When looking forward to future models and frameworks of Enterprise Risk Management, it is worth looking back to see what they looked like originally, and to make comparisons. For instance, the COSO ERM framework introduced in 2004 was an industry-led, professionally oriented attempt to help organisations identify, understand and prioritise their risks, and to integrate internal controls into business processes. One of the main reasons for its emergence was the rise of corporate fraud; the Framework could therefore be considered a tool to combat mismanagement, tighten corporate governance and monitor financial reporting more stringently.
The COSO 2004 model addressed different aspects of risk management and incorporated trends which were regarded as significant, such as ethics and organisational culture. But this was seen as still too restrictive, and still too skewed towards internal control, with undue emphasis on the internal audit function. The international standard ISO 31000, developed by the International Organization for Standardization and released in 2009, is a systematic, logical approach to risk management which sets out processes for identifying and analysing risk, and for determining its treatment or mitigation. The emphasis of ISO 31000, designed with proper input from Risk professionals, is geared toward the achievement of organisational objectives and improving the quality of decision making.
Some firms see it as a broader framework while others consider it lacking in clarity, but it tends to be more supported by seasoned Risk professionals, compared to COSO. There is no one-size-fits-all when it comes to ERM. Business environments today are exceedingly dynamic and firms may find it hard to keep up with market trends and issues, let alone be able to identify the risks associated with them. But ERM is also about opportunity, managing risk, achieving objectives, improving decision-making and achieving an optimum level of agility, resilience and sustainability for the organisation.
ERM frameworks are likely to become easier to use. The first ISO 31000 standard evolved from the first known standard for enterprise risk management, AS/NZS 4360, published by Standards Australia and Standards New Zealand in 1995. But even this base standard underwent revision before it became the foundation of ISO 31000 (published in 2009). Its refinement included the deletion of areas which were regarded as hindering, rather than helping, its implementation, based on users’ feedback. ISO 31000:2018 became even shorter, clearer and more concise, to support firms in their use of ERM principles when planning and making decisions.
ERM models and frameworks are not static; they undergo continuous refinement based on feedback from users in a diverse range of industries. They need to, because businesses are becoming more complex; firms are entering new, unfamiliar markets; and in some cases, completely new industries are emerging, with risks and opportunities in tandem. Future models and frameworks may see greater inclusion of “issues of the day” like gender diversity, climate change, human and cultural factors, more transparency and stricter governance. The lessons from the Covid-19 pandemic will not be forgotten; more attention is likely to be paid to “future readiness” and dealing with disruption and uncertainty.