3.1 Implementing Risk Management
The undertaking by an organization to implement a risk management offering, whether in a small organization or a multinational company, is a daunting task. Individuals working in a small business will have hands-on experience in the daily operations of the organization and will completely understand the processes, objectives and goals of the organization from the bottom up and the top down. In comparison, a large organization would require input from many individuals, departments, locations, management, senior management and shareholders to obtain the information required to fully understand the organization in its entirety. Irrespective of size and scale, all organizations require a coordinated approach to managing all the key business risks they face with the goal of obtaining favourable outcomes.
Some organizations can structure a risk management framework and process designed to manage all the key business risks they face based on the skill of individuals and designated risk management practitioners inside the organization. It is, however, recommended that an organization select an internationally recognized standard that includes a framework and process best suited to that organization. The risk management framework is the foundation that supports the organization's risk management process and is the conduit that communicates risk information from the risk management process to the organization. The risk management process consists of activities that manage and control risks and their effects on the organization. The risk management framework supports the risk management process in the organization.
The advantages of using an internationally recognized risk management standard are that its standard approach can be applied to all organizations, its concepts are periodically reviewed to adjust to evolving risk, and it will be recognizable to risk management practitioners globally in the external environment.
Compliance with a risk management standard is not mandatory; its use by an organization is advisory. The two risk management standards discussed in this chapter are ISO 31000:2018 and COSO ERM 2017. It should be noted that both risk management standards are available as documents or in software form for ease of use by an organization.
A standard is a document, often prepared by a recognized authority, that provides guidelines, nomenclature, activities, principles, requirements and a basis for ensuring consistency in the practices an organization undertakes. The use of a standard is not mandatory, but it is considered a tenet of best practice. In contrast, a code is mandatory, requiring compliance by an organization; failure to comply will result in consequences such as fines, suspension, shut-down or prison.