelligent and informed decisions?

The last point is the most important: what information do people need to make intelligent and informed decisions?

The point before that is also important, as you may need different guidelines and processes in different areas of the business.

While the management of risk should be both continuous and dynamic (as risk is created or changed with every decision), on a periodic basis it is wise to take stock and see whether you are on track. Are you still likely to achieve enterprise objectives, taking everything (within reason) into account?

So another question that needs to be answered is how to collect all the information you have about sources of risk around the extended enterprise to provide a big picture view to top management and the board.

Carol correctly points out that selecting a risk management standard or framework should not be like going to a clothing store and finding a suit off the rack that fits perfectly. Some customization, maybe a lot, is going to be required. Tuck in the sleeve around the cyber joint, but extend the hem of the leg that carries the weight of personnel-related sources of risk.

I welcome your thoughts.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.