Risk management is a must in today’s global economy
by Sandford Liebesman
The global economy has provided organizations with many opportunities that didn’t exist even 10 years ago. On the other hand, the internet and extensive outsourcing from the United States to countries such as China and Mexico have "flattened" the Earth, presenting organizations with many new risks.
The designers of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, the guidance document commonly used to ensure compliance to the Sarbanes-Oxley Act (SOX), recognized as early as 1992 the importance of risk management by including it as one element of the system of internal control. Now, ISO 9001 developers are including risk in the 2015 revision.
There is an assessment process that can be used to manage risk to an organization’s objectives. The process consists of defining the objectives, specifying the risks to the objectives and defining methods of managing the risks. The objectives should be measurable so the effect on them can be determined.
Risk and analysis
Four types of risk worry an organization:
- Strategic risk is concerned with the inability to achieve high-level goals. To assess it, management should consider technology changes, creditors’ demands, competitors’ actions, economic and political conditions, and customer needs.
- Operational risk concentrates on factors that prevent the efficient use of resources. Factors include the management system, customer satisfaction, the supply chain, revenue recognition, natural disasters, information security risks and the logistical risks of homeland security.
- Compliance risk affects the ability to conform to legal and regulatory requirements. These risks focus on financial, environmental, health and safety, and security factors. Government mandated environmental, health and safety requirements cause concern because of the risk of fines, shutdowns or criminal prosecution. There is also a concern about conformance to quality and environmental standards and specifications.
- Organizational risk is based on the organization’s structure and is found on two levels—the entity level and the activity level. External factors affecting organizational risks include technology developments, competition and new legislation. Internal factors are information system processing, quality of personnel hired and changes in management responsibilities.
The first step in one particular risk analysis method is to determine the risk appetite and risk tolerance. This is necessary so all who are part of the organization can understand the risk philosophy. Risk appetite is the amount of risk—on a broad level—an entity is willing to accept. Risk tolerance relates to the amount of risk acceptable for each of the entity’s specific objectives.
After this is decided, there are tools to determine the risk level and manage the risks of concern. One key tool is an organization’s set of financial and quality controls. A control is a tool that can be used to identify and manage risks. These are especially important for using the COSO guidance to comply with SOX and will be important for certification to the next revision of ISO 9001.
Financial controls are set up in accordance with generally accepted accounting principles. They provide reasonable assurance that transactions are recorded as necessary and include accurate maintenance of records. They also may be used to provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition or disposition of assets or other examples of fraud.
Quality controls are built around quality records and decision points. In ISO 9001, controls appear as "shall" statements. For example, clause 5.6.1 requires top management to "review the organization’s quality management system at planned intervals, to ensure its continuing suitability, adequacy and effectiveness."
SOX compliance includes financial controls at the entity and activity levels. The controls are used in a top-down, risk-based approach defined in the Public Company Accounting Oversight Board auditing standard AS5 and the Securities and Exchange Commission management guidance.
Examples and tools
Let’s look at an example of risk management at a teaching hospital [1]. One of the major risks at hospitals is patient falls, which are a major contributor to the average length of stay. The Joint Commission, which accredits healthcare organizations, has developed tools to help manage risk and requires use of the tools to maintain accreditation. When the teaching hospital conducted a risk assessment and established quality controls, it found that detailed intervention procedures and additional training in fall prevention were required.
As another example of the expansion of the risk management philosophy, all management system standards will now be required to adopt the structure defined in ISO Guide 83. This will directly affect ISO 9001 and ISO 14001, as well as other International Organization for Standardization (ISO) standards. In ISO 9001, the first three clauses will remain the same as in ISO 9001:2008, but clauses 4 to 10 will be different. Clause 6 is the one that will include risk management.
ISO 9001 and the COSO internal control guidance document are both used to comply with the requirements of SOX. While they cover different activities in an organization, both current versions need updating.
COSO is a management system that was originally developed in the 1980s in response to the savings and loan scandal. It is used for internal control over operations and for compliance to external financial reporting requirements. COSO consists of five elements used to manage systems of internal control:
- Risk assessment: Assessing the possibility that an event will occur and adversely affect the achievement of objectives.
- Control environment: The set of standards, processes and structures that provide the basis for carrying out internal control across the organization.
- Control activities: The actions established by policies and procedures to help ensure that management directives to mitigate risks are carried out.
- Information and communication: Communication occurs internally and externally, and provides information to carry out internal control activities.
- Monitoring activities: Ongoing and separate evaluations are used to determine whether the five components of internal control—including controls that affect the principles within each component—are present and functioning.
The COSO Internal Control—Integrated Framework has been updated from its 1992 framework in the areas of technology, globalization, governance and the integration of controls with risk. The revised framework also specifies 17 principles that represent the fundamental concepts associated with a system of internal control. The principles associated with risk assessment are:
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.
- The organization identifies risks to the achievement of its objectives and analyzes them as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
Organizations should start their risk management development with an open discussion of risk and its effect on the organization. The discussion should cover:
- An overview of the risk management method and common tools.
- A case study illustrating use of the method.
- A preliminary look at the new ISO 9001 risk management requirements.
It’s also important to understand how the COSO guidance incorporates risk management into an organization, and that the implementation of risk management must be consistent across the organization.
Reference
1. Sandford Liebesman, Competitive Advantage: Linked Management Systems, Paton Professional, 2011.
Sandford Liebesman, president of Sandford Quality Consulting in Morristown, NJ, had more than 30 years of experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia). He is an ASQ fellow and past chair of the Electronics and Communications Division. Liebesman also is a member of the U.S. Technical Advisory Group to ISO Technical Committee 176 and the ANSI Z1 Subcommittee on Quality Management.