April 2011

Managing the Complexity of Risk

The ISO 31000 framework aims to provide a foundation for effective risk management within the organization.

Neil Baker
Freelance Writer

Enterprise risk management (ERM) can seem like a complicated and abstract practice, a realm of specialist expertise that has only a passing connection to the day-to-day business of working in an organization. This is a paradox, as the people who do claim to understand ERM would assert that, essentially, it boils down to a few basic principles that are easy to grasp. One of these principles says that risk management is part of everybody’s job — indeed, we couldn’t function for very long in daily life, never mind at work, if we didn’t know how to manage risk.

The problem is that not all ERM experts agree on what these basic principles are and, even when they do agree, they can use different words to express them. Moreover, no two organizations will implement ERM in the same way, even if their starting point is a common set of principles and a shared terminology. In fact, it’s a basic principle of ERM that no two organizations should have the same approach, because risk management practices should be tailored to the organization and every organization is different.

From a few seeds of agreed knowledge, an amazing diversity of ERM approaches can flower. It’s rather like those infinitely spiraling patterns that mathematician Benoit Mandelbrot generated with the most simple of equations: beautiful and awe-inspiring to behold, but with a complexity beyond comprehension.

The need to overcome this complexity and adopt ERM, or just get a better grip on risk, has renewed impetus. The global economic downturn has exposed the poor risk management practices of many organizations — and not just those in the financial services industry. Pressure on tax revenues and government finances is forcing public bodies and not-for-profit organizations to review their risk management practices as well.

An organization intent on raising its game in this area most likely would turn to a best-practice model of risk management as a starting benchmark. And identifying such a model would almost certainly be the first step for an internal auditor tasked with assessing the quality of his or her organization’s risk practices. There are many models to consider. The Turnbull Guidance is very popular in the United Kingdom; The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) guidance is widely used in the United States and elsewhere.

But despite several options, the establishment of an internationally accepted risk management benchmark has been elusive. The Geneva-based International Organization for Standardization attempted to address this issue when, in 2009, it published a new standard: ISO 31000: Risk Management–Principles and Guidelines. The standard provides principles and generic guidelines on risk management that, according to the ISO, can be used by any kind of organization to manage every type of risk. Internal auditors who have used the standard say it offers significant benefits, but it is not without flaws, they caution.

GLOBAL APPEAL

Grant Purdy, an associate director at Broadleaf Capital International who chairs the Standards Australia and Standards New Zealand risk management committee and played a part in writing the ISO standard, says it is the first such benchmark to be genuinely global. “Over the past 20 years, risk and risk management have been addressed in many standards and pieces of legislation,” he says. “Most of these standards and laws have had relevance to a single jurisdiction. While they have often had similarities, none has had universal acceptance.”

ISO 31000 “promotes a simple way of thinking about risk management that will help remove inconsistency and ambiguity,” Purdy says. “It is based on a series of simple principles that provide both structure and flexibility.” The principles describe the components of a best practice risk management process and the characteristics or principles that such processes should demonstrate (see “The ISO Model,” below).

The ISO Model

The ISO 31000 standard is based on a set of core principles and characteristics. It says an organization with a best practice approach to risk management should have “structured and ongoing” internal communication about risks. They should be identified in the context of the wider internal and external environment, which means thinking about everything from political and social change to business ethics and strategy. Moreover, the standard says that risks should be identified through a formal, structured process, and that there should be an appropriate technique for analyzing the consequences and likelihood of each risk. There also must be a mechanism for ranking risks in order of importance — so that treatment efforts can be prioritized — and decisions about how to deal with a risk should be rational. The whole process should be reviewed and monitored, including follow-up on any actions needed to address identified risks.

The standard also outlines the characteristics that a best practice risk management process should demonstrate. These say that risk management should:

  • Address uncertainty.
  • Constitute an integral part of business process and decision-making.
  • Be based on the best available information and tailored to the organization.
  • Take “human and cultural factors into account,” so that people can actually implement the process in the real world.
  • Be “dynamic, iterative, and responsive to change,” as well as transparent and inclusive.
  • Mature further as the organization gets better at risk management.
  • “Create and protect” value. 

Some of these objectives will be easier to achieve than others, but the standard does at least give internal auditors a clear goal toward which to aim.

These processes form part of a wider risk management framework, which the ISO defines as a “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.” By “organizational arrangements” it means plans, relationships, resources, and activities.

Every organization has such a framework. Whether it is formally established or written on the back of a dinner napkin, there is always a set of risk practices and attitudes incorporated into the way the organization operates. (The ISO defines risk “attitude” — rather than the more familiar “appetite” — as the organization’s approach to “assess and eventually pursue, retain, take, or turn away from risk.”) Management is responsible for setting the risk attitude, and the board is responsible for deciding whether it has been set in a way that is in the best interests of shareholders.

AUDIT ROLE

In December 2010 The IIA produced guidance explaining how ISO 31000 could be useful to internal auditors. Practice Guide: Assessing the Adequacy of Risk Management Using ISO 31000 puts the ISO standard in the context of The IIA’s wider International Professional Practices Framework. Under IIA Standard 2120: Risk Management, the internal audit shop must evaluate the effectiveness of the organization’s risk management and help to improve it. Standard 2100: Nature of Work says the audit shop should “evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.”

An internal auditor needs a way of measuring and providing assurance over the effectiveness of risk management to meet these requirements, the practice guide says. ISO 31000 is one of the frameworks they might use as a model.

The guide explains three different ways in which the internal audit shop can provide assurance over risk management. These represent overlapping perspectives, it says, rather than an either/or choice. The auditors can assess whether: 1) each element of the model risk management process is in place, 2) the overall process has the desired characteristics, and 3) it is maturing as the organization changes and develops.

ISO 31000 is helpful with all three, says Brian Foster, senior audit director at Microsoft Corp. and one of the IIA guide’s authors. “Whether an auditor is facilitating the creation of a risk management function, or evaluating a function that is very mature, ISO 31000 is a very valuable tool to benchmark an organization’s risk management commitment, design, execution, and monitoring,” he says.

PRACTICAL VALUE

While ISO 31000 is a relatively new standard, it is closely modeled on one that has been used in Australia and New Zealand for years, known as AS/NZS 4360. Indeed, Michael Parkinson, a director of KPMG in Australia and vice chair of professional services at The IIA, says the two are almost the same.

The ISO standard — like the AS/NZS one that it replaced — is helpful to internal auditors who are putting together an overall audit review program and working out which areas need coverage, Parkinson says, because it provides an objective way of assessing how important the control systems of any process are to the organization. While ISO 31000 is different from the ISO’s other standards in that it is not auditable or certifiable, “it nevertheless provides a basis for internal auditors to build a normative model, and it provides principles against which an auditor can test the performance of the risk management process,” he says.

At a more detailed level, Parkinson adds, the standard also can help an internal auditor plan an individual assignment. “Not everything can be tested or reviewed, so it is important to identify what is highest priority,” he says. “Part of the process for an internal audit is to assess the adequacy of control systems — this means assessing whether the controls as designed address the risks of the activity. ISO 31000 provides a robust discipline for that risk assessment.”

Parkinson also values the fact that ISO 31000 provides an internationally accepted way of identifying and analyzing risks. “It can be expanded to assist with control design and the assessment of organizational risk management practices,” he says. “The processes are simple and scalable — that is, they can be explained quickly to a client and they can be used at any level and in any part of an organization; they are completely independent of the subject matter.”

The standard also gives the discipline of risk management an internationally agreed vocabulary, he says. “This means that not only do risk managers speak a common language, but also that internal auditors can join in and understand the conversation. The risk management specialists and the internal auditors inside an organization have a lot of common objectives — having a common language and approach facilitates cooperation.”

The widespread use of ISO 31000’s predecessor in Australia and New Zealand has also helped internal auditors on the level of their own personal careers, he believes, making them “considerably more mobile.” There is less variety in house style, with organizations adopting similar risk approaches. “And where there is variety, that variety is more likely to have reasons of professional purpose rather than personal style,” he says.

BIG PICTURE

One of the benefits of ISO 31000 is that it is “framed at a suitably high level,” says Andrew MacLeod, a joint author of the IIA–Australia guide, Delivering Assurance Based on ISO 31000. The COSO approach, by contrast, has more of a compliance focus, he says. Simon King, a principal at risk management advisory firm DNV in the United Kingdom, agrees. The fact that ISO 31000 is a non-certifiable standard “is a huge advantage,” he says. “We’ve found that people like the way that ISO 31000 is not about having defined pieces of paper or following set ways of dealing with specific controls,” he says. “It provides a framework applicable to all organizations.”

Other risk management frameworks, such as those promulgated by the UK finance ministry for government-sector auditors, can be too prescriptive, King says. “In my experience, that can lead organizations to make sometimes unattainable statements of their target maturity levels, which in turn drives unnecessary and often short-term actions to achieve certain levels,” he argues. “ISO 31000 instead provides a nonjudgmental way of showing organizations what they can do to help embed risk management and make all their risk management efforts more effective; this should make risk management programs and their effects more sustainable.”

Tim Leech, chief methodology officer at Risk Oversight Inc. in Toronto, says the ISO framework represents a “purer form” of risk management. But at the same time, he doesn’t believe ISO 31000 is necessarily a panacea for internal auditors. In organizations where the internal audit shop still functions as the primary analyst and reporter of risks and controls, performing the majority of formalized risk and control assessments, the standard asks them to assess a process that they are an important element of, he says. “This raises a fundamental question of independence and objectivity.”

Parkinson, meanwhile, says that while the ISO standard offers the attraction of a common terminology, there are differences between some of its definitions and those used in The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), especially on key terms such as risk appetite and risk tolerance. “It is largely semantic, but it is still a concern,” he points out. “What we mean by ‘risk appetite’ is not necessarily the same as the definition used by risk managers.”

This situation, Parkinson adds, means that risk managers and internal auditors may use different meanings for the same words in their discussions with management, potentially leading to confusion and disagreement. “Internal auditors by habit use the language of their clients rather than internal audit terminology, but it is hard to do this when terms have inconsistent meanings,” he says.

Norman Marks, vice president for SAP in San Jose, Calif., sees ISO 31000 as a valuable document, though he too emphasizes its limitations. “We should understand its deficiencies because they impact our use of the standard and need to be addressed at some point,” he says. “For example, ISO 31000 does not insist that you need to have an adequate risk culture — and yet without one, risk management will not be effective. Instead, ISO says that risk management has to be adapted to the organization’s culture.”

Marks also points to the lack of any discussion on understanding the need for risk management within the enterprise and designing the risk management activity accordingly. Moreover, he says, the standard neglects to address issues pertaining to speed — such as how quickly responses have to be made and the volatility of risk levels — with respect to the design of risk management activities.

Still, Marks says the document has much potential. “ISO 31000 is not perfect,” he says, “but it is a good product that will improve over time.”

ONE SIZE DOESN’T FIT ALL

Ultimately, no framework is going to provide an off-the-shelf solution. Risk management doesn’t work like that, and neither does good internal auditing. Benoit Mandelbrot’s beautifully spiraling patterns are a mix of art as well as science — that is what makes them so beguiling. An effective risk management system requires the same combination.

Complexity?
ISO 31000 (and COSO for that matter) has absolutely nothing to do with complexity. “Complexity” has become something of a buzz word in today’s business culture, becoming more vague and imprecise than many of us attempting to understand complexity would like. The misappropriation of the concept is always done with the best of intentions. Well, Neil, any author savvy enough to introduce Mandelbrot and fractal geometry into the mix doesn’t get a free pass. I am not so much worried about “new” risks – there is not much new under the sun. I am, however, worried about certain types of risks that may become “enriched” due to the increasing complexity and uncertainty in the environment. Here’s an allegory of sorts to illustrate...

Amanda was an ERM professional looking forward to a vacation at the seaside community of Amity. She performed a comprehensive ISO 31000 based risk assessment and was promptly eaten by Bruce-The-Shark the first evening of her arrival as she went for an evening swim.

Retrospective: Well, shark attacks are not Talebian Black Swans, even though popular wisdom suggests they are relatively rare. Predictive analytics were of no use to Amanda because we did not have any data suggesting a history of shark attacks at or around Amity (that may suggest crummy data, that sharks seldom if ever frequented the Atlantic waters around Amity, a change in the environment, etc.). Perhaps global warming irritated Bruce and he sought cooler water for hunting? The paradigm the “late” Amanda used, however, was retrospective. It was based on the notion that yesterday is pretty much like today and will be pretty much like tomorrow. It was also based on a Gaussian distribution (an artifact from systems assumed to be in equilibrium). I am not a complete nihilist when it comes to quant.

Had Mike Nichols asked me to write the dialogue for the classic movie The Graduate, I would have said “thresholds” to Benjamin, rather than “plastics.” If you have no idea of what I speak, stop reading this silly article and go rent the movie!

  • We need to get an idea about when our environments (yes, the plural) change.
  • We need a more robust picture of our operating environments.
  • We need to challenge, not embrace, goofy 20th century predictive models.
  • We need to think about resilience based risk strategies & complexity science; and forget about holistic solutions between silos and other goofy Human Resources voodoo.

Remember, if you’re going to swim with the sharks, don’t ask the Mayor of Amity for a self-assessment of the risk.
Posted By: John Marke
2011-07-09 8:10 PM
Managing the complexity of risk
Worth reading and very helpful to internal auditors. Keep it up.
Posted By: omary yussuf ngayenda
2011-05-18 2:59 PM
Contradiction about IIA role in ERM
The Institute of Internal Auditors (IIA), in coordination with its institute The IIA-UK and Ireland, has issued a position statement on The Role of Internal Audit in Enterprise-wide Risk Management: http://www.theiia.org/guidance/additional-resources/coso-related-resources/the-iia-takes-a-stand-on-erm/ It is indeed strange to read that they consider the following activities legitimate:

  • Coordinating ERM activities.
  • Maintaining and developing the ERM framework.
  • Championing establishment of ERM.
  • Developing risk management strategy for board approval.

These activities seem to be in contradiction with the role of internal audit according to IIA-USA and IIA-Australia (see http://www.iia.org.au/aboutIIA/whatIsInternalAudit.aspx and http://www.theiia.org/guidance/additional-resources/coso-related-resources/the-iia-takes-a-stand-on-erm/). I think the IIA-USA and the IIA-UK have got themselves confused, whereas the IIA-Australia has clearly endorsed ISO 31000 and its role for the auditors. See: http://www.theiia.org/intAuditor/feature-articles/2011/april/managing-the-complexity-of-risk/ Here is an ongoing discussion on this subject: http://www.linkedin.com/groups/Legitimate-Internal-Audit-Roles-Safeguards-1834592.S.53904876?qid=b4b41047-ab72-4a16-b15b-7c778507d62f&goback=.gmp_1834592
Posted By: Alex Dali
2011-05-12 4:14 PM
Managing the Complexities of Risk
The organization’s goal to achieve a maximum risk-free environment in the business should not be biased. The entrepreneur can feel it is not a single man’s affair to manage the organization. The entrepreneur should value his time and money in each area of responsibility he employs in the organization. The entrepreneur must think to possess the security of services, giving weight to each individual in their capacity of responsibilities. And the entrepreneur must hold each departmental head as himself, responsible for safeguarding the organization’s assets and keeping the organizational environment exposed to a minimum of risk, if not 100% risk free. Enterprise risk management should also govern the human resources management of the organization. The internal auditor cannot be responsible for being risk free if all the heads of departments are left free and innocent; this situation leads the organization into multiplicities and complexities of risks. The internal auditor can hold things responsible within the organizational culture of risk assessment, but deliberate efforts by the other departments to expose complexities of risk do expose the organization, managing a lot of risks by rule of thumb and without documentation and legal implications. To control risk, every act of the organization is managed through controls and governance. Enterprise risk management should be such as to test the controls, and variances should be looked upon. Matching ERM within different organizations is a source to study. But the entrepreneur and management of the organization is an identity to practise the utmost enforceable sets, standards, optimality, and decisions. Internal auditing is to approach so as not to divert from its due control to abide by law in administration, a check to point out, as feasibly as possible, pre-measuring the controlling standards of safeguards of the company’s assets. Rashid Pervez ID# 1394262
Posted By: Rashid Pervez
2011-05-10 6:20 AM