ISO 31000:2018 for Risk Management and its interrelation with COSO ERM 2017

Recently, these reference models for Risk Management and Internal Control have been updated.

Although the ISO 31000 standard remains the main guide for risk management in organizations, given the breadth with which it addresses the guidelines and activities, it is also important to consider the elements proposed by the COSO ERM 2017 model, which reinforce the philosophy of increasing the value of organizations through proper management of business risks.

Below are the main elements of each of these two models:

ISO 31000:2018

It presents in a comprehensive manner the guidelines and processes for the proper implementation and execution of risk management.

It is the main basis on which the different Risk Management Systems are structured (for example, SARLAFT).

It reinforces the importance of Management's commitment and leadership as a key factor for success in the process of implementing, strengthening and sustaining the Risk Management culture.

The basic principles for an adequate structure of a Risk Management System were simplified. They are now as follows:

1. Integrated: Conceive risk management as a whole, as a systemic approach, and not by independent units or silos.

2. Structured: A system that produces consistent and comparable results, so that their evolution can be measured.

3. Adaptable: A risk system aligned with the organizational context and with its needs and capabilities.

4. Inclusive: Consider not only the entire organization but also all interested parties, achieving a broader conception of the risks that must be managed.

5. Dynamic: Anticipates change, with proactive and forward-looking thinking about risk.

6. Best available information: The importance of generating clear, timely and secure information for risk analysis and, therefore, for adequate decision making, with emphasis on the confidentiality of that information.

7. Human and cultural factors: Considered as important agents that generate both internal and external risks.

8. Continual improvement: An iterative process of permanent improvement.

Risk management is conceived as a strategic tool for decision making and as a generator of value for the organization.

Communication of risks must lead to greater risk awareness at all levels of the organization.

The phases of the risk management process remain the same as in ISO 31000:2009.

COSO ERM - 2017

It is the most up-to-date version of the internal control framework used by organizations to optimize their internal control systems.

It elevates risk management to the main element of Internal Control management, hence its new name, COSO ERM.

It conceives risk management as a process more fully integrated throughout the organization, from which the corporate strategy and execution model must arise.

The intention is that these risks are not only controlled but also "managed" and aligned with the strategy and objectives, all in terms of the performance of the organization.

It contains 5 components as the basis of the implementation:
  1. Governance and Culture: Management is responsible for setting the tone of the organization with regard to risk culture and the understanding of risk at all levels.
  2. Strategy and objective-setting: The definition of the strategy takes risk management and the setting of organizational objectives into account. In turn, the risk appetite is established, aligned with that strategy. Organizational objectives put the strategy into practice while serving as the basis for the identification, evaluation and response to risks.
  3. Performance: The risks of greatest impact must be identified and evaluated. These should be classified according to their impact in relation to the risk appetite that has been defined. The results of the evolution of these risks should be reported to the interested parties.
  4. Review: The organization must know how well risk management is working, as well as what has changed, in order to define actions and determine the need for new reviews.
  5. Information, communication and reporting: Risk management involves a continuous process of obtaining the internal and external information needed to analyze risks, and that information must flow and be communicated throughout the organization.

Risk management was previously conceived as a tool for "value protection"; now it is a strategy that helps to create value for shareholders.

The new conceptual framework of COSO ERM replaces the cube of components, objectives and business units with a scheme that contemplates strategy, objectives and execution throughout the entire organization: