Page 1

2nd European Risk Conference
Università Bocconi

September 11th & 12th, 2008

Risk Management Standards
– role, benefits & applicability –

Dr. Roland Franz Erben

Academic affiliation:

Bayerische Julius-Maximilians-Universität Würzburg

Lehrstuhl für BWL und Wirtschaftsinformatik

Josef-Stangl-Platz 2

D-97070 Würzburg


Address for correspondence:

Resi-Weglein-Gasse 3

D-89077 Ulm


Tel.: +49.(0)731.360808-93

Fax.: +49.(0)731.360808-94

Cell.: +49.(0)163.3733633

E-Mail: [email protected]

Page 2

Risk Management Standards

Dr. Roland Franz Erben   page 2 of 34 



As every risk management system must reflect the specific circumstances of an organization, a uniform approach can never be adequate. Nevertheless, risk management standards can provide useful support for designing and implementing a comprehensive and consistent risk management system. After a short description of two standards, the "COSO Enterprise Risk Management – Integrated Framework" (COSO ERM) and the "ISO/DIS 31000 – Risk management: Principles and guidelines on implementation", these frameworks are compared against the criteria "completeness", "generic breadth", "usability", "integration" and "external assessment". It is shown that both standards fulfill these requirements to a high degree, ISO 31000 being the more generic and flexible of the two while COSO ERM provides more practical guidance. In conclusion, it can be expected that the already well-established COSO ERM and the emerging ISO 31000 will play a predominant role in the future.


JEL classification: M19, L15, L29

Keywords:

• Risk Management Standards

• Risk Management Systems

• Standardization

• COSO ERM Integrated Framework

• ISO 31000

Page 17



above or several standards in the field of IT security or product safety). To ensure a consistent use of terms and definitions across all these standards, it seemed sensible to define the vocabulary in one separate document, which is then referenced by the other standards [see Brühwiler 2008, p. 14].

Unfortunately, the development of ISO 73 has meanwhile fallen substantially behind the progress of ISO 31000 (approximately 40 percent of the definitions included in ISO 73 have not even been discussed to date). This situation results in a major dilemma. Firstly, ISO 31000 could be released as scheduled, but would then reference a document that is still in "draft" status and thus subject to change, although that document is regarded as "indispensable" for applying ISO 31000. Secondly, the final release of ISO 31000 could be postponed until ISO 73 is finished, which would cause a substantial delay of approximately one and a half years. Thirdly, the most relevant terms and definitions of ISO 73 could be included directly in ISO 31000 (and similar standards), accepting that the terms and definitions for one and the same subject may become inconsistent as the individual standards are developed further. While there currently seems to be a certain tendency to favor the third approach, the problem is still unsolved and will be a predominant issue at the upcoming meeting of the working group in December 2008.

4. Principles of managing risks: The fourth section of the document outlines the following eleven basic principles for managing risk [see ISO 2008b, ln. 179-220]:

(a) Risk management creates value.

(b) Risk management is an integral part of organizational processes.

(c) Risk management is part of decision making.

(d) Risk management explicitly addresses uncertainty.

(e) Risk management is systematic, structured and timely.

(f) Risk management is based on the best available information.

(g) Risk management is tailored.

(h) Risk management takes human and cultural factors into account.

Page 18



(i) Risk management is transparent and inclusive.

(j) Risk management is dynamic, iterative and responsive to change.

(k) Risk management facilitates continual improvement and enhancement of

the organization.

5. Framework for managing risks: The fifth section of the document outlines a risk management framework, providing the foundations and organizational arrangements that embed risk management throughout the organization at all levels (see figure 02) [see ISO 2008b, ln. 221-359]:

Figure 02: ISO 31000 – framework for managing risks

6. Process for managing risks: The sixth (and most extensive) section of the document outlines the risk management process, comprising the following five main activities (see figure 03) [see ISO 2008b, ln. 360-600]:

Page 33



International Organization for Standardization (ISO) [ed.] (2008a): About ISO, published electronically:

International Organization for Standardization (ISO) [ed.] (2008b): Risk management – Principles and guidelines on implementation, Draft International Standard ISO/DIS 31000, Geneva 2007.

Institut der Deutschen Wirtschaftsprüfer (IDW) [ed.] (2000): IDW 340 – Die Prüfung des Risikofrüherkennungssystems nach § 317 Abs. 4 HGB, Düsseldorf

Kuhn, H. (2006): Risikomanagement für Unternehmen – Was bringen die neuen Normen?, in: MQ Management und Qualität, no. 6/2006, pp. 8-10.

Neubeck, G. (2003): Prüfung von Risikomanagementsystemen, in: Marten, K.-U.; Quick, R.; Ruhnke, K. [eds.]: Hochschulschriften zur Wirtschaftsprüfung, Düsseldorf 2003, pp. 85 f.

Nicklisch, H. (1912): Allgemeine Betriebslehre als Privatwirtschaftslehre des Handels und der Industrie, vol. 1, Leipzig 1912.

Österreichisches Normeninstitut (ON) [ed.] (2008): Zur Neuausgabe der ON-Regeln ONR 49000 – Anwendung von ISO/DIS 31000 in der Praxis (Fachinformation 06), Wien 2008.

Risk Management Association e. V. [ed.] (2008): Bewertungsschema für Risiko Management Standards, München 2008 (internal document, unpublished).

Ruud, T. F.; Sommer, K. (2006): Enterprise Risk Management – Das COSO-ERM-Framework, in: Der Schweizer Treuhänder, 3/2006, pp. 127-128.

Sarbanes, Paul S.; Oxley, M.; US Dept. of Justice [ed.] (2002): An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes, Washington 2002, published electronically:

Page 34



Schmid, W. (2005): Risk Management Down Under (AS/NZS 4360:2004), in: RISKNEWS, no. 03/05, pp. 25-28.

Shortreed, J. H. et al. (2003): Basic Frameworks for Risk Management, Network for Environmental Risk Management [eds.], 2003.

Simister, T. (2000): Risk Management – the need to set standards, in: Balance Sheet, vol. 8, no. 4, pp. 9-10.

Standard & Poor's [ed.] (2006): Insurance Criteria: Refining The Focus Of Insurer Enterprise Risk Management Criteria, London 2006.

Weidemann, M.; Wieben, H.-J. (2001): Zur Zertifizierbarkeit von Risikomanagement-Systemen, in: Der Betrieb, vol. 54, 2001, no. 34, pp. 1789-

Weidemann, M. (2001): Der australisch-neuseeländische Standard AS/NZS 4360:1999 zum Risikomanagement, in: Der Betrieb, vol. 54, 2001, no. 50, pp.

Winter, P. (2007): Risikocontrolling in Nicht-Finanzunternehmen – Entwicklung einer tragfähigen Risikocontrolling-Konzeption und Vorschlag zur Gestaltung einer Risikorechnung, Lohmar/Köln 2007.
