Having just returned from the G31000 annual conference where I had a chance to present and participate in a panel discussion, I’d like to share my thoughts on current risk standards and a bit on where we seem to be headed. Full disclosure, this forum I attended promotes ISO31000 (31K), which grew out of the Australian/New Zealand 4360 standard.
For starters, I found the statistics generated by an extensive G31000 sponsored survey nothing short of astounding. Adoption of ISO31000 around the world has reached an all-time high. After getting its DNA from ASZ4360 in the late '90s, with very competent shepherding by Kevin Knight, this most flexible risk “standard” represents a comprehensive guide for practitioners to design and implement customized risk strategies, which would then inform and flesh out their resulting frameworks. Your framework, of course, defines the tactics you would use to “make things happen.” The survey of over 1,800 respondents in 111 countries (with 40% from the U.S., UK and Australia) by G31000, the organization that has helped evolve and perpetuate global use of this standard, reveals that 60% have a clear understanding or some knowledge of 31K while 40% confirmed that they use the standard to guide “all” key decision making in their organizations. Interestingly, 74% said that they believe their professional associations should strongly endorse or recommend 31K as the best standard in order to achieve organizational success.
Contrasting 31K with other common risk standards, the survey showed that twice as many adhere to 31K over COSO ERM, the auditor/accountant designed standard that emerged around the time of Sarbanes Oxley and that, in the opinion of many, frankly derailed early efforts to deploy ERM strategies in favor of the more narrow focus on financial reporting accuracy. Many firms adopted COSO ERM in lieu of others and while useful in many respects, its control environment focus leaves it less flexible and customizable (notwithstanding the recent issuance of the COSO 2013 update of their Internal Controls framework). Interestingly, 40% of respondents claim to have created and use their own “standards,” though I strongly suspect this finding is more likely a reference to risk frameworks since practitioners don’t typically create their own “standards,” however, it is not impossible to do so. After all, if it is self-designed, I would argue it hardly meets the definition of a standard typically externally promulgated.
Disappointingly, results for U.S. respondents reflect a 31K take-up rate that lies in stark contrast to the global take-up rate. Only 20% of U.S. based respondents claim to use 31K, while 12% claim to use COSO ERM. This latter statistic is the more surprising of the two as the longstanding impression among U.S. ERM experts has been that COSO was much more commonly used. All the better however, since migration away from COSO to 31K would be an advisable strategy for those that prefer less prescriptive risk guidance.
Finally, a surprising 43% believe that 31K ought to have certification as a requirement, with only 9% supporting it as a mandate. While on its face, organizational certification may seem useful, I believe users will ultimately regret the way it layers costs and time requirements on organizations whose time and resources can be better applied to the management of risks. Encouragingly, 24% plan to implement 31K in the future, which will undoubtedly only increase its gravitational pull towards even wider adoption over time.
Chris Mandel, SVP, Strategic Solutions