A guide to industry standards for risk management
In previous posts, we discussed different industry standards for risk management, including ISO 31000, ISO 9001:2015 clause 6, COSO and PMBOK. In this post, we’ll provide a summary of these industry standards, as well as some insight into what guidelines you should be paying attention to.
The International Organization for Standardization (ISO), a standard-setting body made up of representatives from various national standards organizations, develops voluntary international standards. Among the areas covered under ISO’s standards is risk management – enter ISO 31000.
ISO 31000 is a group of standards relating to risk management codified by ISO. Simply put, the purpose of ISO 31000 is to provide principles and general guidelines on risk management.
Specifically, this family of standards includes:
ISO 31000:2009 – Principles and Guidelines on Implementation
ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
ISO Guide 73:2009 – Risk Management – Vocabulary
According to the International Organization for Standardization, ISO 31000 is intended to be applicable and adaptable for “any public, private or community enterprise, association, group or individual.”
ISO 9001:2015 clause 6
According to ASQ, ISO 9001 is “the international standard that specifies requirements for a quality management system (QMS).” Many organizations use the standard “to consistently provide products and services that meet customer and regulatory requirements.” It is important to note that ISO 9001 is the most widely recognized standard in the ISO 9000 series. ASQ states that it is also the only one in the series “to which organizations can certify.”
ISO 9001 debuted in 1987 and the current version was released in September 2015, thus the designation “ISO 9001:2015.”
ISO is considered by many to be the authority when it comes to risk management guidelines and its standards are widely recognized as the law in our industry. ISO 9001:2015 is certainly no exception. As its focus is quality management systems, ISO 9001:2015 must not be overlooked by risk managers.
Clause 6 of ISO 9001:2015 is focused on planning. This section builds on previous clauses, primarily clause 4 on risks and opportunities. Clause 6 advises practitioners that once risks and opportunities have been identified, it is essential that an organization outlines how these will be addressed through planning. According to the clause, planning should clearly define the strategies, tactics and personnel involved in addressing risks. Clause 6 also emphasizes a proactive approach in order to minimize issues.
Clause 6 focuses on the QMS and its “quality objectives,” which ISO says must be:
Updated as necessary
The acronym “COSO” is short for the Committee of Sponsoring Organizations of the Treadway Commission. According to its website, COSO is a joint initiative of five private sector organizations – the American Accounting Association, the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Association of Accountants and Financial Professionals in Business, and the Institute of Internal Auditors (IIA).
In 1985, COSO was organized to sponsor the National Commission on Fraudulent Financial Reporting. According to COSO, the Commission is “an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting.” In addition, the Commission developed recommendations for both public companies and their independent auditors. It also created recommendations for regulators such as the SEC, as well as educational institutions.
COSO’s goal is to serve as a thought leader in three primary areas: enterprise risk management (ERM), internal control, and fraud deterrence. In 2004, COSO published Enterprise Risk Management – Integrated Framework. Beginning in 2009, COSO also began publishing papers on ERM, which are available for download free of charge.
According to COSO, its Enterprise Risk Management – Integrated Framework:
Defines essential risk management components
Discusses key ERM principles and concepts
Suggests a common ERM language
Provides clear direction and guidance for enterprise risk management
NOTE: In September, the Enterprise Risk Management – Integrated Framework was updated. The 2017 revision addresses the evolution of enterprise risk management.
PMBOK is an acronym for the Project Management Body of Knowledge, a set of standard terminology and guidelines for project management. The PMBOK is published by the Project Management Institute (PMI) – a US nonprofit professional organization for project management – and is currently in its fifth edition.
One of the knowledge areas covered in the PMBOK is Project Risk Management. As Rupen Sharma, PMP, of Bright Hub Project Management says, the PMBOK includes both “tools and techniques defined by the PMI that can help you manage risks more effectively.”
Specifically, the Project Risk Management knowledge area consists of these processes:
Plan Risk Management
Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis
Plan Risk Responses
Monitor and Control Risks