Welcome to the session on ‘Understanding Risk Management

Frameworks’.

In this session
By the end of this session, you should be able to:

 Discover the different frameworks available for mitigating risks in your

organisation

 Analyse how organisations can enhance their ability to manage uncertainty

and improve their understanding of opportunities through the COSO framework

 Examine how organisations can better identify opportunities and threats, and

do so effectively using the ISO 31000 framework

Introduction to Risk
Management Frameworks
“It is not the beauty of a building you should look at; it's the

construction of the foundation that will stand the test of time.”

- David Allan Coe

Throughout our lives, we learn many lessons, study new concepts and

understand different meanings. All of our understanding and learning

experiences are dependent upon the firmness of our foundation, that is, our

fundamentals.

These fundamentals establish a platform on which we build our advanced

knowledge. If these fundamentals shake, so will our understanding, which

stands with their support.

 Similarly, a framework acts as a fundamental to the foundation of an

organisation. A framework provides an organisation the foundation for

expanding any knowledge. Frameworks are also used effectively to develop

and implement an enterprise risk management (ERM) process.

learnt the meaning of a framework and saw the widely used ERM

frameworks: COSO and ISO 31000.

In the video, you learnt that a framework is a basis, a foundation on which

one can build something. In risk management, an ERM framework is a

common methodology, which one can follow and use for developing a risk

management process.

There exist numerous frameworks to implement an ERM process. However,

the COSO and ISO 31000 frameworks are used most widely.

The COSO ERM and ISO 31000 frameworks cover, in great detail, all the

aspects of ERM, including reporting, compliance, strategy and operations.

Organisations can implement one or both the frameworks to significantly

reduce the risks they are exposed to.

COSO

 The COSO framework was developed by the Committee of Sponsoring

Organizations of the Treadway Commission.

 It is geared towards audit and financial entities.

 It is primarily used in North America.

 It broadly focuses on corporate governance as an ERM enabler.

ISO 31000
 The ISO 31000 framework was developed by the International Organization

for Standardization.

 It is used across the world and across various industries.

 It focuses exclusively on risk management as a part of overall strategic

planning.

In addition to COSO and ISO 31000, you also learnt about COBIT and saw its

relevance for IT firms.

Having learnt the meaning of a framework and have also learnt about COSO

and ISO 31000, the two widely used ERM frameworks, in the next segment,

you will learn about the differences between COSO and ISO 31000

Introduction to Risk Management Frameworks

Richard Industries, a North America-based firm, provides audit and financial services.
The company has taken the initial steps to implement the risk management process. It
has created an internal audit department that is responsible for risk identification, risk
assessment and risk mitigation, with its risk culture is enforced by policies.

Which framework is Richard Industries' risk management process more inclined

towards?

COSO

✓ Correct
Feedback:

Richard Industries’ risk management process includes characteristics of the

COSO framework. It broadly focuses on corporate governance, and the firm is
located in North America.

Introduction to Risk Management Frameworks

Info Globe Ltd., an advisory firm, provides various services such as digital marketing,
financial consulting, product development and change management. Financial
consulting contributes to 10% of its total business.

The board of directors and the senior management are extremely involved in the risk
management process of the company; this helps them in improvising their strategic
planning. Info Globe has an integrated risk management framework that is used
across the business units of the organisation.

To which framework is Info Globe Ltd.’s risk management process more inclined?
ISO 31000

✓ Correct
Feedback:

Info Globe Ltd.’s risk management process is focussed on risk management as

part of the overall strategic planning and is used across business units.

COSO vs. ISO 31000

In the previous segment, you learnt that the COSO and ISO 31000

frameworks cover all the aspects of ERM in great detail. Organisations can

implement the most suitable framework based on their attributes to

significantly reduce the risks they are exposed to.

But which framework is the most suitable for an organisation’s ERM process

and which one would benefit them the most?

In the forthcoming video, you will learn about the key differences between

the COSO framework and the ISO 31000 framework

No single framework is right for a company. Many companies, thus, take the

attributes of both the frameworks when developing their ERM programs.

 Having learnt about the advantages and limitations of the COSO and ISO

31000 frameworks, in the next segment, we will look at the ISO 31000

process.

COSO Vs ISO 31000

Fill in the blank with the correct option from those given below.

At H&M, the Swedish retail brand, the board of directors handles the company’s
internal control and risk management. The overall aim of the internal control is to
safeguard the company’s assets and, consequently, its shareholders’ investment. This
is to ensure that the business is managed in the most appropriate and effective
manner possible, that there is reliable financial reporting and compliance with
applicable laws and regulations.

Based on the given information, H&M’s risk management process is more inclined
towards the ____________ framework.

COSO

✓ Correct
Feedback:

H&M’s risk management process is targeted at internal audit and accounting and
has a broad focus on corporate governance, which is a characteristic of the COSO
framework.

COSO Vs ISO 31000

McDonald's’ internal control over financial reporting includes policies and procedures
that:

 Pertain to the maintenance of records that, in reasonable detail, accurately

and fairly reflect the transactions and dispositions of the assets of the company;
 Provide reasonable assurance that transactions are recorded as necessary to
permit preparation of financial statements in accordance with generally accepted
accounting principles, and that receipts and expenditures of the company are being
made only in accordance with the authorisation of the management and the directors
of the company; and
 Provide reasonable assurance regarding the prevention or timely detection of
unauthorised acquisition, use or disposition of the company’s assets that could have a
material effect on the financial statements.
Source: https://corporate.mcdonalds.com/content/dam/gwscorp/nfl/investor-relations-
content/annual-reports/2019%20Annual%20Report.pdf

Based on the given information, McDonald’s’ risk management process is more

inclined towards the ____________ framework.

Fill in the blank with the correct option from those given below.

COSO

✓ Correct
 Feedback:

McDonald's' risk management process is targeted at internal audit and

accounting and has a broad focus on corporate governance.

ISO 31000:2009 Process

In the previous segment, you learnt about the ISO 31000 framework, its

advantages and disadvantages. Now, in this segment, you will learn more

about the ISO 31000 framework, which is used worldwide and by different

organisations.

But before proceeding further, why do you think these organisations use this

framework? How can organisations of different types benefit from the same

framework?

This boils down to all the organisations having a common base to risk

management, and this base is created through the process of the ISO 31000

framework.
ISO 31000
After tests revealed high levels of lead and MSG, India's Food Safety Administration
(FDA) instructed Nestlé India to recall its famous 2-minute Maggi noodles by the end
of May 2015. The company was aware of the repercussions of having higher than
permissible levels of these components in its product.

The multinational FMCG company initially denied the allegations that the noodles were
unsafe, stating on their official social media pages that no request to recall any goods
had been issued.

Lead content found in Maggi samples sent in the consumer market for consumption is
a sign of ___________ failure.

Fill in the blank with the correct option from those given below.

Risk monitoring

✓ Correct
Feedback:

Maggi did not perform accurate quality checks of its product samples. Even
though the risk had been identified, it was not monitored properly, which led to
the huge debacle.

Implementation of an
ERM framework: Case
Study
 “If knowledge is not put into practice, it does not benefit one.”

- Muhammad Tahir-ul-Qadri

Now that you have gathered knowledge on the different ERM frameworks, in

this segment, we will analyse them through a case study. Such an analysis

will help you to comprehend the applicability and benefits of ERM

frameworks in real life.

the organisation functioned as a decentralised manufacturing company, with

operations running across the globe. It faced certain risk management

challenges. Its decentralised and autonomous nature made it difficult to

identify and manage risk.

The company took these steps to mitigate risk:

 Education: It educated the senior management on the need for an integrated

ERM process.

 Process design: It developed a global risk process using the attributes of the

ISO and COSO frameworks.

 Stakeholder buy-in: It presented the process to various global operation

groups for comment and buy-in.

 Rollout plan: It developed a plan for rollout, including the formation of

operational and global risk committees.

 Risk identification: It performed a risk identification process through

surveys and brainstorming sessions.

During the implementation of the ERM process, the company faced two main

challenges:
 It faced difficulty coordinating among different time zones for

scheduling meetings since all of its employees were scattered around the world, due

to its global operations.

 It faced difficulty gaining buy-in from some of the operations areas.

One key rebuttal that the concerned stakeholders raised was to question the need of

using an ERM framework given the company had been able to succeed so far without

it.

Nevertheless, the company managed to resolve these issues and

implemented its ERM process to manage risk:

 Periodic reviews: It conducted periodic reviews wherein operational risk

committees met quarterly to review top risk-mitigation strategies and discuss

emerging risks.

 Global ERM plan: It implemented a global ERM plan wherein risk

assessments were conducted annually. The required information was reported to the

global risk committee for review purposes and assessment of corporate risk profile

was also undertaken.

 Proactive ERM: It developed and implemented an emerging risk process to

mitigate emerging risks of the company.

Session Summary
This session covered the following topics:

1. Enterprise risk management (ERM) is an important component of any

business. The COSO and ISO 31000 frameworks cover all the aspects of ERM in

great detail, including reporting, compliance, strategy and operations. Organisations

 can implement one or both the frameworks to significantly reduce the risks they are

exposed to.

2. COSO

 The COSO framework was developed by the Committee of Sponsoring

Organizations of the Treadway Commission.

 It is geared towards audit and financial entities.

 It is primarily used in North America.

 It broadly focuses on corporate governance as an ERM enabler.

3. ISO 31000

 The ISO 31000 framework was developed by the International Organization for

Standardization.

 It is used across the world and across various industries.

 It focuses exclusively on risk management as a part of overall strategic planning.

4. The ISO and COSO ERM frameworks have certain advantages and

disadvantages, which are listed below.

COSO Versus ISO 31000

1. The session also discussed the ISO 31000:2009 process, which is depicted

below.
 ISO 31000

1. Implementation of the ISO 31000:2009 process offers certain advantages,

which are listed below

ISO 31000

1. Through a case study, you learnt how an ERM process is implemented. In the

case study, the company took these steps to mitigate risk:

 Education: It educated the senior management on the need for an integrated ERM

process.

 Process design: It developed a global risk process using the attributes of the ISO

and COSO frameworks.

 Stakeholder buy-in: It presented the process to various global operation groups for

comment and buy-in.

 Rollout plan: It developed a plan for rollout, including the formation of operational

and global risk committees.

 Risk identification: It performed a risk identification process through surveys and

brainstorming sessions.

2. The company then implemented its ERM process to manage risk:

 Periodic reviews: It conducted periodic reviews wherein operational risk

committees met quarterly to review top risk-mitigation strategies and discuss

emerging risks.

 Global ERM plan: It implemented a global ERM plan wherein risk assessments

were conducted annually. The required information was reported to the global risk

committee for review purposes and an assessment of the corporate risk profile was

also undertaken.

 Proactive ERM: It developed and implemented an emerging risk process to mitigate

emerging risks of the company.

Graded Assessments
Q1) Healthcare Group, a pharmaceutical firm, takes a methodical outlook to enterprise
risk management. Throughout its value chain, from the early identification of new,
promising compounds to the manufacture and distribution of drugs to patients, it is
constantly exposed to risks. In the pharmaceutical industry, certain uncertainties are
inevitable, such as delays or failures of promising new drugs in the R&D pipeline.
Other challenges, such as supply disruptions and competitive threats, are well known
to every global manufacturing organisation.
R&D risk, supply chain risk, safety and quality risks, commercialisation risk, security
risk, financial risk and regulatory risk are some of the most significant threats that it
faces.

Based on the given information, which framework is Healthcare Group more inclined to
use as a base in its risk management process?

ISO 31000

✓ Correct
Feedback:

ISO 31000 is used worldwide by different organisations exclusively focussing on

risk management as part of the overall strategic planning. Healthcare Group’s
risk management process is focussed exclusively on risk management as part of
the overall strategic planning.
Q2) Honeywell International is a Fortune 100 company in America that invents and
manufactures technologies to address tough challenges linked to global macrotrends
such as safety, security and energy. The organisation faces various risks such as credit
and market risk, foreign currency risk management, interest rate risk
management and the fair value of financial instruments.

They have an internal risk committee that is responsible for financial risk and
implemention of the risk management strategy, which is created based on discussions
with the board of directors and the senior management.

Based on the given information, which framework is Honeywell more inclined to use as
a base in its risk management process?

COSO

✓ Correct
Feedback:

COSO is targeted at internal audit and accounting and has a broad focus on
corporate governance. Honeywell International’s risk management process is
targeted at internal audit and accounting and has a broad focus on corporate
governance.