Risk Standards Gain Traction
Having just returned from the G31000 annual conference, I’d like to share my thoughts on current risk standards and where we seem to be headed. Full disclosure: the forum I attended promotes ISO 31000 (31K), which grew out of the Australian/New Zealand AS/NZS 4360 standard.
For starters, the statistics generated by an extensive G31000-sponsored survey were nothing short of astounding. Adoption of ISO 31000 around the world has reached an all-time high. Having taken its DNA from AS/NZS 4360 in the late ‘90s, with very competent shepherding by Kevin Knight, this most flexible risk “standard” is a comprehensive guide for practitioners to design and implement customized risk strategies, which in turn inform and flesh out their resulting frameworks. Your framework, of course, defines the tactics you use to “make things happen.”
The survey of more than 1,800 respondents in 111 countries (with 40 percent from the U.S., UK and Australia), conducted by G31000, the organization that has helped evolve and perpetuate global use of this standard, revealed that 60 percent have a clear understanding or some knowledge of 31K, while 40 percent use the standard to guide “all” key decision making in their organizations. Interestingly, 74 percent said they believe their professional associations should strongly endorse or recommend 31K as the best standard for achieving organizational success.
Contrasting 31K with other common risk standards, the survey showed that twice as many adhere to 31K as to COSO ERM, the auditor/accountant-designed standard that emerged at the time of Sarbanes-Oxley and that, some say, derailed early efforts to deploy ERM strategies in favor of a narrower focus on financial reporting accuracy.
While useful in many respects, COSO ERM’s control-environment focus leaves it less flexible and customizable (notwithstanding the recent issuance of the COSO 2013 update of its Internal Controls framework). Interestingly, 40 percent of respondents claim to have created and use their own “standards.” I strongly suspect this finding actually refers to risk frameworks, since practitioners don’t typically create their own “standards,” though it is not impossible to do so.
Disappointingly, the results for U.S. respondents reflect a 31K take-up rate that stands in stark contrast to the global rate. Only 20 percent of U.S.-based respondents claim to use 31K, while 12 percent claim to use COSO ERM.
This latter statistic is the more surprising of the two, as the longstanding impression among U.S. ERM experts has been that COSO was much more commonly used. All the better, however, since migrating away from COSO to 31K would be an advisable strategy for those who prefer less prescriptive risk guidance.
Finally, a surprising 43 percent believe that 31K ought to have certification as a requirement, with only 9 percent supporting it as a mandate. While organizational certification may seem useful on its face, I believe users will ultimately regret the way it layers costs and time requirements onto organizations whose time and resources could be better applied to the management of risks. Encouragingly, 24 percent plan to implement 31K in the future, which will undoubtedly only increase its gravitational pull toward even wider adoption over time.
Read all of Chris Mandel’s Risk Insider contributions.