International risk management standards comparison. National risk management standards and principles of their functioning

In addition to international risk management standards, there are also national risk management standards adopted in states with Anglo-Saxon law (Australia, New Zealand, Japan, Great Britain, South Africa, Canada).

Fig. 3 - History of risk management standardization.

Simultaneously with the national management standards, numerous requirements of regulators to build and improve the risk management process of companies related to industry specifics appeared. Among the industry risk management standards, the most well-known are the standards affecting the activities of insurance companies, reinsurance companies (Solvency, Solvency II) and banks (Basel, Basel II, Basel III).

Risk management standards provide for the unification of:

the terminology used in this area;

the components of the risk management process;

approaches to building the organizational structure of risk management.

However, although terminology is unified within each individual risk management standard, the methods and goals of risk management differ from one standard to another. Fig. 3 shows national and international standards whose terminology differs only minimally. Attempting to combine different standards can cause confusion, since their definitions of basic terms differ.

The standard “Risk Management of Organizations. Integrated Model” was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This document provides a conceptual framework for enterprise risk management and gives detailed guidance on how to establish an enterprise risk management system within an organization.

The organization's risk management process as interpreted by COSO consists of eight interconnected components:

1) definition of the internal environment;

2) goal setting;

3) determination (identification) of risk events;

4) risk assessment;

5) risk response;

6) controls;

7) information and communications;

8) monitoring.

Thus, in relation to the definition of the components of the risk management process, the document under consideration follows the understanding of the process already established in the risk management standards.

Fig. 4 - COSO cube.

In world practice, the standard, called the “COSO Cube” (Fig. 4), establishes the relationship between the goals of the organization (strategic, operational goals, reporting and compliance with the law), the organizational structure of the company (levels of the company, division, economic unit, subsidiary) and already identified components of the risk management process.

1. Internal environment

Lays the foundation for an approach to risk management. Includes:

Board of directors;

Risk management philosophy;

Risk appetite;

Honesty and ethical values;

The importance of competence;

Organizational structure;

Delegation of powers and distribution of responsibility;

Personnel management standards.

2. Goal setting

Objectives must be defined before management begins to identify events that may affect their achievement.

The company's management has a properly organized process for selecting and setting goals, and these goals correspond to the mission of the organization and the level of its risk appetite.

3. Risk assessment

Risks are analyzed in terms of their likelihood of occurrence and degree of impact in order to determine what actions need to be taken in relation to them.

Risks are assessed in terms of inherent and residual risk.

4. Identification of potential events

Internal and external events that affect the achievement of the objectives of the organization should be determined taking into account their separation into risks or opportunities.

Opportunities should be taken into account by management in the process of formulating strategy and setting goals.

5. Risk response

Management chooses a risk response method:

Avoidance;

Acceptance;

Reduction;

Transfer (sharing).

The developed measures make it possible to bring the identified risk in line with the acceptable level of risk and the risk appetite of the organization.

6. Control procedures

Policies and procedures are designed and established in such a way as to provide “reasonable” assurance that the response to emerging risk is effective and timely.

7. Information and communication

The necessary information is defined, recorded and communicated in a form and timeframe that enables employees to perform their duties.

Information is exchanged effectively within the organization, both vertically and horizontally.

8. Monitoring

The organization's entire risk management process is monitored and adjusted as necessary.

Monitoring is carried out as part of ongoing management activities or through periodic evaluations.

The Federation of European Risk Management Associations (FERMA) risk management standard is a joint development of the Institute for Risk Management (IRM), the Association for Risk Management and Insurance (AIRMIC) and the National Forum for Risk Management in the Public Sector (ALARM) (2002).

Unlike the COSO ERM Standard discussed above, in terms of the terminology used, this standard adheres to the approach adopted in the documents of the International Organization for Standardization (ISO / IEC Guide 73 Risk Management - Vocabulary - Guidelines for use in standards). In particular, risk is defined by the standard as “a combination of the probability of an event and its consequences” (Fig. 4).

Fig. 5 - Risk management process according to the FERMA standard.

Risk management is seen as a central part of the strategic management of an organization, whose task is to identify risks and manage them. At the same time, it is noted that risk management, as a single system, should include a program for monitoring the implementation of tasks, an assessment of the effectiveness of ongoing activities, and a reward system at all levels of the organization.

In accordance with the FERMA Standard, four groups of organizational risks are distinguished: strategic, operational and financial, as well as hazard risks.

In addition, the document contains:

1. A brief description of the key stages of the risk management process, with particular attention to the requirements for the level of detail in risk reports depending on the consumer of the information (consumers of internal reports are the company's board of directors, an individual structural unit, or a specific employee of the organization; consumers of external reports are the organization's external counterparties). In particular, a company's risk report to external users of information should describe:

the methods of the internal control system, namely the areas of responsibility of the organization's management in matters of risk management;

the methods of risk identification and their practical application in the organization's current risk management system;

the main instruments of the internal control system in relation to the most significant risks;

the existing risk monitoring and tracking mechanisms.

2. A description of the organizational structure of risk management (board of directors - structural unit - risk manager), as well as the main requirements for developing regulatory documents in the field of risk management at the corporate level (the Program for Organizational Risk Management).

The appendix to the standard gives examples of risk analysis methods and technologies used in practice. Experts recognize the Australian and New Zealand Risk Management Standard as one of the most complete and elaborated national standards in the field of risk management. The AS/NZS 4360 standard has a general (non-industry) character; its main provisions have been adapted for building risk management systems by a number of transnational companies.

Fig. 6 - Risk management process, AS/NZS 4360

According to AS/NZS 4360, risk management at the company level is a combination of five successive stages and two end-to-end processes (Fig. 6). At the same time, risk management in the standard is understood as “a set of culture, processes and structures focused on the use of potential opportunities while managing negative impacts”.

Stage 1. Definition of the environment (context)

Among the factors that determine the need for analysis and identification of the internal environment of the company, the following should be highlighted:

Risk management should be carried out in the context of the defined goals and objectives of the organization;

One of the main risks of the company is the occurrence of obstacles in the process of achieving the set strategic, operational, project and other goals;

A clear formulation of the principles of the company's organizational policy and goals will help determine the main directions of corporate policy in the field of risk management;

The goals and objectives of the company by business segments, as well as the targets formed during the implementation of individual corporate projects, should be considered in accordance with the goals of the company as a whole. Within the framework of the risk management stage under consideration, a range of target performance indicators is also determined, a list of elements of the company's strategy, parameters of its functioning, which will be influenced by risk management processes, is compiled, and a balance of possible costs and benefits is ensured (the so-called risk management environment identification stage). Required resources and accounting procedures should also be determined.

Stage 2. Risk identification

At this stage, the risks arising from the characteristics of the external and internal environment analyzed in the previous stage should be identified: all possible sources of risk are considered, as well as the available information on the perception of risk (risk awareness) by stakeholders, both internal to the organization and external. Special requirements are imposed on the quality of information (the highest possible level of relevance, completeness, accuracy and temporal correspondence with the resources available to obtain it) and its sources. It is important that the personnel involved in risk identification have full knowledge of the processes or activities being analyzed. The latter necessitates the participation in this process of special working groups composed of experts of various profiles.

Stage 3. Risk analysis

The result of this stage is the determination of the level of risk, which reflects the assessment of the consequences and probability of risk events. Both quantitative and qualitative analysis are used. The value and significance of qualitative analysis increase considerably when the definition of the risk is formed by a wide range of stakeholders.

Stage 4. Risk assessment

The task of this stage is to make a decision on the acceptability / inadmissibility of the risk (with regard to the acceptable risk, the risk treatment procedures provided for in stage 5 of the considered risk management process are not applied).

Risk assessment involves studying the levels of control over a risk event, the costs of implementing a treatment, and the potential costs and benefits associated with the risk event. The results of the experts' work at this stage may require a revision of the risk criteria established in the first stage of the process (this is how the task of ensuring that all significant risks fall within the scope of analysis is solved).

Stage 5. Risk treatment

At this stage, work is carried out with the assessed and ranked risks for which a decision was made that they are unacceptable (inadmissible) for the company according to the criteria defined in the initial stages of the risk management process under consideration. The alternative risk treatment options are:

The avoidance of risk, carried out either by terminating activities associated with an unacceptable level of risk for the company, or by choosing other, more acceptable areas of activity that meet the objectives of the organization, or by choosing an alternative, less risky methodology in relation to the organization of the process or activity under consideration.

Reducing the likelihood of a risk event and (or) the possible consequences of its occurrence; it is important to bear in mind that a balance must be found between the level of risk and the costs associated with reducing the risk to a given level. When the developed risk reduction approaches are judged to be justified but have high implementation costs, the necessary costs must be budgeted. The procedures recommended under this alternative are: control; process improvement; training and staff development; audit and verification of compliance with established rules.

Sharing risk with third parties. It should be borne in mind that the transferor faces a new risk associated with the inability of the organization that accepted the risk to effectively manage it.

Risk retention. This alternative applies to residual as well as unidentified risks.
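The COSO components above (risk assessment in terms of inherent and residual risk, and the choice of a risk response) and AS/NZS 4360 stages 3 to 5 (analysis, evaluation against acceptance criteria, treatment) can be made concrete with a small risk register. The following is an added example written for this page; it is not code from either standard or from the article. Everything specific to it is constructed: the five-point likelihood and impact scales, the rule "risk level = likelihood x impact", the risk appetite threshold, the cost/benefit proxy used to decide whether a reduction measure is justified, the decision rule that maps a residual level to one of the four responses, and the sample risks and controls.

```python
"""Added example: a small risk register evaluated in the order the COSO and
AS/NZS 4360 descriptions lay out (analyse, evaluate against appetite, treat).
Scales, decision rule and sample data are constructed for this illustration."""
from dataclasses import dataclass, field

# Constructed five-point ordinal scales; risk level = likelihood x impact (1..25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass
class Control:
    """A proposed treatment measure: how many steps it lowers each score and what it costs."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    annual_cost: float = 0.0


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    expected_loss: float                      # constructed annual loss estimate if untreated
    proposed_controls: list = field(default_factory=list)


def inherent_level(risk: Risk) -> int:
    """Inherent risk: scored before any of the proposed controls are applied (COSO)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_scores(risk: Risk) -> tuple:
    """Residual likelihood and impact after the proposed controls, floored at 1."""
    lik, imp = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    for c in risk.proposed_controls:
        lik = max(1, lik - c.likelihood_reduction)
        imp = max(1, imp - c.impact_reduction)
    return lik, imp


def residual_level(risk: Risk) -> int:
    lik, imp = residual_scores(risk)
    return lik * imp


def control_cost(risk: Risk) -> float:
    return sum(c.annual_cost for c in risk.proposed_controls)


def avoided_loss(risk: Risk) -> float:
    """Constructed proxy for the benefit of treatment: the share of the expected loss
    removed by moving from the inherent to the residual level."""
    inherent = inherent_level(risk)
    return risk.expected_loss * (inherent - residual_level(risk)) / inherent


def treatment(risk: Risk, appetite: int) -> str:
    """Map a risk to one of the four response options against the appetite threshold.
    The rule itself is constructed for the example, not taken from a standard."""
    if inherent_level(risk) <= appetite:
        return "retain"        # already within appetite: accept as is
    lik, imp = residual_scores(risk)
    if lik * imp <= appetite and control_cost(risk) <= avoided_loss(risk):
        return "reduce"        # controls bring it within appetite at a justified cost
    if imp == IMPACT["catastrophic"]:
        return "avoid"         # impact cannot be brought down: stop the activity
    return "share"             # residual still above appetite: transfer part of it


def evaluate_register(risks, appetite: int):
    """Stages 3-5 in one pass; rows are ranked so the largest inherent exposures come first."""
    rows = [{
        "risk": r.name,
        "inherent": inherent_level(r),
        "residual": residual_level(r),
        "control_cost": control_cost(r),
        "treatment": treatment(r, appetite),
    } for r in risks]
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


# Constructed sample register (names, scores and costs are illustrative only).
SAMPLE_RISKS = [
    Risk("Phishing leads to credential theft", "likely", "major", 200_000.0,
         [Control("MFA on all remote access", 2, 1, 20_000.0),
          Control("Awareness training", 1, 0, 5_000.0)]),
    Risk("Ransomware on unsupported legacy server", "almost certain", "catastrophic", 500_000.0,
         [Control("Network segmentation", 1, 1, 30_000.0)]),
    Risk("Card data stored in plaintext", "likely", "catastrophic", 1_000_000.0,
         [Control("Encryption at rest", 1, 0, 15_000.0)]),
    Risk("Office printer outage", "possible", "minor", 2_000.0),
]
RISK_APPETITE = 6   # constructed: levels up to 6 are accepted without treatment

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_RISKS, RISK_APPETITE):
        print(row)
```

Running it ranks the ransomware risk first (inherent 25, residual 16, "share"), then the plaintext card data (residual impact still catastrophic, so "avoid"), then phishing (residual 3 within appetite and control cost below the avoided loss, so "reduce"), and last the printer outage, which is retained as is. The point of the cost check in `treatment` is the balance AS/NZS 4360 stage 5 asks for: a control that brings the level within appetite but costs more than the loss it removes is not funded automatically.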

Conclusion

Despite the differences in the goals and methods of risk management, each standard states the need for the continuity of risk monitoring and control processes.

Risk assessment is an integral part of risk management, which provides a structured process to identify which organizational objectives may be affected by risks. Risk assessment is used to analyze risks in terms of consequences and their likelihood, before an organization decides on further action, if required.

Risk assessment provides decision makers and responsible parties with a clear understanding of the risks that may affect the achievement of objectives, as well as information on the adequacy and effectiveness of controls. The standard provides a basis for deciding on the most appropriate approach and will be used to make decisions for specific risks as well as to choose between different options.

Choosing a particular standard as the main one for an enterprise is a serious task; sometimes an organization uses several standards at the same time, which leads to uncertainty in its risk management processes. Choosing a risk management standard, or a balanced extension of one, requires a detailed understanding of the requirements of each standard and of how they are applied (implemented) in practice, and also depends on the level of maturity of both the risk management processes and the organization's information technology management processes.





Currently in Russia there are a huge number of state standards, of which only a small proportion, less than 1%, are standards associated with entrepreneurial risks, even though this type of risk is extremely important for any business entity. World practice in risk management regards a standard as a model worth striving for. There are few standards in the field of risk management. At the same time, the roots of the existing Russian risk management standards, as well as of a huge number of recommended industry practices, come from abroad and are founded on the principles of foreign practice.

To gain a general understanding of risk management standards, you need to become familiar with some of them: the FERMA standard, some of the postulates of the Sarbanes-Oxley Act, the COSO II standard and the South African standard KING II.

The FERMA risk management standard was developed jointly by The Institute of Risk Management in the UK, The Association of Insurance and Risk Managers and The National Forum for Risk Management in the Public Sector, and was adopted in 2002. The scheme laid down in the document serves as the basis for implementing a risk management system. These risk management standards contain: a definition of risk and of risk management, an explanation of internal and external risk factors, the risk management processes, risk assessment procedures, risk analysis methods and technologies, risk management activities, as well as the responsibilities of the risk manager. According to this document, risk is considered as a combination of the probability of an event and its consequences, and risk management is considered a central part of the strategic management of an organization. For example, according to the FERMA standard the main functions of a risk specialist are the development and implementation of a risk management program, coordination of interaction between the organization's various structural divisions, development of programs to reduce unplanned losses, and organization of measures to maintain the continuity of business processes. The main idea of this standard is that adopting the standard is necessary to reach agreement on the terminology used, the process of practical application of risk management, the organizational structure of risk management, and the goals of risk management. It is especially important to understand that risk management is not just a tool for commercial and public organizations, but a guide for any action (both in the short and in the long term).

One of the few legally approved standards in the field of risk management is the Sarbanes-Oxley Act. This law deals primarily with issues of internal control and the reliability of financial statements, and also indirectly regulates the risk management process. The law does not provide guidance on the development of specific financial control procedures. The standard proposes the analysis of incoming data on the progress of processes and the verification of compliance through an audit.

In 2001, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), together with PricewaterhouseCoopers, initiated a project to develop the principles of risk management (Enterprise Risk Management - Integrated Framework). According to the developed principles, risk management is a process that covers all the activities of an enterprise and involves employees at various levels of management; a tool for achieving the set strategic goals; a technology for identifying and managing risks; and a way of insuring the enterprise's activities against possible errors by management or the board of directors.

The South African standard "KING II" is a collection of standard solutions from risk management practice; it is constantly updated and serves as a training manual for risk managers. This standard is not tied to a specific business or corporate governance model, but at the same time the ideology of the process and the desired stages are clearly expressed. Thus, careful adaptation of its procedures to the specifics of a particular company can lead to the desired result.

It must be said that most of the analyzed standards - "COSO II", "FERMA" - operate on the basis of agreement among their participants. One of the few statutory standards for risk management is the Sarbanes-Oxley Act. But even this law does not guarantee the success of actions and procedures.

However, as practice shows, the existing foreign standards for building a risk management system are poorly applicable, or only partially applicable, in Russian reality. Therefore, in the Russian Federation, their own standards in the field of risk management were developed on the basis of the foreign ones, and we will dwell on these in more detail.

The standards of the 51901 series “Risk Management” provide general guidelines for applying risk management in an enterprise and contain a methodology for using various risk assessment methods, taking into account the specifics of applying a particular method to individual economic risks. In particular:

GOST R 51901.1-2002 “Risk management. Risk analysis of technological systems” establishes guidelines for the selection and implementation of risk analysis methods, mainly for assessing the risks of technological systems;

GOST R 51901.2-2005 “Risk management. Reliability management systems” describes the concepts and principles of a reliability management system, defines its main processes (planning, resource allocation, management and adaptation) and the reliability tasks at the stages of the product life cycle related to planning, design, measurement, analysis and improvement;

GOST R 51901.3-2007 “Risk management. Guidelines for reliability management” establishes guidelines for managing reliability in the design, development and evaluation of products and in process improvement;

GOST R 51901.4-2005 “Risk management. Guidelines for use in design” establishes general provisions for risk management in design, its sub-processes and the factors influencing them;

GOST R 51901.5-2005 “Risk management. Guidelines for the application of reliability analysis methods” contains a brief overview of commonly used reliability analysis methods, descriptions of the main methods with their advantages and disadvantages, input data and other conditions of use;

GOST R 51901.6-2005 “Risk management. Reliability improvement program” establishes requirements and recommendations for eliminating weaknesses in hardware and software in order to improve reliability;

GOST R 51901.10-2009 “Risk management. Fire risk management procedures at the enterprise” contains the main provisions of fire risk management and establishes the basic principles for analysing and interpreting fire risk;

GOST R 51901.11-2005 “Risk management. Hazard and operability studies. Application guide” provides guidance on hazard and operability studies using the set of guide words defined in the standard, and on the application of the HAZOP examination method and procedures, including definition, preparation, examination and final documentation;

GOST R 51901.12-2007 “Risk management. Failure mode and effects analysis method” establishes methods for failure mode and effects analysis and for failure mode, effects and criticality analysis, and gives recommendations for their application;

GOST R 51901.13-2005 “Risk management. Fault tree analysis” establishes the fault tree analysis method and contains guidance on its application;

GOST R 51901.14-2007 “Risk management. Reliability block diagram and Boolean methods” describes methods for constructing a system reliability model and using it to calculate reliability and availability indicators;

GOST R 51901.15-2005 “Risk management. Application of Markov methods” establishes guidelines for applying Markov methods to reliability analysis;

GOST R 51901.16-2005 “Risk management. Reliability growth. Statistical criteria and evaluation methods” describes models and quantitative methods for estimating reliability growth from system failure data obtained under the reliability improvement program; these procedures allow point estimates, confidence intervals and hypothesis tests to be determined for a system's reliability growth characteristics.

Thus, the standards of the 51901 "Risk Management" series describe in detail the use of various methods and approaches to assessing and analyzing risks, aimed specifically at their practical implementation and use in the enterprise. For clarity, many standards consider practical examples.

The risk management standards of the IEC and ISO series are based on translations of international standards developed by the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO). The main areas of ISO standardization are industries: mechanical engineering, chemistry, ores and metals, information technology, construction, medicine and healthcare, the environment, and quality assurance systems. IEC standards are more specific than ISO standards and more suitable for direct application. The IEC attaches great importance to the development of safety standards; the main goal of standardization in the field of safety is to find protection against various kinds of danger.

IEC activities cover: injury hazards, electric shock hazards, explosion hazards, equipment radiation hazards (including ionizing radiation), biological hazards, and so on. For example, GOST R IEC 62305-1-2010 “Risk management. Lightning protection. Part 1. General principles” establishes general principles of lightning protection for buildings, structures and their parts, including the people in them, the utility networks connected to the building (structure) and other objects; GOST R ISO 17776-2010 “Risk management. Guidelines for the selection of methods and tools for hazard identification and risk assessment for offshore oil and gas production installations” describes the main methods recommended for hazard identification and risk assessment in the development and operation of offshore oil and gas fields, including seismic exploration, topographic surveys, exploration and development drilling, field development (including provision of resources), and the decommissioning and disposal of related equipment; GOST R ISO 17666-2006 “Risk management. Space systems” establishes principles and requirements for integrated risk management in a space project, on the basis of which each project participant at every level (customer, first-level supplier, lower-level suppliers) implements the integrated enterprise policy in the risk management system during the project; GOST R IEC 61160-2006 “Risk management. Formal design review” provides guidance on performing design review procedures as a means of stimulating product and process improvement; it establishes guidance for planning and conducting project reviews and describes in detail the participation of reliability, maintenance and repair specialists in the analysis.

The ISO/IEC Joint Programming Committee distributes responsibility between the two organizations on issues concerning related fields of technology. The standards developed by the committee include ISO/IEC 16085:2006 “Systems and software engineering. Life cycle processes. Risk management” and the identical GOST R ISO/IEC 16085-2007 “Risk management. Application in the life cycle processes of systems and software”, which establishes a risk management process for the acquisition, supply, development, operation and maintenance of software.

In addition to the listed standards related to the management of economic risks, there are also specialized ones that regulate the process of risk management in such areas as medicine, ecology, information technology, etc.

Nowadays, professionals have come to realize that in order to create an effective risk management system, a common regulatory framework for organizations' risk management systems needs to be developed. But because there are many ways to achieve this goal, it is almost impossible to combine all areas in a single document. That is why the existing risk management standards are not intended to be normative. However, by following the components of the standards considered and choosing among the various ways and methods, organizations will be able to achieve their risk management goals.


Risk management as a management technology over the past 10-15 years has been experiencing a period of its active development abroad and in Russia. Of particular importance is the issue of developing a common understanding of the purpose and objectives of the risk management system, the terminology used, the organizational structure and the risk management process itself, adapted to modern Russian conditions. World practice offers one of the universal approaches to solving this problem - unification and standardization in the field of risk management.

According to the definition of the International Organization for Standardization (ISO), a standard is a normative document developed on the basis of consensus, adopted by a body recognized at the appropriate level, which establishes, for general and repeated use, rules, general principles and characteristics relating to various types of activities or their results, and which aims to achieve an optimal degree of order in a particular area. Standards should be based on the generalized results of science, technology and practical experience and be aimed at achieving optimal benefits for society.

In recent years, there has been a clear tendency in a number of countries, including Russia, to replicate risk management standards first developed 10–15 years ago that relate mainly to man-made hazards. These include GOST 27.310-95 “Analysis of failure types, consequences and criticality”, GOST R 51901-2002 “Reliability management. Risk analysis of technological systems”, GOST R 51897-2002 “Risk management. Terms and definitions”, as well as the GOST ISO/TO 12100-1 and 12100-2-2002 standards “Safety of machinery. Basic concepts, general principles for design” and others.

Further examples are GOST R 51901.2-2005 “Risk management. Reliability management systems”, GOST R 51901.13-2005 “Risk management. Fault tree analysis” and a number of others. Within 5–6 years, 8 risk management standards were developed, and this work is far from complete. In 2009 a new standard was prepared and it was adopted in August 2010: ISO 31000 “Risk management. Principles and guidelines on implementation”.

Consultants in the field of risk management operating in the Russian market pay increased attention to the document “Risk Management of Organizations. Integrated Model” developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The Russian Risk Management Society, in addition to the COSO recommendations, considers the Federation of European Risk Management Associations (FERMA) Risk Management Standard, which is a joint development of the Institute for Risk Management (IRM), the Association for Risk Management and Insurance (AIRMIC) and the National Forum for Risk Management in the Public Sector (ALARM) (2002).
