Governance, Compliance and Risk Standards
1 Governance, Compliance and Risk Management Standards
+ IRM - AIRMIC - PRMA Risk Management Standards
The Risk Management Standard was published by the Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and Alarm (The Public Risk Management Association) in 2002. The standard (also available in German) represents best practice against which organizations can measure themselves. Wherever possible, the standard uses the risk terminology set out by the International Organization for Standardization (ISO) in ISO/IEC Guide 73, Risk Management – Vocabulary – Guidelines for Use in Standards. Source: www.theirm.org. More information is available here.
+ AS/NZS 4360:2004
The Australian/New Zealand Risk Management Standard “provides a generic guide for managing risk. This Standard may be applied to a very wide range of activities, decisions or operations of any public, private or community enterprise, group or individual. … [it] specifies the elements of the risk management process, but it is not the purpose of this Standard to enforce uniformity of risk management systems. It is generic and independent of any specific industry or economic sector.” Source: www.riskmanagement.com.au. More information is available here.
+ ITGI Risk IT Framework 2009 (COBIT)
The Risk IT framework “complements ITGI’s COBIT which provides a comprehensive framework for the delivery of high-quality information technology-based (IT-based) services. While COBIT sets good practices for the means of risk management, Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risk.” Source: www.isaca.org. More information is available here.
+ COBIT 4.1 2009
COBIT is an “IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.” Source: www.isaca.org. More information is available here.
+ COSO 2009 Guidance on Monitoring Internal Control Systems
Guidance on Monitoring Internal Control Systems (2009) is based on a three-volume 2008 exposure draft. It elaborates on monitoring, one of the five interrelated components of internal control in the COSO framework, and explains how organizations can assess whether their internal controls continue to operate effectively over time. More information is available here.
+ COSO 2004 Enterprise Risk Management – Integrated Framework
The Enterprise Risk Management – Integrated Framework “expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. While it is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.” Source: www.coso.org. More information is available here.
+ COSO 1992 Internal Control — Integrated Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control – Integrated Framework in 1992. It is a framework “to help businesses and other entities assess and enhance their internal control systems.” It has since been refined and extended by additional COSO guidance. Source: www.coso.org.
Internal control consists of five interrelated components:
- Control Environment — This component focuses on the risk management culture within the organization. Relevant questions include: are people throughout the organization aware of the importance of risk management, and do they understand the organization’s risk profile? Do management and the board of directors set the tone at the top? Are risk awareness and mitigation embedded in the organization’s values and in the integrity and competence of its staff? Is risk management part of management’s philosophy and operating style, and of the way management assigns authority and responsibility?
- Risk Assessment — Every organization faces external and internal risks that may affect its objectives. Risk assessment identifies the risks relevant to those objectives and determines how the organization can manage them.
- Control Activities — These refer to the internal control system of the organization, including policies and procedures that define approval processes, authorization levels, security of assets and the segregation of duties, etc.
- Information and Communication — This component refers to an organization’s information and communication systems, including the production of operational and financial reports.
- Monitoring — This component is often confused with the “control activities” component. While control activities define an organization’s internal control system, the monitoring component focuses on the monitoring of these systems, such as direct supervision and evaluation.
More information is available here.
+ ISO/IEC Guide 73 – Risk Management – Vocabulary
This guide provides a basic vocabulary of generic risk management terms and their definitions. The first edition of ISO/IEC Guide 73 was prepared by the ISO Technical Management Board Working Group 2 on risk management terminology. The second edition was developed by the ISO TMB working group on risk management alongside the development of ISO 31000, to reflect changes in risk management practice and feedback from users. Source: www.iso.org. More information is available here.
+ ISO 31000 Risk Management
Risk management is essential to the implementation of development programs, and a useful set of principles and guidelines has been developed by the International Organization for Standardization. In 2005, ISO introduced a New Work Item Proposal (NWIP) to develop a guidance standard on risk management. Following approval by ISO members, an ISO working group was established to develop a Committee Draft, ISO/CD 31000. The standard “gives generic guidelines for the principles and the adequate implementation of risk management. It is not intended to be used for the purposes of certification.” Source: www.iso.org. More information is available here.
+ BIP 2121:2006
A Risk management approach to business continuity. Aligning business continuity with corporate governance
+ BS 7799-3:2006
Information security management systems. Guidelines for information security risk management
+ BS 8555:2003
Guide to the implementation of an environmental management system including environmental performance evaluation.
+ BS 6079-3:2000 Project management
Guide to the management of business related project risk (UK, 2000). This British Standard, part of the BS 6079 series, provides guidance on the identification and control of business related risks encountered when undertaking projects. It is applicable to a wide spectrum of project organizations operating in the industrial, commercial, public and voluntary sectors. It is written for project sponsors and project managers, either or both of whom are almost always accountable to higher levels of authority for one or more projects of various types and sizes.
+ BS 8800:1996 Guide to occupational health and safety management systems
BVQI SafetyCert: Occupational Safety and Health Management Standard
+ IAS 39 International Accounting Standard 39
The objective of this Standard is to establish principles for recognising and measuring financial assets, financial liabilities and some contracts to buy or sell non-financial items. Requirements for presenting information about financial instruments are in IAS 32 Financial Instruments: Presentation. Requirements for disclosing information about financial instruments are in IFRS 7 Financial Instruments: Disclosures.
+ IEC/DIS 31010 Risk management
Risk assessment guidelines (international; publication date not yet set).
+ ISO 14001:2004
ISO 14001:2004 specifies requirements for an environmental management system to enable an organization to develop and implement a policy and objectives which take into account legal requirements and other requirements to which the organization subscribes, and information about significant environmental aspects.
+ ISO 14121-1 (EN 1050)
ISO 14121-1:2007 provides guidance on the information that will be required to enable risk assessment to be carried out. Procedures are described for identifying hazards and estimating and evaluating risk. It also gives guidance on the making of decisions relating to the safety of machinery and on the type of documentation required to verify the risk assessment carried out.
+ ISO 14971
ISO 14971:2007 specifies a process for a manufacturer to identify the hazards associated with medical devices, including in vitro diagnostic (IVD) medical devices, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls.
+ ISO 17666:2003
ISO 17666:2003 extends the requirements of ISO 14300-1, the principles and requirements for integrated risk management on a space project. It explains what is needed to implement a project-integrated risk management policy by any project actor, at any level (i.e. customer, first-level supplier, or lower-level suppliers).
+ ISO 22000:2005
Specifies requirements for a food safety management system where an organization in the food chain needs to demonstrate its ability to control food safety hazards in order to ensure that food is safe at the time of human consumption. It is applicable to all organizations, regardless of size, which are involved in any aspect of the food chain and want to implement systems that consistently provide safe products.
+ ISO/IEC 16085:2006
ISO/IEC 16085:2006 defines a process for the management of risk in the life cycle. It can be added to the existing set of system and software life cycle processes defined by ISO/IEC 15288 and ISO/IEC 12207, or it can be used independently.
+ ISO/IEC 17799:2005
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. In 2007 it was renumbered ISO/IEC 27002 without change to its content.
+ ISO/IEC 24762:2008
Provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services.
+ ISO/IEC 27002:2005
Establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
+ ISO/IEC 27005:2008
ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
+ ISO/IEC Guide 73:2002
Risk management — Vocabulary — Guidelines for use in standards
+ ISO/PAS 22399:2007
Provides general guidance for an organization — private, governmental, and nongovernmental organizations — to develop its own specific performance criteria for incident preparedness and operational continuity, and design an appropriate management system.
+ ISO/TS 22367:2008
ISO/TS 22367:2008 characterizes the application of ISO 15189 as a system for reducing laboratory error and improving patient safety by applying the principles of risk management, with reference to examination aspects, especially to pre- and post-examination aspects, of the cycle of laboratory medical care. ISO/TS 22367:2008 proposes a methodology for finding and characterizing medical laboratory error that would be avoided with the application of ISO 15189.
+ JIS Q 2001:2001 Guidelines for development and implementation of a risk management system (Japan 2001)
+ M_o_R Management of Risks
M_o_R considers risk from different perspectives within an organisation: strategic, programme, project and operational. While it links to other OGC Best Practice, it respects the roles, responsibilities and terminologies used outside the disciplines of programme and project management. More information is available here.
+ OHSAS 18001/18002
Occupational health and safety management system specification
+ ONR 49000:2004 ff.
Risk management for organizations and systems: terms and principles (“Risikomanagement für Organisationen und Systeme: Begriffe und Grundlagen”, Austria 2004)
+ ONR 49000:2008 ff.
Risk management for organizations and systems: terms and principles; application of ISO/DIS 31000 in practice (“Risikomanagement für Organisationen und Systeme – Begriffe und Grundlagen – Anwendung von ISO/DIS 31000 in der Praxis”, Austria 2008)
+ SGS & ISMOL ISA 2000:1997 R
Requirements for Safety and Health Management Systems
+ Technical Report NPR 5001: 1997
Guide to an occupational health and safety management system
+ UNE 81900
Series of pre-standards on the Prevention of occupational risks
+ Regulation (EC) No 761/2001 (Verordnung (EG) Nr. 761/2001)
The EU Eco-Management and Audit Scheme (EMAS). Its environmental management system requirements are very similar to ISO 14001 and incorporate that standard’s requirements, so an ISO 14001 system is the basis for EMAS registration.
If you have any questions or would like additional information, please contact us.
If you are seeking information about enterprise risk management and related risk services, please visit www.minimarisk.com.