This article from Grant Purdy and John Lark that was published by the Conference Board of Canada in May 2012 explains that while managing risk is a natural part of life and business, we can all benefit from advice on how this can be achieved better and with more beneficial outcomes. The publication of ISO 31000 in 2009 represented a very significant milestone in our journey to understand and harness uncertainty as part of decision making.
The basic contention
We all manage risk, every day and all the time. We may not do it very systematically and, unless we are particularly well informed or inspired, it is likely that we will fail to properly understand and fully appreciate the risks that matter, and therefore take the most appropriate action to treat them.
Organisations are no different. Organisations of all kinds face internal and external factors and influences that make it uncertain whether, when and to what extent they will achieve or exceed their objectives. The effect this uncertainty has on the organisation’s objectives is “risk”.
Like individuals, organisations and the people who lead them do not naturally understand the risks that arise as a consequence of the decisions they make. Often their approach to assessing and responding to risk can be haphazard, informal and ad hoc. And this means that the organisations suffer losses and detrimental consequences at a higher rate than is acceptable and also fail to identify, appreciate and respond to all opportunities that might lead to gains.
Clearly, shareholders and stakeholders reward and respect organisations that achieve their objectives, so if organisations want to improve their level of success, they must understand the uncertainties they face and how to tackle them when they make decisions and take actions. This is, after all, the reason why so many corporate governance codes around the world now require boards to gain assurance on how well their organisations manage risk.
Guidance on managing risk
The practice of risk management has arisen from this need to optimise decision-making and, while there are various models out there as to how this should take place, the one contained in the International Standard ISO 31000:2009 is now achieving a wide degree of acceptance as reflecting world best practice.
The risk management process described in the international standard came from the Australian and New Zealand Standard, AS/NZS 4360, which, since 1995 and through three revisions and updates, had become the most widely used standard for risk management in organisations. ISO 31000 also draws from best practice in many other countries. For example, Clause 4 on implementation through integration was based on an elegant approach using the organisational improvement cycle of Plan-Do-Check-Act in Part 2 of the Austrian risk management standard.
The final version of ISO 31000 contains very little of the original text from other standards; it was re-written, reviewed and revised many times, by thousands of contributors, so that it became quite homogeneous and now reflects the global consensus on how best to manage risk within organisations.
Two of the most important qualities of the International Standard are its brevity and its advice on integration as a means of ensuring that the management of risk is both systematic and meaningful to managers and decision makers.
Other standards do exist and of those, probably that produced by the US-based COSO organisation in 2004 is best known. However, the approach given there now looks dated and, compared with the international standard, seems narrow and confused.
A recent review of the COSO ERM code found that:
- When preparing a risk assessment the code mentions external factors, but the majority of the discussion is focused on internal factors, systems, culture, etc. This can easily lead to organizations focusing only inwardly and not actively identifying risks that reflect external factors and circumstances;
- Stakeholders, particularly external ones, are not mentioned and stakeholders’ objectives and their influence on decisions about the significance of levels and types of risk are omitted;
- Risks are described as events, and events are described and illustrated by examples of sudden, acute occurrences. There is no appreciation of the slow changes in circumstance and situation (for example, a deterioration in internal culture or market sentiment) that give rise to some of the most critical risks;
- The COSO ERM code advises that the level of risk is estimated in terms of the probability of an event and its “typical” consequences. However, we will not always get the “typical” consequences every time an event occurs. In practice, people who follow the COSO ERM approach to estimating the level of risk will omit the conditional probabilities that should be applied to the event probability, which means that they always overestimate the level of risk. This prevents individual risks from being properly assessed and compromises any realistic modeling of the effectiveness of controls;
- The term ‘risk likelihood’ is used, but risk does not, per se, have a likelihood. Likelihood is one of the attributes used to measure the level of risk;
- While there are some concessions to what are called ‘opportunities’, in the COSO ERM code risks are mostly about losses and risk treatment (response) is about reducing the likelihood and severity of losses. The thinking in the COSO ERM code is not mature enough to appreciate and explain that risk is just the effect of uncertainty in what you set out to achieve and that outcomes can be beneficial, detrimental or both;
- The discussion about ‘risk responses’, ‘control activities’ and ‘monitoring’ is confusing and confused. In places the terms are used interchangeably and it is not clear in the COSO ERM code whether ‘control’ is being used as a noun or a verb;
- While the problems with the concept of inherent risk are well known, the COSO ERM code continues to advocate this artificial, theoretical state where no controls exist – which is contrary to best practice and the advice of the Institute of Internal Auditors;
- The whole area of risk appetite and what COSO ERM calls ‘risk tolerance’ is handled in a mechanistic and naive way. The material in the COSO ERM document on risk appetite has led to greater confusion and more wasted consultancy dollars than any other part of the code;
- The COSO ERM code confuses and mixes up the framework (the organizational structures, policies and arrangements put in place to promote, integrate and improve the management of risk) with the process used for risk management, particularly that used for risk assessment, risk treatment and monitoring and review.
Hydro One in Ontario is recognised as having one of the best implementations of risk management and its Chief Risk Officer, John Fraser, has commented that:
ISO 31000 is a simple, workable and proven concept. COSO is complex, unworkable and demonstrably can never work effectively.
The first principle of effective risk management given in ISO 31000:2009 is that risk management should create and protect value. This principle emphasizes that the underlying purpose of risk management is to assist an organization create and protect value – i.e. to achieve those ambitions that are expressed by its objectives. This requires that risks are detected, understood and modified as necessary.
The linkage between success (i.e. creating and protecting value) and the effectiveness of risk management is unavoidable and thus can be exploited to create value.
This principle also implicitly promotes the idea that risk should be managed in the most efficient way possible – for example, in a way that does not waste resources. The corollary is, of course, that if we do not manage risk effectively value is destroyed or not created.
John Fraser and his coauthors have identified the tangible benefits of effective risk management to his company, as shown in the following table.
| Examples of ERM benefits | Hydro One experiences |
| --- | --- |
| Achieve lower cost of debt | Realized a higher debt rating and lower interest costs than expected on a $1 billion debt issue, which was the first issue as a new company. The issue was heavily oversubscribed. Ratings analysts stated that ERM was a significant factor in the ratings process for Hydro One. |
| Capital expenditures process focused on managing/allocating capital based on greatest mitigation of risk per $ spent | Capital expenditures are allocated and prioritized based on a risk-based structural approach. An “optimal portfolio” of capital investments is achieved, providing the greatest risk reduction per $ spent. ERM has also been used in the change management for major projects such as the eighty-eight corporate utility acquisitions during 2000 and the potential building of an underground cable to the USA. |
| Avoid “land mines” and other surprises | Since starting ERM, there have been many unusual occurrences at the company. Interestingly, two significant ones were spelled out in the Corporate Risk Tolerances ahead of time: the dismissal of the Board of Directors and the reaction to a large oil spill. |
| Reassure stakeholders that the business is well managed (stakeholders include investors, analysts, rating agencies, regulators and the press) | During the Initial Public Offering road shows, the Corporate Risk Management Group was told that the ERM workshops had greatly assisted the executive team to articulate the risks they faced and what was being done about them. There are many other examples. |
| Improved corporate governance via best practices guidelines | Hydro One has moved from the Board Committees asking why these risk summaries were being brought to them to a position where they now expect this information. Directors recognize that Hydro One is ahead of the other companies on whose boards they sit. |
| Implement a formalized system of risk management that includes an ERM system (a required component of the 1995/1999/2004 Australian Standard for Risk Management) | Hydro One has a formalized system that drives periodic assessment, documentation and reporting of all risks. |
| Identifying which risks the company can pursue better than its peers | Although not necessarily attributable solely to ERM: a subsidiary marketing electricity was sold due to high commodity risks; several processing and administrative functions were outsourced to transfer labour union and labour cost risks. |
How to enhance your organization’s approach to managing risk
ISO has started the development of a new Standard, ISO 31004, which is intended to provide advice on how ISO 31000 should be implemented. The two authors of this article are both members of the working group that is developing that implementation guide.
One of the challenges all organisations face is how to move their approach to risk management forward, to enhance it and make it more responsive to their needs. ISO 31004 will contain advice on how organisations can:
- Move from an approach in which different types of risk are managed in distinctive ways, each with their own techniques and defined terms, to one using a common approach fully integrated into the organization’s system of management;
- Move from an approach concerned primarily with a narrow range of outcomes such as financial reporting to the full range of valued outcomes;
- Achieve better alignment with the principles of ISO 31000; and
- Ensure that uncertainty and its effect on all objectives are consistently considered as part of decision-making.
Regardless of the motive for making this transition, the expected outcome from doing so will be to ensure that the organization makes its decisions with a correct understanding of the associated risks and that the decisions ensure that the risk is within its risk criteria.
In order to be successful, the strategy for transition should recognize that the organization is already managing risk to some extent; it is always a good change management approach to adapt and modify existing arrangements rather than simply eliminating them and starting from the beginning.
Whatever the detail of the process adopted for the transition, it must be led by top management to ensure that the purpose is clear and that the resources needed to make the transition as quickly as possible are made available.
The key steps of the transition process are:
- The clear expression of the intent of top management for the change to occur and their support in terms of the allocation of the resources required to achieve a desired level of capability;
- Developing a clear understanding of the organization’s characteristics and its internal and external context, including the objectives of its key stakeholders;
- The setting of some performance-based ‘standards’ which specify the desired behaviors of managers and decision makers in the organization. In particular, these should lead to the integration of the risk management process into the organization’s system of management and, above all, into decision making;
- An evaluation of the existing practices and processes. This evaluation can involve both a gap analysis and a maturity assessment – and ISO 31000 provides an ideal basis for this;
- The development of a transition plan that specifies, in practical terms, what needs to be done to bring about the desired changes so that the organization complies with its own performance-based standards;
- The implementation of that plan – with appropriate tracking and monitoring of progress;
- A periodic and formal review both of progress with the transition plan and of the suitability, effectiveness and relevance of the company standards. This should, if necessary, lead to a realignment of the standards and a revision and update of the plan.
While managing risk is a natural part of life and business, we can all benefit from advice on how this can be achieved better and with more beneficial outcomes. The publication of ISO 31000 in 2009 represented a very significant milestone in our journey to understand and harness uncertainty as part of decision making.
New standards, by their nature, reset goals and ways of thinking, and undoubtedly the publication of ISO 31000 and its adoption by countries such as Canada as their national standard is stimulating organisations to examine their current ways of working, so that those who are faced with making decisions obtain simple, consistent, useful and unambiguous information that will help them reduce uncertainty in the achievement of objectives. This can only lead to greater confidence in decision-making and, ultimately, to better decisions and the creation of more value.
CAN/CSA-ISO 31000-10, Risk management — Principles and guidelines. Mississauga, Canadian Standards Organization for International Standards Organisation, 2009.
Enterprise Risk Management — Integrated Framework: Executive Summary. Committee of Sponsoring Organizations of the Treadway Commission, September 2004.
John Fraser and Betty Simkins, Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, chapter 28. Wiley, 2010.
HB 158, Delivering Assurance – Based on ISO 31000:2009. Sydney, Standards Australia and the Institute of Internal Auditors, ISBN 0 7337 7843 7, 2010.
ISO Guide 73, Risk Management – Vocabulary. Geneva, International Standards Organisation, 2009.
ONR 49002-2, Risk management for organisations and systems, Part 2: Guidelines for the integration of risk management into the general management system. Wien, Austrian Standards Institute, 2004.