7 The risk management process
There are a number of formal risk management processes, which will be covered in more detail in Session 2. They are typically written at a high level, and it is recommended that the detailed approach followed is adapted to fit the task. However, they share a set of commonly recognised process steps. Here, and for the rest of this module, the International Organization for Standardization (ISO) standard ISO 31000:2018 will be used as the reference.
The process is iterative and when performed properly has multiple feedback loops between the different process steps. Unlike many processes, the risk process can operate at any (and all) levels of an organisation, works for any activity and applies to all types of risk. You will explore each of these steps in more detail in the coming sessions.
Box 1 COSO and ISO 31000
There are many similarities between COSO and ISO 31000. They share many common principles. Both focus on identifying, assessing and treating risks and monitoring them on a regular basis. They also both focus on the importance of good governance and culture to enable good risk management.
The main differences stem from their backgrounds. COSO evolved from a focus on financial reporting, whereas ISO 31000 evolved from a quality management system background and so retains more of a process or quality system focus.
COSO therefore has a greater focus on strategic risks and loss prevention (i.e. predominantly threat (downside) risks). It is aimed at the board (and senior leaders) and focuses on controls as the main treatment activity.
ISO on the other hand takes a much wider scope, looking to work for all risks (threat and opportunities) at all levels of an organisation. It looks to understand the risks to all objectives.
The terminology used is similar (but not the same) so firms looking to apply both approaches should understand the differences and potential conflicts between the two.