Enterprise Risk Management
Enterprise risk management - which can be defined as the approach used to identify, assess and respond to internal and external risks and opportunities - is a fundamental governance responsibility. The corporate board has a duty to identify and manage enterprise risk - in many countries the duty is statutory.
“Unmanaged risk is the greatest source of waste in your business and in our economy as a whole. Major projects fail; customer shifts make our offers irrelevant; billion-dollar brands erode, then collapse; entire industries stop making money; technology shifts or unique competitors kill dozens of companies in one stroke; companies stagnate needlessly.
When these risk events happen, thousands of jobs get lost, brilliant organizations are disassembled, expertise gets lost, and assets are destroyed. Yet all of these risks can be understood, identified, anticipated, mitigated, or reversed, thereby averting hundreds of billions of dollars in unnecessary losses.” From The Upside, Adrian J. Slywotzky.
Enterprise Risk Management: A Manager's Journey is a quick yet thorough approach to the practical realities of enterprise risk management.
Operational Risk Management
Operational risk management, particularly in the financial sector, is essential. Some key publications on the issue include:
Operational Risk Modelling & Analysis collates the work of the leading experts in the field. There is no more up-to-date and authoritative title on the subject of operational risk - unless you prefer Advances in Operational Risk, Second Edition, a multi-contributor title that brings you right up-to-date on all the latest issues and developments in the area of operational risk management and the regulatory environment. Our Operational Risk Bookshelf has more!
The US Sarbanes-Oxley Act mandated the adoption, by US listed companies, of an appropriate system of internal control and, in parallel, requires directors to monitor and report operational risk.
Under SOX, management is required to certify the company’s financial reports, and both management and an independent accountant are required to certify the organization’s internal controls. In almost every organization, financial reporting depends on the IT infrastructure, whether it is for the rendering of an invoice, the effective operation of an ERP system, or an integrated, organization-wide management information and control system.
COSO ERM framework
COSO, whose internal control framework has become the de facto standard for companies complying with SOX, started work on developing a separate risk management framework in 2001. This framework, the Enterprise Risk Management – Integrated Framework was designed to provide a common framework, ‘key principles and concepts, a common language, and clear direction and guidance.’ This framework expands on the internal control framework, providing a broader and more robust focus on enterprise risk management.
Because it incorporates the internal control framework, organizations could (as COSO suggests) move toward implementing an ERM framework to satisfy their internal control needs as well as their broader business risk management needs. COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework is a pragmatic guide to using the COSO framework for real.
Basel II / Basel III
The Basel accords (Basel I, II and III) are a series of banking regulations agreed in 1988, 2004 and 2013 respectively by ‘The Basel Group’, formed of representatives from 27 major financial centres. The purpose of the accords is to regulate financial and banking practices on an international level, focusing on ensuring effective operational risk practices.
Basel II raised operational risk management right up the agenda of financial institutions around the world by stipulating the minimal levels of capital they needed to put aside to offset potential losses from investment and lending.
Basel III, due to supersede Basel II between 2012 and 2018, is a stronger version of the original accord requiring increased levels of offset capital.
Operational risk (see Sound Practices for the Management and Supervision of Operational Risk) is defined as ‘the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.’ Risk categories include systems risks, such as hardware or software failure, issues over availability and integrity of data, and utility failures, and external events (e.g. malware or hacker attack, terrorist attack, vandalism or supplier failure).
Risk Management Standards
New risk management standards are emerging. Popular standards include:
BS31100:2008 - The British Code of Practice for Risk Management
JIS Q 2001 - The Japanese Guidelines for Development and Implementation of a Risk Management System
ISO16085 - The international standard for Systems and Software Engineering Risk Management
ISO22301 - The international standard for Business Continuity
Information Risk and ISO 27001
The information security standard, ISO/IEC 27001:2005, is specifically risk-based. It recommends, in effect, that organizations implement information security controls prioritized by, and in proportion to, the business and information risks they identify. While OCTAVE (Operationally Critical Threat, Asset & Vulnerability Evaluation) is a clear risk assessment methodology, information security risk assessment can also now follow the guidelines contained in ISO/IEC 27005:2008.
Information Security Risk Management for ISO27001/ISO17799 provides the most comprehensive guidance on the subject.
Risk assessment is an asset-level activity that is virtually impossible, for any but the smallest of organizations, without a risk assessment database and a specialist tool such as vsRisk™.
Management of Risk (M_o_R®)
Management of Risk (M_o_R) is the OGC Best Practice Methodology for managing risk.
Management of Risk (M_o_R) is the UK Cabinet Office's route map for risk management, bringing together principles, interrelated processes and pointers to more detailed sources of advice on risk management techniques and specialisms.
M_o_R covers four key concepts:
M_o_R Principles - seen as essential for the development of best practice risk management. All are derived from corporate governance principles in the recognition that risk management is a subset of any organisation's internal controls.
M_o_R Approach - these principles need to be adapted to suit each individual organisation. Accordingly, an organisation's approach to these principles needs to be agreed and defined within a risk management policy, process guide and plans, and supported by the use of risk registers and issue logs.
M_o_R Processes - these six process steps describe the inputs, outputs and activities involved in ensuring that risks are identified, assessed and controlled.
Embedding and Reviewing M_o_R - having put in place these principles, approaches and processes, for them to be effective, an organisation needs to ensure that they are consistently applied across the organisation and that their application undergoes continual improvement.