I don't just mean rigor as it relates to quantification or measurement. I mean rigor in the context of uniformity and consistency. Yes, we've been doing it on our own, in many different ways, for a while now, much to the chagrin of senior managers and boards that abhor these characteristics.
While it's not chaotic, the result is a myriad of different programs, processes, frameworks and even fundamental principles. Admittedly, the fundamentals are very similar for most practitioners, but the differences are bothering regulators, rating agencies and boards. Does it matter? I think it does and increasingly so, as the discipline seeks more recognition, resources, validity and respect for its professional and intellectual output.
Enter ISO 31000. Yes, that's the International Standards Organization, a body whose "standards" are often subject to strict rules of verification and formal certification. Firms avail themselves of these certifications (e.g. ISO 9001 for quality) often for competitive advantage purposes as well as to meet the expectations of stakeholders.
Is this bureaucracy and unnecessary regimentation, resulting in competitive disadvantage? Possibly, but it doesn't have to be. There are good reasons for adopting a standard that will produce better outcomes that will further legitimize the practice.
Ah, but the fight is fierce among competitive alternatives including COSO's ERM "framework" (2004) and OCEG's GRC Capability Model (2009). As you would expect, there's plenty of overlap among and between these three predominant "standards" and the many others.
It might seem useful to understand the difference between models, frameworks and standards. Yet since only one of these three is subject to certification, I would suggest it doesn't matter. Each offers similar guidance on how best to manage risk. A key distinction tends to be the type of functionaries responsible for producing them (e.g. COSO is auditor-driven, OCEG is compliance-driven and ISO is risk manager-driven). Each brings a specific view of risk to the table, some subordinating it to other interests and others making risk preeminent.
Another distinction is the intended purpose of each. The three purposes that tend to dominate are whether the certification is objective-, compliance- or regulation-oriented. These "purposes" allow users with varying cultural priorities to choose the one that best aligns with their mission. And while I have a strong bias towards ISO 31000, I think the issue of cultural alignment is critical.
If you're astute enough to have support from key risk stakeholders, you'll have worked through the priorities driven by the biases that discipline leaders sometimes stubbornly cling to. The end result may not put risk managers in the lead, but it's much more critical to have stakeholders singing from the same song sheet. I think you'd agree it wouldn't be wise for your head auditor to give the audit committee a materially different view of risk than the risk manager. Not a good career-advancing strategy.
While I have no room here to get into the case for ISO 31000, carefully consider how this well-written "standard" can effectively guide your risk management strategy. The key to success is keeping your chosen standard from becoming bureaucratic and a distraction from what should be your real priorities in managing risk.
CHRIS MANDEL is the president of Excellence in Risk Management LLC, a long-term risk management leader and former president of RIMS.
April 1, 2011
Copyright © 2011 LRP Publications