Not All Enterprise Risk Management Models Are Created Equal
Enterprise Risk Management (ERM) works best when it has been properly thought through and implemented. Organisations have been trying to identify,
assess, prioritise, treat and monitor their risks for many centuries; but today’s risks, of course, are infinitely more complex so it is no wonder that the task of mitigating them has been increasing in complexity as well. Contemporary risk management has been evolving for more than six decades, and in the process, several models and frameworks have been developed.
Today, there are several that can be used by organisations eager to minimise accidental losses and mitigate operational hazards, to better and more efficiently achieve business objectives. They have a few bodies to thank, starting with the Standards Boards of Australia and New Zealand, which promulgated AS/NZS 4360 in 1995; the Committee of Sponsoring Organisations of the Treadway Commission (COSO); and the International Standards Organisation, ISO. These bodies generally had the same reasons for putting together ERM models – the business environment was rife with fraud, malpractice and corruption, and if this unhealthy state of affairs continued, stakeholders would eventually become completely disenchanted with industry.
This loss of confidence would have considerable long-term impacts on many economies but this was not the only reason; the very nature of doing business was changing, and new risks were emerging. Businesses did not know how to cope with them; new strategies were needed. Because ERM is all-encompassing, it needs to be workable across the board, for all business units, subsidiaries and departments. The added complexity of the different kinds of challenges faced by different industries, spurred the need for the development of bespoke ERM solutions.
These factors were incorporated as strategy into the respective models and frameworks that were developed as the need for ERM was recognised, and various parties began giving feedback. Organisations began “finding their feet” within the context of understanding what was needed for themselves where ERM was concerned. They began to realise other advantages of ERM; its frameworks and procedures helped bring shortfalls and potential threats to light. It also highlighted the organisations’ strengths and showed how organisational culture could be a positive, protective force for the firm.
As risk management moved from being applied selectively to certain departments and business units, to being applied throughout the company, people began to operate less and less in silos, and greater transparency began emerging. Thus, while early ERM models were heavily compliance-focused, later models became more integrated with other aspects of business management. For instance, AS/NZS 4360, which was the first formalised corporate governance framework and risk management process, was later updated and reissued as AS/NZS 4360:1999, then again as AS/NZS 4360:2004 after feedback from practitioners and stakeholders.
In the US, COSO was taking a different tack. Although its aim was to develop guidance on internal controls to improve the quality of financial reporting, business ethics and corporate governance, it attempted to try and deal with Risk Management as well. COSO ERM, which was released in 2004, was cumbersome when it came to implementation; users said that it focussed on reporting, not managing risks – useful for organisations where risk was audit – and internal control – centred. In 2017, COSO’s “Enterprise Risk Management – Integrating with Strategy and Performance” was released with some significant changes in structure, and an emphasis on culture and creating value – but seemed to just mirror most of the content and approach of ISO 31000.
ISO 31000, as the only International Risk Management standard, is applicable to public, private or community enterprises, as well as associations, groups or individuals. ISO 31000 is not a requirement but a guideline that offers structure and guidance for anyone wanting to use risk management principles. However, because it is an ISO standard, it does incorporate best practices from a wide range of contributors on implementing, maintaining and improving risk management frameworks.
Its framework focus is on six areas: Leadership & Communication, Integration, Design, Implementation, Evaluation and Improvement. Practitioners describe it as simplifying risk management, making it concise, comprehensive, understandable and implementable.