Following The American Psychological Association’s Guidelines
Abstract
Whenever the term “enterprise risk management” is mentioned, most picture it as risk reduction and prevention for the occupants of a business establishment or occupancy in question. While this is partly true, the generic definition of risk management can be disconcerting, as it entails several aspects that are part of, or revolve around, an enterprise model. The purpose of enterprise risk management (ERM, as it shall be abbreviated throughout this report) is also to plan, organize, lead, and control activities in order to reduce financial, strategic, or operational risks for the sustainability of an organization or association. Over the past decade, investors, along with industrial and governmental boards, have often compared established and accepted frameworks to analyze the practices then prevailing in risk management. This paper discusses the comparisons and contrasts of the criteria used in formulating adapted risk management programs by various organizations, ranging from internal to external environments, acting in the best interests of all parties concerned. As for myself, working for a reputable government agency, I conceptualize and parallel the validation of risk management in all divisions involved, even though the protocols of each division vary. Therefore, this report briefly explains the duties of some of the processes involved and how they are intertwined into their respective frameworks in various locations and accepted diversely. Typical risk functions shall also be included to remind readers of the earlier practices on which current ERM is based and referenced, and of the common challenges in problem solving. Importantly, the role of key players shall be explained in terms of their individual involvement as they are required to perform within the ERM framework.
Keywords: risk management, COSO, financial risks, strategic risks, organizational structures
1.0 Introduction
Depending on location, type of occupancy, and the type of accidents that occur, even the best performance of a risk management program may only cover so much for damages under certain frameworks and their extensions. Even before placing each framework under scrutiny, the question comes down to what type of incident may fall under a particular framework, how it does so, and which framework holds precedence. Each framework is designed only for an ideal case, which explains why a cluster of frameworks has been formulated to correspond to the various risks facing an enterprise. Since exhaustive lists of risks have been compiled, whether by how often they occur or by their projected likelihood of occurrence, the pertaining frameworks and organizations, both new and existing, need to be prepared and exercised to identify circumstances that may hinder or enhance the progress of organizations. Similar to the practice manuals of, for example, building, electrical or fire codes, ERM, which can be viewed as a code itself, constantly undergoes revisions, research, and restructured editions to improve the functions of an organization as deemed necessary.
The following frameworks have been chosen for comparison with one another by outlining each on an individual basis:
- ISO 31000
- COSO Integrated Framework – 2004
- COSO draft Integrated Framework (Dec. 2011), and
- Risk Management Standard 030820
The question becomes: how does each aforementioned framework beneficially or grievously affect organizations? Essentially, risks are experienced by all types of business organizations and are not guaranteed to be eliminated; they may only be reduced. Hopefully, severe losses do not diminish the integrity of organizations when they occur, and may instead serve as improvement models to better all frameworks concerned. A few of the details described shall explain how key players contribute to the definitions and evolution of ERM practices.
2.0 Principal ERM Programs
2.1 ISO 31000
Some organizations follow established practices adopted by other appropriate authorities, whereas others follow documents designed to allow for the development of their own approach to risk management (Lazarte, M. & Tranchard, S., 2010). ISO 31000 is one of the entities that provides such developments. Although it possesses a systematic procedure capable of handling any scope or context, with transitioning recommendations to implement and improve risk management, it has a disadvantage from a standardization perspective: organizations cannot be certified against it. Instead it needs to compare itself to international practices to achieve its status as the proper framework to correspond with other countries. One of its main purposes is to permeate these standards to relocated personnel when faced with diverse organizational environments, to reduce conflicts of interest, and to cushion them from global influences.
Hence the ISO 31000 standards have been reconstructed to assist organizations in the industrial, commercial, public, and private categories in recovering from the aftermath of global incidents. The level and magnitude of risks determine the requirements of risk treatments and whether they shall have any noticeable impact on an organization. The process of risk assessment then gets partitioned from a macroscopic to a microscopic scale to identify the adequate response in order to analyze the risk, followed by a prompt study of the repercussions of future events if left untreated. One scrutinized incident sometimes requires the review of a separate party to discern its effects, forecast any further consequences, and take appropriate preventive action, if necessary.
2.2 COSO Integrated Framework – 2004
A response was required to adapt to a principles-based protocol to help organizations further integrate the designs and implement effective approaches to risk management. Therefore, the 2004 volume of COSO (Committee of Sponsoring Organizations) was established in response to the 1992 report. COSO reinterpreted its definition of the actual components and principles essential within an ERM system. Since diverse locations and countries may possess identical and overlapping policies, ensuring that these diverse parties understand each other (i.e. across language and language barriers) becomes mandatory. A misinterpretation of terminology and translation, whether between different languages or even between various protocols of the same language, can magnify risks to an organization. A common guidance system introducing full organizational policies would surely capture concepts such as risk appetite, risk tolerance, and portfolio viewing (HM Treasury, 2006). Carrying over these concepts has improved the worldwide connection extended by the COSO framework for ERM.
COSO managed to develop its own interpretation of and focus on ERM. Similar to the ISO 31000 framework, it focuses on risk management in general rather than solely on enterprise risk management for specific industries and types of risk, including how risks are reduced and managed. COSO, however, applies its protocols to all industries and addresses all kinds of possible risks. Additionally, this amended framework encompasses effective ERM practices applicable to the particular context of a given strategy setting. This application is what sets COSO apart from most modern risk models not recognized globally. The execution of this model begins with the founders or establishers of an organization and becomes the foundation of its strategic vision.
2.3 COSO draft Integrated Framework (Dec. 2011)
In spite of becoming one of the most widely accepted global internal control frameworks in 1992, COSO needed to amend its edition further, and will continue to undergo amendments and improvements. ERM saw the arrival of an exposure draft proposed in 2011 with enhancements to this framework concerning changes to organizations and working environments and how they shall adapt to current standards. The noticeable changes were naturally addressed within chapters such as control environment, risk assessment, communications, and monitoring activities. One of the major intents was to add to the framework on an objective level in conjunction with the prescriptive level.
The proposed changes for the aforementioned chapters were opened to public comment in the form of public consultations. Currently, thousands of comments have been submitted and are under review before finalization. To ensure more responsible acts are enforced, all principles were to be communicated and taught to all internal functions and to the key players in charge of those functions (Ramirez, 2011). The amendments needed to be visibly added to distinguish each revised framework from the others, and to internally rework their structures where the changes were most significant. For example, since public consultation and commenting were encouraged, the framework's changes were subjected to third-party review. Alterations in how organizations adapted to the amendments later reflected the technological requirements integrated into the internal framework.
Not all proposed changes to COSO would necessarily be relevant and adopted. Some aspects of these changes needed to undergo testing of the framework to broaden guidance, meaning coordination and communication among each group appointed to regulate organizational control internally. By subjecting each division within an organization to changes in the COSO framework, the identification of risks should be streamlined and a simpler analysis can be conducted in handling risk management.
2.4 Risk Management Standard 030820
Whenever a company or organization suffers financial losses, it requires a reliable resource to cover those losses without interrupting the regular functioning of the organization. Much coverage is in the form of insurance programs as part of a risk treatment, although it is not generally intended to provide funding as part of risk management implementation. The 030820 standard became a collaborative compilation, the product of extensive periods of public consultation to reach agreement among organizations on a common terminology, on how risk management tasks may be approached, and on the internal structuring for risk management. The intent became clearer when viewing the amendment not only from a contextual perspective, but also in terms of how stakeholders may be affected, as setting the objectives would be difficult to outline in a single document (Curtis, P. & Carey, M. 2012). A user-friendly document in the form of broken-down instructions would assist in understanding the risk management protocols required in all areas of responsibility, even if potential risks may not directly affect designated areas but may do so indirectly. Additionally, indirect risks may regardless affect most, if not all, areas within an organization if the potential risk is threatening enough to the organization itself.
One purpose of Standard 030820 was to emphasize to all organizations that risk management should become centralized. Integration into an organization at the tactical and operational levels was meant to be addressed throughout the entire risk management timeline. With any accepted model successfully implemented, continually adding value enables an organization to operate when exposed to future uncertainty (Peter, 2013). The internal approach can be carried out for a long-term strategic objective concerning financial availability, political risks, and administrative changes, along with changes to the physical environment of an organization. With prompt and proper communication, then, all boards would be able to report risks internally and externally.
Standard 030820 also provides prescriptive risk management policies with pathways leading to the level of risks involved, to determine how the risks may affect company functions. The scope and nature of risks may fall under specific categories where they may trigger other aspects of a company to be dealt with accordingly. This method becomes highlighted within an organization's strategic processes and provides effective training for internal key players to learn how to participate in setting policies for risk management.
3.0 Comparisons and Contrasts
ISO and COSO appear to most either as founders of risk management or as key opponents. However, each has its benefits and pitfalls because their editions were updated at different times over the years. Some organizations and countries accept both standards of ERM, whereas others make a conscious choice between the two. More contrasts than comparisons result, as expressed below.
3.1 Comparisons
Regardless of how well written or well intentioned any framework's instructions on the protocols of risk management are, they are not derived from a single point of research and sourcing. They become a family of highlights compiled internationally by a number of participating countries that share common goals for risk management. The question is: do ISO 31000 and COSO ERM have anything in common? These two frameworks do in fact have similarities, although each has its benefits over the other in its own respects. Most participating countries concluded that ISO 31000 is actually an update to COSO, and the two recognize each other's intents in reflecting current risk management for organizations. Each has explicitly defined overlapping terms, so organizations may seek references in various sources instead of one streamlined source.
For effective risk management, both ISO and COSO have the ability to create and protect the value of organizational processes. Addressing uncertainty is best based on available information, so as to operate a company more smoothly, creating, for the most part, a systematic and structured approach toward the desired result (Hoefgen, 2010). Each framework's provision of an inclusive rapport across the organizational structure shapes the conciseness of company standards. Having each of these frameworks implemented in tandem retains human and cultural value, meaning compatible and easier interaction for the purposes of decision-making.
3.2 Contrasts
One of the most significant differences between ISO and COSO pertains to how each defines risk management. As mentioned above, ISO is an update of COSO and has its advantages over it. ISO is known to provide more practical processes, whereas COSO provides more of a theoretical approach that can be more difficult to put into practice. Because of its practicality in detailing, ISO's defined terms are more explicit. The stakeholders and all key players (CEOs, management, and risk analysts) have a better understanding of the terminology because it is written more clearly. When ISO suggests required updates to an already developed guideline for risk management, its standards and information can be more readily adapted and integrated into the guideline. Moreover, being a parent to its risk management standards, it eventually becomes the sourcing foundation for its former guidelines.
As far as definitions are concerned, ISO defines risk as the effect of uncertainty on an organization's objectives, meaning it is focused on the consequences of uncertainty following sequential events, taking its perspective on risk beyond that presented by COSO. Seemingly, ISO takes its analysis on a step-by-step basis to resolve the consequences instigated by events. This is not to suggest that ISO is superior to COSO, only to reiterate that its updates are more recent than those of COSO, which was established over a decade ago.
Finally, COSO is known to be a complex and multi-layered procedure that proves difficult for organizations to understand and follow. Such procedures are not always performed by the same type of personnel in the organization, since COSO is tailored by a team involved in financial positions. ISO, on the other hand, is tailored by a team already trained in risk management standards.
4.0 Conclusion
As the aforementioned frameworks individually demonstrate guidance for an organization's approach to risk and risk management, they all attempt to achieve identical goals. Although each framework has a common goal that can correlate with the strategies of its fellow frameworks, working towards improving already existing, stand-alone frameworks may also enhance their functions in risk management. The purpose is to classify how they can operate in one discipline or another, because certain protocol editions may be more suitable than others. Perhaps written volumes in which workable frameworks are cross-referenced with one another may improve their functions and magnify understanding between frameworks where they are implemented differently in other organizations that plan to put them into practice. This integrated practice works analogously to the cross-referencing among building construction code practices, which intertwine sprinkler codes, manufacturer manuals, and firefighting codes. Hence each framework becomes further accepted and recognized as appropriately identifying and benefiting risk management functions within organizations, and no framework has a right or wrong way to perform risk management.
With common and embedded definitions of ERM permeating each framework, organizations can forecast a balance among all responsibilities for risk management. Having commonalities in ERM can streamline interactions within and between organizations to gain better control of their interlacing divisions. After all, an organization would not function properly as a whole if each of its constituent subsidiaries, for example, did not operate as a team player and consequently ran as a separate enterprise system (Quinn, 2009). Investment shall then be spent on brand new risk management topics rather than wasted on further reducing risks that an ERM system already holds at an acceptable level.
Works Cited
Lazarte, M. & Tranchard, S. (2010). The Risk Management Toolbox. ISO Focus.
Curtis, P. & Carey, M. (2012). Risk Assessment In Practice. Thought Leadership In ERM. Committee of Sponsoring Organizations of the Treadway Commission.
Peter, M. (2013). Leveraging Your Company’s Strengths With ERM. Enterprise Risk Management. EideBailly.
Hoefgen, M. (2010). Risk, Risk, and More Risk. CA Technologies and Community. International Organization for Standardization.
HM Treasury. (2006). Thinking About Risk, Managing Your Risk Appetite. Controller of Her Majesty’s Stationery Office.
Ramirez, M.A. (2011). Approach to Successful Enterprise Risk Management Programs. Business Brief. AICPA.
Quinn, L.R. (2009). The Evolution of Enterprise Risk Management. Corporate Risk Management.