Risk Management Frameworks - What Does It All Mean?

29 December 2024


If you search for risk management frameworks, you will quickly see that there are almost limitless options for what your business can implement and how it can be certified. There are formal options like the COSO or ISO frameworks, as well as more bespoke frameworks specific to industries or businesses. Then there are various acronyms like ERM, GRC and ESG, and finally some specific phrases like risk tolerance and risk appetite. So, what does all this mean and how does it fit together?


This article will explore some of these concepts and provide a little extra information so you can navigate the world of risk management a bit better. One thing is certain - risk management is not as daunting as it seems. Policies and processes don’t manage risks; people and good communication do, and the fundamental principles of awareness, assessment, decision making and communication underpin every risk management framework.


What is a ‘framework’?

In the risk management sense, a framework is simply the structure underlying your risk management practices. Frameworks range from the very formal to the very informal, and everything in between. However, what is critical to acknowledge is that every business has a risk management framework in place, whether or not it is written down in a formal document, policy or risk register. Every action taken or not taken, at the board, executive and operational level, is a decision in relation to a risk.


How does that relate to Enterprise Risk Management and other related concepts?

Enterprise risk management (ERM) is one of many different risk management concepts. In one sense, ERM is the formal implementation of a specific COSO guideline (the 2017 ERM Guideline), but in a general sense, it can be used informally to refer to an organisation’s risk management framework, particularly at the board and executive level, as opposed to the operational level. Other risk management concepts and frameworks sit alongside ERM - these include GRC (‘Governance, Risk & Compliance’) and ESG (‘Environmental, Social & Governance’), but also industry standard frameworks like ISO31000.


Typically, a CEO, Chief Risk Officer or Chief Compliance Officer would say something like “We should put a GRC framework in place” or “We should do ERM”. Alternatively, they might be more specific and say “We need to comply with ISO31000”. In both scenarios, they are saying that they want to develop a risk management framework. And unless there is a specific industry requirement to implement COSO’s 2017 ERM Guideline, then the framework that your business uses is somewhat irrelevant. What matters is the end result: as a leader, do you feel that your risks are managed appropriately or not?


What are some examples of frameworks?

There are some very well-known risk management frameworks. Usually, the larger, more complex frameworks are implemented by organisations that need to establish formality, because they operate within a highly regulated industry. For most businesses, ISO31000 or the COSO 2017 frameworks are not necessary: the time and resources required for full implementation do not pass a cost-benefit analysis. Having said that, they can be very helpful, because they provide broader guidelines that can be cherry-picked and used in any organisation!

You will see many common themes among the formal frameworks. Let’s take a look at some of the bigger risk management frameworks and how they are structured:


ISO31000 Risk Management Guidelines

The International Organization for Standardization develops and publishes many different frameworks, covering risk management, compliance and cyber security, to name a few. ISO31000 is a specific risk management framework that distinguishes between the framework itself and the underlying processes. It provides a structure for identifying, assessing, handling and monitoring risks, tailored to business objectives and context.

Under ISO31000, risk management:

  • is an integral part of business processes
  • is specific to goals, context and capabilities
  • is structured and well-defined
  • relies on the most recent information at the time
  • is a dynamic and fluid concept; and
  • involves various people and teams, at different levels

COSO 2017 Enterprise Risk Management

COSO 2017 is an updated guideline in relation to Enterprise Risk Management. It sets out a series of guidelines that boards and management can use in furtherance of their risk management efforts. The whole idea is to move away from risk management being a ‘function’ or a ‘department’ and move towards risk management being a culture and specific practices of organisations. COSO 2017 provides the following key concepts:

  • Governance & culture - setting the tone, supporting risk management as a culture, and taking appropriate action at the board and executive level
  • Strategy - managing risks and business objectives go hand in hand, resulting in a better understanding of risk appetite.
  • Performance - risks should be prioritised in relation to objectives and risk appetite, with an appropriate risk response selected for each, from which a wider risk profile emerges. Key stakeholders have oversight of this.
  • Review - by reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed
  • Communication & reporting - enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

COSO 2013 Internal Control Framework

The 2013 framework is similar to the 2017 ERM framework, but relates more specifically to implementing and assessing internal controls and risk mitigation practices. Its core concepts are:

  • Control environment - this relates to the overall tone, core values, management activities and desire to put effective policies and lines of communication in place.
  • Risk assessment - this principle considers risk tolerance and the ability to identify and assess risks within the broader goals and objectives of the business.
  • Control activities - control activities are the actions to handle risks. What controls are in place? Do controls mitigate risks and allow us to achieve objectives?
  • Information & communication - this is about collecting accurate and appropriate information to make decisions, as well as ensuring relevant information is shared with key stakeholders at the right times.
  • Monitoring activities - only when controls are assessed will it be clear if they are actually working. Evaluating and adapting when necessary is a key part of this framework.

ISO19600 Compliance Management Systems

This framework relates more specifically to compliance ‘systems’ but aligns closely with the ISO31000 framework. As with the other frameworks above, it provides a methodology to consider how to plan and implement various aspects of governance, risk and compliance. In particular, ISO19600 focuses on:

  • Context of the organization - this relates to understanding the broader risk and compliance environment, the current maturity, and how compliance operates internally.
  • Leadership - the tone at the top: is there buy-in, and is this supported by broader values? Does compliance have a certain level of authority?
  • Planning - are there plans to reduce compliance risks? Is there a documentation process in place? These questions should be considered in line with broader objectives.
  • Support - this principle looks at whether there is resourcing in place, and whether training can be put in place. It is about compliance as an ongoing process, not a one-off.
  • Operation - this considers what happens in reality, and whether there are processes and systems in place, and if problems are dealt with on a proactive or reactive basis.
  • Performance evaluation - evaluation of people, processes, resourcing, and objectives is critical to ensure risk and compliance management is conducted effectively.
  • Improvement - if there are gaps or issues, these need to be dealt with appropriately. Improvements need to be efficient and effective, with processes for escalation and communication simple and clear.

In further articles, I will explore some of the key principles of these frameworks (and risk management in general) in more detail. In most cases, the name of the framework you put in place does not matter, as long as it covers the main aspects of risk management: (i) understanding risk tolerance and your ability to absorb certain impacts; (ii) identifying, assessing, and dealing with risks; (iii) communicating with key stakeholders at the right time; and (iv) documenting relevant information.


To find out more about creating and implementing a bespoke risk management framework, understanding where you are on the journey, or to talk about risk appetite and risk tolerance, reach out to us at [email protected]. We would love to hear from you and help you get more from your risk management practices today!
