Your Risk Management Magazine
Global standard obstacles remain


AUSTRALIA’S REPRESENTATIVES on the working group writing the new international risk management standard are confident there is now enough support for it to become a reality early next year, but it is uncertain whether it will supplant the competing COSO ERM Integrated Framework, which has been implemented extensively in US companies.

The national standards bodies from each country can vote for ISO standards. However, for the standard to be approved a majority of those need to agree, as well as two-thirds of the 26 countries that have been active in the development of ISO 31000.

“Before we went out with the current stage of the draft standard, we certainly had two-thirds of the participating members,” said Kevin Knight, chair of the ISO working group developing the draft ISO 31000 standard. “So I don’t envisage it not succeeding, but until we have had the vote we won’t know.”

The next round of voting and submissions on the latest draft are due this month, and after consideration of further comments, the results should be known by September, according to Australia’s nominated expert to the working group, Grant Purdy.

The working group will then determine what changes to include for the final draft, which is to be voted on by December following the working group’s final meeting in November.

Purdy said that based on an initial vote on the draft late last year and submissions, he was confident there would be a new ISO 31000 by early next year.

Both he and Knight say that if it does become an international standard, 31000 will consign the Australia/New Zealand Standard 4360 to history, but they are also keen to see it supersede any equivalent national and international standards, including its main rival, the COSO framework.

In a submission sent to Standards Australia in May, the Australian branch of a sponsoring organisation of COSO, the Institute of Internal Auditors-Australia, said COSO “is the current recognised authority document on ERM globally” and that “a competing standard is likely to cause significant confusion and frustration by users” when they have already invested heavily in enterprise risk management frameworks based on COSO.

It calls for “harmonisation” between the two, with either changes to COSO, the ISO draft standard, or both.

One senior risk and audit professional told Risk Management they already used 4360 for certain aspects of their business, but were yet to be convinced that the new international standard had gone far enough to also displace COSO.

But Purdy said that even if COSO co-exists with ISO 31000, it now seems likely that it is the COSO standard that will need to conform with the ISO standard.

“There’s a lot of bad press about the COSO,” Purdy said. “We know there are technical problems with COSO: the problem of analysing likelihood before consequence and ending up with phantom risks, [for instance], the lack of a good definition of risk and the fact that risk is only considered to be negative events,” he said.

He said another critical difference is that COSO is overly focused on internal “reporting” of risks, rather than “treating” risk, both internal and external. This was because it had been adapted from an internal control standard and was associated with the Sarbanes Oxley legislation that followed the corporate collapses of Enron and WorldCom.

“Some have really perpetuated the false belief that if you report a risk, it goes away,” he said. “It can create a culture that people don’t even bother treating a risk providing that they have reported it upward.”

But one of the biggest problems identified with COSO, he said, was the “lack of practical guidance on how to implement its form of ERM”.

By contrast, Purdy said the new international standard was largely self explanatory and companies would require little further guidance from external consultants on how to implement it.

Knight said they had had a lot of “useful dialogue with the [Institute of Internal Auditors]” and “great comments” from the US that “hadn’t been all pro-COSO”, but acknowledged that there may still be significant resistance to the international standard replacing COSO.

“I would like to think, with the passage of time, the auditors and accountants will see the wisdom of 31000 and the fragility of COSO. I don’t know that I’ll live long enough, but certainly I’d hope to see that change.”

IIA-Australia also said that ISO 31000 would be unsuitable as a benchmark for the annual review of risk management frameworks under the revised ASX corporate governance principles and recommendations, which in most cases is now being delegated to internal audit.

Todd Davies, director, technical and policy at IIA-Australia, said so far there had been no further progress on resolving potential conflict between ISO 31000 and the COSO framework since their submission, but the matter had been referred to ISO and COSO.

“Harmonisation between standards should be a priority for all standard setters. We hope that ISO and COSO engage with each other to avoid unnecessary duplication, discrepancies or rework for those who have already invested,” he said.

“Increasingly boards are looking to internal audit to comment on the adequacy and effectiveness of an organisation’s risk management framework. ISO 31000 is likely to be an important input, but only one component of how this work is likely to be performed.”

Ultimately, Knight and Purdy said ISO 31000 is highly likely to live on as the new Australian and New Zealand 4360:2009 when it comes up for review next year, whatever the outcome of the vote.

See “Setting the standard”, this edition.

© 2012 Key Media Pty Ltd.