Courtesy: ISO 31000 risk management internal auditor training
ISO 31000: the new International Risk Management Standard
ISO 31000 is an International Standard for Risk Management which was published on 13 November 2009. An accompanying standard, ISO 31010 – Risk Assessment Techniques, soon followed publication (December 1, 2009) together with the updated Risk Management vocabulary ISO Guide 73.
RIMS Risk Maturity Model
The RIMS Risk Maturity Model (RMM) for Enterprise Risk Management, published in 2006, is an umbrella framework of content and methodology that detail the requirements for sustainable and effective enterprise risk management. The RMM model consists of twenty-five competency drivers for seven attributes that create ERM’s value and utility in an organization. The 7 attributes are:
- ERM-based approach
- ERM process management
- Risk appetite management
- Root cause discipline
- Uncovering risks
- Performance management
- Business resiliency and sustainability
The model was developed by Steven Minsky, CEO of LogicManager, and published by the Risk and Insurance Management Society in collaboration with the RIMS ERM Committee. The Risk Maturity Model is based on the Capability Maturity Model, a methodology founded by the Carnegie Mellon University Software Engineering Institute (SEI) in the 1980s.[7]
Implementing an ERM program
Goals of an ERM program
Organizations by nature manage risks and have a variety of existing departments or functions (“risk functions”) that identify and manage particular risks. However, each risk function varies in capability and how it coordinates with other risk functions. A central goal and challenge of ERM is improving this capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization’s ability to manage the risks effectively.
Typical risk functions
The primary risk functions in large corporations that may participate in an ERM program typically include:
- Strategic planning – identifies external threats and competitive opportunities, along with strategic initiatives to address them
- Marketing – understands the target customer to ensure product/service alignment with customer requirements
- Compliance & Ethics – monitors compliance with code of conduct and directs fraud investigations
- Accounting / Financial compliance – directs the Sarbanes–Oxley Section 302 and 404 assessment, which identifies financial reporting risks
- Law Department – manages litigation and analyzes emerging legal trends that may impact the organization
- Insurance – ensures the proper insurance coverage for the organization
- Treasury – ensures cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange
- Operational Quality Assurance – verifies operational output is within tolerances
- Operations management – ensures the business runs day-to-day and that related barriers are surfaced for resolution
- Credit – ensures any credit provided to customers is appropriate to their ability to pay
- Customer service – ensures customer complaints are handled promptly and root causes are reported to operations for resolution
- Internal audit – evaluates the effectiveness of each of the above risk functions and recommends improvements
- Corporate Security – identifies, evaluates, and mitigates risks posed by physical and information security threats
Common challenges in ERM implementation
Various consulting firms offer suggestions for how to implement an ERM program. Common topics and challenges include:
- Identifying executive sponsors for ERM.
- Establishing a common risk language or glossary.
- Describing the entity’s risk appetite (i.e., risks it will and will not take)
- Identifying and describing the risks in a “risk inventory”.
- Implementing a risk-ranking methodology to prioritize risks within and across functions.
- Establishing a risk committee and or Chief Risk Officer (CRO) to coordinate certain activities of the risk functions.
- Establishing ownership for particular risks and responses.
- Demonstrating the cost-benefit of the risk management effort.
- Developing action plans to ensure the risks are appropriately managed.
- Developing consolidated reporting for various stakeholders.
- Monitoring the results of actions taken to mitigate risk.
- Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities.
- Developing a technical ERM framework that enables secure participation by 3rd parties and remote employees