Implementing Enterprise Risk Management consistent with the framework: COSO ERM or ISO 31000?


by: Rama Kurnia

Today, risk management is one of the essential practices an organization must implement to achieve its objectives. Risk cannot be eliminated entirely, or eliminating it would cost more effort than the benefit the organization would gain. The logical way to face risk is to manage it. Several risk management frameworks are in general use by organizations:

  1. COSO Enterprise Risk Management – Integrated Framework (COSO ERM), released in 2004. The framework is an expansion of the COSO Internal Control – Integrated Framework. It starts by supporting the organization's mission and connects the process through the main risk categories (strategic, operations, reporting, and compliance), cascaded to every level of the organization.
  2. ISO 31000:2009, released in 2009, consists of 3 (three) main clauses: the Principles, which have to be implemented as the basic foundation; the Framework, which runs seamlessly from management commitment through continual improvement; and the Process, which runs from risk identification, through analysis and treatment, to monitoring of the results.

From this comparison we can see 2 (two) important things:

  1. Both follow a similar way of managing risk, starting from identification, through assessment, to the way the risk is treated, and then monitoring of the whole process. Both frameworks can be implemented in various kinds of organization, but they have to be tailored to align with the organization's objectives.
  2. The most important thing for an organization that wants to implement a standardized risk management framework is consistency. It is the primary concern, because once the organization adopts one of the frameworks, its implementation needs to be measured and reviewed against that framework. Consistency in applying the standard also helps the organization reveal its areas for improvement.

When the organization is able to implement risk management, it will benefit in several ways:

  1. Building awareness of risk management among all the internal stakeholders of the organization, by considering risk in every activity
  2. Helping the internal audit department perform better risk-based auditing, since it will focus on the identified significant risks and the appropriateness of control activities
  3. Creating seamless risk identification and risk treatment between the risk owner, the risk management department, and internal audit, to support the organization in achieving its objectives

Implement the framework consistently and get the benefit.
Rama Kurnia

Certified Internal Auditor | Internal Audit Specialist at SKK Migas

7 years ago

Hahaha, thanks Richard.. we're both still guarding the goal.. though now it's GRC.. thanks Mr. Yudhi

Yudhi Purnama

Finance Specialist in International Non-Profit Organization

7 years ago

nice, keep on writing..


Great stuff, bro Rama... a goalkeeper on campus, internal control at work. Cheers, Richard

