COSO and ISO 31000 on discrete risk management processes

COSO ERM and ISO 31000 do not recognise discrete risk management processes within an enterprise.

What to read first: ‘Vocabulary for “risk management process”’ and ‘Discrete risk management processes within an enterprise (supplement for risk specialists)’.

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

This short article reviews the recognition of discrete risk management processes in COSO Enterprise Risk Management and in ISO 31000. It’s short because they don’t recognise the concept.


The reality of discrete risk management processes within an enterprise is not given much attention in the authoritative literature. It is almost fair to say that the matter has been avoided. There are no recommendations for discrete processes, and no authoritative statements against them.

COSO ERM talks only about ‘Enterprise’ risk management, without discussing how the different parts of the enterprise need to take on some of the effort in a coordinated way. The ‘enterprise’ risk management concept appears to sidestep the challenge of splitting the risk management effort into separately managed activities. In reality, the ERM paradigm hides the problem rather than getting around it. ERM usually carries an expectation that risks across the organisation (and at many levels) will be taken into account, and that those risks will not all be understood or managed by a single team at enterprise level. At the same time, it may be useful to start ERM as a broad-brush overview, without waiting for detailed input from lower-level risk assessments.

