COSO ERM and ISO 31000 do not recognise discrete risk management processes within an enterprise.
The reality of discrete risk management processes within an enterprise is not given much attention in the authoritative literature. It is almost fair to say that the matter has been avoided. There are no recommendations for discrete processes, and no authoritative statements against them.
COSO ERM talks only about ‘Enterprise’ risk management, without discussion of how the whole of the enterprise needs to take on some of the effort in a coordinated way. The ‘enterprise’ risk management concept appears to avoid the challenge of splitting up the risk management effort into separately managed activities. In reality, the ERM paradigm hides the problem rather than getting around it. ERM usually involves an expectation that risks across the organisation (and at many levels) will be taken into account, and that those risks will not all be understood or managed by a single team at enterprise level. At the same time, it may be useful to start ERM as a broad-brush overview, without waiting for detailed input from lower-level risk assessments.
ISO 31000 is not very different in the particular matter of dividing up and coordinating the risk management effort across an enterprise. However, ISO 31000 has some very helpful emphasis on the need to set the context for any risk management activity, and setting the context includes scoping. It therefore deals with part of the problem of scoping a risk assessment activity.
Scope as part of ‘setting the context’
The requirement for scoping is spelled out in ISO 31000 Clause 5.3:
By establishing the context, the organization articulates its objectives…and sets the scope and risk criteria for the remaining process. (5.3.1)
It can involve…defining the scope, as well as the depth and breadth of the risk management activity to be carried out, including specific inclusions and exclusions;…defining the activity, process, function, project, product, service or asset in terms of time and location… (5.3.4)
In ISO 31000, ‘the organization’ is any user of the standard, not necessarily a formally structured organisation with a legal name (see the Note in Clause 1 Scope).