Posts Tagged ‘4360’

More subdued view of ISO 31000

December 3, 2009

Chris McClean, who blogs for Forrester, reminds us that ISO 31000 will not be a game-changer nor start a revolution in the immediate future. He agrees with many that organizations will benefit from a “commonly accepted risk vocabulary and a clearly defined process framework for risk management”; however, “the biggest hurdles in risk management do not usually come from a misunderstanding of concepts, but rather from a difficulty translating those concepts into practical tools and processes.” As your Riskczar, I am not one to get too excited by a framework, but it’s nice that 31000 is getting some well-deserved attention.…

COSO ERM book is like an 8-Track player

November 24, 2009

I have to give my props to Harry Cendrowski and William C. Mair of Cendrowski Corporate Advisors for writing a book about enterprise risk management, but writing one titled “Enterprise Risk Management and COSO: A Guide for Directors, Executives, and Practitioners,” with the word “COSO” right there in the title, is troubling to me. The authors note: “Two comprehensive foundations for risk assessment developed by the Committee of Sponsoring Organizations of the Treadway Commission – COSO’s ‘Internal Control–Integrated Framework’ and the ‘Enterprise Risk Management–Integrated Framework’ – serve as the foundation for detailed chapters on risk management.” I don’t know…

Internal audit is not risk management even in New Zealand

November 19, 2009

Keeping with today’s theme, “internal auditors are not risk managers”, here’s something I quite enjoyed, courtesy of a report from Marsh in New Zealand called The 2008 State Sector Risk Management Practices Report. On page 17 it reads: Internal Auditors play an important role in evaluating the risk management processes of an organisation and advocating their continued improvement. However, to preserve its organisational independence and objective judgement, Internal Audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk management function. Internal auditors typically perform an annual risk…

I’ll review ISO 31000 if you send me a copy

November 19, 2009

It looks like the long-awaited new International Standard, ISO 31000:2009, Risk management – Principles and guidelines, is finally out and can be yours for only CHF 112, or about USD 110 or CAD 116. Here’s the link to the press release: http://www.iso.org/iso/pressrelease.htm?refid=Ref1266 I am fresh out of Swissees these days. If anyone has a copy and would like me to review it for readers of Riskczar.com, please email the PDF to me at riskczar@gmail.com. UPDATE 11/22/09 – Apparently, for copyright reasons, I will need to get my own copy. Thanks Tim and Dave.

Marcano rants about the misuse of “mitigate”

November 2, 2009

I came across a great post by Antony Marcano, who rants about the misuse of the word “mitigate”. (For your information, this post is considered great because I agree with it.) You can read his entire post here: http://www.testingreflections.com/node/view/8138 Mr. Marcano, a “lover of language”, dislikes that “mitigate” is overused as a risk management strategy. As I have written about before, as a fan of 4360 and Felix Kloman, I prefer to use the term “risk treatment” because mitigate is merely one form of treatment. Even Mr. Marcano sort of gets that one wrong, but he is “no…

From AS/NZS 4360 to ISO 31000 – A history lesson

October 23, 2009

A consultant from New Zealand named Chris Peace traces the history of the AS/NZS 4360 standard and the new ISO 31000, due out just in time for Christmas, in this copy of Safety and Health Practitioner dated October 16, 2009. Although the original 1995 edition of the AS/NZS 4360 standard was developed from earlier risk-management ideas and processes, it was nonetheless ground-breaking as the first standard published on risk management. The subsequent 1999 edition added the “communicate and consult” stage, and a number of handbooks on aspects of risk management were also developed, the majority jointly by Australia and New…

ERM policy for United Nations agency

September 14, 2009

It’s nice to see that an agency of the United Nations, the International Fund for Agricultural Development (www.IFAD.org), has an enterprise risk management policy. This one is pretty straightforward, with a good format and definitions. IFAD ERM policy (Riskczar).pdf They claim to be in bed with COSO ERM on this one, but I saw traces of 4360 in there; they used the word “treatment”, which I thought was an Oz/Kiwi thing. See, folks, ERM works any place and for any type of organization.

H. Felix Kloman – COSO ERM vs ANZ 4360 Deathmatch

September 9, 2009

Here’s a 2003 article written by Mr. Kloman where he reviews a draft version (at the time) of 4360 and one of COSO ERM authored by PwC. Although he is not reviewing the final versions, one can still draw similar conclusions. The terms “winner” or “draw” were added by me. Mr. Kloman noted:
4360: Model of clarity (winner)
COSO: Feels like an elephant stepped on me
4360: Just calls it risk management (without the enterprise, business, integrated, holistic, business, etc.) (draw)
COSO: Adds the E to the risk management
4360: Defines risk as: “exposure to the consequences of uncertainty, or…

Risk Management Frameworks are Boring

May 5, 2008

There are plenty of frameworks out there on the Internet that you can read or download for free, so why not just read one of those? Well, first of all, frameworks are boring; people who write policies for a living even think frameworks are boring. The Riskczar suggests you try to read the two most popular ERM frameworks: the COSO ERM Framework and the Australia/New Zealand 4360 Framework. And try to read 4360 first, because it’s shorter than the Executive Summary of the COSO ERM Framework and less boring.
