Risk management standards

https://preteshbiswas.com/wp-content/uploads/2024/10/Risk-Management-Standards.mp3

There are several well-known risk management standards and frameworks. The first one came from Australia in 1995, and others have been developed in countries like Canada, Japan, the UK, and the United States. Many other national standards bodies and government agencies have also created their own versions. It’s important to know the difference between a risk management standard and a framework. A risk management standard outlines the general method for managing risks, including the process to follow and a suggested framework to support it. In simple terms, a risk management standard describes both the process and the recommended framework. There are three main approaches used in different standards:

  1. The ‘risk management’ approach, used by ISO 31000, British Standard BS 31100, and the IRM Standard.
  2. The ‘internal control’ approach, found in the COSO Internal Control framework and the FRC risk guidance.
  3. The ‘risk-aware culture’ approach, created by the Canadian Institute of Chartered Accountants in the CoCo framework.

Several internationally recognized standards for risk management provide frameworks and guidelines for organizations to manage risks effectively. Here are some of the key ones:

1. ISO 31000:2018 – Risk Management Guidelines

  • Developed by: International Organization for Standardization (ISO)
  • Overview: ISO 31000 provides a set of guidelines for managing risk. It is applicable to any organization, regardless of size, industry, or sector. The standard emphasizes that risk management is an integral part of governance and leadership and focuses on embedding risk management into all aspects of the organization.
  • Key Features:
    • Establishing a risk management framework
    • Continuous improvement of risk management
    • Leadership and commitment from top management
    • Communication and consultation with stakeholders

2. COSO ERM – Enterprise Risk Management Framework (2017)

  • Developed by: Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • Overview: COSO ERM is a widely used framework that helps organizations manage enterprise risks holistically, aligning risk management with the entity’s strategy and performance. It emphasizes that risk management should be embedded into decision-making processes.
  • Key Features:
    • Governance and culture
    • Strategy and objective-setting
    • Performance
    • Review and revision
    • Information, communication, and reporting

3. ISO/IEC 27005 – Risk Management in Information Security

  • Developed by: ISO/IEC
  • Overview: This standard focuses on risk management in the context of information security, forming part of the broader ISO/IEC 27000 family of standards, which deal with information security management systems (ISMS).
  • Key Features:
    • Risk assessment, including risk identification, risk analysis, and risk evaluation
    • Risk treatment
    • Communication and consultation with stakeholders about risks
    • Monitoring and reviewing the risk management process

4. AS/NZS 4360:2004 – Risk Management

  • Developed by: Standards Australia/Standards New Zealand.
  • Overview: The standard that had the widest recognition was the Australian Standard AS 4360 (2004), but this was withdrawn in 2009 in favour of ISO 31000. This standard was one of the first formal risk management standards and laid the foundation for many modern risk management practices.
  • Key Features:
    • Establishing the context for risk management
    • Risk identification, assessment, and control
    • Regular review and improvement of the risk management process

5. NIST Risk Management Framework (RMF) – (NIST SP 800-37)

  • Developed by: National Institute of Standards and Technology (NIST)
  • Overview: This is a U.S.-based framework that provides a process for integrating security, privacy, and risk management into the system development life cycle. It is heavily used in cybersecurity and information systems risk management.
  • Key Features:
    • Categorizing information systems
    • Selecting and implementing appropriate security controls
    • Continuous monitoring and improvement

6. FERMA Risk Management Standard

  • Developed by: Federation of European Risk Management Associations (FERMA)
  • Overview: The FERMA standard provides guidelines for risk management specifically tailored for European organizations. It offers a practical approach to embedding risk management across various sectors.
  • Key Features:
    • Risk assessment process
    • Risk treatment
    • Risk monitoring and reporting
    • Involvement of stakeholders and continuous communication

7. Basel III – Risk Management for Banks

  • Developed by: Basel Committee on Banking Supervision
  • Overview: Basel III is a global regulatory framework for banks that strengthens risk management, particularly in the areas of credit risk, market risk, and operational risk. It provides measures to improve the banking sector’s ability to handle financial stress.
  • Key Features:
    • Capital adequacy requirements
    • Stress testing
    • Enhanced risk reporting
    • Liquidity management

8. OCEG GRC Capability Model

  • Developed by: Open Compliance and Ethics Group (OCEG)
  • Overview: This framework focuses on governance, risk management, and compliance (GRC) practices. It helps organizations align their risk management efforts with compliance and ethical business conduct.
  • Key Features:
    • Integration of risk management with governance and compliance
    • Development of risk-aware decision-making
    • Continuous improvement and monitoring

9. CoCo (Criteria of Control) framework

  • Developed by: the Canadian Institute of Chartered Accountants (CICA) in 1995
  • Overview: It was designed to help organizations assess and improve their internal controls, with a broader focus than traditional financial controls. The CoCo framework emphasizes that control is not just about compliance and accounting but about an organization’s overall governance, management, and performance. The Canadian Criteria of Control (CoCo) framework emphasizes that an organization’s risk culture is key; if the culture is right, effective risk management will follow naturally. According to the CoCo framework, a person completes a task by understanding its goal (what needs to be achieved) and having the necessary skills, information, resources, and tools. To perform well consistently, the person must be committed to the task. They will also need to monitor their performance and their environment to learn and improve. This applies to teams and groups, too. For any organization, control comes down to clear purpose, commitment, capability, and continuous monitoring and learning.
  • Key Features:
    • Assess and strengthen control environments
    • Enhance governance practices
    • Foster continuous improvement
    • Operational performance
    • Compliance and ethical standards

Risk management context

There are many risk management standards and frameworks created by different organizations. A standard is generally understood as a document that explains both the risk management process and the framework that supports it. Many standards make a distinction between the process and the framework, but this isn’t always clear in every standard or framework.

Some of the most well-known risk management approaches are ISO 31000, BS 31100, and the COSO ERM framework. ISO 31000, BS 31100, and the IRM Standard focus more on the process of managing risks, while COSO mainly focuses on the framework itself, without making a clear distinction between the two.

The risk management process usually follows a plan–implement–measure–learn (PIML) structure, which is similar to the plan–do–check–act (PDCA) format found in many international standards. PIML is intended to be a more structured and analytical method.

Many risk management standards emphasize that risk management should be done in the context of the organization, its business environment, and the specific risks it faces. To properly understand this context and support the process, a framework is needed. ISO 31000 stresses the importance of considering the internal and external factors, as well as the specific risk management context.

All major risk management standards mention the framework, but they do so in different ways. To simplify the concept of a risk management framework, the acronym RASP (Risk, Architecture, Strategy, and Protocols) is used.

Components of the RM context

  • Risk architecture: defines roles, responsibilities, communication, and the risk-reporting structure
  • Risk strategy: the risk strategy, appetite, attitudes and philosophy are defined in the risk management policy
  • Risk protocols: defined in the risk guidelines for the organization; they include the rules and procedures, as well as the risk management methodologies, tools and techniques that should be used
  • Risk management process: the process that these three components are there to support

The RASP approach fits well with the idea of the risk management context or framework explained in ISO 31000. These elements—risk architecture, strategy, and protocols—are essential for effective risk management. It’s important to first understand the risk management process, then clearly define the framework that supports it. The framework helps with communication and ensures the smooth flow of risk information. It has two key roles: supporting the risk management process and making sure the results from the process are shared within the organization to bring the expected benefits. If an organization follows the structure of a Risk Management Standard, it needs to set up a framework that covers things like structure, responsibilities, administration, reporting, and communication. All these procedures would be documented in a risk management manual.

COSO ERM cube

The COSO Enterprise Risk Management (ERM) framework covers both risk management and internal controls. COSO ERM describes the framework by stating: ‘Within the context of the established mission or vision of an organization, management establishes strategic objectives, selects strategy and sets aligned objectives cascading through the enterprise.’ It views ERM as a flexible, ongoing process in which the different parts can influence each other, rather than a step-by-step sequence where one action leads to the next. In this framework, there is a strong link between an organization’s goals (what it wants to achieve) and the components of risk management (what it needs to do to reach those goals). The COSO ERM cube is a visual representation of the framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), that helps organizations manage risk across all levels. It consists of eight connected components that reflect how an organization is managed and are built into the management process, and it provides a structured approach to identifying, assessing, managing, and monitoring risks. The COSO ERM framework calls the control environment the “internal environment,” similar to how it is described in the CoCo framework. CoCo offers a structured way to analyze and assess the control environment, allowing organizations to identify areas for improvement. To evaluate a risk-aware culture within an organization using CoCo, the typical focus areas are:

  • Learning and development of competence
  • Purpose, vision, and mission
  • Commitment to integrity and ethical values
  • Capability, authority, and responsibilities

Structure of the COSO ERM Cube:

The cube has three dimensions, each representing a critical aspect of the ERM framework:

  1. Objectives (Top Side of the Cube): The cube highlights four categories of objectives that organizations need to focus on:
    • Strategic: High-level goals aligned with the organization’s mission.
    • Operations: Efficient and effective use of resources.
    • Reporting: Reliability of internal and external financial and non-financial reporting.
    • Compliance: Compliance with laws, regulations, and internal policies.
  2. Components (Front Side of the Cube): These are the eight components of the ERM process that provide a structured method for managing risk:
    • Internal Environment: Establishing a risk-conscious culture and philosophy.
    • Objective Setting: Ensuring risk management aligns with organizational goals.
    • Event Identification: Recognizing potential events that could impact objectives.
    • Risk Assessment: Evaluating the likelihood and impact of identified risks.
    • Risk Response: Deciding how to respond to risks (e.g., avoid, mitigate, transfer, or accept).
    • Control Activities: Implementing policies and procedures to manage risks.
    • Information and Communication: Ensuring relevant information flows within the organization to support decision-making.
    • Monitoring: Continuously reviewing the ERM framework and adjusting as necessary.
  3. Organizational Levels (Side of the Cube): This dimension reflects the idea that risk management should be integrated across all levels of the organization, including:
    • Entity Level: Company-wide risks.
    • Division Level: Risks that affect specific divisions or business units.
    • Business Unit Level: Risks relevant to specific units or functions.
    • Subsidiary Level: Risks affecting subsidiary operations.

Purpose of the COSO ERM Cube:

The COSO ERM Cube is designed to illustrate how the different components of risk management interact with organizational objectives and levels. It emphasizes that effective risk management requires an integrated approach that aligns with an organization’s overall strategy and operations. Each component of the framework works together to help an organization manage risk in a way that drives value and performance while ensuring compliance and accurate reporting.

Key Points:

  • The cube shows how risk management activities support various objectives (strategic, operational, reporting, and compliance) across all levels of an organization.
  • It emphasizes the importance of embedding risk management into an organization’s culture and decision-making processes.
  • The cube also serves as a reminder that risk management is a continuous process that requires regular monitoring and communication.

This enterprise risk management framework is geared to achieving corporate objectives, set out in four risk categories:

  • Strategic: high-level goals, aligned with and supporting its mission
  • Operations: effective and efficient use of its resources
  • Reporting: reliability of reporting
  • Compliance: compliance with applicable laws and regulations

King III corporate governance code

The King III Code on Corporate Governance, developed in South Africa in 2009, provides a framework for ethical and effective corporate governance, emphasizing leadership, sustainability, and corporate responsibility. King III is the third in a series of governance guidelines established by the King Committee on Corporate Governance and is widely recognized for its principle-based approach, which is adaptable to various organizations. Here are its key principles:

  1. Ethical Leadership and Corporate Citizenship: King III emphasizes that companies should be led ethically and responsibly, promoting integrity, fairness, transparency, and accountability. Boards and leaders are expected to serve as role models for ethical behaviour.
  2. Sustainability: King III highlights the importance of considering social, environmental, and economic factors in business strategies. It encourages a “triple bottom line” approach, where companies pursue not only financial performance but also positive social and environmental impact.
  3. Effective Governance Structures: The code advocates for well-defined roles within the board and management. It recommends a balanced board structure, including non-executive and independent directors, to ensure objectivity and effective decision-making.
  4. Risk Management: King III calls for a proactive approach to risk management, where risks are identified, assessed, and managed as part of strategic planning. The board is responsible for overseeing a sound risk management process, including internal controls.
  5. Accountability and Transparency: Organizations should provide accurate and clear information to stakeholders, ensuring transparency in financial and non-financial reporting. This includes disclosing material information on governance, strategy, and performance.
  6. Stakeholder Inclusivity: Recognizing that businesses impact various stakeholders (shareholders, employees, customers, society), King III emphasizes engaging with stakeholders and considering their interests in decision-making.
  7. Internal Audit and IT Governance: King III recommends regular internal audits to assess internal controls and ensure alignment with governance objectives. Additionally, it stresses the importance of IT governance, recognizing technology’s role in business operations and risk management.

King III uses the “apply or explain” principle, where organizations are expected to apply the code’s principles but may explain non-compliance if certain principles aren’t applied. This flexibility allows organizations to adopt governance practices suited to their specific circumstances while still promoting responsible and effective management. In the updated code, risk management is still a key focus, with more specific guidance on how it should be managed. The board is responsible for overseeing risk and disclosure, while management handles the planning, execution, and monitoring of risk management. King III outlines specific responsibilities for the board in managing risk:

  • The board ensures there are processes for clear, timely, accurate, and accessible risk disclosure to stakeholders.
  • The board oversees risk governance.
  • The board sets the organization’s risk tolerance and appetite.
  • A risk or audit committee should help the board manage risk.
  • The board assigns management the task of designing, implementing, and monitoring the risk management plan.
  • The board ensures regular risk assessments are done.
  • The board ensures that methods are in place to anticipate unexpected risks.
  • The board ensures that management takes suitable risk responses.
  • The board ensures management continuously monitors risks.
  • The board receives confirmation that the risk management process is effective.

Control Objectives for Information and Related Technology (COBIT)

The IT sector has developed several well-known standards, with Control Objectives for Information and Related Technology (COBIT) being one of the most popular. COBIT provides best practices through a structured framework of domains and processes, focusing on controls rather than specific actions. These practices, formed by experts, help optimize IT investments, ensure reliable service, and offer benchmarks for assessing issues when they arise. To ensure IT meets business needs, management should establish a control system or framework. The COBIT framework supports this by:

  • Connecting IT to business requirements
  • Organizing IT tasks into a widely accepted process model
  • Identifying key IT resources to use
  • Defining management control goals to consider

COBIT’s business-oriented approach links business and IT goals, uses metrics and maturity models to track progress, and clarifies the roles of business and IT process owners. Control Objectives for Information and Related Technology (COBIT) is a comprehensive framework created by ISACA to help organizations effectively manage and govern their information technology (IT) systems. COBIT provides guidelines for aligning IT strategies with business goals, ensuring that IT operations support organizational objectives while managing risks and compliance requirements. Here are its key elements:

  1. Governance and Management of IT: COBIT distinguishes between governance (oversight) and management (day-to-day operations). Governance involves setting objectives, defining responsibilities, and ensuring accountability. Management is responsible for implementing IT practices and achieving set goals.
  2. Principles and Enablers: COBIT is built on principles, including stakeholder needs, end-to-end coverage, and a holistic approach. Enablers are tools and resources, such as frameworks, policies, culture, and information, that support successful IT governance and management.
  3. Processes and Domains: COBIT organizes IT governance and management activities into domains and processes:
    • Governance Domain (Evaluate, Direct, Monitor): The board’s role in setting objectives and policies.
    • Management Domains (Align, Plan, Organize; Build, Acquire, Implement; Deliver, Service, Support; Monitor, Evaluate, Assess): Processes for implementing and sustaining IT solutions.
  4. Process Capability Model: COBIT uses a capability model to assess the maturity of IT processes. This model helps organizations understand how well they meet the requirements of each process and identify areas for improvement.
  5. Goals Cascade: COBIT provides a “goals cascade” to ensure alignment between organizational goals and IT goals, helping organizations identify how IT can support business priorities and create value.
  6. Risk and Compliance Management: COBIT emphasizes managing IT risks and ensuring compliance with regulations. It supports identifying, assessing, and mitigating IT-related risks to safeguard business operations.
  7. Performance Measurement: COBIT includes performance metrics for evaluating IT processes and identifying gaps. It enables organizations to assess the effectiveness of IT operations and improve continuously.

COBIT is commonly used in industries requiring strict control over IT, such as finance and healthcare, but it is adaptable to any organization aiming to align IT with business goals, manage IT risks, and improve IT performance.

IRM Risk Management Process

The IRM Risk Management Standard was developed by the Institute of Risk Management (IRM) along with other professional bodies, and it provides practical guidance for implementing risk management in organizations. The standard is designed to help organizations identify, assess, and manage risks in a structured and consistent way. It aims to improve decision-making, enhance performance, and support the achievement of objectives while minimizing potential losses or disruptions.

Key Features of the IRM Risk Management Standard:

  1. Risk Management Process: The standard outlines a clear risk management process, which typically includes the following steps:
    • Risk Identification: Identifying potential risks that could affect the achievement of objectives.
    • Risk Assessment: Analyzing and evaluating the identified risks in terms of their likelihood and impact.
    • Risk Control: Developing strategies and actions to manage or mitigate risks (e.g., avoid, transfer, mitigate, or accept the risks).
    • Risk Monitoring and Review: Continuously monitoring risks and the effectiveness of control measures, and updating the risk management process as needed.
  2. Risk Management Framework: The IRM standard emphasizes the need for a risk management framework that supports the risk management process. The framework includes:
    • Risk Architecture: The structure of roles and responsibilities related to managing risk across the organization.
    • Risk Strategy: The approach the organization takes to manage risks, aligned with its objectives and risk appetite.
    • Risk Protocols: The procedures, tools, and reporting mechanisms that guide how risks are managed and communicated.
  3. Integration with Organizational Objectives: The standard encourages organizations to align risk management with their overall strategy and objectives. This means integrating risk management into decision-making processes at all levels of the organization.
  4. Risk Appetite and Tolerance: The standard stresses the importance of defining the organization’s risk appetite (the amount of risk the organization is willing to take) and risk tolerance (acceptable levels of risk). This helps ensure that risks are managed within acceptable boundaries.
  5. Risk-Aware Culture: The IRM standard promotes the development of a risk-aware culture within the organization. This involves ensuring that employees understand the importance of managing risk and are actively engaged in the process.
  6. Communication and Reporting: The standard highlights the importance of clear communication and reporting on risks. Regular reporting to stakeholders, including top management and the board, is essential to ensure that risks are properly understood and addressed.

Benefits of the IRM Risk Management Standard:

  • Consistency: It provides a consistent and structured approach to managing risks across the organization.
  • Better Decision-Making: By managing risks effectively, organizations can make better-informed decisions and achieve their objectives more reliably.
  • Enhanced Performance: Proactively managing risks can help improve overall performance by minimizing disruptions and maximizing opportunities.
  • Compliance and Governance: The standard helps organizations meet regulatory requirements and supports good governance practices.

ISO 31000 Standard

The ISO 31000 standard provides internationally recognized guidelines for risk management. It is designed to help organizations of any size and industry manage risks effectively, providing a framework that ensures risk management is integrated into all organizational processes and decision-making.

Key Features of ISO 31000

  1. Risk Management Principles: The standard outlines key principles that should guide an effective risk management system:
    • Creates and protects value: Risk management should contribute to the achievement of organizational objectives and add value by improving decision-making.
    • Part of decision-making: Risk management needs to be a core part of decision-making and integrated into all levels of the organization.
    • Tailored: The approach to risk management should be customized to fit the organization’s external and internal context.
    • Structured and comprehensive: A structured and methodical approach is essential to ensure that all significant risks are identified and managed effectively.
    • Inclusive: Involving stakeholders in the risk management process is crucial for ensuring that different perspectives are considered.
    • Dynamic and responsive to change: Risk management must be flexible and adaptive to evolving risks and changing circumstances.
    • Continuous improvement: Risk management processes should be continually monitored, reviewed, and improved.
  2. Risk Management Framework: The framework is designed to ensure risk management is integrated into the organization’s overall governance, strategy, and management processes. The key elements of the framework include:
    • Leadership and Commitment: Top management must demonstrate a strong commitment to risk management, ensuring that it becomes part of the organization’s culture.
    • Integration: Risk management should be embedded into the organization’s structure, strategy, processes, and operations.
    • Resources and Responsibilities: The organization must allocate the necessary resources and clearly define responsibilities for managing risk.
    • Communication and Reporting: Effective risk management requires clear communication across all levels of the organization and consistent reporting on risk status and performance.
    • Monitoring and Review: The risk management framework should be regularly reviewed and improved to ensure it remains effective.
  3. Risk Management Process: ISO 31000 outlines a structured, iterative risk management process that helps organizations systematically address risks:
    • Establish the context: Understand the external and internal environment, including stakeholders, regulatory requirements, and the organization’s risk appetite.
    • Risk Identification: Identify potential risks that could affect the organization’s objectives.
    • Risk Assessment: Evaluate risks by considering their likelihood and impact.
      • Risk Analysis: Understand the nature of the risk and how it could affect objectives.
      • Risk Evaluation: Compare the results of the risk analysis with the organization’s risk appetite to determine the significance of each risk.
    • Risk Treatment: Decide how to respond to risks (e.g., avoid, mitigate, transfer, or accept them) and implement appropriate controls.
    • Monitoring and Review: Continuously monitor risks and the effectiveness of risk controls, and make adjustments as needed.
    • Communication and Consultation: Engage stakeholders throughout the process to ensure risks are fully understood and managed.

Benefits of ISO 31000

  • Improves Organizational Resilience: By identifying and managing risks proactively, organizations can better anticipate and respond to potential challenges, improving overall resilience.
  • Increases Stakeholder Confidence: Effective risk management builds trust with stakeholders, including employees, customers, and regulators, by demonstrating that risks are well managed.
  • Enhances Decision-Making: A structured approach to risk management helps leaders make more informed decisions, considering both risks and opportunities.
  • Aligns Risk Management with Strategy: The ISO 31000 framework ensures that risk management supports the organization’s strategic objectives, aligning with its goals and performance.
  • Universal Applicability: The standard can be applied to any organization, regardless of size, industry, or sector, making it highly flexible and adaptable.

ISO 31000 vs. Other Risk Management Standards

ISO 31000 is not prescriptive and does not provide detailed instructions on risk management techniques. Instead, it offers a broad set of guidelines that can be adapted to suit different organizational needs. Unlike standards like COSO ERM, which also focus on internal control and governance, ISO 31000 focuses more broadly on managing all types of risks, not just financial ones.

Continuous Improvement

ISO 31000 emphasizes the need for continuous improvement. It encourages organizations to regularly assess their risk management framework and process, ensuring that it evolves in response to changes in the business environment, emerging risks, and the organization’s objectives.

Features of RM standards

Risk management standards highlight the need for a framework to support the risk management process, which should be systematic, effective, and efficient for managing risks across different levels of an organization. Most of these standards focus on describing the risk management framework and providing guidance on how to develop risk management activities. Standards organizations review these guidelines regularly, usually every four years, to ensure they stay current and useful.

In addition to risk management standards, there are also internal control standards. There is an ongoing effort to keep both risk management standards and corporate governance codes up-to-date and relevant. Regulators learn from corporate failures and from each other to improve these standards. There is also a growing trend to develop management standards that cover broader topics like business continuity, information security, corporate governance, and compliance management. Over the past 20 years, various standards have been published, including the Association of Project Management’s Project Risk Analysis and Management (PRAM) and the UK Office of Government Commerce’s (OGC) Management of Risk (MoR) guidance.

Standards organizations face the challenge of ensuring that risk management standards remain relevant for future organizational success. When updating the COSO ERM framework, COSO emphasized the importance of considering stakeholder expectations and the link between risk and strategy. They suggest that organizations that integrate risk management into their strategic planning can benefit by:

  • Expanding opportunities by considering both risks and potential rewards.
  • Improving performance through organization-wide risk management.
  • Reducing negative surprises and taking advantage of positive developments.
  • Decreasing performance variability by minimizing disruptions.
  • Enhancing resource use and allocation.

While there are clear benefits to using established risk management standards, organizations must adapt these standards to fit their unique needs and circumstances. Risk management will be more effective if it is customized for each organization. One emerging trend in risk management is adopting the plan–implement–measure–learn (PIML) approach, also known as the plan–do–check–act (PDCA) cycle.

Future of risk management

The creation of the ISO 31000 standard has been a significant step for risk management, along with stronger corporate governance codes that have raised the profile of risk practices worldwide. The effects of the global financial crisis are still relevant, sparking discussions on why risk management didn’t play a larger role in preventing it. Other trends include stricter reporting rules, especially for publicly listed companies, and the growing use of advanced risk management information systems, which bring benefits to many organizations. Even with these advances and the increasing skill level of risk managers, there’s still room to consider the future of risk management. The concept of “governance, risk, and compliance” (GRC) has brought a new structure to risk activities, along with better adoption of the “three lines of defence” model, helping organizations manage risk more effectively. However, risk professionals know that risk management must be integrated into other management activities, not just seen as part of auditing. Organizations need to fully integrate risk activities throughout, rather than isolating them or relying solely on static risk registers, which are snapshots and may not be updated regularly. Risk activities, including assessments and action plans, should be part of the everyday management data that informs the organization’s decisions.

In short, risk managers should ensure that risk practices are proportional, aligned, complete, embedded, and dynamic (PACED). But with the growing knowledge of risk management, there’s a challenge to keep it meaningful, avoiding the risk of it becoming routine and losing impact. Risk discussions should connect to strategy, budgets, and daily operations. Risk management, unlike some management trends, is unlikely to fade due to regulatory requirements and lessons from the financial crisis. Risk management, especially enterprise risk management (ERM), is here to stay, driven by governance needs and societal expectations and has been embraced by many sectors.

Risk management doesn’t have to be complicated or resource-heavy. It can be customized to fit an organization’s needs, adapting as the organization becomes more experienced. This systematic, proactive approach focuses on identifying and controlling high-risk areas to an acceptable level, protecting the organization from major negative impacts and helping focus efforts on what’s most important to manage.
