Document Text Contents
Page 1
2nd European Risk Conference
Università Bocconi
September 11th & 12th, 2008
Risk Management Standards
– role, benefits & applicability –
Dr. Roland Franz Erben
Academic affiliation:
Bayerische Julius-Maximilians-Universität Würzburg
Lehrstuhl für BWL und Wirtschaftsinformatik
Josef-Stangl-Platz 2
D-97070 Würzburg
Germany
Address for correspondence:
Resi-Weglein-Gasse 3
D-89077 Ulm
Germany
Tel.: +49.(0)731.360808-93
Fax.: +49.(0)731.360808-94
Cell.: +49.(0)163.3733633
E-Mail: [email protected]
Page 2
Risk Management Standards
Dr. Roland Franz Erben page 2 of 34
Abstract:
As every risk management system must reflect the specific circumstances of an
organization, a uniform approach can never be adequate. Nevertheless, risk
management standards can provide useful support for designing and
implementing a comprehensive and consistent risk management system. After a
short description of two standards – the “COSO Enterprise Risk Management –
Integrated Framework” (COSO ERM) as well as the “ISO/DIS 31000 – Risk
management: Principles and guidelines on implementation” – these frameworks
are compared regarding the criteria “completeness”, “generic breadth”, “usability”,
“integration” and “external assessment”. It is shown, that both standards fulfill
these requirements to a high degree, with the ISO 31000 being more generic and
flexible while the COSO ERM provides more practical guidance. As a conclusion, it
can be expected that the already well-established COSO ERM and the emerging
ISO 31000 will play a predominant role in the future.
JEL-classification:
M19, L15, L29
Keywords:
• Risk Management Standards
• Risk Management Systems
• Standardization
• COSO ERM Integrated Framework
• ISO 31000
Page 17
Risk Management Standards
Dr. Roland Franz Erben page 17 of 34
above or several standards in the field of IT security or product safety). To assure
a consistent use of terms and definitions in all theses standards, it seemed to
make sense to define the vocabulary in one separate document, which then is
referenced to by other standards [see Brühwiler 2008, p. 14].
Unfortunately, meanwhile the development of the ISO 73 is substantially lagging
behind the progress of the ISO 31000 (e. g. approximately 40 percent of the
definitions included in the ISO 73 have not even been discussed until today).
This situation results in a major dilemma: Firstly, the ISO 31000 could be
released as scheduled but would then contain a reference to a document, which
is still in a “draft” status and thus subject to changes, although it is seen as
“indispensable” for the application of the ISO 31000. Secondly, the final release
of the ISO 31000 could be postponed until the ISO 73 is finished, which would
cause a substantial delay of approximately 1 ½ years. Thirdly, the most relevant
terms and definitions of the ISO 73 could be included in the ISO 31000 (and
similar standards) accepting that the terms and definitions for one and the same
subject may become inconsistent while the particular standards are further
developed. While currently there seems to be a certain tendency to favor the
latter approach, this problem is still unsolved and will be a predominant issue at
the upcoming meeting of the working group in December 2008.
4. Principles of Managing risks: The fourth section of the document outlines the
following eleven basic principles for managing risk [see ISO 2008b, ln. 179-220]:
(a) Risk management creates value.
(b) Risk management is an integral part of organizational processes.
(c) Risk management is part of decision making.
(d) Risk management explicitly addresses uncertainty.
(e) Risk management is systematic, structured and timely.
(f) Risk management is based on the best available information.
(g) Risk management is tailored.
(h) Risk management takes human and cultural factors into account.
Page 18
Risk Management Standards
Dr. Roland Franz Erben page 18 of 34
(i) Risk management is transparent and inclusive.
(j) Risk management is dynamic, iterative and responsive to change.
(k) Risk management facilitates continual improvement and enhancement of
the organization.
5. Framework for Managing risks: The fifth section of the document outlines
a risk management framework, providing the foundations and organizational
arrangements that will embed risk management throughout the organization at
all levels (see figure 02) [see ISO 2008b, ln. 221-359]:
Figure 02: ISO 31000 – framework for managing risks
6. Process for Managing risks: The sixth (and most extensive) section of the
document outlines the risk management process considering the following five
main activities (see figure 03) [see ISO 2008b, ln. 360-600]:
Page 33
Risk Management Standards
Dr. Roland Franz Erben page 33 of 34
International Organization for Standardization (ISO) [ed.] (2008a) : About ISO,
published electronically: http://www.iso.org/iso/about.htm.
International Organization for Standardization (ISO) [ed.] (2008b) : Risk
management – Principles and guidelines on implementation, Draft International
Standard ISO/DIS 31000, Geneva 2007.
Institut der Deutschen Wirtsch aftsprüfer (IDW) [ed.] (2000) : IDW 340 - Die
Prüfung des Risikofrüherkennungssystems nach § 317 Abs. 4 HGB, Düsseldorf
2000.
Kuhn, H. (2006) : Risikomanagement für Unternehmen – Was bringen die neuen
Normen?, in: MQ Management und Qualität, H. 6/2006, S. 8-10.
Neubeck G. (2003) : Prüfung von Risikomanagementsystemen in: Marten, K.-U.;
Quick, R.; Ruhnke K. [Hrsg.]: Hochschulschriften zur Wirtschaftsprüfung,
Düsseldorf 2003, S. 85 f.
Nicklisch, H. (1912) : Allgemeine Betriebslehre als Privatwirtschaftslehre des
Handels und der Industrie, Band 1, Leipzig 1912.
Östereichisches Normeninst itut (ON) [ed.] (2008) : Zur Neuausgabe der ON-
Regeln ONR 49000 – Anwendung von ISO/DIS 31000 in der Praxis
(Facinformation 06), Wien 2008.
Risk Management Association e. V. (2008) [ed.] : Bewertungsschema für Risiko
Management Standards, München 2008 (internal document, unpublished).
Ruud T. F.; Sommer K. (2006) : Enterprise Risk Management – Das COSO-ERM-
Framework, in: Der Schweizer Treuhänder, 3/2006, S. 127-128.
Sarbanes, Paul S.; Oxley, M.; US Dept. of Justice [ed.] (2002) : An Act to protect
investors by improving the accuracy and reliability of corporate disclosures made
pursuant to the securities laws, and for other purposes, Washington 2002,
published electronically: www.usdoj.gov
Page 34
Risk Management Standards
Dr. Roland Franz Erben page 34 of 34
Schmid, W. (2005) : Risk Management Down Under (AS/NZS 4360:2004), in:
RISKNEWS, H. 03/05, S. 25-28.
Shortread, J. H. et al. (2003) : Basic Frameworks for Risk Management, Network
for Environmantal risk management [eds.], 2003
Simister, T. (2000): Risk Management – the need to set standards, in: Balance
Sheet vol. 8, no. 4, S. 9-10.
Standard & Poors (2006) [ed.] : Insurance Criteria: Refining The Focus Of Insurer
Enterprise Risk Management Criteria, London 2006.
Weidemann, M./Wieben, H.-J. (2001) : Zur Zertifizierbarkeit von
Risikomanagement-Systemen, in: Der Betrieb, 54. Jg. 2001, H. 34, S. 1789-
1795.
Weidemann, M. (2001) : Der australisch-neuseeländische Standard AS/NZS
4360:1999 zum Risikomanagement, in: Der Betrieb, 54. Jg. 2001, H. 50, S.
2613-2618.
Winter, P. (2007) : Risikocontrolling in Nicht-Finanzunternehmen – Entwicklung
einer tragfähigen Risikocontrolling-Konzeption und Vorschlag zur Gestaltung
einer Risikorechnung, Lohmar/Köln 2007.
2nd European Risk Conference
Università Bocconi
September 11th & 12th, 2008
Risk Management Standards
– role, benefits & applicability –
Dr. Roland Franz Erben
Academic affiliation:
Bayerische Julius-Maximilians-Universität Würzburg
Lehrstuhl für BWL und Wirtschaftsinformatik
Josef-Stangl-Platz 2
D-97070 Würzburg
Germany
Address for correspondence:
Resi-Weglein-Gasse 3
D-89077 Ulm
Germany
Tel.: +49.(0)731.360808-93
Fax.: +49.(0)731.360808-94
Cell.: +49.(0)163.3733633
E-Mail: [email protected]
Page 2
Risk Management Standards
Dr. Roland Franz Erben page 2 of 34
Abstract:
As every risk management system must reflect the specific circumstances of an
organization, a uniform approach can never be adequate. Nevertheless, risk
management standards can provide useful support for designing and
implementing a comprehensive and consistent risk management system. After a
short description of two standards – the “COSO Enterprise Risk Management –
Integrated Framework” (COSO ERM) as well as the “ISO/DIS 31000 – Risk
management: Principles and guidelines on implementation” – these frameworks
are compared regarding the criteria “completeness”, “generic breadth”, “usability”,
“integration” and “external assessment”. It is shown, that both standards fulfill
these requirements to a high degree, with the ISO 31000 being more generic and
flexible while the COSO ERM provides more practical guidance. As a conclusion, it
can be expected that the already well-established COSO ERM and the emerging
ISO 31000 will play a predominant role in the future.
JEL-classification:
M19, L15, L29
Keywords:
• Risk Management Standards
• Risk Management Systems
• Standardization
• COSO ERM Integrated Framework
• ISO 31000
Page 17
Risk Management Standards
Dr. Roland Franz Erben page 17 of 34
above or several standards in the field of IT security or product safety). To assure
a consistent use of terms and definitions in all theses standards, it seemed to
make sense to define the vocabulary in one separate document, which then is
referenced to by other standards [see Brühwiler 2008, p. 14].
Unfortunately, meanwhile the development of the ISO 73 is substantially lagging
behind the progress of the ISO 31000 (e. g. approximately 40 percent of the
definitions included in the ISO 73 have not even been discussed until today).
This situation results in a major dilemma: Firstly, the ISO 31000 could be
released as scheduled but would then contain a reference to a document, which
is still in a “draft” status and thus subject to changes, although it is seen as
“indispensable” for the application of the ISO 31000. Secondly, the final release
of the ISO 31000 could be postponed until the ISO 73 is finished, which would
cause a substantial delay of approximately 1 ½ years. Thirdly, the most relevant
terms and definitions of the ISO 73 could be included in the ISO 31000 (and
similar standards) accepting that the terms and definitions for one and the same
subject may become inconsistent while the particular standards are further
developed. While currently there seems to be a certain tendency to favor the
latter approach, this problem is still unsolved and will be a predominant issue at
the upcoming meeting of the working group in December 2008.
4. Principles of Managing risks: The fourth section of the document outlines the
following eleven basic principles for managing risk [see ISO 2008b, ln. 179-220]:
(a) Risk management creates value.
(b) Risk management is an integral part of organizational processes.
(c) Risk management is part of decision making.
(d) Risk management explicitly addresses uncertainty.
(e) Risk management is systematic, structured and timely.
(f) Risk management is based on the best available information.
(g) Risk management is tailored.
(h) Risk management takes human and cultural factors into account.
Page 18
Risk Management Standards
Dr. Roland Franz Erben page 18 of 34
(i) Risk management is transparent and inclusive.
(j) Risk management is dynamic, iterative and responsive to change.
(k) Risk management facilitates continual improvement and enhancement of
the organization.
5. Framework for Managing risks: The fifth section of the document outlines
a risk management framework, providing the foundations and organizational
arrangements that will embed risk management throughout the organization at
all levels (see figure 02) [see ISO 2008b, ln. 221-359]:
Figure 02: ISO 31000 – framework for managing risks
6. Process for Managing risks: The sixth (and most extensive) section of the
document outlines the risk management process considering the following five
main activities (see figure 03) [see ISO 2008b, ln. 360-600]:
Page 33
Risk Management Standards
Dr. Roland Franz Erben page 33 of 34
International Organization for Standardization (ISO) [ed.] (2008a) : About ISO,
published electronically: http://www.iso.org/iso/about.htm.
International Organization for Standardization (ISO) [ed.] (2008b) : Risk
management – Principles and guidelines on implementation, Draft International
Standard ISO/DIS 31000, Geneva 2007.
Institut der Deutschen Wirtsch aftsprüfer (IDW) [ed.] (2000) : IDW 340 - Die
Prüfung des Risikofrüherkennungssystems nach § 317 Abs. 4 HGB, Düsseldorf
2000.
Kuhn, H. (2006) : Risikomanagement für Unternehmen – Was bringen die neuen
Normen?, in: MQ Management und Qualität, H. 6/2006, S. 8-10.
Neubeck G. (2003) : Prüfung von Risikomanagementsystemen in: Marten, K.-U.;
Quick, R.; Ruhnke K. [Hrsg.]: Hochschulschriften zur Wirtschaftsprüfung,
Düsseldorf 2003, S. 85 f.
Nicklisch, H. (1912) : Allgemeine Betriebslehre als Privatwirtschaftslehre des
Handels und der Industrie, Band 1, Leipzig 1912.
Östereichisches Normeninst itut (ON) [ed.] (2008) : Zur Neuausgabe der ON-
Regeln ONR 49000 – Anwendung von ISO/DIS 31000 in der Praxis
(Facinformation 06), Wien 2008.
Risk Management Association e. V. (2008) [ed.] : Bewertungsschema für Risiko
Management Standards, München 2008 (internal document, unpublished).
Ruud T. F.; Sommer K. (2006) : Enterprise Risk Management – Das COSO-ERM-
Framework, in: Der Schweizer Treuhänder, 3/2006, S. 127-128.
Sarbanes, Paul S.; Oxley, M.; US Dept. of Justice [ed.] (2002) : An Act to protect
investors by improving the accuracy and reliability of corporate disclosures made
pursuant to the securities laws, and for other purposes, Washington 2002,
published electronically: www.usdoj.gov
Page 34
Risk Management Standards
Dr. Roland Franz Erben page 34 of 34
Schmid, W. (2005) : Risk Management Down Under (AS/NZS 4360:2004), in:
RISKNEWS, H. 03/05, S. 25-28.
Shortread, J. H. et al. (2003) : Basic Frameworks for Risk Management, Network
for Environmantal risk management [eds.], 2003
Simister, T. (2000): Risk Management – the need to set standards, in: Balance
Sheet vol. 8, no. 4, S. 9-10.
Standard & Poors (2006) [ed.] : Insurance Criteria: Refining The Focus Of Insurer
Enterprise Risk Management Criteria, London 2006.
Weidemann, M./Wieben, H.-J. (2001) : Zur Zertifizierbarkeit von
Risikomanagement-Systemen, in: Der Betrieb, 54. Jg. 2001, H. 34, S. 1789-
1795.
Weidemann, M. (2001) : Der australisch-neuseeländische Standard AS/NZS
4360:1999 zum Risikomanagement, in: Der Betrieb, 54. Jg. 2001, H. 50, S.
2613-2618.
Winter, P. (2007) : Risikocontrolling in Nicht-Finanzunternehmen – Entwicklung
einer tragfähigen Risikocontrolling-Konzeption und Vorschlag zur Gestaltung
einer Risikorechnung, Lohmar/Köln 2007.
