
Just as with the Y2K crisis of seven years ago, IT workers are being called upon to don superhero suits and save the enterprise from impending technology trouble. But this time, IT will be sifting through the complexities of the federal Sarbanes-Oxley Act of 2002.

Public Companies over 75 million already need to comply by 12/15/2007...

Will your SMB be Ready?



June 13th, 2007

Framing Your Choices: Weighing Three Risk Management Frameworks

Business can’t survive without taking risks, but those risks must be balanced against opportunities. Risk management frameworks can offer guidance in setting up best practices around enterprise risk management—but the popular COSO shouldn’t be considered the only game in town.

By Linda L. Briggs

Risk management is a red-hot topic in business today, which means that risk management frameworks and standards are also in vogue. As is often true in business, one framework has captured most of the attention, and consequently the mindshare, of US businesses working to get a handle on their risk strategies. That framework is COSO Enterprise Risk Management – Integrated Framework, an enterprise risk management framework commissioned in the early 1990s by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and written by PricewaterhouseCoopers. In the years since its development, and especially recently, COSO Enterprise Risk Management – Integrated Framework has been widely accepted by companies looking for best process guidance around business risk.

But a strong alternative to COSO is offered by a newer risk management framework conceived half a world away: the Australia and New Zealand Risk Management Standard, AS/NZS 4360:2004. AS/NZS 4360 avoids some of COSO’s weaknesses and assesses risk in a more mature and flexible manner. In addition, M_o_R (Management of Risk), from the UK’s Office of Government Commerce (OGC), is a little-known enterprise risk management framework that offers another potential alternative to COSO.

Rather than letting the market make your decision by default, consider taking a closer look at all three of these comprehensive risk management frameworks. We outline them here, along with additional resources so you can make your own choice.

(And lest you think we’re overlooking options like CobiT, ITIL, and ISO 27002, we’ll look at those in a second article that examines risk assessment frameworks and standards.)
