

AS/NZ 4360 — A Practical Choice Over COSO ERM

Headquarters: Forrester Research, Inc., 400 Technology Square, Cambridge, MA 02139 USA • Tel: +1 617/613-6000 • Fax: +1 617/613-5000 • www.forrester.com

BEST PRACTICES

EXECUTIVE SUMMARY

Under pressure — from regulations, competition, legal liability, and corporate governance — organizations build risk management programs and processes that encompass operational risks as well as traditional financial risks. Many organizations look first to The Committee of Sponsoring Organizations of the Treadway Commission (COSO) enterprise risk management (ERM), only to discover that it is poorly written and difficult to implement. The Australia/New Zealand 4360:2004 Risk Management Standard (AS/NZ 4360) is more mature, straightforward, and flexible, with a wealth of implementation resources for different risk scenarios.

TARGET AUDIENCE

Security and risk professional

APPROACHING RISK MANAGEMENT WITH FRAMEWORKS

Organizations — in an effort to manage risk, comply with regulations, as well as preserve or create value — are driven to adopt risk management. Some are responding to adverse events, others to regulatory compliance — e.g., Sarbanes-Oxley (SOX), Basel II, etc. — and all must manage complex global operations and relationships. A few see ERM as a way to manage opportunity and drive stakeholder value. Whatever the drivers, many firms need guidance about what risk management is and how to build a risk management function and process. In seeking help, you’ll find an abundance of risk management frameworks, including proprietary frameworks developed by consulting/advisory organizations, national frameworks/standards, and industry-specific guidance. However, most risk management decisions boil down to one of two options — COSO ERM or AS/NZ 4360. For those under the gun of SOX, the decision has largely fallen to COSO — but is it the right choice for ERM? In implementation:

· COSO ERM starts a good discussion . . . COSO ERM is good at beginning discussions on risk management vision while demonstrating the complex intricacies of risk management across the organization. Particularly, it illustrates the breadth of risk management across business processes and operations as it formulates dialogue around principles of risk management.

· . . . but fails to give enough practical advice. COSO is poorly written and many would-be implementers find its approach to ERM confusing. COSO defines ERM as: a process, effected by an entity’s board of directors, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.1 That is neither a concise nor an easy-to-grasp definition of risk, but it does communicate an idea of risk management and gets the discussion started.

January 3, 2007

AS/NZ 4360 — A Practical Choice Over COSO ERM, by Michael Rasmussen with Laura Koetzle

COSO ERM — Weak At The Practical Level

While COSO ERM might get the risk management dialogue started, it falls short on the practical side. For all of its buzz in the corporate world (particularly among those working on SOX compliance) in defining and promoting ERM, COSO ERM has significant weaknesses. Namely, COSO ERM:

· Provides an obscure framework. As a principle-based framework, COSO ERM provides a philosophy and vision of ERM but does not get into risk management approaches and processes that can be easily implemented across the business.2 When it comes down to building a risk management function and process, COSO ERM has little practical advice, often leaving the implementer bewildered (see Figure 1).

Figure 1 The Complex Organizational And Functional Layers Of COSO ERM

[Figure 1 (image not reproduced): the COSO ERM cube. Organizational layers: entity level, division, business unit, subsidiary. Framework components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring. Objective categories: strategic, operations, reporting, compliance. Source: Forrester Research, Inc.]

· Focuses excessively on threats/hazards. A significant weakness of COSO ERM is its nearly exclusive focus on management of threats and application of controls. Understanding and managing threats and hazards to business operations is a good thing, but concentrating solely on threats/hazards leaves a risk management program unbalanced. Threat management is only part of risk management; risk management must also encompass opportunities for corporate gain. Organizations make money by taking risk, and they lose money by failing to manage it.3 COSO ERM entirely ignores the upside — it primarily addresses control issues such as “failure to report financial data.”

· Misses guidance on effectiveness/efficiency of controls. Despite COSO ERM’s hyper-focus on threats and controls — which is only natural given COSO’s roots in audit — it fails to give practical guidance on how you should measure the effectiveness and efficiency of controls. Risk analysis in COSO focuses on exposure and gives little to no guidance to help you understand the effectiveness of controls to mitigate risk.

· Introduces a flawed approach to risk assessment. The COSO ERM framework confusingly associates risk measurement with the likelihood of an event and its consequences. The framework should instead focus on the consequences that flow from an event and the likelihood of those consequences. Further, it prioritizes high-probability, high-impact risks. Sounds like common sense, right? Wrong. High-probability, high-impact risks exist at a micro level (on particular projects, for example), but not at a macro level, because risk is aggregated.4 Put another way, you can have a high-likelihood, high-impact situation (e.g., if you are standing on the tracks in the path of an oncoming high-speed train, it is likely the train will hit and kill you), but there is no such thing as a high-likelihood, high-impact class of events. We call these phantom risks: a class of events that was genuinely both high-likelihood and high-impact could not persist, because if three people per week step into the path of the train, you won’t be in business for long.5 Likelihood-impact analysis is suited to “point-in-time” analysis of a specific incident (such as an individual train crash), whereas risk management aims to understand the level of exposure to a type of event (e.g., the level of exposure to loss from train accidents) over a period of time.6

· Lacks external context for risk management. The COSO ERM standard gives the impression that risk is an entirely internal dynamic that is not influenced by external factors. It only requires the consideration of the internal environment — not the external context — and from there produces an inwardly focused and dangerously ignorant risk assessment.

· Fails to embrace risk as a process. COSO ERM concentrates on reporting. As such, the framework structures a once-through process rather than an iterative process with feedback loops and cross-links to other process elements. Also, it doesn’t integrate risk management with business change management. Ultimately, the COSO ERM implementation focuses on a single assessment aimed at delivering a report. In reality, risk management must be a continuous process — reporting should then become an incidental byproduct of that process.

AS/NZ 4360 — The Choice Of The Risk Practitioner

A risk management framework needs to be adaptable across a wide range of risk management scenarios; flexibility is not merely desirable but necessary. Firms require a risk management approach that is easy to understand and implement across the organization. AS/NZ 4360 is a mature and flexible risk management standard.7 It gives straightforward, easy-to-grasp definitions of risk and risk management that — unlike COSO ERM — capture both the threat/hazard side of risk and the opportunity side (see Figure 2):

Risk: The chance of something happening that will have an impact on objectives.

Risk management: The culture, processes, and structures that are directed toward realizing potential opportunities whilst managing adverse effects.

Figure 2 The Steps Described In AS/NZ 4360 For Implementing A Risk Management Process

[Figure 2 (image not reproduced): the AS/NZ 4360 risk management process. Establish the context (objectives, stakeholders, criteria, define key elements); Identify the risks (what can happen? how can it happen?); Analyze the risks (review controls, likelihoods, consequences, level of risk); Evaluate the risks (evaluate risks, rank risks); Treat the risks (identify options, select best responses, develop risk treatment plans, implement). Two activities run in parallel with every step: Communicate and consult, and Monitor and review. Source: Forrester Research, Inc.]

The AS/NZ 4360 standard:

· Offers a holistic and flexible approach to risk management. The AS/NZ 4360 standard addresses all types of risk in all types of organizations and industries. This adaptable process enables a consistent approach to risk management throughout the organization.

· Establishes an external context for risk management. AS/NZ 4360 emphasizes the establishment of a context for risk management — external as well as internal. ERM is not a siloed function. It can have a central head, such as a chief risk officer, to coordinate risk management across the organization, but the ownership of risk falls across varying areas of the business and is influenced by external factors. The AS/NZ 4360 standard starts with understanding the broad scope of drivers and influencers from both internal and external contexts.

· Builds consultation and communication into the ERM process. ERM does not happen in a vacuum: It requires a collaborative environment to be successful. This means that all stakeholders (e.g., risk executive, legal, business process owner/manager, and business partner) need to be able to have input into every stage of the risk process.

· Defines both threats and opportunities in its definition of risk. AS/NZ 4360 clearly and concisely illustrates that risk is about taking advantage of opportunities as well as mitigating threats. AS/NZ 4360 grasps the opportunity side of risk management by emphasizing value creation and preservation.

· Provides a wealth of risk handbooks for practical advice. AS/NZ 4360 includes a set of implementation handbooks for using the standard in different situations (see Figure 3).8 This expanding set of resources provides implementers with a broad portfolio of practical help.

· Supplies the foundation for a new ISO risk management standard. AS/NZ 4360 will become the basis of a new international risk management standard from the International Organization for Standardization (ISO). Using the AS/NZ 4360 standard, an ISO working group is preparing a draft standard on risk management that it plans to release as a working draft in 2007. The goal is to have a final published international risk management standard in 2008. (In the event, that standard was published as ISO 31000 in 2009, and AS/NZ 4360:2004 was subsequently superseded by AS/NZS ISO 31000:2009.)

Figure 3 Implementation Handbooks Included With The AS/NZ 4360 Standard

· HB 141-2004 Risk Financing Guide
· HB 203:2006 Environmental Risk
· HB 205:2004 OHS Risk Management Handbook
· HB 221:2004 Business Continuity
· HB 240-2004 Risk in Outsourcing
· HB 246-2004 Risk in Sport and Recreation
· HB 254-2005 Governance, Risk Management, and Control Assurance

Source: Forrester Research, Inc.

Page 6: NZ 4360 — A Practical Choice Over COSO ERM

Best Practices | AS/NZ 4360 - A Practical Choice Over COSO ERM 6

© 2007, Forrester Research, Inc. Reproduction ProhibitedJanuary 3, 2006

HOWEVER, NO STANDARD IS COMPLETE . . .

The challenge is that risk, like beauty, is in the eye of the beholder. A security professional sees risk as a threat or hazard, while a business or finance manager sees an opportunity/benefit side to risk. Some professionals focus on quantitative risk assessment, while others focus on qualitative risk assessment. You must adapt the framework to your situation and context, which makes the flexible, well-written, and concise AS/NZ 4360 standard the best choice. Whatever framework you adopt, the first step in defining a risk management process is to understand what risk actually is. This involves:

· Defining risk. Although risk represents uncertainty, risk is not simply the chance (the probability) of an adverse event occurring: it is a measure of the potential damage from an adverse event at a specified probability level. For example, the risk concept lets us consciously analyze whether, at a 99% confidence level (where there is only a 1% chance of a more harmful outcome), the damage from a bank branch robbery (perhaps $10 million) is greater than the damage from an unauthorized trading loss in the fixed income derivatives department (perhaps $1 billion).

· Understanding that risk is a distribution. Avoid a static approach to risk analysis in which you map a given risk to a single intersection of probability and impact. Risk is more accurately calculated as a distribution of possible losses, which can be drawn as a curve showing the points at which a risk is of greatest and least significance to the organization. (In practice, loss distributions are rarely symmetric bell curves; they are skewed, with a long tail of rare but severe outcomes, which is exactly the region a single probability-times-impact point hides.) Avoid a “point-in-time” analysis model that does not address both the frequency and the distribution of events.
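The two points above (risk as damage at a stated confidence level, and risk as a distribution rather than a single likelihood-times-impact point), together with the phantom-risk discussion under COSO ERM, can be made concrete with a short simulation. What follows is an added example, not code from the Forrester report or from the standard: it simulates many years of an event class, then reads off the expected annual loss (what a likelihood-times-impact point estimate approximates) and the loss at the 99% level (what the report means by damage at a specified probability level). The event frequencies, loss sizes and helper names are constructed for illustration and are not figures from the page.

```python
"""Annual loss exposure as a distribution rather than a single likelihood x impact point.

Added example, not part of the Forrester report. Frequencies and severities below are
constructed; they loosely echo the report's branch-robbery versus rogue-trading contrast.
"""
import math
import random


def poisson(rng, lam):
    """Draw an event count for one period from Poisson(lam) using Knuth's method."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def lognormal_severity(median, sigma):
    """Sampler for a right-skewed loss size (many small losses, occasional large ones)."""
    mu = math.log(median)
    return lambda rng: rng.lognormvariate(mu, sigma)


def fixed_severity(amount):
    """Sampler that always loses the same amount (a single catastrophic event type)."""
    return lambda rng: amount


def simulate_annual_losses(freq_per_year, severity, years, seed=20070103):
    """Monte Carlo over `years` periods: count the events in each year, sum their sizes."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    annual = []
    for _ in range(years):
        n = poisson(rng, freq_per_year)
        annual.append(sum(severity(rng) for _ in range(n)))
    return annual


def quantile(values, q):
    """Empirical q-quantile (0 < q <= 1) of a sample, by sorting."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def exposure(freq_per_year, severity, years=10_000, confidence=0.99):
    """Summarise one event class: the point estimate next to the distribution."""
    losses = simulate_annual_losses(freq_per_year, severity, years)
    return {
        # averaged likelihood x impact: the single number a static assessment produces
        "expected_annual_loss": sum(losses) / len(losses),
        # damage at the stated probability level (only 1 year in 100 is worse)
        "loss_at_confidence": quantile(losses, confidence),
        # how often the class produces no loss at all in a year
        "share_of_years_with_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


# Constructed scenarios (hypothetical numbers, not from the report):
# frequent, modest branch robberies versus a rare, catastrophic unauthorised trade.
ROBBERY = dict(freq_per_year=3.0, severity=lognormal_severity(median=50_000, sigma=1.0))
ROGUE_TRADE = dict(freq_per_year=0.02, severity=fixed_severity(1_000_000_000))


if __name__ == "__main__":
    for name, params in (("branch robbery", ROBBERY), ("unauthorised trading", ROGUE_TRADE)):
        s = exposure(**params)
        print(f"{name:22s} expected ${s['expected_annual_loss']:>15,.0f}"
              f"  loss@99% ${s['loss_at_confidence']:>15,.0f}"
              f"  loss-free years {s['share_of_years_with_no_loss']:.1%}")
```

Run it and compare the two lines. The trading class has an expected annual loss of roughly $20 million, but at the 99% level the exposure is the full $1 billion: the point estimate is the "phantom" number, the distribution is what the board needs to fund or avoid. The robbery class shows a much smaller gap between its expected loss and its 99% loss because its events are frequent and individually small. Ten thousand simulated years is enough to read a 99% level with some confidence; a 99.9% level needs correspondingly more samples, and real work replaces the constructed parameters with frequencies and severities fitted to your own loss data.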

RECOMMENDATIONS

CAPTURE THE INTEREST IN ERM FROM COSO, BUT IN PRACTICE RELY ON AS/NZ 4360

COSO ERM, primarily because of SOX, has started a lot of organizations talking about risk management.9 You can build on that momentum and use it to develop a vision and cross-organizational collaboration on risk management, but you will find that COSO ERM is confusing and difficult to apply. AS/NZ 4360 provides a stronger, simpler, and more adaptable framework to use as the foundation of an ERM program. If you pursue AS/NZ 4360, you will not be disappointed, because it is quite likely to become an influential international standard; the progression should be similar to that of the British information security standard BS 7799, which became ISO/IEC 17799.


© 2007, Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, WholeView 2, Technographics, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, go to www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints of this document, please email [email protected].

ENDNOTES

1 Source: COSO: The Committee of Sponsoring Organizations of the Treadway Commission (http://www.coso.org/publications.htm).

2 COSO ERM provides some theory and structure for risk management. The issue identified in this research piece is taking the theory into practice within an organization. The principle approach found in the COSO ERM framework lacks the practical guidance of implementing ERM within an organization and across its lines of business. See the October 5, 2004, Quick Take “COSO Enterprise Risk Management Framework.”

3 For further information on the opportunity side of risk, Forrester refers readers to Deloitte’s publication series on risk intelligence and value killers, which further defines the fact that organizations make money by taking risk and lose money by failing to manage it.

4 Forrester discusses the issue of phantom risks in COSO. See the November 8, 2005, Best Practices “Preparedness Versus Probability In Determining Risk.”

5 COSO ERM challenges, particularly those around phantom risks, are clearly illustrated in Ali Samad-Khan’s article in Operational Risk magazine. Source: Ali Samad-Khan, “Why COSO Is Flawed,” Operational Risk, January 2005 (http://www.opriskadvisory.com/docs/Why_COSO_is_flawed_(Jan_2005).pdf).

6 Note: The focus on phantom risk at a risk class/aggregate level is an inherent problem with many risk management frameworks — including the AS/NZ 4360 standard. However, the 4360 standard differs from COSO in this area as it provides guidelines that illustrate a number of approaches for assessing risk in qualitative or quantitative formats.

7 H. Felix Kloman, a leading expert in risk management practices, puts this succinctly in Risk Management Reports: “Over the past fifteen years, we’ve developed a variety of local, national and global ‘standards,’ such as Basel I, COSO I, COSO II, and the Australian/New Zealand Risk Management Standard 4360, revised in 2004. Canada, the United Kingdom, Norway, and Japan have similar standards. Basel II is being prepared for adoption worldwide. Most efforts improve the breed, although the COSO II (Committee of Sponsoring Organizations) monster in the United States set us back several years. The Australian/New Zealand effort should be the bellwether, if risk management is to continue to evolve and flourish.” H. Felix Kloman, Risk Management Reports, Volume 33, Number 10, October 2006. Additionally, Risk Management Reports December 2004 provides further reflections on challenges with COSO ERM.

8 Source: The AS/NZ 4360:2004 Standard Portal (http://www.riskmanagement.com.au/).

9 Note that COSO ERM is not needed for SOX compliance. The regulatory guidance states that organizations should use a control framework like COSO Internal Control, which predates COSO ERM. The regulation requires a framework for controls but does not require a specific one.