Fundamentals of Risk Management
Risk management standards
Accountants. The approach in the CoCo standard is considered briefly below and evaluated in more detail in the final part of this book. The approach in CoCo is based on the evaluation of the culture or the internal control environment of the organization.

Updating of existing standards

There is a continuing desire to keep risk management standards and corporate governance codes relevant and up-to-date. Regulators around the world continue to learn from corporate failures and from each other. There is also a developing trend for standards organizations to develop management standards relevant to a wide range of risk management topics, including business continuity, information security, corporate governance and compliance management.

FIGURE 6.4 Risk management process from ISO 31000
[Figure: the ISO 31000 process diagram. Its elements are Establishing the context; Risk assessment, comprising Risk identification, Risk analysis and Risk evaluation; and Risk treatment, with Communication and consultation and Monitoring and review running alongside every stage.]
SOURCE: This figure, taken from international standard ISO 31000:2009 'Risk Management – Principles and Guidelines', is reproduced with the permission of the International Organization for Standardization, ISO. This standard can be obtained from any ISO member and from the website of the ISO Central Secretariat at the following address: www.iso.org. Copyright remains with the ISO.

The ISO 31000 risk management standard was first published in 2009 and was itself an update and enhancement of the earlier AS/NZS standard 4360. AS/NZS 4360 was first published in 1995, and updated in 1999 and 2004. ISO 31000 is currently (November 2016) undergoing a substantial review and update. Various other standards have also been published during the past 20 years, including the Association of Project Management Project Risk Analysis and Management (PRAM) and the UK Office of Government Commerce (OGC) Management of Risk (MoR) guidance.
There is an established format for an ISO management standard specification and this is described in Chapter 9. This format is used for standards against which an organization can be certified, and the most well-established of the ISO management standard specifications is ISO 9001 on quality management. Generally speaking, the established risk management standards, including ISO 31000, the IRM standard and the COSO ERM cube, do not adopt the ISO format. Part of the reason for this is that the ISO technical committee responsible for ISO 31000 has taken the position that risk management activities are not appropriate for external certification.

The challenge for standards organizations is to ensure that the risk management standards they publish are relevant to the future success of the organization. As can be seen from the text box below, COSO has taken the approach, in updating the COSO ERM framework, that greater consideration should be paid to stakeholder expectations and the relationship between risk and strategy. In particular, the COSO consultation document suggests that organizations that integrate enterprise risk management into strategic planning can obtain a range of benefits including:

● increasing range of opportunities by considering both positive and negative aspects of risk;
● improving performance by identifying and managing risk on an entity-wide basis;
● reducing negative surprises, increasing gain and profiting from advantageous developments;
● reducing performance variability by taking actions to minimize disruption;
● improving resource deployment and achieving enhanced resource allocation.

Although there is considerable benefit in adopting an established risk management standard, it is undoubtedly the case that organizations will need to change and adapt the detailed requirements of any existing standard to their specific circumstances and/or external, internal and risk management contexts.
Greater acceptance of a risk management approach within an organization will be achieved when the approach has been customized specifically for the organization by the organization itself. One of the key features of developing approaches to risk management is that the plan–implement–measure–learn (PIML) approach is being increasingly adopted. This is often referred to as plan–do–check–act (PDCA) and it is the basis of the US standard ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness and Continuity Management Systems.