October 4, 2004 by Canadian Underwriter
The search for a global standard for risk management begins with finding a common language, say speakers at the 29th annual RIMS Canada Conference being held this week in Winnipeg, Manitoba.
“We see the growing emergence of a more common terminology…what that means for you and me is we have to change our language,” says David Mair, president of Risk Excellence and RIMS past president. Management is not going to adopt the language of the risk manager, so the risk manager is going to have to learn the varied dialects of business, “from the tool room to the board room”.
Some international standards are building on this need for definition to achieve enterprise-wide risk management within corporations, points out Kevin Knight, president of the Australian Institute of Risk Management. That country recently published the latest revision of its “4360” risk management standard, which Knight says does borrow some new elements from the Canadian standard relative to the importance of communication, of identifying the broad array of stakeholders and, most importantly, of understanding each stakeholder’s perception of risk. This taps into the need for risk managers to be able to “talk to managers at all levels of an organization”.
Also recently, AIRMIC (the U.K. association for risk managers) published its guidance on ERM, which uses some aspects of the ISO 73 standard, including a definition of risk which highlights that “risk itself is not the consequence”, and does not perceive risk as a wholly negative concept. “If you take no risk, there is no reward,” he notes, something the ISO definition does take into account.
However, Mair notes, the ISO standard is flawed, specifically because it does not have significant input from risk managers from a wide array of sectors. “We [risk managers] are not going to be held accountable for standards that are not ‘ours’.”
Mair also adds that the COSO ERM framework is likely to gain a great deal of attention in the corporate ranks, and while it might not become the “one and only” standard, because its sponsoring organizations are large and varied, it will “find a very broad audience”.
Knight points out that the Australian standard, like the ISO wording, takes a broader definition of risk. “Risk is a chance of something happening that will have an impact on objectives.” It also promotes the concept of risk as a management function, the responsibility of those with the authority to delegate and make decisions. Both speakers point to the need for any standard to reflect the “ownership” of risk at the highest corporate levels, and the link which must exist between a corporation’s risk management strategy and its overall corporate strategy.