COSO and ISO 31000 on discrete risk management processes (Risk Specialists)

COSO ERM and ISO 31000 do not recognise discrete risk management processes within an enterprise.

This short article reviews the recognition of discrete risk management processes in COSO Enterprise Risk Management and in ISO 31000. It’s short because they don’t recognise the concept.


The reality of discrete risk management processes within an enterprise is not given much attention in the authoritative literature. It is almost fair to say that the matter has been avoided. There are no recommendations for discrete processes, and no authoritative statements against them.

COSO ERM talks only about ‘Enterprise’ risk management, without discussing how the whole of the enterprise needs to take on some of the effort in a coordinated way. The ‘enterprise’ risk management concept appears to avoid the challenge of splitting up the risk management effort into separately managed activities. In reality, the ERM paradigm hides the problem rather than getting around it. ERM usually involves an expectation that risks across the organisation (and at many levels) will be taken into account, and that those risks will not all be understood or managed by a single team at enterprise level. At the same time, it may be useful to start ERM as a broad-brush overview, without waiting for detailed input from lower-level risk assessments.

ISO 31000 is not very different in the particular matter of dividing up and coordinating the risk management effort across an enterprise. However, ISO 31000 has some very helpful emphasis on the need to set the context for any risk management activity, and setting the context includes scoping. It therefore deals with part of the problem of scoping a risk assessment activity.

Scope as part of ‘setting the context’

The requirement for scoping is spelled out in ISO 31000 Clause 5.3:

By establishing the context, the organization articulates its objectives…and sets the scope and risk criteria for the remaining process. (5.3.1)

It can involve…defining the scope, as well as the depth and breadth of the risk management activity to be carried out, including specific inclusions and exclusions;…defining the activity, process, function, project, product, service or asset in terms of time and location… (5.3.4)

In ISO 31000, ‘the organization’ is any user of the standard, not necessarily a formally structured organisation with a legal name (see the Note in Clause 1 Scope).

Further Reading

Main articles on the topic:

1. Discrete risk management processes within an enterprise (Everyone)
2. Shapes for discrete risk management processes (Everyone)
3. Examples of discrete risk management processes (Everyone)
4. Risk ‘to’ an area of activity and risk ‘from’ the activity (Everyone)

Recommended next articles:

ERM and discrete risk management processes (Risk Specialists)

ERM may try to recognise all risks everywhere, or just high level risks. Trying to recognise all risks in ERM may be easier with many discrete risk management processes.

Some other main topics

What is Risk Management?

Coming soon: Scoping a risk management activity; ERM and RM; RM across an organisation, without a central register; Context setting, Objectives, expected and acceptable outcomes, priorities and tradeoffs.

All pages on ‘Discrete risk management processes within an enterprise’

Articles for everyone:
Discrete risk management processes within an enterprise (Everyone)
Shapes for discrete risk management processes (Everyone)
Examples of discrete risk management processes (Everyone)
Risk ‘to’ an area of activity and risk ‘from’ the activity (Everyone)

Supplements for reader streams:
For Risk Specialists: Risk management processes within an enterprise (Risk Specialists)
For CRMA Candidates: Risk management processes within an enterprise (CRMA)
For CRISC Candidates: Risk management processes within an enterprise (CRISC)

Extras for risk specialists:
Vocabulary (Risk Specialists)
COSO and ISO 31000 on discrete risk management processes (Risk Specialists)
ERM and discrete risk management processes (Risk Specialists)

Risk consequences as the final effect on objectives (LinkedIn – registration required)

For Executives: Risk management processes within an enterprise (Executives)
For Australian Government readers: Risk management processes within an enterprise (Australian Government)