ISO 31000, COSO and CoCo Compared

Many risk professionals are not aware that different risk management standards were developed based on three distinct methodologies. 

Some of these standards were crafted by experts in risk management, while others were composed by financial experts or auditors. The three distinct methodologies used in constructing these standards are:

A. ‘Risk Management’, which is the approach followed by ISO 31000.

B. ‘Internal Control’, which is the approach followed by the COSO internal control framework and the FRC risk guidance.

C. ‘Risk-aware Culture’, which was implemented by the Canadian Institute of Chartered Accountants in what is widely known as the Criteria of Control (CoCo) framework.

ISO 31000, COSO, and CoCo are all frameworks for managing risk and ensuring efficient and effective governance in organizations. However, they each take a different approach and focus on distinct areas.

A. ISO 31000 is an international standard that provides a comprehensive framework for risk management. It is applicable to all organizations, regardless of size, type, or sector. ISO 31000 is process-based and focuses on the integration of risk management into all organizational processes.

B. COSO is a framework for enterprise risk management (ERM) that was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO ERM is a framework for identifying, assessing, and managing risks to the achievement of an organization’s objectives. COSO ERM is principles-based and focuses on the alignment of risk management with organizational strategy and objectives.

C. CoCo is a framework for integrated risk management (IRM) that was developed by the Institute of Risk Management (IRM). CoCo IRM is a framework for managing all types of risks, including strategic, operational, financial, and reputational risks. CoCo IRM is principles-based and focuses on the integration of risk management into all organizational processes.

In reality, there are also specialized standards for a variety of functions, such as:

A. Banking: Basel III

B. Business continuity: ISO 22301 – Business Continuity

C. Health and safety: ISO 45000 family – Occupational Health and Safety

D. Insurance: Solvency II

E. Legal: ISO 31022 – Risk Management: Guidelines for the Management of Legal Risk

F. Projects: Association for Project Management – PRAM (Project Risk Analysis and Management) Guide

Organizations can choose the approach that best meets their specific needs and objectives. Alongside the three main approaches, these specialist standards cover functions such as banking, insurance, health and safety, legal, business continuity, and projects.

Which framework should you choose?

The best framework for your organization will depend on your specific needs and requirements.

If you are looking for a comprehensive framework that is aligned with international standards, then ISO 31000 is a good choice. 

If you are looking for a framework that is focused on the alignment of risk management with organizational strategy and objectives, then COSO ERM is a good choice. 

If you are looking for a framework that is focused on the integration of risk management into all organizational processes, then CoCo IRM is a good choice.

It is also important to note that the three frameworks are not mutually exclusive. You can use one framework or a combination of frameworks, depending on your needs. For example, you could use ISO 31000 as the foundation for your risk management system and then incorporate elements of COSO ERM and CoCo IRM to meet your specific needs.

To sum up: while ISO 31000 provides broad risk management guidelines, COSO focuses more on internal controls and governance, especially in relation to financial reporting, and CoCo emphasizes operational controls.

Depending on an organization’s specific needs, one framework may be more appropriate to adopt than the others.

https://knepublishing.com/index.php/Kne-Social/article/view/5195/10308