In my previous post "Enterprise Risk Management Framework Limitations" I list common false assumptions regarding the well known frameworks. You will see in that post how they are deficient in certain important aspects, and so cannot give you unfailing guidance to set up a successful ERM regime. I should add that the popular standards such as ISO 31000 and COSO are extraordinarily expensive.
It is quite possible that you are using a standard that has real utility, because it gives technical specifications or compliance requirements for your industry. In my experience, however, after paying for a certain IT standard (an ISO document), I found that it merely listed the same old risk management steps already available in the parent document, without any insight into IT risk categories or procedures to identify risk in IT systems.
Even with the foregoing in mind, I still recognize that people need a framework, a general guideline, to get started and perhaps serve as the basic reference for their ERM program. Such an "anchor" document should provide a good conceptual overview; list the risk management steps; give vocabulary; and lend a certain prestige by being internationally recognized.
Would you like to know about just such a framework that is free of charge? I recommend the Guidelines for Managing Risk in the Western Australia Public Sector.
It was published in 1999, is out of print, and has been superseded by other standards. But, as one who sat on the technical committee for the Canadian ISO 31000, I can tell you that "newer" does not always mean "better".
The Guidelines for Managing Risk in the Western Australia Public Sector admirably fulfills the minimum requirements I listed above. It comes from the same tradition as the AS NZ 4360, which means elegantly written, concise and well organized content. The Western Australia document is a mere 31 pages, and still manages to include an exec summary; a list of risk management document types; and four case studies. It also starts to overcome the typical deficiencies in all standards by addressing practical points on implementation.
If you are starting out, or want to simplify your risk management program, I recommend using the Guidelines for Managing Risk in the Western Australia Public Sector in conjunction with what I call High Quality Risk Assessment (explained in Solving the ERM Puzzle).
The Western Australia Guidelines can be freely downloaded, used and quoted, as long as acknowledgements are given. I will give two locations to download this document as a pdf:
1. The Government of Alberta at one point (maybe on my recommendation?) had adopted it, but seems to have dropped it. Even so, it is still available on one of their pages:
http://www.alberta.ca/albertacode/images/ags-accountability-ERM-Western-Australia-ERM-Guidelines.pdf
2. Just in case it is taken down, I have taken the liberty of posting this document on my Dropbox account.
Guidelines for Managing Risk in the Western Australia Public Sector