Enterprise Risk Management (Preview)
26 Part 1 – Concepts and Methods

a risk management process that includes risk identification, analysis, evaluation, treatment and reporting. The process also suggests that communication, consultation, monitoring and review take place at all stages of the risk management process. Akin to the COSO ERM framework, the ISO guidelines are not prescriptive. They are intended to help organizations design and implement risk management solutions adapted to their context and needs for value creation and protection. The ISO 31000 Risk Management - Guidelines can be examined online using the search engine available at www.iso.org.

The ISO guidelines advocate that risks should be identified based on the context of the organization, namely its external and internal environments. The guidelines maintain that risks involve both the positive and negative effects of uncertainties on objectives. The objectives may relate to different types of goals “such as financial, health and safety, and environmental goals.” 36 Objectives can also apply at different levels of the organization such as “strategic, organization-wide, project, product and processes.” 37

The ISO guidelines promote the need to implement a comprehensive approach and process to ensure that risks are managed effectively. The guidelines provide a common approach for managing any type of risk, and they can be applied to any kind of organizational activity. 38 The ISO guidelines also propose that risk management can be applied to an entire organization, as well as individually to specific operational areas, functions, activities, programs or projects. The guidelines mention that “the components of the framework and the way in which they work together should be customized to the needs of the organization.” 39 Moreover, the ISO guidelines emphasize that risk management needs to be well integrated with everything else that an organization does.

ORGANIZATIONAL TRANSFORMATIONS

Risk management is a necessity, not a luxury. It is growing in importance and causing shifts in organizational culture. It is also making organizations rethink their governance structures and management practices at the enterprise level, and within management functions and business units. These organizational changes are caused by the growing volume, complexity and significance of risks. They are also caused by the increasing frequency and unpredictability of risks, and the speed or velocity at which risk events unfold. These dynamics are more prevalent than they have ever been. In this context, stakeholders have rising expectations regarding risk management.

Stakeholder Expectations

Organizations are successful when they meet or preferably exceed stakeholder expectations. Stakeholders have varying expectations, but there are many common elements that all stakeholders cherish. These common elements are typically reflected in organizational value statements that demonstrate leadership, trust, integrity, fairness, social responsibility, etc. Risk management helps organizations achieve their mission and vision, improve their performance and operate in a manner that is consistent with their values. Expectations are met by demonstrating leadership in adopting good management practices, providing useful information, complying with regulations and creating value for key stakeholders such as suppliers, employees, customers and investors. For example,