Earlier this year, the International Organization for Standardization (ISO) published a long-awaited revision to ISO 31000, its risk management guidelines. After the June 2017 revision of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management (ERM) framework, this means that two of the most widely used risk management guidance documents have been updated within the past year. Users need to understand the scope of the changes and determine the potential impact on how their organizations manage risk.
Although they are separate guidance documents issued by different standard-setting entities, revisions to the existing standards share some common characteristics.
Both of the revised documents reflect the evolution of risk management over the past decade, recognizing risk management’s move from a separate and at times departmentalized activity to an integrated management competency.
Additionally, rather than view risk management as a periodic risk assessment and modification activity, both revisions emphasize that managing risk is an integral part of decision-making throughout an organization and vital for carrying out its mission and improving performance. Both revisions also recognize that risk and uncertainty are important considerations as leaders form strategy, run operations and deliver project initiatives.
Changes to ISO 31000
For anyone who creates and protects value in organizations, the 2018 version of the ISO 31000 risk management standard provides simpler, clearer guidance than the 2009 version. It recognizes that organizations may already have a set of principles, framework and process for managing risk. As such, the revision stresses the importance of customizing and improving existing practices to better assist organizations in setting strategy, achieving objectives and making informed decisions. While the standard retains the familiar structure of principles, framework and process, the language contains less risk management jargon and reduces the number of defined terms.
“Risk” remains defined as “the effect of uncertainty on objectives.” ISO 31000:2018 emphasizes that managing risk can assist organizations in setting strategy, achieving objectives, and making informed decisions, and that it is critical to manage risk when decisions are being made, rather than after the fact.
There are a number of updates in the revision that are particularly noteworthy to risk professionals and their organizations:
- The stated purpose of risk management is to create and protect value.
- The purpose of the framework is to facilitate risk management’s “integration into the governance and all activities of the organization, including decision-making.” This changes the perspective of risk management from a stand-alone activity to something that is an integral part of organizational and individual decision-making. This version of the standard delves into both leadership’s commitment to integrating risk management into organizational activities and understanding contexts of the organization when designing an integrated framework. The governance descriptions are purposefully broad to appeal to a wide audience.
- ISO explicitly states that the risk management process can be applied at strategic, operational, program or project levels. The process is presented as sequential and is meant to be iterative in practice. The final process step has been broadened to include reporting as well as recording.
- The standard introduces the concept of adapting risk management frameworks to address external and internal changes in addition to including the risk management framework as part of an organization’s normal continual improvement processes.
- For the first time, the ISO standard recognizes that cognitive biases and the assumptions of those involved in the risk assessment process should be considered. Unrecognized biases, such as confirmation bias (the tendency to search for or interpret information in a way that confirms one’s preconceptions) and anchoring (the tendency make decisions based on the first piece of information one hears), can influence judgements and lead to faulty assessments that result in poor decisions. Personal or organizational perspectives should be taken into consideration as part of an organization’s risk criteria, as well as the during the risk analysis process.
- There is a greater distinction made between the complementary concepts of communication (imparting information) and consultation (stakeholder participation) in both the framework design and the process portions of the standard.
Changes to the COSO ERM Framework
The seemingly simple act of changing the title of the COSO framework from 2004’s “Enterprise Risk Management—Integrated Framework” to the new “Enterprise Risk Management—Integrating with Strategy and Performance” represents a significant shift in approach. COSO recognizes the “dynamic, integrated nature of ERM that begins with the mission, vision and core values of the organization through to the creation of enhanced value.”
In its executive summary, the updated COSO Enterprise Risk Management Framework is described as:
- More clearly connecting enterprise risk management with a range of stakeholder expectations;
- Positioning risk in the context of an organization’s performance, rather than as the subject of an isolated exercise;
- Enabling organizations to better anticipate risk so they can get ahead of it, with an understanding that change creates opportunities, not simply the potential for crisis;
- Emphasizing how ERM informs strategy and performance.
Since the 2017 version of the COSO ERM framework was a dramatic shift from the 2004 version, direct comparisons are difficult to make. That said, there are a number of specific differences worth noting:
- The updated version states that the purpose of effective enterprise risk management is to help boards and management optimize outcomes to best create, preserve and ultimately realize value.
- COSO’s definition of “risk” changed to reflect its evolved viewpoint that the focus of enterprise risk management is no longer principally on preventing the erosion of value and minimizing risk to an acceptable level. In the 2004 version, the definition read, “Risk is the possibility that an event will occur and adversely affect the achievement of objectives” [emphasis added]. The 2017 version reads, “Risk is the possibility that events will occur and affect the achievement of objectives.”
- Rather than simply viewing risk management as an extension of COSO’s Internal Controls Framework (the basis for the 2004 version) with a primary focus on the environment within an organization, the updated version explores enterprise risk management by evaluating a particular strategy, considering the possibility that strategy and business objectives may be misaligned, and looking at the risk to implementing the strategy and business objectives.
- The 2004 version focused on how the risk management process (objective-setting, identification, assessment, control activities, information, communication and monitoring) was implemented at each level of an organization (entity, division, business unit and subsidiary). The 2017 version, on the other hand, consists of five interrelated components of ERM. Three are related to common organizational processes (strategy and objective-setting; performance; and review and revision) and two are supporting factors (governance, culture and information; communication and reporting). Within these five components are 20 principles that represent the fundamental activities that organizations should engage in as part of their ERM practices.
- As with the ISO update, the COSO revision discusses the important influences that culture and biases carry in decision-making and risk management practices.
- The revision includes appendices that outline common roles and responsibilities for ERM (such as modifying “lines of defense” to “lines of accountability”) and provides illustrations as a guide for developing risk profiles.
The level to which an organization will need to make changes based on these revisions depends on the current level of integration and maturity of its existing risk management practices. For the number of organizations that already incorporate risk processes and techniques into decision-making and strategy-setting, few changes may be needed.
But if stakeholders believe that risk management is just another activity peripherally linked to advancing the organization’s mission, there may be an opportunity to build a stronger and more capable organization by modifying the stated purpose and approach to managing risk. These revisions can be used to begin a conversation regarding:
- Current practices. Do we consider managing risk as a core competency or as a periodic exercise?
- Stakeholder evaluations. Do those responsible for managing risk believe that what is currently being done adds value?
- Gap analysis. What aspects of the revised documents could be used to improve the risk management capabilities within the organization?
The evolution of risk management conveyed in these guidance documents may represent a change in the status quo of how risk management is viewed and integrated. Risk professionals and their organizations should view such changes as an opportunity to strengthen the organization so that it can more effectively achieve strategic objectives.