Many contemplating Enterprise Risk Management search for the appropriate framework or standard to govern the ERM program; e.g., ISO 31000; its predecessor AS/NZ 4360; COSO; or another (often developed for a specific industry). The framework certainly will have some specific utility, but it is limited, and no guarantee of success.
False assumptions regarding Enterprise Risk Management and its frameworks
First, let’s discard several wrong ideas.
1. Do not think that what people call ERM is universally consistent. Its definition and practice are highly variable. [1]
2. Do not accept a description of ERM from a seemingly authoritative source as definitive. For example, the Investopedia [2] definition gives only the COSO version, and offers no evidence that COSO is either universally adopted or particularly effective.
3. Do not assume that organizations, having something they call ERM, necessarily use an international standard. About half do not. [3]
4. Do not assume that you can implement a given framework cover-to-cover, to the letter. You will have to interpret it to apply it to the business.
5. Do not assume that a framework gives complete information to enable successful implementation.
Two important deficiencies
The standards are lacking in two important aspects which are decisive for a successful program.
First, they do not specify how to conduct risk assessment effectively. They simply assume everyone knows how to do it well.
Second, the standards do not address the principles of successful program implementation. Without them, new management initiatives, including Enterprise Risk Management, routinely fail.
Prescriptive vs principles-based
Two broad types of standard can be distinguished: (a) prescriptive and (b) principles-based.
(a) The prescriptive documents tell you how to organize your business, and state the various types of risk that you will encounter. These can be dangerous limitations.
(b) The principles-based documents, by contrast, do not give a pre-conceived analysis of the business, nor do they limit the sources of risk.
Specific utility
In my experience, an international or professional standard used as a framework is useful because it:
1. sets out the general steps in the risk management process;
2. explains broad concepts, giving people in the organization a way to discuss risk;
3. gives a glossary of terms;
4. lends an official air and credibility to the program, by virtue of being broadly recognized.
As long as the standard chosen fulfills these tasks, and is compatible with the business without being overly prescriptive, it should serve well.
Conclusion
Beyond these points, the framework has little utility. As I mentioned above, I have found that various frameworks, policies, and other guidance documents, whether prescriptive or principles-based, do not give instruction on how to achieve a rigorous, incisive and truly compelling risk assessment [4], which is essential. Nor do they address the complex problem of how to implement a new administrative program in the organization, so that it gains acceptance and take-up. [5]
Notes
[1] See my blog post Does Enterprise Risk Management Have Proven Effectiveness?
[2] Investopedia Enterprise Risk Management (ERM): What Is It and How It Works
[3] E. McBride (2012) Enterprise Risk Management: Framework Presence and Effectiveness
[4] How to do Risk Identification podcast E10
[5] Principles of Successful ERM Implementation podcast E15