Risk has been defined in many ways over the years. One widely accepted definition comes from the International Organization for Standardization (ISO 31000, 2018), which says that risk is “the effect of uncertainty on objectives.” An effect is a deviation from the expected. It can be positive, negative or both, and can address, create, or result in opportunities and threats. David Hillson simplifies risk as “uncertainties that matter.” In other words, the world is full of uncertainties, but they only become risks if they affect what a person, group, or organization is trying to achieve. The Institute of Risk Management (IRM) also sees risk as having both positive and negative sides. In its 2002 Risk Management Standard, it defined risk as “the combination of the probability of an event and its consequence,” where consequences can be good or bad.
Most definitions of risk include three key ideas:
- Uncertainty – A risk must be something that is not certain to happen, so words like “uncertain,” “potential,” and “likelihood” are often used.
- Positive and Negative Impact – Risks can bring both opportunities and threats, so definitions may mention “pros and cons” or “positives and negatives.”
- Effect on Goals – A risk is only relevant if it affects what we are trying to achieve, whether as individuals, teams, organizations, or society as a whole.
It is also important to remember that risk is not just about how the world affects us but also about how our actions affect the world, creating a cycle of cause and effect. Many organizations still think of risk only as a threat. Some focus only on negative risks (downsides), while others separate threats from opportunities. Risk can be divided into four types:
- Compliance risks, which are mandatory
- Hazard risks, which are negative
- Control risks, which are uncertainties
- Opportunity risks, which are positive
For simplicity, risks here are treated as uncertainties that matter; equivalently, the term risk denotes the effect of uncertainty on objectives, covering both threats and opportunities. Any reference to compliance, hazard or control risks can be regarded as a threat (negative risk).
If risks are uncertainties that matter, then risk management is about taking action to deal with them. The main goal of risk management is to help organizations identify, understand, and handle risks based on their situation and what they want to achieve. ISO 31000 defines risk management as “coordinated activities to direct and control an organization with regard to risk.” Every organization faces different factors that create uncertainty about whether they will reach their goals. This uncertainty is what we call risk. Good risk management helps organizations recognize and manage risks, increasing their chances of success. That’s why it is an essential part of running any organization, just like general management or project management. Since risks are always changing, effective risk management involves planning for known risks while also preparing for unexpected situations. Risk management has grown to cover the whole organization and is now often called Enterprise Risk Management (ERM). ERM is the process of managing all types of risks—business, financial, operational, and risk transfer—to increase a company’s value. ERM helps a company succeed by creating a single, clear view of all risks and handling them consistently across the entire organization. Unlike traditional risk management, ERM understands that risks in one area can affect other areas, so it focuses on managing these connections, not just individual risks.
Aspects of a traditional RM approach
- Focus on risk identification and analysis.
- Risk as individual hazards.
- All risks managed in separate areas (silos).
- Risk mitigation.
- Risk with no owner.
- Risk is insurance.
- Risk is not my priority.
Aspects of an ERM approach
- Risk in the business context.
- Risk portfolio development with risk interconnectivities.
- Focus on critical risks.
- Risk is entity-wide.
- Identifying and defining risk responsibilities.
- Monitoring and measuring risks.
- Risk is embedded into everyone’s responsibilities.
The COSO ERM Framework defines ERM as “the culture, capabilities, and practices integrated with strategy-setting and execution that help organizations manage risk while creating and protecting value.” This means that risk management is not just about having policies and procedures; it is about building the right mindset, skills, and actions within the organization to manage risks effectively. Every organization that wants to manage risk properly should define what “risk” and “risk management” mean for it and ensure everyone shares the same understanding. Enterprise Risk Management (ERM) looks at risks in relation to an organization’s goals, from its mission, vision, and core values to creating value while achieving its objectives. ERM means that risk management should be built into every part of the organization, from top leadership down to all business areas. For ERM to work well, organizations must invest heavily in risk management, maintain a high level of risk awareness, and use a strong system to ensure risks are properly managed. The board needs to be confident that the system in place is effective and consistent across the entire organization. ERM also focuses on how different risks are connected. By understanding these relationships, organizations can better assess the impact of risks both individually and as a whole (their aggregate risk exposure).
1.1 History of ERM
Risk management has changed a lot in recent years, and old ways of thinking about risk have had to adjust. In the past, risk management mainly dealt with the math behind hazards or financial risks. It often focused on specific risks rather than looking at risks across an entire organization. To understand where we are today and where risk management might go in the future, it’s important to know its history. The world is constantly changing, and new risks have emerged that don’t fit into old ways of thinking. By looking at the past, we can see how people handled new risks and learn from their experiences. This can help us prepare for the future. Risk management as a formal practice has only been around since 1995. Before that, the way people thought about risk evolved over centuries. For example, around 1500, people often saw risks as tied to religion, fate, or superstition. Between 1500 and 1900, education and new ideas started to change how people understood risk. From 1900 to 1970, specialized professions focused on risk began to develop. Between 1970 and 1995, risk management started to shift from being specialized to more general. After 1995, it became a more mature profession. From 1995 to 2004, risk management standards were introduced. Between 2004 and 2018, international frameworks and standards, like the COSO ERM Framework and ISO 31000, were developed and updated. Since 2010, issues like climate change, environmental and social governance (ESG), corporate social responsibility (CSR), sustainability, and resilience have become central to risk management discussions. These changes show how risk management continues to adapt to new challenges in our world.

This diagram illustrates the historical evolution of risk management, highlighting key events, frameworks, and global influences over time.
Timeline breakdown:
- Pre-1500s:
  - Risk was understood through religious beliefs, fate, and superstition.
- 1600–1900:
  - The Enlightenment led to a more scientific approach to risk.
- 1900–1950:
  - Specialist risk professions began to emerge.
- 1950s–1980s:
  - Expansion of insurance in the US.
  - Focus on contingency planning, loss prevention, and safety.
  - Development of business continuity planning (BCP), captive insurance, and anti-corruption measures.
  - Increased corporate governance, control, and reporting.
- 1990s:
  - Introduction of corporate governance and listing requirements.
  - Notable frameworks and reports:
    - 1985: Treadway Report
    - 1988: IRM (Institute of Risk Management)
    - 1992: COSO Framework, Cadbury Report
    - 1995: Greenbury, AS/NZS 4360, CoCo
    - 1998–1999: Hampel, Turnbull
- 2000s:
  - Stronger internal controls and risk governance became essential after financial crises.
  - Introduction of Chief Risk Officers (CROs) and risk management standards.
  - Major regulatory and standards developments:
    - 2002: Sarbanes-Oxley Act (SOX)
    - 2002: IRM / ALARM / AIRMIC Risk Management Standard
    - 2003: UK Combined Code
    - 2004: COSO ERM
    - 2009: ISO 31000 (global risk management standard)
- 2010s:
  - The financial crisis influenced the maturity of the risk profession.
  - Increased globalization and market volatility.
  - Key frameworks:
    - 2017: COSO ERM update
    - 2018: UK Corporate Governance Code, Wates Principles
    - 2018: ISO 31000 update
- 2020s–present:
  - Emerging challenges include COVID-19, COP26 (climate change policies), and rising international conflicts.
  - Continued evolution of risk governance models:
    - 2020: Orange Book (updated risk management guidance)
    - 2020: Three Lines Model
    - 2022: TCFD (climate-related financial disclosures)
Over the past few hundred years, there has been a major shift in how people understand risks. People have gained more knowledge about causes and effects by observing and learning about their environment. At first, this knowledge was passed down through stories, and later through written records. Over time, mystery and superstition turned into unknown uncertainty, and then into known uncertainty, especially during the Enlightenment period. This progress eventually allowed people to measure risk for the first time using statistics. Looking back at this history is valuable because it helps us understand how the field of risk management has developed and why the modern world looks the way it does, including some old superstitions and irrational beliefs that still influence us today.
In “A Brief History of Risk Management” (Kloman, 2010), the author traces the history of risk management from 1914 to 2008. It covers the development of specialized areas like insurance, actuarial science, and health and safety. While the material only scratches the surface of a very detailed subject, it helps highlight key events in the history of risk management. Since 2008, the world has seen significant changes in risk management. The focus has shifted from financial risks to environmental and social issues, as well as holding people and organizations accountable for their actions. While governance, risk, and compliance (GRC) were becoming important, especially in the financial sector, the spotlight has now turned to environmental, social, and governance (ESG) factors for most organizations worldwide. This shift has led to more regulations. For example, in the UK, laws like the Modern Slavery Act (2015) require companies to address human rights issues. Additionally, starting in April 2022, over 1,300 of the largest UK companies and financial institutions must disclose climate-related financial information using guidelines from the Task Force on Climate-related Financial Disclosures (TCFD). There are also broader requirements tied to ESG criteria, which focus on environmental, social, and governance practices. These changes show how risk management is evolving to address new challenges in our world.
1.2 Importance of ERM to an Organization
Risk can be defined simply as uncertainty that matters because it can impact the goals we are trying to achieve. Because of this, managing risks—whether they could have negative or positive effects on our goals—is very important for any organization. Risk management can bring both “soft” benefits, like better teamwork and relationships, and “hard” benefits, like higher profits or returns on investment. Risk management is important when viewed through three key perspectives: organizational strategy (how the organization plans to achieve its goals), governance (how the organization is managed and controlled), and resilience (how the organization can adapt and recover from challenges).

Key purposes of risk management:
- Financial benefits:
  - Higher return on investment (ROI): effective risk management helps organizations optimize resource allocation, reducing losses and increasing profitability.
  - Keep within risk appetite limits: ensures that the organization operates within acceptable risk boundaries, preventing excessive exposure to risks.
- Operational efficiency:
  - Reduce friction: by identifying and mitigating risks early, operations can run more smoothly without disruptions.
  - Increase quality of product or service: proactive risk management helps maintain high standards and minimize defects.
- Strategic decision-making:
  - Provide a rational basis for business decisions: risk management provides data-driven insights for making informed choices.
  - Consistency of decision-making: a structured approach to risk management ensures decisions are aligned with company policies and objectives.
- Business growth and sustainability:
  - Increase ability to hit strategic targets: reduces the uncertainties affecting business goals.
  - Improve transparency of risk culture: helps create a culture where employees are aware of risks and proactively manage them.
- Reputation and trust:
  - Increase confidence: stakeholders, including investors and customers, gain confidence in a company that manages risks effectively.
  - Retain brand and reputation value: avoids reputational damage from risk-related failures.
- Workplace and relationship management:
  - Improve working relationships: encourages collaboration by reducing uncertainties in business processes.
Strategy
Risk management has grown more important over the past 15 years. It looks at how different risks in a company are connected. By understanding these connections, organizations can better see their overall risk exposure. A risk-aware strategy should be a top focus for the Board, and top executives expect ERM (Enterprise Risk Management) to play a bigger role in shaping and carrying out the company’s strategy. If ERM and strategic planning are not aligned, ERM can’t help the organization much. It won’t guide decision-making or make sure resources are used effectively to address the biggest risks.
Benefits
- Build confidence in stakeholders and the investment community
- Align risk appetite and strategy
- Link growth, risk and return
Governance
Governance is the system of rules, practices, and processes that guide and control how a company is run. It involves how companies are managed, who has the power and responsibility to make decisions, and how accountability is ensured. Good corporate governance also makes sure that the right practices and procedures are in place to help the organization meet its goals, giving stakeholders confidence that their trust is well-placed. However, boards should pay more attention to the rapidly changing business environment and keep an eye on new risks, rather than focusing only on financial reporting. To lead effectively and achieve goals while dealing with uncertainty, a combined approach to governance, risk, and compliance (GRC) is needed. This means integrating compliance, risk management, internal controls, and internal audit. Boards often assign the oversight of ERM (Enterprise Risk Management) to their audit committees, but their responsibilities now also include other areas like ESG (Environmental, Social, and Governance) issues and emerging risks such as geopolitical tensions, market changes, skill shortages, and supply chain problems. Because of this, ERM is more important than ever to help decision-makers understand risks and ensure that risks are managed well, and that internal controls and risk management processes are working effectively.
Benefits
- Comply with relevant legal and regulatory requirements
- Enhance corporate governance
- Embed the risk process throughout the organization
- Rationalize capital
Organizational Performance
Benefits
- Increase the likelihood of a business realizing its objectives
- Improve organizational resilience
- Embed the risk process throughout the organization
- Minimize operational surprises and losses —less fire-fighting
- Enhance risk response decisions
- Identify and manage cross-enterprise risks
People
Benefits
- Optimize allocation of resources
- Improve organizational learning
Resilience
In recent years, we have faced many major risk events, such as the Covid-19 pandemic, the war in Ukraine, mass migration caused by civil wars, scandals involving senior officials, political uncertainties such as the election of radical leaders and Brexit, and more frequent and severe natural disasters like floods and hurricanes. These events have pushed companies, industries, healthcare systems, and even countries to their limits, testing their resilience, and they have changed the role of risk professionals. Risk management is about protecting organizations and making them stronger in the face of disruptions, big or small. While aiming high, it is also crucial to safeguard the organization’s value. Managing “downside risks” (events that could have negative outcomes) helps organizations implement controls and stay on track. At the same time, many of the ambitious and meaningful goals humanity wants to achieve are complex and come with risks, and risk management helps organizations pursue opportunities that might otherwise seem too risky or uncertain. Good risk management is about being able to take calculated risks and aim high. Today, organizations are increasingly required by laws, regulations, or stakeholder expectations to build strong risk management capabilities and to report evidence that these capabilities are effective. This focus has grown because of Covid-19 and the growing impact of climate change. There is also more pressure on organizations to demonstrate their ability to anticipate risks, build resilience, and show their commitment to sustainability, corporate social responsibility (CSR), and environmental, social, and governance (ESG) practices. In the future, these reports may be audited in the same way financial reports are audited today.
In short, risk management is about protecting the organization’s value and making it resilient to disruptions of any size, while enabling it to pursue ambitious goals that might otherwise seem too uncertain. With growing expectations, organizations must build strong risk management capabilities and prove their effectiveness, especially in areas like sustainability and resilience.
1.3 Approach to ERM
Risk management is the same no matter where or how it’s applied. Whether it’s in a business, industry, sector, or country, all risk management processes aim to answer one key question: given the risks we face, can we achieve our goals? This idea can be broken down into a simple four-step process, created by risk management and sustainability experts.

- Define context and objectives – Know your internal and external environment and how it is changing, then define your goals clearly within that context.
- Assess risk – Look for both potential threats and opportunities (risks). Analyze them using the best available methods and ask, “Do we need to take action on these risks?”
- Manage risk – Where possible, manage the risks by implementing controls. A control is something that changes or reduces the risk; if it does not affect the risk, it is not a control.
- Monitor, review and report – Keep track of how risks are being managed, review their status, and share updates. Let people know what is happening and what they might need to do.
This helps us ask and answer the key question: Considering the situation we’re in, the risks we face (whether they’re opportunities or threats), and how well we’re managing them, can we achieve our goals?
- If the answer is “yes” – the system is balanced, and no further changes are needed.
- If the answer is “no” – there are two options:
a) Put more effort and resources into managing the risks (add more controls); or, if that’s not possible or desired,
b) Adjust the objectives (if possible) because the current goals are either too hard or too easy to achieve for the best balance.
This simple risk management process works at every level of an organization and connects risk management across all areas. It helps answer the key question, whether at board level or in day-to-day operations. The process stays the same; only how it is applied is adjusted to fit the situation.

The simple four-step process can connect with any other risk management process, whether it’s for financial, project, health and safety, reputation, environmental, or other risks. It gathers risk information to support integrated risk management and helps make risk-based decisions across the entire organization. This process serves as the foundation for managing risks in a consistent and unified way. This approach aligns with one of the main principles of the International Risk Management Standard, ISO 31000:2018, which emphasizes the importance of integrating Enterprise Risk Management (ERM) with other organizational activities. Consistency and integration are key to effective risk management.
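To make the loop concrete, here is a small risk-register walkthrough written for this page. It is an added example, not code from the original text or from ISO 31000 or COSO. It assumes a 5x5 likelihood-by-impact scale, a residual-score risk appetite of 9, and a constructed register of three sample risks; none of those numbers, names or owners comes from the source. It applies the rule from the “Manage risk” step literally: a control that changes neither likelihood nor impact is flagged as not a control, and only effective controls count towards the residual score. The final “can we achieve our goals?” answer is “yes” only when every threat sits inside appetite; otherwise the report names the risks to escalate and the two options (add controls, or revisit the objective).

```python
from dataclasses import dataclass, field

# Assumed scales: likelihood and impact each rated 1..5, score = product.
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed risk appetite: the highest residual threat score the board accepts.
RISK_APPETITE = 9


def clamp(value: int) -> int:
    """Keep a rating inside the assumed 1..5 scale."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


@dataclass
class Control:
    name: str
    likelihood_delta: int = 0   # negative values lower likelihood
    impact_delta: int = 0       # negative values lower impact

    def is_effective(self) -> bool:
        # A control must change the risk; one that changes nothing is not a control.
        return self.likelihood_delta != 0 or self.impact_delta != 0


@dataclass
class Risk:
    name: str
    kind: str                   # "threat" or "opportunity"
    likelihood: int
    impact: int
    owner: str                  # every risk gets an owner (an ERM trait)
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after applying only the controls that actually change the risk."""
        effective = [c for c in self.controls if c.is_effective()]
        likelihood = clamp(self.likelihood + sum(c.likelihood_delta for c in effective))
        impact = clamp(self.impact + sum(c.impact_delta for c in effective))
        return likelihood * impact


def assess(register: list, appetite: int = RISK_APPETITE) -> dict:
    """Steps 2-4: score each risk, flag non-controls, answer 'can we achieve our goals?'"""
    report = {"over_appetite": [], "non_controls": [], "opportunities": []}
    for risk in register:
        for control in risk.controls:
            if not control.is_effective():
                report["non_controls"].append((risk.name, control.name))
        if risk.kind == "opportunity":
            report["opportunities"].append((risk.name, risk.residual_score()))
        elif risk.residual_score() > appetite:
            report["over_appetite"].append((risk.name, risk.owner, risk.residual_score()))
    # "Yes" only when every threat sits inside appetite after controls.
    report["objectives_achievable"] = not report["over_appetite"]
    return report


def escalation(report: dict) -> str:
    """The two options the text gives when the answer is 'no'."""
    if report["objectives_achievable"]:
        return "balanced: no further change needed"
    names = ", ".join(name for name, _, _ in report["over_appetite"])
    return ("escalate: (a) add controls or resources for " + names +
            ", or (b) revisit the objective with the accountable owner")


def sample_register() -> list:
    """Constructed sample data; the risks, ratings and controls are illustrative only."""
    return [
        Risk("Ransomware on file servers", "threat", 4, 5, "Head of IT", [
            Control("Offline, tested backups", impact_delta=-2),
            Control("MFA on all remote access", likelihood_delta=-1),
        ]),
        Risk("Key supplier insolvency", "threat", 3, 4, "Procurement", [
            Control("Annual supplier review"),   # changes nothing: not a control
        ]),
        Risk("Early product launch", "opportunity", 2, 4, "Product"),
    ]


if __name__ == "__main__":
    result = assess(sample_register())
    for risk in sample_register():
        print(f"{risk.name}: inherent {risk.inherent_score()}, residual {risk.residual_score()}")
    print(escalation(result))
```

With the constructed register, the ransomware risk falls from an inherent 20 to a residual 9 and sits inside appetite, the supplier risk stays at 12 because its only “control” changes nothing, so the answer is “no” and the supplier risk is escalated with its owner. The same structure scales to a real register: swap in the organization’s own scale and appetite, and keep the non-control check, since it is the most common reason a register looks healthier than the organization actually is.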

1.4 Risk Management Specialism
- Core risk management process (centre cycle). The central cycle consists of four key steps:
  - Define Context & Objectives – Establish the organization’s goals and risk framework.
  - Assess Risks – Identify, analyze, and evaluate potential risks.
  - Manage Risks – Develop and implement strategies to address risks.
  - Monitor, Review & Report – Continuously track risk performance and make improvements.
- Surrounding risk categories (outer circle). Various risk management areas are shown around the central process, indicating that risk management applies across multiple domains:
  - Sustainability Risk Management – Risks related to environmental and social responsibilities.
  - HR Risk Management – Risks associated with human resources, including talent retention and compliance.
  - Reputation Risk Management – Risks affecting the organization’s brand and public perception.
  - Operational Risk Management – Risks related to internal processes, systems, and daily operations.
  - Health & Safety Risk Management – Risks affecting employee well-being and workplace safety.
  - Project Risk Management – Risks associated with project execution, cost overruns, and deadlines.
  - Financial Risk Management – Risks involving financial stability, market fluctuations, and investments.
  - Etc. – Further categories such as cybersecurity, regulatory, or geopolitical risk.
Risk management involves many aspects and is done in various parts of an organization for different reasons. A key principle of the International Risk Management Standard, ISO 31000:2018, is the need for a consistent approach and integrating Enterprise Risk Management (ERM) with other organizational activities. When looking at risk management across an organization, some areas, like finance, health and safety, and project management, will have more visible risk management activities compared to others.
Risk management is often seen as an extra task, separate from the other processes and management activities in a company. Enterprise Risk Management (ERM) is different because it applies to the entire organization and connects with its other operations. This does not mean ERM replaces areas like Health & Safety or Financial Risk Management, which follow their own strict rules and laws. Instead, ERM brings together the different types of risk information, collected in various ways, and presents it to managers in a clear and consistent format to support better decision-making. When risk management is handled separately in different departments (silos), it can lead to gaps, overlaps, or inconsistencies, making it harder for the organization to make effective decisions. Although this unit focuses on three specific areas, risk management happens in every part of an organization, with some areas having more structured approaches than others. When working on any task, it is important to consider the situation, the goals, the risks, and our ability to manage those risks, and always to ask: can we achieve our objectives? If the answer is no, this should be reported to higher management to request either more resources to manage the risks or a change to the objectives. The request can be escalated to the right level of management, and once a decision is made, the actions can be passed back down to the relevant team. In this way, ERM can connect with all organizational activities, whatever their risk management needs. ERM provides a consistent approach, using a common risk language, to manage and report risks across the organization. This helps managers and senior leaders understand the risks the organization faces and supports better decisions to manage those risks and achieve its goals.
1.Finance: Financial activities and the financial industry are highly regulated, with a strong emphasis on managing risks that could affect an organization’s finances. These risks range from basic accounting and tax rules for small businesses to corporate governance and financial reporting for larger companies. Bigger organizations must also demonstrate their ability to continue operating in the long run. Additionally, strict laws and regulations vary by country and industry. For example, in the U.S., the Sarbanes-Oxley Act sets rules for financial record-keeping and reporting for corporations. In financial services, regulations include the Basel Accord for banks and the Solvency II rules for insurance companies in the European Union. Banks are also required to manage operational risks. According to the Basel Committee on Banking Supervision (2021), operational risk refers to potential losses caused by internal failures (such as process breakdowns, human errors, or system issues) or external events. This is reflected in Basel’s updated guidelines for effective operational risk management.
2. Health and Safety: Health and safety is one of the oldest and most developed areas of risk management. In the UK, laws protecting workers date back to the 1800s, with the Factories Act of 1833 playing a key role in safeguarding child workers in textile mills. Over time, more laws were introduced for industries like mining and farming, leading to the Health and Safety at Work Act (1974). This act serves as a foundation for many regulations covering different workplaces and risks, such as construction safety, working at heights, injury and disease reporting (RIDDOR), and the handling of hazardous materials like asbestos and chemicals (COSHH). Health and safety laws exist worldwide, though they vary by country. Some examples include the Occupational Safety and Health Act (1970) in the U.S., the Labour Code in France, and the Industrial Safety and Health Law (1972) in Japan. These regulations ensure workplace safety, though the level of strictness differs between countries, as noted in the HSE’s international study on company directors’ health and safety responsibilities.
3. Project risk management: People have been carrying out projects for thousands of years, from building the Great Pyramid of Giza in 2570 BC to the millions of projects happening today across different industries and countries. However, formal project management became more recognized in the 1950s, leading to the creation of professional organizations like the International Project Management Association (IPMA) in 1965, the Project Management Institute (PMI) in 1969, and the Association for Project Management (APM) in 1972. The APM defines a project as a unique and temporary effort aimed at achieving specific goals, which could be measured by results, benefits, or deliverables. A project is considered successful if it meets its objectives on time, within budget, and according to agreed criteria.
Common Features of Projects:
- Unique – No two projects are exactly the same.
- Temporary – They have a start and an end.
- Focused – They aim to deliver a specific change.
- Complex – They involve multiple tasks and challenges.
- Depend on Third Parties – Other people or companies may be involved.
- Based on Assumptions – Planning relies on predictions, which may change.
Because of these factors, projects come with a lot of uncertainty and risk. The importance of project risk management started growing in the late 1970s, with official guidelines being developed. Organizations like APM introduced the Project Risk Analysis and Management (PRAM) Guide, while PMI created its own standard for risk management.
1.5 Enterprise Risk Management standards
A risk standard can be defined as “a published guide for managing risk, usually comprising a risk framework and (especially) a risk process.” A risk framework, also known as the risk management context, comprises the risk strategy, risk architecture and risk protocols; it forms the risk context that helps to drive the risk process. A risk process is “the stages in the process of managing risk, which is driven mainly by how you set up the framework (but also affected by the internal and external environment).”
All risk management standards and frameworks are fairly new. In fact, the first-ever risk management standard, AS/NZS 4360, was only introduced in 1995 (Standards New Zealand, 2013). This shows how young the risk management profession is and why even today, risk managers still discuss basic issues like the definition of risk. Organizations can choose to use one of these standards or frameworks to manage their risks, mix elements from different ones, or even create their own custom approach. Over time, risk management has evolved across different regions, industries, and professions to meet various needs. Having a clear risk management framework and standards can help create a more consistent and effective risk management process. This ensures risks are managed in a coordinated and efficient way across the organization. Some widely used risk management standards include:
- ISO 31000:2018, Risk Management – Guidelines
- COSO:2004, Enterprise Risk Management – Integrated Framework
- COSO:2017, Enterprise Risk Management – Integrating with Strategy and Performance
ISO 31000 (2018)
ISO 31000 (2018), Risk Management – Guidelines, is the global standard for risk management. It covers:
- What good risk management looks like – the Principles
- What’s needed to implement effective risk management – the Framework
- The steps in risk management – the Process
First published in 2009 and updated in 2018, ISO 31000 is one of the simplest and most widely accepted risk management standards worldwide. You should feel confident about its content and purpose, especially its process. The standard explains that managing risk is based on the principles, framework, and process outlined in the guidelines. It’s important to note that ISO 31000 cannot be used for certification (unlike standards such as ISO 9001 for quality management). However, it provides guidance for organizations and audit programs, both internal and external. It helps compare risk management practices against an internationally recognized benchmark, focusing on principles for effective management, assurance, and corporate governance. To explain the risk management framework, the acronym RASP (Risk Architecture, Risk Strategy, and Risk Protocols) has been created. RASP supports the risk management process by defining how it works.
COSO
The COSO (2004) Enterprise Risk Management – Integrated Framework, also known as the COSO ERM Cube, was created in the United States by COSO (Committee of the Sponsoring Organizations of the Treadway Commission). The idea of “enterprise risk management” (ERM) started around 2000 and gained global popularity in 2004 when COSO introduced its first ERM Framework. This framework was developed to address fraudulent financial reporting, not just to control fraud and regulatory risks but also to identify and assess risks that needed controls. Its importance became clear after corporate scandals like Enron.

The COSO ERM framework is shown as a cube with three main parts:
- Front Face: The risk management process, made up of eight steps.
- Top Face: The four categories of organizational objectives.
- Side Face: How the standard is implemented, starting at the top level of the organization and spreading downward and across all areas. This means ERM must be part of every role, operation, and activity in the organization.
In 2017, the COSO ERM framework was updated, but the original “cube” remains influential. It provides a structure for assessing and improving risk management and internal control systems, making it a useful tool for managing risks.
The COSO (2017) Enterprise Risk Management – Integrating with Strategy and Performance, also known as the COSO ERM Rainbow Double Helix, is an updated version of the COSO ERM Cube. It reflects the growing complexity of risks and changes in the business environment. The new framework emphasizes that organizations integrating ERM across all levels can achieve greater benefits. The update was needed to better explain the connections between strategy, risk, and performance, and to highlight how risks are interconnected and how risk culture affects risk management. The COSO (2017) ERM Framework recognizes that ERM isn’t just about managing risks to achieve objectives but also about understanding how strategy and risks align. It focuses on improving performance in line with an organization’s mission, vision, and core values. The framework includes five interconnected components supported by 20 principles. Following these principles helps organizations understand and manage risks related to their strategy and goals.

The Framework itself is a set of principles organized into five interrelated components:
1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
4. Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
5. Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

Components and Principles
- Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
- Establishes Operating Structures—The organization establishes operating structures in the pursuit of strategy and business objectives.
- Defines Desired Culture—The organization defines the desired behaviors that characterize the entity’s desired culture.
- Demonstrates Commitment to Core Values—The organization demonstrates a commitment to the entity’s core values.
- Attracts, Develops, and Retains Capable Individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.
- Analyzes Business Context—The organization considers potential effects of business context on risk profile.
- Defines Risk Appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.
- Evaluates Alternative Strategies—The organization evaluates alternative strategies and potential impact on risk profile.
- Formulates Business Objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.
- Identifies Risk—The organization identifies risk that impacts the performance of strategy and business objectives.
- Assesses Severity of Risk—The organization assesses the severity of risk.
- Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.
- Implements Risk Responses—The organization identifies and selects risk responses.
- Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.
- Assesses Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.
- Reviews Risk and Performance—The organization reviews entity performance and considers risk.
- Pursues Improvement in Enterprise Risk Management—The organization pursues improvement of enterprise risk management.
- Leverages Information Systems—The organization leverages the entity’s information and technology systems to support enterprise risk management.
- Communicates Risk Information—The organization uses communication channels to support enterprise risk management.
- Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.
Orange Book: 2020
The Orange Book 2020 was created by the UK government for the public sector. However, its ideas and principles offer useful insights into risk management for everyone. The Orange Book focuses on the key principles to follow rather than detailed steps or methods. It explains the “what” and “why” of risk management but not the “how.” This makes it a helpful framework that other industries can also use. The Orange Book highlights five main principles of risk management:
- Governance and Leadership – Strong leadership and clear governance are essential.
- Integration – Risk management should be part of all activities and decisions.
- Collaboration and Best Information – Work together and use the best available information to manage risks.
- Risk Management Processes – Have clear processes in place to identify, assess, and manage risks.
- Continual Improvement – Always look for ways to improve risk management practices.
Alternative Approach
The three main standards/frameworks for risk management are covered here, along with a look at some other approaches. In recent years, there’s been a trend to combine general risk management standards (like the ones we’ve discussed) with industry-specific ones. For example, COBIT is a specialized standard for managing IT risks.
There are also standards for specific industries, such as:
- Banking: Basel III
- Insurance: Solvency II
- Health and Safety: ISO 45000 family (Occupational Health and Safety)
- Legal: ISO 31022 (Guidelines for Managing Legal Risk)
- Business Continuity: ISO 22301 (Business Continuity)
- Projects: PRAM Guide by the Association for Project Management (Project Risk Analysis and Management)
There are three main approaches in risk management standards:
- Risk Management Approach: Used by ISO 31000.
- Internal Control Approach: Developed by COSO’s Internal Control Framework and the FRC (Financial Reporting Council) risk guidance.
- Risk-Aware Culture Approach: Created by the Canadian Institute of Chartered Accountants, known as the CoCo framework.
Providing assurance is a formal part of corporate governance, especially for companies listed on stock exchanges. There’s also a specific standard for the UK charity sector, which you can explore further if interested. Lastly, we’ll introduce a framework designed for the public sector, showing that risk management applies to all types of organisations—whether private, public, or third sector. This highlights that risk management is relevant to any activity in any organization, no matter the sector.