Risk Management - Introduction

From RiskWiki


What Is Risk Management?

Risks, Causes & Consequences

Risks to your operations and assets are a permanent and inescapable aspect of existence. Put simply, if you have an objective, the possibility exists that your objective may not be achieved. That possibility is risk.


Inputs required for your objective may not be available when required, or the cost of the same may make the objective inviable, or the social or technical assumptions may be invalidated, etc. These are threats, or causes of objective failure, and therefore causes of risk. Threats exist - some latent and some active, but all are potential causes of the failure to achieve your objective (with varying likelihoods).


Further, it may be that failure to achieve the objective, or to preserve the asset, has impacts far beyond the loss of the expected benefit or the value of the asset lost. Those impacts are the consequences. For example, at the individual business level, failure to achieve a strategic objective may result in failure of the business, while on the international stage, failure to achieve a diplomatic objective may impact society detrimentally for generations to come, and failure to protect a critical military or hazardous materials technology may result in extensive loss of life.


Lastly, a risk may not be a bad thing - it might be a good thing, more commonly known as "an opportunity". Likewise, an impact scale may not run just from "nothing" to "really bad" but from "really good" through "nothing" to "really bad". In its fullest extent risk management covers both opportunities and exposures. Most of the following discussion will consider risk management in its more common guise as managing exposures, but when we consider "Competitive Risk Management" we will once again expand the definition.



Risk Appetite

The degree to which these undesired outcomes are more or less certain will affect your degree of concern about them. At the extreme ends, everybody may have pretty much the same response: an undesired outcome that is virtually certain to occur will probably be judged as unacceptable, while an undesired outcome that is virtually certain not to occur will probably be judged as acceptable. Between these extremes each individual, organisation, and society will have differing determinations of acceptability. This determination is also likely to vary with the nature of the undesired outcome (for example a 50% chance of the loss of thousands of lives is generally considered less acceptable than a 50% chance of the loss of ten dollars). This variance in judgement is the risk appetite - literally your or your organisation's willingness to passively accept the possibility of a particular type of undesired outcome.


Risk Response, Mitigation and Control

The reactive leader, when faced with changed circumstances, will rapidly form a response. These responses are designed to minimise the consequences of the threat event and are risk mitigation actions, or risk treatments. Of course, some responses (like avoidance or insurance) are by this time out of the question - as the threat has materialised. Faced with too many or too big a change in circumstances, even the most responsive leader can be overwhelmed, and the process fails with the objective not achieved.


A wise leader then (at least) learns from experience, and establishes processes to minimise the likelihood of similar threat events occurring (prevention), to detect when they occur (detection) and immediately respond and mitigate the consequences when they occur regardless (correction). These preplanned and pre-established processes of prevention, detection and correction are controls.


Rating a Risk

All controls have a cost - whether measured in money, time, tactical advantage, etc. Too much control may make the achievement of the objective inviable. The leader may judge that some threats experienced are unlikely to occur again (for example the Year 2000 date risk was a one-off, as the year 2000 is unlikely to occur again in this timeline!). Other threats will be considered almost certain - such as a sunny day melting an unrefrigerated cargo of ice cream. The probability that a threat will eventuate is its likelihood. Where the likelihood is very low, the leader may judge it is not worth the cost of controlling.


Likewise, some consequences of threat events are so minor that they can be ignored, while others are catastrophic to the objective. This judgement is the impact rating of the consequence.


The likelihood of a threat event, combined with its level of impact on the achievement of the objective, constitutes the inherent risk to the achievement of the objective.


Although not yet part of the standard, over recent years an additional rating parameter has been argued for consideration: "Velocity". The velocity of a risk is the speed with which a causal event translates into an outcome. Velocity is an inverse rating against time, so the shorter the time it takes for a causal event to result in a specific impact, the higher the velocity.


Conversely, if we are going to consider a time based measure for the onset of a risk event, we should allow for a velocity measure on the mitigation side of the equation. Here we would have two types to consider. Pre-event controls (such as training and documented manuals) have a velocity measure that acts during a different phase from that during which the impact velocity is measured. The control velocity of specific interest in mitigating impact velocity is that of the reactive controls: Event (or Error) Detection and Event (or Error) Correction controls.


NOTE: Controls fall into one of three groups - Prevention, Detection and Correction. The first group identifies proactive controls (although some control steps in a given strategy of controls may be reactive even here), while the latter two describe purely reactive controls. Note that under this view the process of setting up a reactive control system and training the participants and systems in the operation of that control is itself a proactive step and hence a Preventive control, while the operation of the actual control itself is, to the triggering causal event, reactive.


A similar case may, on the face of it, be advanced for direct estimation of Risk Frequency. Specifically, such a measure is one of the frequency of a causal event, with an assessed likelihood of triggering at each cycle. The amount of time required for a single cycle from Causal Event A at time 0 (A0) to the next potential occurrence of Causal Event A at time 1 (A1) is the velocity of the likelihood, i.e. the rate at which the likelihood of the causal event is tested once again. On this basis we could again track the velocity of the likelihood.


A reasonably strong case might also be advanced that likelihood measures carry an implied frequency measurement, as people tend to rate things as more certain to occur if they are almost always occurring than when rarely experienced, even if the causal event does actually occur on these rare occasions. In this case it is argued that rating likelihood velocity in fact double-weights the likelihood rating.


This author leans to the former view. If we are separating some velocities from their coupled ratings, we should consistently apply the logic of separation to them all. On that basis the probability or reliability estimates are consistently cleansed of time subjectivity, and thence become an instantaneous rating rather than a multi period rating of the probability, impact or dampening (control mitigation rating). In database design terms the rating measures are normalised with respect to time. The obvious benefit is that the greater the consistency among the properties (functional and data) if not the content of those properties, the greater the reliability that the items can be combined to give a result that varies consistently with its inputs (in this case a Risk rating). If some of the inputs are themselves functions of other inputs (such as time) the result of combining the various components of the risk formula together will not appear to move consistently with the inputs.


A further benefit of separating velocity information is the colour it might bring to the risk analysis. One can picture a risk model where the assessment of an otherwise well rated risk, on the basis of likelihood velocity (think: frequency), impact velocity (think: "How quickly will this hit us?") against preventive control velocity (think: "How long will it take for the training to be completed?"), detection control velocity (think: "How quickly will we know that the wheels have fallen off?") and correction control velocity (think: "How quickly will we have cleaned up the mess?"), might reveal some fascinating structural problems in a control system. Consider a 12 month wait for detection controls to be in place for a high to medium impact event happening every week, where those detection controls then tell us only at the end of a quarter that a problem occurred which will take 6 months to fix: we might like to know, even though individually all these controls got the highest ratings in terms of effectiveness. Of course, if our risk formula dealt with these items properly as part of its model we would not have a well rated risk with such problems!


Expressed as a formula where f() means a function of the items in parentheses, the risk equation with all these potential inputs is then:


Ri = f( f(Li), f(LVi), f(Ii), f(IVi), f(Ci), f(CPVi), f(CDVi), f(CCVi) )

where:

i: represents an individual risk
L: Likelihood Rating for each cause
I: Impact Rating for each impact
C: Mitigating Strategies and Controls effectiveness rating, mitigating causal events and consequential impacts
LV: Likelihood Velocity Rating for each causal event
IV: Impact Velocity Rating for each impact
CPV: Preventive Control Velocity Rating for each causal event
CDV: Detective Control Velocity Rating for each causal event and possibly some to all impacts
CCV: Corrective Control Velocity Rating for each mitigating control, for each impact and possibly some to all causal events


This formula says nothing more than that the risk rating is a function of eight variables: whole-of-risk likelihood, likelihood velocity, impact and impact velocity, mitigated by whole-of-risk control effectiveness-reliability working over three velocities - prevention control velocity, detection control velocity and correction control velocity. In turn, the value supplied for each of these ratings is itself a function mapping the assessed value of the rating to a normalised value (such as the range of reals from -1 to 1, or a shared 5 point scale, etc.).


The weakness in this formula lies in the consolidation of the three control groups into a single control rating for the purposes of the risk function itself (thus hiding the relationship between the control group velocities and the control group ratings). Separating the three groups gives:


Ri = f( f(Li), f(LVi), f(Ii), f(IVi), f(CPi), f(CDi), f(CCi), f(CPVi), f(CDVi), f(CCVi) )

where:

i: represents an individual risk
L: Likelihood Rating for each cause
I: Impact Rating for each impact
CP: Mitigating Strategies and Controls effectiveness rating at preventing causal events
CD: Mitigating Strategies and Controls effectiveness rating at detecting causal events and consequential impacts
CC: Mitigating Strategies and Controls effectiveness rating for reducing the likelihood of further causal events and mitigating consequential impacts
LV: Likelihood Velocity Rating for each causal event
IV: Impact Velocity Rating for each impact
CPV: Preventive Control Velocity Rating for each causal event
CDV: Detective Control Velocity Rating for each causal event and possibly some to all impacts
CCV: Corrective Control Velocity Rating for each mitigating control, for each impact and possibly some to all causal events
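As an added example (not code from the original page), the following Python models the separated-control form of the risk formula, with the ratings on the shared 5-point scale and the velocities recorded as inverse times, and runs the structural timing check described earlier (a weekly event, a 12 month wait for controls, quarter-end detection and a 6 month fix). The page leaves f() undefined, so the combination rules (likelihood times impact, each control group dampening one side) and the sample figures are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List

# Ratings use the page's shared 5-point scale (1 = lowest, 5 = highest).
# Velocities are recorded as the time, in days, an event or control takes
# to act; the page defines velocity as the inverse of that time.


@dataclass
class Risk:
    name: str
    L: int           # likelihood rating of the causal event
    I: int           # impact rating of the consequence
    CP: int          # preventive control effectiveness
    CD: int          # detective control effectiveness
    CC: int          # corrective control effectiveness
    LV_days: float   # time between successive tests of the causal event
    IV_days: float   # time from causal event to impact being felt
    CPV_days: float  # time until preventive controls are actually in place
    CDV_days: float  # time from event until detection controls report it
    CCV_days: float  # time from detection until the consequence is corrected


def normalise(rating: int, hi: int = 5) -> float:
    """Map a rating on the shared 1..hi scale onto the reals in (0, 1]."""
    if not 1 <= rating <= hi:
        raise ValueError(f"rating {rating} outside 1..{hi}")
    return rating / hi


def velocity(days: float) -> float:
    """The page's velocity: a rating against time, inversely (per-day rate)."""
    if days <= 0:
        raise ValueError("time to act must be positive")
    return 1.0 / days


def inherent_risk(r: Risk) -> float:
    """Assumed combination: normalised likelihood times normalised impact."""
    return normalise(r.L) * normalise(r.I)


def residual_risk(r: Risk) -> float:
    """Assumed dampening: prevention reduces likelihood, while detection and
    correction together reduce impact, each scaled by its effectiveness."""
    likelihood = normalise(r.L) * (1 - normalise(r.CP))
    impact = normalise(r.I) * (1 - normalise(r.CD) * normalise(r.CC))
    return likelihood * impact


def velocity_findings(r: Risk) -> List[str]:
    """The structural timing problems the page describes: every control can be
    rated highly effective while its velocity is mismatched to the event's."""
    findings = []
    before_prevention = r.CPV_days / r.LV_days
    if before_prevention >= 1:
        findings.append(f"prevention: ~{before_prevention:.0f} causal events "
                        "expected before preventive controls are in place")
    if velocity(r.CDV_days) < velocity(r.IV_days):
        findings.append("detection: impact lands before detection reports it "
                        "(detection tells you what you already know)")
    if r.CDV_days > r.LV_days:
        findings.append(f"detection: ~{r.CDV_days / r.LV_days:.0f} further "
                        "events occur before the first one is detected")
    cleanup = r.CDV_days + r.CCV_days
    if cleanup > r.LV_days:
        findings.append(f"correction: ~{cleanup / r.LV_days:.0f} further "
                        "events occur before the first one is corrected")
    return findings


# Constructed sample: the page's weekly event with a 12 month wait for
# controls (taken here as prevention), quarter-end detection and a 6 month
# fix, every control rated 5 for effectiveness.
WEEKLY_EVENT = Risk("weekly event, slow controls", L=5, I=4, CP=5, CD=5, CC=5,
                    LV_days=7, IV_days=1, CPV_days=365, CDV_days=90,
                    CCV_days=180)

if __name__ == "__main__":
    print(f"inherent {inherent_risk(WEEKLY_EVENT):.2f}, "
          f"residual {residual_risk(WEEKLY_EVENT):.2f}")
    for finding in velocity_findings(WEEKLY_EVENT):
        print(" -", finding)
```

With every control rated 5 the residual risk collapses to zero, yet the velocity check still reports four structural problems, which is exactly the gap in a formula that ignores velocity.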



From Risk Response To Risk Management

Faced with a similar objective at another time, the prudent leader moves from re-action to pre-action. He applies his own and others' past experience, "common sense", and deductive reasoning when identifying the nature and causes of potential threat events and their consequences. He makes judgements as to the likelihood of these identified threats, and judgements as to the degree of impact arising from the consequences. This process is risk identification and assessment.


Comparing this assessment to the organisation's risk appetite he determines a range of risk responses, treatments or controls. With the shift to pre-action (more commonly described as proactive management), the leader's options widen when compared to the earlier reactive state. By preplanning the risk profile he is able to consider avoidance (just don't do it!), risk sharing (insurance) and threat prevention (training) as options in the risk mitigation armoury. Further, the costs of each mitigation strategy can be considered against the benefits expected from the achievement of the objective, and the most effective, efficient and economic ones chosen.


In all cases a threat has a "tell-tale" which must be used to detect that the threat has eventuated, or that the likelihood of a threat has changed. The controls required in this case are detection controls. As with the other pre-action choices, detective controls are most advantageous before the event occurs - as once it has occurred they will generally tell you what you already know. This shifting assessment of risk, based on the changes in likelihood over time, is the current risk.


Implementing detection controls allows the leader to defer the implementation (if not the planning, design and establishment) of other reactive controls, thus delivering a degree of certainty over the costs of mitigation at each point in a project, under a variety of circumstances and levels of current risk.


Once the controls (or risk mitigation plan) are applied to the assessed inherent risk of the objective, the result is the residual risk - that portion of the inherent or current risk that remains after the controls have been applied.


Risk Management is about applying a structured thought process to identifying and managing such risks.


In one form or another, every leader undertakes risk management from the minute they establish a political ideology, manifesto, business vision, organisational mission, or business or political objective. Without a plan - however loosely defined - the objective is unlikely to be achieved. That plan is a map to managing risks to the non-achievement of the objective - starting with the most obvious risk: "inaction".


While Compliance Management is about a governance process for managing adherence to internally and externally known standards, policies, procedures, and controls, Risk Management is an approach to governance that aims to identify what plans, standards, policies, procedures, and controls are required, how important each part is to the purpose, and when you will know which additional actions will be required. Risk Management is a systematic process of making a realistic evaluation of the true level of risks to your purpose, and mitigating those risks that exceed your risk appetite in the most efficient, effective and economic manner possible.


What Is Enterprise Risk Management?

Enterprise Risk Management takes the concepts outlined at the project or single objective level described above, and applies them across the enterprise, government, or society (as appropriate). Enterprise risk management distinguishes itself from project risk management by its aims:


  • Firstly, it aims to reduce duplication of risk management planning and risk mitigation strategies by facilitating cross-organisational sharing of control frameworks, management expertise, and resources.
  • Secondly, it aims to minimise contradictory, counterproductive and mutually exclusive risk management strategies by facilitating enterprise wide knowledge of the risk profile of the organisation.
  • Thirdly, it aims to inform the governance team of their true organisation wide position on a continuous and instantaneous basis.
  • Fourthly, it aims to forecast the risk profile of the organisation within, at least, the decision cycle of the governance team.


What is Competitive Risk Management?

So far, we have considered risk management as a stability governance tool for assisting the achievement of identified objectives. In essence, under this view, it is a defensive strategy. The scope of governance arguably extends beyond maintenance of environmental stability and achievement of defined near-term deadlines and objectives, to the identification of the correct objectives (those that succeed on some measure), and longer term aspirational objectives such as "more profit" or, in social measures, "higher average literacy".


This shift implies that two additional dimensions should be considered:

  1. A risk may also be an opportunity, and an impact may be both positive and negative. Where the impact is positive for the organisation the correct corrective control response is in fact to augment the effect (such as by adjusting the causal states of other risks (opportunities)). The overall implication is that to accommodate opportunity the risk rating scheme needs to be balanced around 0 (meaning minimum risk and minimum opportunity). Whether this is best done with a positive scale and a negative scale, or with a linear scale with a floating normal line, is, I think, an implementation question at this stage.
  2. A risk/opportunity may have a group of controls (strategies) intended alternately to mitigate (Prevent, Detect, Correct) and augment (Focus, Sense, Enable) a risk in some way. Note that we are expanding our control groups from three to six. This is necessary where two impact rating scales are used (an opportunity scale and an impact scale). If only a single monotonic impact scale were used, e.g. "really-good to negligible to really-bad", we could possibly escape with four groups: Focus, Prevent, Detect, Correct. Focus is the opportunity's version of Prevent. The difference is that in the case of a risk, an effective preventive control reduces the residual likelihood (if not the inherent likelihood) of a causal event, while for an opportunity we want precisely the opposite outcome. Thus we need to track these separately. In the case of the two scale system we need the "opportunity" equivalents of the detection and correction control functions separated as well.


In competitive risk management we utilise the techniques of "defensive" risk management as a method to inform competitive strategy. The same methods that are applied to determine and manage or avoid your risks can be applied to:

  1. determine, induce and exploit your opportunities, and select the opportunities most likely to be successfully exploited; and
  2. determine and trigger your competitor's risks, and where they are either most exposed, or where their responsive mitigation costs will be greatest. In this use there is an implied additional measure/counter-measure relationship between controls, where an augmentation strategy is defined that is designed to detect or counter another mitigation strategy.


In competitive risk management we therefore look to identify and exploit our opportunities and the weaknesses in others through application of risk management techniques. Such an application of the method is likely to be most effective where knowledge of the competitor or competing industry approaches perfection, and the accuracy of the model used approaches perfect accuracy. There are interesting implications for game theory where all participants in a market use equivalently competitive risk management methods and have equivalently perfect knowledge.


Competitive risk management is therefore a strategy setting process. In both cases the analysis expands the colour of the control analysis part of our formula described in the previous section. Specifically, the changes required are to accommodate additional ratings and velocities, to allow risk and opportunity to be treated in a single function (e.g. possibly describing a parabolic or logarithmic curve as the output).


Our revised formula for competitive risk then becomes:


ROi = f( f(Li), f(LVi), f(Ii), f(IVi), f(CFi), f(CSi), f(CEi), f(CPi), f(CDi), f(CCi), f(CFVi), f(CSVi), f(CEVi), f(CPVi), f(CDVi), f(CCVi)    )

where:

RO: is expressed in a single scale such as "really-good to negligible to really-bad", or as complex numbers with two scales: a rating (high to negligible) and a binary (two position) scale, "Opportunity or Risk"
i: represents an individual risk
L: Likelihood Rating for each cause
I: Impact Rating for each impact
CP: Mitigating Strategies and Controls effectiveness rating at preventing causal events
CD: Mitigating Strategies and Controls effectiveness rating at detecting causal events and consequential impacts
CC: Mitigating Strategies and Controls effectiveness rating for reducing the likelihood of further causal events and mitigating consequential impacts
CF: Enabling Strategies and Controls effectiveness rating at focussing causal events
CS: Enabling Strategies and Controls effectiveness rating at detecting causal events and consequential impacts
CE: Enabling Strategies and Controls effectiveness rating for increasing the likelihood of further causal events and enabling consequential impacts
LV: Likelihood Velocity Rating for each causal event
IV: Impact Velocity Rating for each impact
CFV: Focus Control Velocity Rating for each causal event
CSV: Sensing Control Velocity Rating for each causal event and possibly some to all impacts
CEV: Enabling Control Velocity Rating for each enabling control, for the impacts it enables and possibly some to all causal events
CPV: Preventive Control Velocity Rating for each causal event
CDV: Detective Control Velocity Rating for each causal event and possibly some to all impacts
CCV: Corrective Control Velocity Rating for each mitigating control, for all impacts and possibly mitigating some to all causal events




The Evolution of the Risk Management Standard

In Australia, a team of experienced risk management practitioners was assembled over two decades to codify a standard for risk management as it had been (and was being) developed and deployed in Australia and New Zealand. That codification was initially released by Standards Australia as AS/NZS 4360:1995, revised as AS/NZS 4360:1999 and revised again in its current version as AS/NZS 4360:2004. You can access the standard via the Risk Management Portal. While still very much in its infancy as a governance tool, and immature as a management science, risk management has rapidly been adopted across the world and is now codified into an international standard, ISO 31000:2009 (October 2009), supported by ISO Guide 73:2009 and largely based on the AS/NZS standard.


The Classical Approach

In classical risk management - with respect to a given focus - a business, a business objective, an asset, etc. - we are told to identify the risks first, so that they can be properly managed. In its classical form, risk management asks, and attempts to answer, three questions:

  • What can go wrong?
  • What can I do to prevent it?
  • What do I do if it happens?


You are advised to develop a risk register to document each potential problem, its level of seriousness, what is required to fix it, who will fix the problem, and monitor progress.


There are essentially four things you can do with risk. We will call them, the four T's:

  • Tolerate it (by accepting or ignoring a risk - this is where the profit lies)
  • Treat it (by actively remediating or controlling it)
  • Transfer it (by insuring it, perhaps better described as "sharing it")
  • Terminate it (by exiting the business that incurs it)


It is critical that leaders understand that risk management is NOT about avoiding risk, but about managing it.


The Evolution of a Risk Management Thought

The concepts of risk and reward management are not new to mankind. The walls of cities and castles were early forms of risk management, and Hadrian's Wall, Agricola's Wall, the Antonine Wall, and the Great Wall of China are dramatic statements of risk containment on a social scale.


History is littered with authors and thinkers exploring the relationship between risk awareness, risk exploitation, active management and outcomes. Military and political strategists have employed the concepts underpinning modern risk management for centuries. The writings of both military and political strategists such as Sun Tzu ("The Art of War"), Carl von Clausewitz ("On War"), Niccolò Machiavelli ("The Prince", "The Art of War"), and Miyamoto Musashi ("The Five Rings") are all examples of the practical application of risk awareness in strategy formation. To varying extent these works all encourage an awareness of one's own and one's opponent's weaknesses, and the mitigations and exploitation of the same.


Perhaps what is new is the codification of the process of identifying, measuring, assessing, and responding to risk laid down in the more recent writings. It would be naive, however, to consider that risk management, per se, is new. The difference between a successful manager and an unsuccessful manager has always been their ability to see the potential reward in an opportunity and strike the correct balance between ignoring, avoiding, transferring and mitigating risks. Too much risk avoidance means opportunities are not exploited, too much control or insurance means that there is no profit left from the risky activity, and too much ignorance means that eventually the strategy's angel will become history's fool.


In the absence of a formalised approach to risk management, the successful business leader is known as lucky. In truth, the success is probably more due to that leader's accident of DNA and life experience, which leads to instinctively correct risk judgements. It is possibly this instinct, more than anything else, that justifies the executive salary differentials.


There is an important observation to be made from the historic context of risk management theory. Currently risk management professionals tend to view the discipline as an extension of the strategy achievement, yet historically, risk management has been as much about strategy identification and formation, as about implementation.


Good risk management looks both inward and outward. By this I mean that risk management can be applied both to minimising your chance of failure and to maximising your competitor's chance of failure. The essence of the military strategist's thinking is to identify the weaknesses of the opponent and exploit them to your own advantage. Application of the principles of risk management can enable you not only to identify the opponent's weaknesses, but to identify the probable strategies they will employ to manage the risks arising from those weaknesses, and hence better inform your planners about potential strategies to employ.


Over the last 50 years a number of frameworks addressing risk management with respect to governance have emerged out of the experience of the different professional groups involved in strategic management, asset protection, public accountability, finance and risk. These groups include:

  • Internal Audit - focused on control system reliability
  • External Audit - focused on true and fair representation of financial position on a going concern basis
  • Actuarial Science - focused on the pricing of risk for insurance
  • Investment banking - focused on the pricing of risk for portfolio management, hedging, capital fees and adequacy
  • Risk Management - focused on management of risk to strategic and tactical outcomes on an enterprise and societal basis


Setting aside the military and political authors, among the business community, some of the earliest work in risk management arose from the financial advisory community looking for models to minimise the downside risks to financial products investment.


A Mathematical Basis To Risk Measurement

As early as 1952 Harry M Markowitz published his paper "Portfolio Selection" in the Journal of Finance, exploring the advantages of risk diversification through balanced portfolio selection. The essence of portfolio theory is that risk essentially expressed the potential for a negative return (financial loss) and the


An investor can reduce portfolio risk simply by holding combinations of instruments which are not perfectly positively correlated (correlation coefficient -1 < r < 1).

To a greater or lesser extent the professional bodies, standards organisations and government agencies have responded with guidelines and standards for the measurement, application, response and management of risk as it applies to their specific problem domains. In 1978 the Institute of Internal Auditors - the international professional body of the Internal Audit profession - issued its Standards for the Professional Practice of Internal Audit (SPPIA). In one of the earliest standards-based references to risk based management, the standards included standard 320: "Compliance with Policies, Plans, Procedures, Laws and Regulations". The statement determined that "Internal auditors should review the systems established to ensure compliance with policies, plans, procedures, laws and regulations which could have a significant impact on operations and reports, and should determine whether the organisation is in compliance". The SPPIA standards mandated the


Alternative Standards and Views of Risk Management

Among the definitive pronouncements on risk management are:

  • The King Report on Corporate Governance for South Africa (SA King II - 2002)
  • A Risk Management Standard (RMS 2004) by the Federation of European Risk Management Association (UK FERMA)
  • Australian/New Zealand Standard 4360—Risk Management (A/NZ 1995, 1999, 2004)
  • COSO’s Enterprise Risk Management— Integrated Framework
  • The Institute of Management Accountants’ (IMA)
  • “A Global Perspective on Assessing Internal Control over Financial Reporting” (ICoFR)
  • Basel II
  • Standard & Poor’s and ERM
  • ISO 31000:2009


Building on the work of many years, the middle of the first decade of the millennium saw a succession of enterprise risk management (ERM) related pronouncements. AS/NZS 4360:2004 defined the risk management process as the “systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing”. For the financial sector, the earlier BASEL I standard was superseded by BASEL II, which closely mirrored the view of AS/NZS 4360.


Expanding on an earlier Internal Control Framework from the early 1990s, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) released the ‘Enterprise Risk Management (ERM) – Integrated Framework’, which attempted to map the COSO framework that formed the motivational basis for the US Sarbanes-Oxley compliance legislation into a broader enterprise risk management framework. The COSO/ERM framework defined enterprise risk management as:

  • A process, ongoing and flowing through an entity,
  • Effected by people at every level of an organisation,
  • Applied in strategy setting,
  • Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk,
  • Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite,
  • Able to provide reasonable assurance to an entity’s management and board of directors,
  • Geared to achievement of objectives in one or more separate but overlapping categories.


The standards share the purpose of improving the predictability of business outcomes, but differ significantly in how that certainty is to be improved. While 4360 describes the process for management of risk, BASEL II mandates that a firm’s operational risk management (ORM) system must be “conceptually sound and implemented with integrity”, but stops short of defining the form or process of the ORM. BASEL II does specify that the ORM should be maintained by an independent operational risk management function, and that it is to consist of at least “strategies, methodologies and risk reporting systems". It identifies that the purpose of the ORM is to "identify, measure, monitor and control/mitigate operational risk”.

Under BASEL II, the ORM systems should be:

  • “credible and appropriate”,
  • “well reasoned, well documented”,
  • “transparent and accessible”, and
  • capable of being validated by audit.


Among the failings of BASEL II is the lack of definition of these key terms, which, in a sense, is where AS/NZS 4360 and the COSO ERM Framework come in. The latter standards provide a framework under which a credible, reasoned, transparent, documented and verifiable risk management model can be established.


AS/NZS 4360 and COSO do not eliminate failure in the ORM/ERM, however, as in their implementation there is still considerable subjectivity in risk identification and assessment, and within the process documented by the standard there is no mechanism for proving or measuring "completeness". They do, however, populate the next level of the BASEL II obligation.


This problem of "completeness" in ERM frameworks should not be underestimated. It is present in all current risk management standards and is possibly a key reason for failure in ERM frameworks. We shall explore approaches to solving this problem in later papers.


Owing to their differing origins the three standards employ slightly different terminology for shared ideas:

  • AS/NZS 4360 refers to ‘Risk Treatment’, COSO to ‘Risk Response’ and Basel II uses ‘Risk Mitigation’.

While the seven ‘elements’ of the AS/NZS 4360:2004 framework do not align precisely with the eight ‘components’ of the COSO process, the ‘end to end’ risk management process is the same.


AS/NZS 4360:2004 Framework | COSO ERM - Integrated Framework          | BASEL II ORM Framework
---------------------------|-----------------------------------------|-----------------------
Establish the context      | Internal environment; Objective setting | Establish the context
Identify risks             | Event identification                    | Identify
Analyse risks              | Risk assessment                         | Assess
Evaluate risks             | Risk assessment                         | Assess
Treat risks                | Risk response and control activities    | Control/mitigate
Monitor and review         | Monitoring                              | Monitor
Consult and communicate    | Information and communication           |




CopyRight Bishop Phillips Consulting Pty Ltd 1997-2012 ( Risk Management - Introduction )