The Objective-Centric (OC) – identifying risks in relation to objectives – approach to risk is recommended by both ISO 31000 as well as COSO 2017 and represents current best International practice. COSO 2004, however, prefers the Taxonomy approach (identifying risks in relation to definitions). The OC approach and Taxonomy are diametrically opposite and incompatible from a risk identification perspective. The OC system is more practical than the taxonomy approach and focuses the organisation on achieving organizational objectives rather than just identifying “risk” from an academic and theoretical perspective.
Symptoms of a Taxonomy approach would be the failure to get organizational support for risk management, risk registers where the mitigation action due date has passed and the person responsible for the mitigation resigned two years ago but the risk register has never been updated – because the line views (and they are correct!) the risk registers as academic and a waste of their valuable time – even I would not want to waste my time completing such academic and impractical risk registers.
The open style of the OC approach ensures that all risks, including emerging risks, etc., are properly identified and risk identification is not limited to the extent and range of the up-front risk categories provided under a Taxonomy approach. Hence, under a Taxonomy system for example, if you do not have a category for (say) “Pandemic risk”, you will fail to identify any pandemic risk – as that is how Taxonomy works. Additionally, if for example you have mis-defined said “pandemic risks”, then you will once again fail to fully and properly identify pandemic risk. Also, the taxonomy approach has a tendency to identify risk effects (i.e. consequences) rather than sources of risk – such as reputational risk and strategic risk (both of which are not sources of risks but rather consequences of risks which, accordingly, would be the wrong focus for any mitigation strategy).
None of the problems are present with a properly implemented OC approach via something like the IERP®’s Goals and Objectives Harmonisation approach. Unfortunately, the majority of consultants and so called “ERM experts” really have no idea on how to properly implement the OC approach. The IERP® is one of the few organisations who is expert in implementing it. We have even designed a special tried and tested program which can implement the OC approach in any organisation of any size in 4 days. Success stories include organisations as diverse as Financial Institutions, technology companies, manufacturing companies, to oil and gas companies and property developers and other service organisations.