Carol Williams has a web site, ERM Insights, where she writes about risk management (I prefer to talk about the management of risk, rather than risk management, to ensure we are talking about how the organization addresses what might happen, i.e., risk, rather than talking about a function or team).
Recently, she shared her advice on frameworks and standards in ISO 31000 VS. COSO – Comparing And Contrasting The World’s Leading Risk Management Standards.
I like what she has to say (maybe because she quotes me) and recommend that you read and consider it.
Let me add to her discussion.
As Carol says, “the overarching goal of your risk-related activities should be to support decision-making by helping identify and properly assess both risks and opportunities to achieving strategic objectives”.
So the first step should be to understand how your organization makes decisions. Is decision-making centralized or distributed? Are employees empowered or limited?
You should also consider:
- At what speed and frequency does the path ahead seem to change (i.e., how volatile is risk both from internal and external sources)?
- The business you are in and what the sources of risk are. For example, I would consider different processes for managing a loan portfolio, customer credit, major projects, derivatives trading, and…