With the increasing complexity and rising expectations for high-performance risk management, well-considered, thoroughly vetted and appropriately applied risk standards are necessary and useful.
Inconsistency in processes and practices quickly becomes chaotic for the practitioner. Well-developed standards enable consistency and promote the application of practices and principles to more productive ends. Yet, the debate surrounding risk management standards has been plodding along for over a decade.
My first peek behind the standards/framework curtain was as a member of the Executive Council of the Risk and Insurance Management Society Inc. in 2001. We knew that the Committee of Sponsoring Organizations (COSO) was about to circulate a draft of their enterprise risk management (ERM) framework. RIMS leadership believed that we needed to weigh in on what appeared to be an effort driven by auditors and accountants with scant contribution from the risk management community.
We sought to influence the draft and submitted our concerns about its narrow focus. Our efforts were rebuffed. Admittedly, we were late to the party, but it was even clearer that the auditors wanted to steer this ship and weren't interested in our view.
While COSO's ERM efforts weren't fundamentally bad, without risk practitioner input, they were severely slanted toward an auditor's view of risk and controls, with (no surprise) a heavy emphasis on controls. They were devoid of several critical risk management elements. While, historically, risk managers have driven the standards debate, the broad acceptance of the COSO ERM approach is of great concern for how truly effective risk management should be practiced. Buyer beware.
The Australians and New Zealanders were early out of the gate with their joint standard (AS/NZS 4360), which has been widely and well received outside the United States. In 2002, the Institute of Risk Management published their standard, adding to the debate but simultaneously introducing competing "standards" that, while well intentioned, led to more confusion among risk managers about which way is the right way.
Even the International Federation of Risk and Insurance Management Associations (IFRIMA) weighed in in 2004 and declared through its then Chairwoman, Susan Meltzer, "Risk professionals don't fit into a certain mold. Frankly, that is the intrigue of this profession for many of us. Across different industries, throughout different countries the job description varies tremendously."
And therein lies the crux of the question about standards: are organizations so different that risk standards may not provide any real value? After practicing this discipline for more than 20 years I was fairly convinced that standards are a fool's game. I agree with Meltzer that each risk program, especially ERM programs, should be designed for and customized to the needs of organizations adopting these strategies.

The International Organization for Standardization (ISO) has just released ISO 31000. The good news is that this "standard" is not intended to be a standard, but a generic guideline for managing all risks.

I think they, like IFRIMA, got it right. Theirs is not the "how" as much as the "what." And while the how still challenges many, only through a thorough understanding of their organizations will risk managers deploy risk management strategies successfully.
CHRIS MANDEL is the enterprise risk manager for a leading financial institution and a former president of the Risk and Insurance Management Society.
October 1, 2009
Copyright © 2009 LRP Publications