Risk management matters to every organization and offers many benefits. Its principles rest on the idea that it adds value by applying practices aimed at achieving the best outcomes, which in turn reduces uncertainty and unpredictability. To deliver these benefits, most recognized standards, including ISO 31000, COSO and the Orange Book, include a section on principles. For example:
- ISO 31000 Principles: The eight principles of ISO 31000 sit under the heading “Principles – Value Creation and Protection.” The standard highlights the importance of a structured and integrated approach to risk management and acknowledges the role of human and cultural factors. ISO 31000 states that the purpose of risk management is to create and protect value. Its eight principles can be summarized as follows:
- Framework and processes should be customized and proportionate.
- Appropriate and timely involvement of stakeholders is necessary.
- Structured and comprehensive approach is required.
- Risk management is an integral part of all organisational activities.
- Risk management anticipates, detects, acknowledges and responds to changes.
- Risk management explicitly considers any limitations of available information.
- Human and cultural factors influence all aspects of risk management.
- Risk management is continually improved through learning and experience.
- COSO (2017) Principles: The framework has five components and 20 principles that describe practices for implementing enterprise risk management in any organization, regardless of size, type or sector. The components and their principles in the COSO (2017) ERM Framework are:
- Governance and culture
  - Exercises Board Risk Oversight
  - Establishes Operating Structures
  - Defines Desired Culture
  - Demonstrates Commitment to Core Values
  - Attracts, Develops, and Retains Capable Individuals
- Strategy and objective-setting
  - Analyses Business Context
  - Defines Risk Appetite
  - Evaluates Alternative Strategies
  - Formulates Business Objectives
- Performance
  - Identifies Risk
  - Assesses Severity of Risk
  - Prioritizes Risks
  - Implements Risk Responses
  - Develops Portfolio View
- Review and revision
  - Assesses Substantial Change
  - Reviews Risk and Performance
  - Pursues Improvement in Enterprise Risk Management
- Information, communication and reporting
  - Leverages Information Systems
  - Communicates Risk
  - Reports on Risk, Culture, and Performance
- Orange Book (2020) Principles: The Orange Book sets out key principles for effective risk management and applies to all UK government departments and public bodies. These principles help government organizations follow the UK Corporate Governance Code. There are five main principles (A to E). They explain the “what” and the “why,” but not the “how,” of creating, running and maintaining a strong risk management framework.
- Governance and Leadership
- Integration
- Collaboration and Best Information
- Risk Management Processes
- Continual Improvement
PACED Attributes
The principles of risk management can be grouped into five key features of effective enterprise risk management. These features are summarized by the acronym PACED:
- Proportionate – The process is tailored to fit the organization and its activities. “One size does not fit all.” However, the overall process and language used should be consistent for clear understanding of risks, controls, and actions.
- Aligned – The process connects with the organization’s other activities, so that business runs smoothly and ERM acts as the link between those activities rather than a separate exercise. Alignment also makes risk reporting and management more effective.
- Comprehensive – The process ensures consistency and considers risks and controls across the organization and beyond. This helps in understanding the overall risk profile and identifying existing, new, and emerging risks from both internal and external factors.
- Embedded – The ERM framework encourages a shift in risk attitudes, behavior, and culture. This helps improve risk management maturity and awareness of its value to the organization.
- Dynamic – The process doesn’t end with creating a risk register. While collecting risk information is important, it’s just “register writing,” not risk management. The process must stay active to support decision-making and add value to the organization.
2.1 Risk Management Process
1) ISO 31000 Process: The ISO 31000 process consists of eight key risk management steps:
- Communication and consultation.
- Scope, context, criteria.
- Risk assessment – risk identification.
- Risk assessment – risk analysis.
- Risk assessment – risk evaluation.
- Risk treatment.
- Monitoring and review.
- Recording and reporting.
Even though the standard begins with communication and consultation, most organizations using this approach start by defining the scope, context and criteria. In the previous version of this standard this step was called “establish the context,” a term you may still come across in risk management resources and that many organizations continue to use. One key difference from other standards is that ISO 31000 groups risk identification, risk analysis and risk evaluation together under the broader heading of risk assessment.
2) COSO Process:
In the 2004 version of the COSO ERM Framework, the process consists of eight key risk management steps:
- Internal environment.
- Objective setting.
- Event identification.
- Risk assessment (covers both the analysis and evaluation steps).
- Risk response.
- Control activities.
- Information and communication.
- Monitoring.
In the 2017 version of the COSO ERM Framework, the risk management framework and process are integrated. The initial steps of understanding the context and objectives are included in the first two components of the framework: 1) Governance and Culture, and 2) Strategy and Objective Setting. The more familiar steps of the risk management process are found in the third component, 3) Performance, which involves:
- Identifying risks,
- Assessing the severity of risks,
- Prioritizing risks,
- Implementing risk responses, and
- Developing a portfolio view.
In this approach, the terms “assess” and “prioritize” align with the analysis and evaluation steps in ISO 31000.
The remaining parts of the risk management process are covered in the last two components: 4) Review and Revision, and 5) Information, Communication, and Reporting.
3) Orange Book Process:
The Orange Book comprises a risk management framework built on five principles and a process:
- Principle A – an essential part of governance and leadership.
- Principle B – an integral part of all operational activities.
- Principle C – collaborative and informed by the best available information.
- Principle D – has structured processes.
- Principle E – continually improved.
Principle D includes the main steps of the process which comprise:
- Risk identification and assessment.
- Risk treatment.
- Risk monitoring.
- Risk reporting.
In this approach, “risk identification and assessment” corresponds to the ISO 31000 steps of identification, analysis and evaluation. The Orange Book framework closely mirrors ISO 31000 in both its terminology and its methodology.
Comparison using the four simple steps of risk management
As noted earlier, there are many different standards and frameworks for risk management; the four main approaches highlighted above are ISO 31000, COSO 2004, COSO 2017 and the Orange Book. Organizations may adopt one of these frameworks to meet regulatory, industry or regional requirements, or simply because it is familiar to their risk management teams. As risk management practice has matured, advisory firms have also developed their own frameworks and toolkits. While each organization, standard or framework may promote different methods, the four core steps of risk management remain consistent:
- Define Context and Objectives – Understand the external and internal environment in which the organization operates and clarify its goals and objectives.
- Assess the Risks – Identify the risks faced, analyze their potential impact, and evaluate whether they are acceptable or require further action.
- Manage the Risks – Implement controls and additional measures to address and modify the risks.
- Monitor, Review, and Report – Continuously assess changes in risks, controls, and the overall context to ensure risks are effectively managed and new or emerging risks are appropriately considered.
A point many standards stress is closing the loop in this four-step process: regularly asking whether, given the current context, objectives, risks and the organization’s ability to manage them, those objectives can still be achieved.
2.2 Risk Architecture
The risk management framework is sometimes summarized as RASP: Risk Architecture, Risk Strategy and Risk Protocols. Risk architecture describes how the organization is set up to manage risk. It mirrors the organization’s structure and defines how risk management operates. Risk architecture includes:
- Committee structure and terms of reference.
- Roles and Responsibilities.
- Internal reporting requirements.
- External reporting controls.
- Risk management assurance arrangements.
- Budget and agreement on resources.
Organizations usually shape their risk management around their overall management style and structure. That structure depends on key relationships and on how tasks are delegated, especially where interests may conflict. This idea comes from Agency Theory, which describes the relationship between a “principal” and an “agent”: the principal relies on the agent to make decisions on its behalf, and those decisions can have uncertain results. In businesses, such relationships exist between shareholders, members, trustees, executives, the board of directors and the CEO. Some CEOs prefer a centralized structure, where a central team controls strategy and operations. Others prefer a decentralized approach, where unit or divisional managers make decisions with little input from the center. Many organizations use a mix of both, allowing freedom in some areas but requiring a corporate approach in others, such as brand management, health and safety, and banking. Understanding the organization’s structure is key to aligning the ERM process with roles, responsibilities and reporting needs. Whatever the structure, risk management is essential; the risk management team and its activities will simply differ depending on whether the organization is centralized, decentralized or hybrid.
Role and Responsibilities
Organizations have many roles and responsibilities tied to risk management. To make risk management work well, these roles must be clearly defined. Simply hiring more risk management staff doesn’t mean the process is effective. It might even backfire, making others feel less responsible or think, “I don’t need to worry about risk because there’s a risk manager or champion handling it.” Key staff and all employees play a part in risk architecture. Risk tasks are also given to experts who manage specific risks. Depending on the organization’s activities, these roles include:
- Head of legal.
- Business continuity manager.
- Head of internal audit.
- Head of clinical safety.
- Compliance officer.
- Money laundering reporting officer.
- Head of credit risk.
- Head of security.
- Corporate insurance manager.
- Head of human resources.
Each role has a job description outlining its duties. These specialists’ work is part of the organization’s risk architecture. Think about the roles in your organization that help manage risk. For projects, roles and responsibilities are often shown in a RACI chart. This chart lists stakeholders and their level of involvement: Responsible, Accountable, Consulted, or Informed.
Risk Management Planning
When starting ERM for the first time, remember:
- Organizations often hire a risk manager or team to handle ERM setup and operations. In sectors like banking and finance, or in some countries, having a Chief Risk Officer is becoming a legal requirement.
- The PACED principles of risk management are key to implementing ERM successfully and getting the most benefits.
- Organizations can measure the benefits of a well-implemented ERM framework using FIRM (financial, infrastructural, reputational, and marketplace benefits) or the MADE2 model.
ERM implementation isn’t just about managing risk—it shows how mature an organization’s risk management is. Having ERM means the organization is more advanced in risk management. A successful risk management process follows four steps: planning, implementing, measuring, and learning (PIML). This is similar to the plan-do-check-act method used in many management standards. Setting up a fully working ERM program is a big task that involves the entire organization. The time needed to successfully implement ERM depends on several factors, such as:
- Starting point: What already exists that the organization can use?
- Leadership support: Strong commitment from top leaders speeds up the process.
- Size and complexity: Larger, more complex organizations take longer.
- Global reach: Organizations operating worldwide may need more time.
- Available resources: More resources can help speed up implementation.
One thing is clear: ERM is not a quick project. For large financial organizations, it can take 3-5 years. A basic ERM program with key elements like a risk board, governance structure, and risk appetite statement can be set up in 1-2 years. However, building a mature, fully integrated, and results-focused ERM program takes longer. In smaller, simpler organizations with strong leadership support, it might take 5-7 years. In larger, more complex organizations, it could take 5-10+ years. Don’t be discouraged by these timelines. Effective ERM is a long-term effort that evolves over time. Key factors to consider include:
- Governance structure and assurance.
- Risk appetite statements.
- Risk profiles.
- Organizational culture and openness to change.
- The number of countries the organization operates in.
In short, ERM is a long-term investment (likely over 3 years) that brings significant benefits to the organization. Many guides and resources offer advice on ERM implementation. Most agree that the approach depends on the organization’s risk characteristics and its internal and external environment. In other words, it depends on the organization’s specific context.
Risk Management Reporting
A key part of risk planning is making sure risk management fits into the organization’s existing governance and reporting structure. Risk discussions should take place in the regular meetings that already exist, and risks and their treatment should be reviewed and reported in those meetings on the organization’s usual schedule. A typical reporting cycle looks like this:
- Some discussions and decisions happen as part of normal business and do not need to be escalated to higher management.
- Regular team meetings, for example every two weeks, are where information is shared, decisions are made and feedback is given to support day-to-day operations.
- Important information from these team meetings is collected and shared with senior managers at their monthly meetings.
- Every quarter, key information from management is shared with the Board.
What is often missing, but very important, is feedback from the Board back to the teams and operations about the outcomes of its discussions and decisions. This is only one example of how meetings and reporting can work in an organization; for risk management to work well, it should fit into and follow the same cycle.
2.3 Risk Strategy
An organization needs a clear plan for managing risk. The key parts of a Risk Strategy include:
- Risk management philosophy
- Arrangements for embedding risk management
- Risk appetite and attitude to risk
- Benchmark tests for significance
- Specific statements/policies
- Risk assessment techniques
- Risk priorities
These parts show that the Risk Strategy reflects the leadership’s approach and the purpose of risk management. Is it just about meeting basic stakeholder needs, or is it about creating a process that adds real value, supports decision-making, and protects the organization? The Risk Strategy should match the organization’s agreed principles for managing risk.
Risk management policy
The risk management strategy should be set out in a risk policy approved by the board and applied across the entire organization. In organizations with a decentralized structure, a hybrid risk management framework might combine a central policy with unit or divisional managers responsible for implementing it. Most organizations have a short ERM policy (usually no more than two pages) that explains the organization’s approach to risk management, assigns responsibility and ensures resources are available to keep risks at an acceptable level. The policy is typically approved and owned by the Board or a Board Risk Committee. Many example policies can be found online, but they should always be adapted to fit the organization’s culture and risk management style.
Risk Appetite
The level of risk an organization is prepared to take before acting is called its ‘risk appetite.’ The IRM defines it as: ‘The amount of risk an organization is willing to take to achieve its long-term goals.’ Risk appetite is usually stated in the risk strategy, while details on how to set it and apply it across the organization are often found in the risk manual or supporting guidelines. For an organization to manage risk consistently (ERM), staff need to know when to act on a risk. If they do not know when to respond and when to accept a risk, the organization’s overall exposure will grow through inconsistent actions, with staff acting on their personal views of risk rather than the organization’s agreed approach. The board is responsible for setting the appetite. The key terms mean:
- Risk appetite: The level of risk the organization is okay with, where no action is needed except monitoring for changes.
- Risk tolerance: The level of risk the organization can handle for a short time while working to reduce it.
- Risk capacity: The maximum level of risk the organization can’t or won’t go beyond.
Risk appetite differs between organizations—some take more risks (risk aggressive), while others avoid risks (risk averse). Even within the same organization, different areas may have different risk appetites. An ERM approach requires organizations to understand their overall risk appetite and apply it consistently. This helps the organization make clear decisions about how to handle risks. Risk appetite must align with the organization’s business strategy, operations, and legal requirements. However, boards often focus on business goals and strategy, which can lead to decisions that don’t fully consider the actual risk levels or the organization’s willingness to accept them.
2.4 Risk Protocol
Organizations create and use risk protocols to put their chosen risk strategy and structure into action. These protocols can be gathered into a manual, standard, procedure, tools, templates, techniques, or a mix of these documents. Note that each organization may use different terms for its formal documents. Below, we use varied language intentionally. These documents explain “how” to deliver effective risk management. Often, a risk manual (or multiple manuals focusing on specific areas like financial, strategic, and operational risks) is developed and integrated into the organization’s operations. The protocols outline operating procedures and guidelines. For example, they may include:
- Methods for identifying risks.
- The format and content of the organization’s risk register, how to fill it out, and how often it should be updated.
- Rules for logging risk events and reporting significant events based on their importance.
- Reporting requirements, such as weekly or monthly reports, risk analysis, and tracking key risk indicators.
- Approval processes for spending on risk improvement actions.
- Steps for reviewing and approving new or renewed contracts.
- Templates for risk assessments and, if needed, certifications.
Risk protocols focus on practical, organization-wide practices that ensure the risk strategy is implemented and works effectively. If the policy explains the “what” and “why” of risk management, procedures explain the “how.” Organizations usually provide a detailed document that explains how to manage risk at a more detailed level. This document ensures a consistent approach to risk management, defines the terms and language to use, clarifies roles and responsibilities, and provides information on tools and techniques. The risk management function owns this document, allowing updates to keep practices current without needing board approval. Different organizations may call this document procedures, framework, manual, guidance, etc., depending on their document control system.
Tools and Techniques
As part of risk management protocols, organizations typically provide separate information on tools and techniques to support effective implementation of risk management practices. Tools are devices, equipment or applications that help complete tasks, such as modeling software. Techniques are methods used to carry out specific tasks, such as PESTLE analysis, which helps in understanding the context and identifying risks. Many techniques are used in the risk management process. IEC 31010:2019 (ISO/IEC 31010), part of the risk management suite of international standards, specifically addresses risk assessment techniques for risk identification, analysis and evaluation. Tools and techniques are not usually part of the risk management procedure itself, but they are referenced within it. These documents are consulted less often than policies and procedures, but they are available to help people perform specific tasks, particularly where a technique is unfamiliar or rarely used. Examples include root cause analysis, Monte Carlo simulation and scenario analysis. Information on tools and techniques is often presented in user-friendly formats such as factsheets, flowcharts or toolboxes, giving step-by-step guidance so that individuals can complete tasks with minimal or no support or supervision. The documentation maintained for risk management information can be broadly grouped into the categories below, which serve as supplementary aids to the core risk management processes.
Governance
- Risk Governance
- Risk Management Policies
- Specific Risk Statement
- Terms of reference of the risk and audit committees
- Risk Protocol and Procedures
- Risk awareness training records
Management and Controls
- Risk response
- Result of risk assessment
- Risk control standards
- Risk improvement recommendations
- Risk assurance report
- Business Continuity Plan/Disaster Recovery Plan
Insurance
- Event Report
- Loss/Claim report and recommendations
- Legal and litigation reports
- Enforcement actions/Customer complaint
- Incident/near miss investigations
- Business Performance report/Key performance indicator
Audit
- Risk Performance
- Control risk self-assessment (CRSA) returns
- Audit Procedures and Protocols
- Internal audit report
- Unit risk management report
- External disclosure report
Risk Management Information System (RMIS)
The system that holds and organizes risk information is often called a risk management information system (RMIS). It is the tool that connects and supports the work of the central risk team and the operating divisions across the organization. Risk management data are frequently kept in spreadsheets and other file formats, often using templates issued by the risk team to the various departments and divisions. Many organizations, however, opt for a structured IT system to store, analyze and report risk-related information to senior management. A centralized risk repository makes this information far easier to analyze and manage, especially when multiple divisions or departments contribute data to the central risk management team. For many organizations, the central hub for all risk management information is the risk register. A risk register can be as simple as an Excel spreadsheet, but it should not be maintained in Word or PowerPoint: those tools can present risk information, but they cannot sort, filter or analyze a large dataset. The risk register is the primary record of an organization’s current understanding of its risks. A well-maintained risk register:
- Consolidates knowledge about risks and controls,
- Is customized to fit the organization’s needs,
- Is regularly updated,
- Supports informed decision-making, and
- Enables teams, projects, and the organization as a whole to prioritize and manage risks effectively.
There are many specialized RMIS (Risk Management Information System) software options available. Some focus on specific areas of risk, like managing corporate insurance and claims or handling project risks, while others aim to provide a comprehensive, organization-wide approach to risk management. The main advantages of using a structured RMIS include consistent data collection, storage, and analysis, as well as fewer errors and gaps compared to relying on multiple spreadsheets. Some organizations use a ‘GRC’ approach—Governance, Risk Management, and Compliance—as a single, unified process. Software systems, known as GRC platforms, are available to help manage these activities. For example, MetricStream, one of the providers, explains:
‘Companies are increasingly driven by the need to comply with regulations, manage risks, and meet quality standards. MetricStream’s GRC Platform offers a unified framework to support risk, compliance, and quality management processes, helping organizations improve risk management and corporate governance. The platform integrates these processes into a seamless system, making it easier to manage risks, regulations, and compliance issues.’
More advanced RMIS tools offer enhanced risk analysis capabilities by using risk data for predictive modeling, such as Monte Carlo simulations. They can also be set up to analyze cost and schedule forecasts in projects, which is crucial for project risk management. While a RMIS helps risk managers make better-informed decisions, it doesn’t replace their skills, experience, and expertise. It’s important to remember that a RMIS is a tool to support risk management, not the process itself. It serves as a central hub for risk information, aiding decision-making and action, but it doesn’t replace the need for a structured risk management process.
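To make the register-as-hub point concrete, and to tie it back to the appetite, tolerance and capacity bands in section 2.3, here is an added example of a minimal risk register with sorting and filtering, plus a small Monte Carlo aggregation of annual loss of the kind the paragraph above mentions. This is illustrative code written for this page; it is not from the page’s author or from any framework cited here. The 1..5 scoring scale, the three loss bands, the event rates, the loss ranges and the three sample risks are all constructed assumptions.

```python
"""Minimal risk register with prioritisation, filtering and a Monte Carlo
aggregate of annual loss checked against appetite / tolerance / capacity bands.

Added illustration only; not code from the page or from any cited framework.
Scales, bands, rates, loss ranges and the sample risks are all assumptions.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles

# Assumed board-set bands for annualised loss (currency units).
APPETITE = 250_000      # at or below: monitor only
TOLERANCE = 1_000_000   # above appetite, up to here: treat within a set time
CAPACITY = 3_000_000    # above tolerance, up to here: escalate; beyond: unacceptable


@dataclass(frozen=True)
class Risk:
    rid: str
    title: str
    owner: str
    likelihood: int          # qualitative 1..5 scale (assumed)
    impact: int              # qualitative 1..5 scale (assumed)
    events_per_year: float   # quantitative input for the simulation (assumed)
    loss_low: float          # plausible single-event loss range (assumed)
    loss_high: float

    @property
    def score(self) -> int:
        """Qualitative priority score: likelihood x impact."""
        return self.likelihood * self.impact

    @property
    def expected_annual_loss(self) -> float:
        """Analytic expectation: rate x mean of a symmetric triangular loss."""
        return self.events_per_year * (self.loss_low + self.loss_high) / 2


# Constructed sample register; every figure is illustrative only.
SAMPLE_REGISTER = [
    Risk("R-01", "Ransomware outage of core platform", "Head of security",
         likelihood=3, impact=5, events_per_year=0.3,
         loss_low=200_000, loss_high=2_000_000),
    Risk("R-02", "Leaked cloud API credential", "Head of security",
         likelihood=4, impact=2, events_per_year=1.0,
         loss_low=10_000, loss_high=100_000),
    Risk("R-03", "Compromised third-party package in build", "Head of legal",
         likelihood=2, impact=4, events_per_year=0.5,
         loss_low=50_000, loss_high=500_000),
]


def classify(annual_loss: float) -> str:
    """Map an annualised loss onto the appetite / tolerance / capacity bands."""
    if annual_loss <= APPETITE:
        return "within appetite: monitor"
    if annual_loss <= TOLERANCE:
        return "within tolerance: treat"
    if annual_loss <= CAPACITY:
        return "exceeds tolerance: escalate"
    return "exceeds capacity: unacceptable"


def prioritise(register):
    """Highest qualitative score first; ties broken by register id."""
    return sorted(register, key=lambda r: (-r.score, r.rid))


def filter_by_owner(register, owner: str):
    """The sort/filter step a Word or PowerPoint 'register' cannot do."""
    return [r for r in register if r.owner == owner]


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of events in one year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(register, trials: int = 10_000, seed: int = 1):
    """Monte Carlo: sample one year's total loss across the register `trials`
    times; return the mean, the 95th percentile and the band the mean lands in."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        year = 0.0
        for r in register:
            for _event in range(_poisson(rng, r.events_per_year)):
                year += rng.triangular(r.loss_low, r.loss_high)
        totals.append(year)
    avg = mean(totals)
    p95 = quantiles(totals, n=20)[18]   # 19 cut points; index 18 is the 95th
    return {"mean": avg, "p95": p95, "band": classify(avg)}


if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.rid} score={r.score:2d} "
              f"EAL={r.expected_annual_loss:>12,.0f}  {r.title}")
    print(simulate_annual_loss(SAMPLE_REGISTER))
```

The qualitative score drives the order in which risks are reviewed, while the simulated mean and 95th-percentile loss are what get compared against the board-set bands; the two views answer different questions and a register that holds both is more useful than one that holds only a colour rating. The band comparison is the consistent rule the text asks for: the same loss figure produces the same required action whoever runs it.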
Conclusion
Enterprise Risk Management (ERM) integrates principles from globally recognized frameworks, including ISO 31000, COSO and the UK’s Orange Book, to provide a comprehensive and coherent approach to managing risk across an organization. At its core, ERM emphasizes aligning risk management with an organization’s objectives and decision-making processes. From ISO 31000, the principle of integration stands out: risk management should be part of all organizational activities and embedded in culture and practice. It also underscores the need for a structured, systematic and customized approach that is inclusive, dynamic and responsive to change. COSO complements this by stressing governance and a culture that supports risk awareness, together with a strong emphasis on performance, strategy and accountability. COSO’s model revolves around understanding risk in the context of value creation and preservation, integrating risk considerations into strategy-setting, and driving better decision-making and performance outcomes. The Orange Book, tailored to public sector organizations, reinforces the importance of transparency, proportionality and continuous improvement in managing risk, and treats risk appetite in a structured way, emphasizing clarity on the level of risk the organization is willing to accept in pursuit of its objectives. Together, these frameworks advocate a proactive, continuous and people-centered approach that enhances resilience and supports better governance, strategic alignment and sustainable performance in both public and private sector organizations.
