ENTERPRISE RISK MANAGEMENT MODELS AND STANDARDS
Enterprise Risk Management (ERM), sometimes described as the application of management processes, policies and procedures to identify, assess, prioritise, treat and monitor the risks faced by an organisation, has been evolving for more than six decades. Traditionally, its application was restricted to minimising accidental losses and, to a limited extent, mitigating the operational hazards that challenged businesses. However, while risk management has always been about helping organisations achieve their objectives, it tended to be applied only in selected groups, departments and business units instead of organisation-wide.
This caused it to operate in a silo and to be quite reactive in character. It also tended to have a heavy focus on compliance. But the character of businesses and business environments was changing, and ERM changed with it, moving from traditional practices in the 1960s to more conventional ways in the 1970s and 1980s. In the 1990s, companies began to take a more holistic, integrated approach to it as they realised its potential. Users began to be aware that applying the principles of ERM could result in fewer unpleasant surprises when the business was in operation; the business could also experience improvements in planning, performance and effectiveness that could boost economy and efficiency.
Support from Down Under
This in turn could lead to a raft of benefits such as improved relationships with stakeholders, improved business reputation, more transparency and better governance. The awareness of the need for more responsible business operations was not limited to Western Europe or the US. In 1995, the joint Australian/New Zealand Standards Board (AS/NZS) issued AS/NZS 4360, one of the first efforts at formalising a corporate governance framework and risk management process. This was later updated and reissued as AS/NZS 4360:1999, and again in 2004 after feedback from various stakeholder groups helped to clarify some aspects of it. Elsewhere too, the need for ERM standards was becoming apparent.
The Committee of Sponsoring Organisations (COSO)
In the US, the Committee of Sponsoring Organisations of the Treadway Commission, “COSO” for short, was formed in 1985 by the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA). COSO’s aim was to develop guidance on internal controls to improve the quality of financial reporting through business ethics, effective internal controls and corporate governance.
In September 1992, COSO released an internal control report that proposed a common framework for, and evaluation of, internal controls. This became its Integrated Framework Model, and consisted of five elements of internal control: monitoring, information and communication, control activities, risk assessment and control environment. Over the next decade, the growing number of business failures due to fraudulent practices spurred COSO to develop its Enterprise Risk Management – Integrated Framework, COSO ERM, in 2004, which highlighted essential components and offered a common language, clear guidelines and direction.
However, despite the improvements of COSO ERM over the first Integrated Framework Model, industry practitioners found it cumbersome to implement and lacking in clarity, with a distinct focus on reporting rather than on managing risks. It also lacked practical guidance for implementing an effective ERM system, the practitioners said. Under the COSO ERM framework, ERM was driven by audit, and it lacked the components that treat risk as opportunity, a core component of ERM; there was too much emphasis on internal controls, hazards and reporting as opposed to managing risk. Following comments from industry experts and feedback from practitioners, the COSO ERM framework was updated.
In 2017, COSO released “Enterprise Risk Management – Integrating with Strategy and Performance”, which emphasised the importance of integrating risk considerations into the organisation’s design and implementation strategies. It also emphasised culture, and took into consideration the need for organisations to deal with increasingly volatile risks in the face of increasing regulatory pressure. Due attention was also paid to managing cybersecurity risks, and to the fact that the ERM process requires continuous improvement to be effective. However, the COSO models remained essentially North American models.
The International Standards Organisation (ISO)
As previously mentioned, organisations around the world realised that they were becoming increasingly exposed to a multitude of risks in the course of doing business. This became even more complex with the expansion abroad of many companies, large and small; their foreign operations were exposed to the risks of their respective environments in addition to the risks of their parent companies. AS/NZS 4360, one of the earliest practical standards developed to standardise ERM, was applied by many companies and, after consultation with industry experts, practitioners and other stakeholders, it was decided that a common international standard should be developed. These practitioner-led (as opposed to accountant- and auditor-led) discussions culminated in the release of ISO 31000:2009, which to this day stands as the only international ERM standard.
ISO 31000:2009 was not so much a framework as a guideline. It was not certifiable and contained no compulsory requirements. Instead, it offered best practices and a common vocabulary and approach to ERM. To maintain and improve its relevance, it was further refined and released as ISO 31000:2018. The refreshed version further emphasised leadership and the creation and protection of value via three components: principles, framework and process. Users have found it easier to read and understand, and have been able to customise risk management processes for their respective organisations rather than rely on cookie-cutter models that may not be completely relevant to their operations.
Experts say that this iteration has been able to bring recommendations and implementation together because of its clarity. ISO 31000:2018 is easier to understand than other models and frameworks, is applicable across all industries, focuses on creating value for any organisation that applies it, and does not concentrate on auditing as much as other models do. Even so, ERM being a living, ongoing process, there may well be more versions to come that address future issues and concerns.