
Risk management

7 The risk management process

There are a number of formal risk management processes, which will be covered in more detail in Session 2. They are typically written at a high level and it is recommended that the detailed approach followed is adapted to fit the task. However, there is a set of commonly recognised process steps. In this case, and for the rest of this module, the International Organization for Standardization (ISO) 31000:2018 standard will be referred to.

Figure 1 ISO 31000 diagram (image not reproduced here)

The process is iterative and when performed properly has multiple feedback loops between the different process steps. Unlike many processes, the risk process can operate at any (and all) levels of an organisation, works for any activity and applies to all types of risk. You will explore each of these steps in more detail in the coming sessions.

Box 1 COSO and ISO 31000

There are many similarities between COSO and ISO 31000. They share many common principles. Both focus on identifying, assessing and treating risks and monitoring them on a regular basis. They also both focus on the importance of good governance and culture to enable good risk management.

The main differences stem from their backgrounds. COSO evolved from a focus on financial reporting, whereas ISO 31000 evolved from a quality management system background and so has more of a process or quality system focus.

COSO therefore has a greater focus on strategic risks and loss prevention (i.e. predominantly threat (downside) risks). It is aimed at the board (and senior leaders) and focuses on controls as the main treatment activity.

ISO on the other hand takes a much wider scope, looking to work for all risks (threat and opportunities) at all levels of an organisation. It looks to understand the risks to all objectives.

The terminology used is similar (but not identical), so firms looking to apply both approaches should understand the differences and potential conflicts between the two.