ACCT1110- LECTURE

RISK MANAGEMENT

Risk management is the process of identifying, assessing and controlling threats to an

organization's capital and earnings. These threats, or risks, could stem from a wide variety
of sources, including financial uncertainty, legal liabilities, strategic management errors,
accidents and natural disasters. IT security threats and data-related risks, and the risk
management strategies to alleviate them, have become a top priority
for digitized companies. As a result, a risk management plan increasingly includes
companies' processes for identifying and controlling threats to its digital assets, including
proprietary corporate data, a customer's personally identifiable information (PII) and
intellectual property.

Every business and organization faces the risk of unexpected, harmful events that can cost
the company money or cause it to permanently close. Risk management allows
organizations to attempt to prepare for the unexpected by minimizing risks and extra costs
before they happen.

Importance

By implementing a risk management plan and considering the various potential risks or events before
they occur, an organization can save money and protect their future. This is because a robust risk
management plan will help a company establish procedures to avoid potential threats, minimize their
impact should they occur and cope with the results. This ability to understand and control risk
enables organizations to be more confident in their business decisions. Furthermore, strong corporate
governance principles that focus specifically on risk management can help a company reach their
goals.

Other important benefits of risk management include:

 Creates a safe and secure work environment for all staff and customers.
 Increases the stability of business operations while also decreasing legal liability.

 Provides protection from events that are detrimental to both the company and the
environment.

 Protects all involved people and assets from potential harm.

 Helps establish the organization's insurance needs in order to save on unnecessary premiums.

Risk management strategies and processes

All risk management plans follow the same steps that combine to make up the overall risk
management process:

 Establish context. Understand the circumstances in which the rest of the process will take
place. The criteria that will be used to evaluate risk should also be established and the structure of
the analysis should be defined.

 Risk identification. The company identifies and defines potential risks that may negatively
influence a specific company process or project.

 Risk analysis. Once specific types of risk are identified, the company then determines the
odds of them occurring, as well as their consequences. The goal of risk analysis is to further
understand each specific instance of risk, and how it could influence the company's projects and
objectives.

 Risk assessment and evaluation. The risk is then further evaluated after determining the
risk's overall likelihood of occurrence combined with its overall consequence. The company can
then make decisions on whether the risk is acceptable and whether the company is willing to take
it on based on its risk appetite.

 Risk mitigation. During this step, companies assess their highest-ranked risks and develop a
plan to alleviate them using specific risk controls. These plans include risk mitigation processes,
risk prevention tactics and contingency plans in the event the risk comes to fruition.

 Risk monitoring. Part of the mitigation plan includes following up on both the risks and the
overall plan to continuously monitor and track new and existing risks. The overall risk
management process should also be reviewed and updated accordingly.
 Communicate and consult. Internal and external shareholders should be included in
communication and consultation at each appropriate step of the risk management process and in
regards to the process as a whole.

Risk management strategies should also attempt to answer the following questions:

1. What can go wrong? Consider both the workplace as a whole and individual work.

2. How will it affect the organization? Consider the probability of the event and whether it will
have a large or small impact.

3. What can be done? What steps can be taken to prevent the loss? What can be done recover if
a loss does occur?

4. If something happens, how will the organization pay for it?

5.
Risk management approaches

After the company's specific risks are identified and the risk management process has been
implemented, there are several different strategies companies can take in regard to different types of
risk:

 Risk avoidance. 

While the complete elimination of all risk is rarely possible, a risk avoidance strategy is designed
to deflect as many threats as possible in order to avoid the costly and disruptive consequences of a
damaging event.

 Risk reduction. Companies are sometimes able to reduce the amount of damage certain risks
can have on company processes. This is achieved by adjusting certain aspects of an overall
project plan or company process, or by reducing its scope.

 Risk sharing. Sometimes, the consequences of a risk are shared, or distributed among

several of the project's participants or business departments. The risk could also be shared with a
third party, such as a vendor or business partner.
 Risk retaining. Sometimes, companies decide a risk is worth it from a business standpoint,
and decide to keep the risk and deal with any potential fallout. Companies will often retain a
certain level of risk if a project's anticipated profit is greater than the costs of its potential risk.

Limitations

While risk management can be an extremely beneficial practice for organizations, its limitations
should also be considered. Many risk analysis techniques -- such as creating a model or simulation --
require gathering large amounts of data. This extensive data collection can be expensive and is not
guaranteed to be reliable.

Furthermore, the use of data in decision making processes may have poor outcomes if simple
indicators are used to reflect the much more complex realities of the situation. Similarly, adopting a
decision throughout the whole project that was intended for one small aspect can lead to unexpected
results.

Another limitation is the lack of analysis expertise and time. Computer software programs have been
developed to simulate events that might have a negative impact on the company. While cost
effective, these complex programs require trained personnel with comprehensive skills and
knowledge in order to accurately understand the generated results. Analyzing historical data to
identify risks also requires highly trained personnel. These individuals may not always be assigned to
the project. Even if they are, there frequently is not enough time to gather all their findings, thus
resulting in conflicts.

Other limitations include:

 A false sense of stability. Value-at-risk measures focus on the past instead of the future.
Therefore, the longer things go smoothly, the better the situation looks. Unfortunately, this makes
a downturn more likely.

 The illusion of control. Risk models can give organizations the false belief that they can
quantify and regulate every potential risk. This may cause an organization to neglect the
 possibility of novel or unexpected risks. Furthermore, there is no historical data for new products,
so there's no experience to base models on.

 Failure to see the big picture. It's difficult to see and understand the complete picture of
cumulative risk.

 Risk management is immature. An organization's risk management policies are

underdeveloped and lack the history to make accurate evaluations.


Risk management standards

Since the early 2000s, several industry and government bodies have expanded regulatory
compliance rules that scrutinize companies' risk management plans, policies and procedures. In an
increasing number of industries, boards of directors are required to review and report on the
adequacy of enterprise risk management processes. As a result, risk analysis, internal audits and
other means of risk assessment have become major components of business strategy.

Risk management standards have been developed by several organizations, including the National
Institute of Standards and Technology (NIST) and the International Organization for
Standardization (ISO). These standards are designed to help organizations identify specific threats,
assess unique vulnerabilities to determine their risk, identify ways to reduce these risks and then
implement risk reduction efforts according to organizational strategy.

The ISO 31000 principles, for example, provide frameworks for risk management process
improvements that can be used by companies, regardless of the organization's size or target sector.
The ISO 31000 is designed to "increase the likelihood of achieving objectives, improve the
identification of opportunities and threats, and effectively allocate and use resources for risk
treatment," according to the ISO website.  Although ISO 31000 cannot be used for certification
purposes, it can help provide guidance for internal or external risk audit, and it allows organizations
to compare their risk management practices with the internationally recognized benchmarks.

The ISO recommends the following target areas, or principles, should be part of the overall risk
management process:
 The process should create value for the organization.

 It should be an integral part of the overall organizational process.

 It should factor into the company's overall decision-making process.

 It must explicitly address any uncertainty.

 It should be systematic and structured.

 It should be based on the best available information.

 It should be tailored to the project.

 It must take into account human factors, including potential errors.

 It should be transparent and all-inclusive.

 It should be adaptable to change.

 It should be continuously monitored and improved upon.

The ISO standards and others like it have been developed worldwide to help organizations
systematically implement risk management best practices. The ultimate goal for these standards is to
establish common frameworks and processes to effectively implement risk management strategies.

These standards are often recognized by international regulatory bodies, or by target industry groups.
They are also regularly supplemented and updated to reflect rapidly changing sources of business
risk. Although following these standards is usually voluntary, adherence may be required by industry
regulators or through business contracts.

Risk management examples

One example of risk management could be a business identifying the various risks associated with
opening a new location. They can mitigate risks by choosing locations with a lot of foot traffic and
low competition from similar businesses in the area.
What external benchmarks and standards are the
most beneficial to companies' risk management
strategies?
Another example could be an outdoor amusement park that acknowledges their business is
completely weather-dependent. In order to alleviate the risk of a large financial hit whenever there is
a bad season, the park might choose to consistently spend low and build up cash reserves.

Yet another example could be an investor buying stock in an exciting new company with high
valuation even though they know the stock could significantly drop. In this situation, risk acceptance
is displayed as the investor buys despite the threat, feeling the potential of the large reward outweighs
the risk.

Risk Management Standards in Global Markets

Organizations face internal and external risks, which can affect their ability to achieve the
established objectives and to satisfy stakeholders’ expectations. However, implementing an
Integrated risk management system can contribute to avoid risks or reduce their consequences
for corporate effectiveness. The most important frameworks and standards of integrated risk
management, emphasizing the increasing harmonization of best practices all over the world.

The increasing complexity of internal and external environment exposes both private and public
organizations to a multitude of risks. All organizations should properly consider such risks when
they establish strategic purposes and short-term targets, because the effectiveness of
governance depends on the ability to satisfy stakeholders’ needs and expectations

Since risks derive from natural, social, financial and organizational phenomena that could
interfere with the achievement of expected results, their existence cannot be underrated.

In the last fifteen years, a new awareness about the relationship between risks, target
setting and corporate effectiveness has contributed to spread an advanced concept of risk
management. According to this view, risk management is strictly connected to both strategy
setting and operations management and must be continuously carried out at all
organizational levels,

So that should create a risk management culture throughout the firm.

The mentioned approach is usually described as “integrated risk management” (IRM) and
“enterprise risk management”
Academicians, public agencies, auditors and market regulators and supervisors have analyzed
this approach and recommended its adoption as a vehicle for better performances in
organizations of any size and operating in any sector. Many frameworks, guidelines and
standards explain how to implement risk management in an effective way. Such documents
meet broad consent all over the world: this emphasizes an increasing search for
harmonization of risk management practices at international level, without, however,
overlooking the peculiarities of every individual organization. Compliance with standards,
guidelines and frameworks of risk management provides advantages to firms, stakeholders
and supervisors

a) From a business perspective, standards and other documents help the organization
understand the complex and delicate matter of risk management, which is also subject to rapid
evolution. In particular, the documents suggest how to design a risk management system and
make it work properly. Moreover, they identify boards’ and employees’ responsibilities for well-
functioning risk management processes.

b) As concern the stakeholders, the adoption of a universally accepted model of risk

management can enhance their trust in the organization’s ability to prevent damages,
manage uncertainty and limit the impact of unforeseen events that could provoke losses: from a
stakeholder’s point of view, this is a significant assurance of corporate asset conservation and a
premise for long-time value creation.

c) If an organization founds its risk management system on a broadly recognized framework,

the work of independent auditors, market supervisors, credit rating agencies, courts and
any other authority with monitoring powers and duties should be facilitated: indeed, it
should consist in a comparison between the procedures and mechanisms applied by the
organization and the international best practices: the higher the consistency, the more effective
the implemented system. It is conceptual and aims to provide an overview of the most important
risk management frameworks and standards issued by different institutes and authorities.

COSO’S– INTEGRATED FRAMEWORK

In 2004 the Committee of Sponsoring Organizations of the Tread way Commission (COSO)
published its Enterprise Risk Management – Integrated Framework, which became one of
the most appreciated risk management guidance for private and public organizations all over the
world . The document is currently under review: in October 2014, COSO’s board announced the
project to update the Integrated Framework, in order to promote modifications taking in account
the evolution of external environment and stakeholders’ expectations. To this purpose, COSO’s
board appointed a group of advisors and observers composed of representatives from
professional service, technological, legal, academic and public organizations, and launched
an online survey. Although the survey finished in December 2014, the revision is still
underway.

COSO’s Integrated Framework provides a broad definition of ERM, suitable for all private and
public, large and small organizations operating in any sector. According to COSO, ERM is a
process, effected by an entity’s board of directors, management and other personnel, applied in
strategy setting and across the enterprise, designed to identify potential events that may affect the
entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives. In other words, ERM is a continuous process, deeply rooted
in the business activity and influenced by the leadership style

ERM involves directors, managers and employees at every organizational level, that is to
say, people with specific responsibilities of strategy setting, target planning and
programming, and day-to-day operations, who differently contribute to achieve the expected
results. In this sense, ERM should accompany two types of activities:
 On the one hand, the evaluation of strategic alternatives by the board of directors and top
management, who need to identify the events that may impact on long-term corporate
performance;
 On the other hand, the development of operational processes by the personnel, who
concretely experience threats and opportunities and acquire a direct knowledge of risks.

Moreover, ERM requires that entities accept a certain degree of risk (risk appetite) in
relation to their units (e.g., parent company and subsidiaries), functions (e.g., production,
marketing, finance and human resources) and activities (e.g., manufacturing, sales, product
development and accounting). A high degree of risk for a certain unit, function or activity can be
accepted if it is offset by a low degree of risk for another one: the global degree of risk should
always comply with the board’s risk appetite, which differ among organizations. Then, the risk
appetite concept must be applied to all the objectives established in plans and programs: that
means identifying an acceptable range of variability (risk tolerance) for every result

ERM should offer the board a reasonable assurance of achieving the established objectives, despite the
uncertainty of business. More exactly, COSO’s Integrated Framework refers to four categories of
objectives: strategic; operations; reporting; compliance. According to the entity complexity, a fifth
category consisting in corporate asset safeguard can be added. COSO’s approach of integrated risk
management aims to improve corporate effectiveness by focusing the board’s attention on the
sources of uncertainty, i.e., risks and opportunities: risks are events that hamper the achievement of
established targets; opportunities are phenomena the entity should exploit to reach better
performances than the established ones. This relationship between risks and opportunities, on the
one hand, and objectives, on the other hand, should be analyzed in a broader context, influenced
by the culture of control the board of directors should promote and share with managers and
employees. The COSO’s model presents risk management as an integrated system of principles,
structures and processes involving the whole entity and based on the following
components:
 internal environment: the organization’s rules and corporate culture, comprising risk
management philosophy and risk appetite;
 objective setting: establishment of objectives aligned with the mission and consistent
with the risk appetite;
 event identification: recognition of external and internal events as risks and
opportunities;
 risk assessment: for every identified risk, analysis of likelihood of occurrence and
possible impact on the organization’s performance, and assessment on an inherent and a
residual basis;
 risk response: selection of measures to avoid, accept, reduce, or share risk, in line
with the board’s risk appetite and the related risk tolerance;
 control activities: procedures and mechanisms to ensure that the risk management
system is effectively functioning;
 information and communication: top-down processing to divulge information about
targets, risks and risk response; bottom-up processing to collect information
on risks and opportunities;
 monitoring: comprehensive observation of the entity’s ERM system, including the
procedures to verify its effectiveness, in order to implement corrective actions.

ISO 31000

ISO 31000:2009 is an international standard of risk management published by the

International Organization for Standardization (ISO) in cooperation with the International
Electrotechnical Commission (IEC).. This standard was originally issued in 2009 and is
currently under review, as it is prescribed for all ISO’s standards every five years.

ISO 31000 comprises two documents: ISO 31000, Risk management – Principles and guidelines
and ISO Guide,

ISO 31000 is based on a previous guide of risk management, adopted in Australia and
New Zealand. Moreover, ISO 31000 is not intended for the purpose of external
certification, which is typical of many other ISO standards. ISO 31000 aims to outline an
effective and efficient risk management framework for all organizations, which may
properly work for any type of risks.

According to ISO 31000, risk is the effect of uncertainty on objectives»: that means a positive
or negative deviation from the expected result. All entities are exposed to risks, because they
cannot fully control the environment in which they operate. To increase the possibility of
achieving the objectives established, every organization should intervene on the likelihood of an
uncertain event to happen, as well as on the consequences it would provoke in case of
occurrence.

ISO 31000 promotes an integration of risk management and corporate governance. In this sense,
risk management should be consistent with the organization’s principles and values,
strategies, policies, and management control, as well as with daily operations.

According to ISO 31000, risk management requires the development of several activities.
The entity should engage in a dialogue with internal and external stakeholders
(communication and consultation) in order to:
 inform them about the risks it is exposed to and the risk management processes it has
implemented, and
 collect their suggestion and feedback. ISO 31000 stresses the importance of
establishing the context in which risk management will be applied. The
term “context” must be considered in a broad sense: it refers to the internal and external
environment, but also to the organization’s purposes, strategies, policies, capabilities,
culture, etc. When the entity establishes the context, it also selects the risk criteria against
which to evaluate the significance of each risk. Risk criteria derive from the
organization’s risk appetite. The next phase consists in risk assessment, which involves
three activities:
 risk identification: the process of finding, recognizing and describing risks;
 risk analysis: the process aimed at understanding the nature and level of each risk;
 risk evaluation: the process of comparing the results of the risk analysis to the risk
criteria, in order to determine whether a risk is acceptable.

After that, risk treatment is necessary for non-acceptable risks. Risk treatment measures are
the following ones:
 avoiding the risk, renouncing to undertake specific activities exposed to that kind of
uncertainty;
 removing the risk source;
 intervening on the event’s likelihood of occurrence, on its consequences, or on both;
 sharing the risk with third parties (e.g., through an
insurance coverage);
 accepting the risk by informed decision;
 taking risk to pursue an opportunity.

Furthermore, continuous monitoring and review should accompany all the steps described
above: this is necessary to enable the organization to promptly react when new risks
occur, internal and external conditions change, or adjustments to the original objectives are
required.

FERMA’S RISK MANAGEMENT STANDARD

In 2003, the Federation of European Risk Management Associations (FERMA)
officially endorsed The Risk Management Standard, a document produced the year before
by three British institutes (AIRMIC, ALARM and IRM). FERMA’s Standard defines risk
management as follows: «the process whereby organisations methodically address the risks
attaching to their activities with the goal of achieving sustained benefit within each activity
and across the portfolio of all activities.

According to FERMA’s Standard, the senior management should make efforts to integrate the
risk awareness into the corporate culture and to implement risk management at every
organizational level: all of this is necessary to facilitate the translation of strategies into
tactical and operational objectives. Uncertain and potential events, determined by external or
internal factors, can be either threats or opportunities for an entity, affecting different
perspectives, such as strategic, operational and financial. Risk identification is the first step
towards risk assessment, an activity consisting of two phases:
 risk analysis, comprising risk identification, description and estimation. Each risk is
represented as a combination of probability of occurrence and consequence for the
organization: such elements can be expressed in quantitative measures, in qualitative
form, or in both;
 risk evaluation, during which the inherent risk is considered in the light of the
organization’s risk appetite.

If a risk exceeds the tolerated threshold, it must be treated. Risk treatment refers to different
solutions for avoiding, transferring, and financing the risks by means of insurance
programs, but also to several internal control procedures to prevent them or limit their
consequences.

FERMA’s Standard also recommends continuous flows of information within the

organization, which are crucial for creating a complete risk map, as well as for monitoring
the effectiveness of all the measures implemented to treat the risks. A risk management report
should also be disseminated in the stakeholders’ interest.

A COUNTRY-BASED ANALYSIS

In addition to the internationally accepted risk management standards, there are many country-
based frameworks and guidelines, most of which have been though for listed companies:
they often consist in recommendations contained in corporate governance codes and other
regulations issued by the financial market regulators and supervisors.

Some countries, such as the United Kingdom, France and Canada, have published documents
with specific focus on risk management. Other countries, such as China, refer to risk
management in publications suggesting how to structure an effective internal control system.
There are also countries, such as the US, which originally introduced risk management to
reasonably assure the achievement of reporting objectives; therefore, its adoption is
required in compliance with the standards for auditing internal control over financial
reporting.

A. The FRC’s Guidance (United Kingdom) British and foreign companies listed on the London
Stock Exchange are expected to adopt the Guidance on Risk Management, Internal Control
and Related Financial and Business Reporting, released by the Financial Reporting Council
(FRC) in September 2014. This Guidance revises, integrates and replaces previous
documents (e.g., the Turnbull Guidance) in order to promote an advanced approach of risk
management and internal control, taking into account the update of the UK Corporate
Governance Code.

The FRC’s Guidance describes risk management and internal control as a system of policies,
culture, behaviors and processes that facilitate the achievement of operational, reporting and
compliance objectives and reduce the possibility of poor decision-making.

Furthermore, the FRC’s Guidance stresses the role of the board of directors for sharing a
culture of risk management throughout the organization. Moreover, the board has the
ultimate responsibility for the overall approach to risk management and internal control.

In this regard, the board should:

 ensure the design and implementation of an appropriate risk management system,
in which the principal risks are identified and assessed;
 determine the company’s risk appetite and select the risks that should be accepted,
in the light of the corporate strategies;
 agree how the principal risks should be treated in order to reduce their likelihood or
impact;
 monitoring the effectiveness of the entire system and check that the corrective
measures introduced for its improvement are properly functioning;
 ensure sound internal and external communication on
risk management and internal control.

In particular, when the company’s directors discuss about risks, they should consider several
elements: for example, the nature and level of risks the organization can tolerate, the
probability that such risks can happen and their impact, the possibility to implement risk
response actions and their costs and benefits.

B. The AMF’s Reference Framework (France)

The French Autorité des Marchés Financiers (AMF) published its Reference Framework on
risk management and internal control systems in October 2010. The document is addressed
to listed companies and it is still in force. The Reference Framework of 2010 updated and
integrated a previous edition, issued in 2007. The current edition is based on the evolution of
corporate law in the EU and France; moreover, it considers the global diffusion of
international standards of risk management, such as COSO’s Integrated Framework and
ISO 31000.

The AMF’s Reference Framework defines risk as «the possibility of an event occurring
that could affect the company’s personnel, assets, environment, objectives or reputation.
The document also describes risk management as a dynamic system of resources, behaviors,
procedures and actions, «that is adapted to the characteristics of each company and that enables
managers to keep risks at an acceptable level for the company.

According to the AMF, risk management contributes to:

 create and preserve the company’s value and reputation;
 establish and achieve objectives;
 promote consistency between shared principles and individual conducts;
 increase the awareness of each employee about the risks involved in their activities.

According to the AMF’s Reference Framework, an effective risk management system

should respect three conditions.

a) Firstly, risk management should be found on an organizational framework designing

the roles, responsibilities, procedures, policies and flows of information connected to risk
management.
b) Secondly, risk management should comprise a three-stage process including the
following activities: risk identification, with reference to threats and missed opportunities;
risk analysis, considering likelihood of occurrence and consequences; risk response,
through the selection and implementation of measures to maintain an acceptable level of
risk.
c) Thirdly, the risk management system should be subject to ongoing oversight and
periodic review. Finally, the AMF’s Reference Framework emphasizes the
interaction between risk management and internal control: the
risks identified by the former are submitted to procedures
belonging to the latter.

C. The Canadian standard CAN/CSA Q850

Two standards of risk management, strictly connected each other, coexist in Canada. The first
one is a country-based standard published by the Canadian Standards Association (CSA).
The second derives from the national endorsement of ISO 31000.

The CSA originally issued its document in 1997 and reaffirmed it in 2002, with the
title CAN/CSA Q850 Risk Management: Guideline for Decision-Makers. After the national
endorsement of ISO 31000 in 2009, the CSA started the revision of its publication, which it
completed in 2010. The new edition, currently in force, largely reproduces ISO 31000, as its
own title stresses: CAN/CSA Q850 Implementation of CAN/CSA ISO 31000. However, it also
underlines the need of adaptation to the social peculiarities of the Canadian context, which is
marked by cultural and language differences at regional level.

D. Internal control models dealing with risk assessment

In some countries, the attention to risk management processes is due to their importance
for implementing an adequate internal control system, as required by national laws, regulations
and recommendations. For this reason, several frameworks and standards deal with both
internal control and risk management, emphasizing the relationships existing between them.
st
In this sense, China and the US offer significant examples. On 1 January 2009, China adopted
the Basic Standard for Enterprise Internal Control, promoted by the Ministry of Finance
together with the market, banking and insurance authorities. The standard, which is
mandatory for listed companies and recommended to all other large companies,
requires the introduction of an internal control system including risk assessment: companies
are expected to identify internal and external risk factors, evaluate their likelihood and
impact, and treat them with suitable measures. The case of the US draws attention to
implementing internal control and risk management procedures in order to ensure fair and
transparent financial reporting. In 2007 the Securities and Exchange Commission (SEC)
approved the Auditing Standard No. 5 (An audit of internal control over financial reporting
that is integrated with an audit of financial statements), prepared by the Public Company
Accounting Oversight Board (PCAOB) in accordance with 2002 Sarbanes-Oxley Act. This
auditing standard recommends a top-down approach for assessing the risk of mistakes in
financial accounting and reporting. In this regard, risk assessment should enable the company to
identify the accounts exposed to high risk of inaccuracy, and to check the existence of
internal control procedures involving all corporate accounts (or at least the information about
selected operations, such as related party transactions). Finally, the linkage between internal
control and risk management is underlined in many corporate governance codes
for listed companies, where emphasis is often put on the board’s responsibilities. The
Italian code is a good example of this.

The analysis presented the previous sections showed a significant harmonization all over the
world in relation to the suggested practices of risk management. This is probably due to the
growing global competition, which encourages the improvement of corporate governance
systems as a key for supporting the company’s success and the stakeholders’ trust.
In particular, the three international standards and frameworks (COSO’s, ISO’s and
FERMA’s) have inspired the national ones and present substantial similarities that overtake
different lexical choices (i.e., different words to express the same meaning). In this regard,

RISK DEFINITION
COSO’s ERM Events can have negative impact, positive impact, or both.
Events with a negative impact represent risks, events with positive impact represent
opportunities.

ISO 31000
Risk is the effect of uncertainty on objectives; an effect is a deviation from the expected –
positive and/or negative.

FERMA
Risk is the combination of the probability of an event and its consequences. There is the
potential for events and consequences that constitute opportunities for benefit (upside) or
threats to success (downside).

RISK MANAGEMENT PHASES

COSO’s ERM
 Event identification.
 Risk assessment.
 Risk response.
ISO 31000
 Risk assessment (including risk identification, risk analysis
and risk evaluation).
 Risk treatment.
FERMA
 Risk assessment (including risk analysis, risk identification,
risk description and risk estimation).
 Risk treatment.

MONITORING AND REVIEW

COSO’s ERM
 Control activities: policies and procedures to ensure the risk responses are effectively carried
out.
 Monitoring: ongoing management activities including checks, separate evaluations, or both.

ISO 31000
 Monitoring: continual checking, supervising, critically observing of risk management
framework, risk management process, risks and control activities.
 Review: activity undertaken to determine the suitability, adequacy and effectiveness of
risk management framework, risk management process and control activities to achieve
established objectives.

FERMA
 Reviews to ensure that risks are effectively identified and
assessed and that appropriate controls and responses are in
place.
 Regular audits to identify opportunities for improvement.

INTERNAL REPORTING
COSO’s ERM
Information and communication:
 top-down processing (to share information on targets, risks and opportunities, and risk
response throughout the organization)
 bottom-up processing (to collect information on risks and opportunities for decision-
making)

ISO 31000

Communication and consultation with internal stakeholders to provide, share or obtain

information on risk management

FERMA

Risk reporting and communication: exchange of information

between the board of directors, business units and individuals.

EXTERNAL REPORTING
COSO’s ERM
Information and communication:
 exchange of information between entities, particularly throughout the supply chain;
 dissemination of information to agencies, market supervisors, financial analysts and all other
external stakeholders.
ISO 31000

Communication and consultation with external stakeholders to provide share or obtain

information regarding risk management

FERMA

Risk reporting and communication to the stakeholders to inform them about risk management
policies and effectiveness in achieving objectives.

First, COSO’s, ISO’s and FERMA’s documents share the same approach when it comes to
integrating risk management with strategy setting, objective establishment and management
control. Furthermore, they all consider risk management as a pervasive process that involves and
receives contribution from the whole organization. All the three documents also recommend
the exchange of information about the risks between the board, top management and
employees: this should create and foster a common culture of risk identification and control that
is important for the adoption of a proactive
behavior in relation to the uncertainty.

However, the standards of risk management seem to raise conflicting judgements. Recent
surveys have demonstrated that many organizations, including listed companies, have no
familiarity with such standards; therefore, they develop unstructured, informal and isolated
risk management processes, which often consider only selected activities or corporate units.

To conclude, the factual situation suggests that standards, guidelines and frameworks of risk
management can be truly effective just in culturally advanced organizations, which deeply
understand the benefits provided by a global and integrated approach of risk management.