Enterprise Risk Management
Separating the wheat from the chaff
RIMS provides guidance on various ERM frameworks
By Michael J. Moody, MBA, ARM
Enterprise risk management (ERM) has gone from a novel approach to risk management to a corporate management mainstay over the past eight to 10 years. Growth of this holistic approach to risk management has been helped by several critical drivers, including pressure from rating agencies and regulatory oversight. Despite this encouragement, as Rough Notes has documented a number of times over the past few years, ERM implementation continues to lag.
While there are a number of reasons for this, one of the most critical has been the large number of "frameworks" that have been advanced to "assist" in implementation. As a result, too many corporations have been hesitant to move to ERM for fear that the framework they select will not be the one that their industry sector, audit partners, rating agencies, and other concerned parties decide to use to measure success.
Sorting out the frameworks
Aware that this situation was causing problems for its members, the Risk and Insurance Management Society (RIMS) has decided to provide an objective report that reviews each of the major frameworks that are in use today. The Executive Report, which is titled An Overview of Widely Used Risk Management Standards and Guidelines, is designed "to evaluate the common elements and to differentiate among the various documents," according to a recent RIMS press release.
While there are a number of other frameworks in the public domain, RIMS has chosen the following six to review in the report:
• FERMA: A Risk Management Standard - 2002
• COSO: Enterprise Risk Management—Integrated Framework - 2004
• BS 31100: Code of Practice for Risk Management - 2008
• OCEG "Red Book" 2.0: GRC Capability Model - 2009
• ISO 31000: Risk Management—Principles and Guidelines - 2009
• Solvency II: Risk Management for the Insurance Industry - 2012
RIMS notes that several other popular frameworks, such as the Australia/New Zealand AS/NZS 4360:2004 standard, were not selected. In the case of AS/NZS 4360, RIMS indicates that much of its content was used as the core of ISO 31000, so a separate review would have been redundant.
In order to maintain a common approach to reviewing the above noted frameworks, RIMS "utilized the attributes from the RIMS Risk Maturity Model as the basis for evaluating the common aspects" of each program. RIMS also notes two concepts worth keeping in mind when reviewing these programs: the distinction between a "primary or recognized standard" and a "de facto standard." A primary standard is an established norm or requirement that usually takes the form of a formal document with established criteria or practices under the jurisdiction of a standards body. A de facto standard, on the other hand, "is typically considered as a custom, framework, etc., that may be developed outside of a recognized standard-setting body."
RIMS also points out that there continues to be much confusion about what standards are and what they are not. One quick illustration shows why the distinction matters: while standards serve a number of important functions, in practice "standards often are used by auditors to determine whether a company is complying with industry best practices." So it is often the auditors who push for the acceptance of one framework over another, and their involvement in the selection of a framework should not be minimized.
How do they stack up?
Research has shown that risk management strategies generally focus on one or more of the following elements:
• Meeting or exceeding an organization's objectives
• Adhering to control-based objectives, rules and/or controls
• Complying with regulatory requirements and objectives
Even with only these few elements, it is quickly apparent that they often represent competing objectives, which causes confusion about the purpose of ERM. One of the initial conclusions of the RIMS review is that the "alignment with an organization's objectives, adherence to controls as a means of managing risk, and the need to meet regulatory requirements tends to be weighted more in one area than the others, depending on the culture of the organization. Realizing this fact can help a corporation determine the most appropriate framework for its approach to developing a risk management strategy."
Without getting into a detailed analysis of each framework, RIMS has determined, based on its review, that all of the frameworks share a number of important similarities. Among the key features shared by all of the frameworks are:
• Adoption of an enterprise approach, with executive level sponsorship and defined accountabilities
• Structured process steps, oversight and reporting of the identified risks
• Understanding and accountability for defining risk appetite and acceptable tolerance boundaries
• Formal documentation of risks in risk assessment activities
• Establishment and communication of risk management process goals and activities
• Monitored treatment plans
But despite these similarities, each framework differs from the others in at least one major respect. For example, the major difference for ISO 31000 as compared with the RIMS maturity model is that "it shifts from an event to the effect risk and risk management has on an organization's objectives," and RIMS notes, "Trying to predict events can be difficult and challenging." Further, there is little discussion of the "portfolio view and interrelated dependencies that risk may have on the organization." While the framework may allude to this, at best the discussion of any interrelated risk is fleeting.
The OCEG "Red Book's" major difference is that it represents a formal approach to integrating the governance, risk and compliance processes. As a result, "risk is given a limited role," with its primary focus on identification and measurement. Additionally, based on the RIMS review, the Red Book approach fails to focus attention on either root cause considerations or risk ownership by business units.
The British standard, BS 31100, is quite similar to ISO 31000. However, it does not discuss business continuity management to any great degree. The standard does refer readers to a companion publication, BS 25999, Business Continuity Management, which "is offered as a standard specifically tailored to business resiliency and sustainability." Long-term, however, this is a significant shortcoming.
The RIMS analysis also found that the COSO framework had a high degree of similarity, except in one major area. "COSO more than any framework places a greater degree of responsibility on the board." It does this by requiring "not only that the board support ERM, but also have a direct involvement in the ERM process." While some risk management professionals believe that the board's involvement at this level is necessary to implement a successful ERM program, RIMS does not agree. To a lesser degree, the COSO framework also does not speak about root cause analysis or business resiliency or sustainability.
The standard set forth by FERMA is "not designed to create a prescriptive process for ERM." Rather, FERMA's approach is to describe the necessary component parts of an ERM framework. Those components then represent the "best practices" against which a company can measure itself. As with several of the other frameworks, this one also fails to discuss root causes as a key component of effective risk management.
Finally, Solvency II is, for the most part, a regulatory standard directed at the insurance industry. It must be implemented by insurance companies in the European Union by November 1, 2012, and in addition to risk management, the regulation covers financial assets/economic capital, governance, and disclosure and transparency. Because it is limited to the insurance industry, this framework is much narrower in focus than the others. The primary difference, according to RIMS, is "the quantification related to capital requirements."
When organizations begin to review the various ERM frameworks, they should realize that no one framework is going to provide an off-the-shelf solution. For the most part, every company is going to need to modify the framework it is using to meet its specific needs. But the company should also keep in mind that one of the key findings of the study is "that there are more similarities than differences among the reviewed standards and guidance documents."
Organizations looking for a meaningful review of each of the major frameworks should note that the RIMS report goes into significant detail on each of the frameworks noted above. Based on its analysis, the report indicates that all of the "standards and guidelines tend to be conceptual in nature, with little guidance on practical implementation." RIMS also points out that organizations should be aware that "elements in each of the standards and/or guidelines may be useful or adaptable," so that they can be better utilized in individual applications.
Finally, RIMS notes that it is not uncommon for a new management discipline to have several approaches to successful implementation. RIMS states that this "demonstrates that ERM is an evolving discipline that has meaningful applications to all business sectors." Without question, the RIMS review of the primary ERM frameworks is an important work and, as such, should help companies determine which framework is the most appropriate for them, and thus hasten their movement to ERM.
Michael J. Moody, MBA, ARM, actively promotes enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.