After defining risk, ISO 31000 goes on to define risk management as:
I think it is regrettable that the word ‘organisation’ was rolled into the definition. Risk management can be done by and for entities and activities that are not formally ‘organisations’. Otherwise, the ISO definition is straightforward and my definition is consistent with it. I have not emphasised the organisational characteristics (direct, control) from the ISO definition as I don’t believe they are intrinsic to risk management as such. They are important in Enterprise Risk Management, a specific application of risk management. ISO 31000 does not distinguish risk management and Enterprise Risk Management, and tends to confuse the two.
COSO ERM is only concerned with Enterprise Risk Management, which it defines like this:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
That definition is reasonably consistent with the ISO 31000 definition if we make some allowances for the narrower application to a formal organisation with a board of directors. Like ISO 31000, COSO ERM does not specifically address the management of risk in smaller or larger units of human activity.
Limiting this definition of ERM to organisations with boards may help to explain the casual inclusion of ‘its risk appetite’ in the definition. I have chosen not to explore risk appetite in this basic introduction to risk management. For comparison purposes, we can take ‘within its risk appetite’ to mean ‘acceptable in view of the organisation’s situation and objectives’.
COSO ERM assumes that the risk appetite is owned and set (conclusively) by the board of directors. I think it is fair to say that a board of directors owns the risk appetite, given that they are elected by investors and heavily regulated by law and government, so that board ‘ownership’ is already far from autocratic. In other types of organisation, particularly government agencies, there may be no board of directors exercising that level of autonomy and ownership over the risk appetite. While there definitely is a risk appetite, it may not be owned or chosen by anyone inside the organisation structure. It is more likely to be a latent reality of community expectations that will never be fully discovered and known. In such cases the role of senior managers and governance bodies is to assess the risk appetite of stakeholders, and not to set it.
The Institute of Internal Auditors also has an attractive definition of ERM:
…a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding responses to, and reporting on opportunities and threats that affect the achievement of its objectives. [IIA 2009 Position Paper Role of Internal Auditing in Enterprise Risk Management.]
|This definition is a good description of risk management applied specifically at the enterprise level. Risk can also be managed at other levels, and understood to affect objectives other than enterprise objectives. Look out for a future article specifically comparing risk management with Enterprise Risk Management.|
Next article for Risk Specialists
|For CRMA candidates (IIA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.|
|For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.|
Previous article for Risk Specialists