Difference between Process Based and Risk Based Approaches

There are subtle differences between risk based approaches and process based approaches, and each serves a purpose. For comparative purposes, the following frameworks are compared:

  • Enterprise Risk Management (ERM), a risk based framework developed by COSO (the Committee of Sponsoring Organizations of the Treadway Commission). It is quickly becoming THE industry standard for Enterprise Risk Management.

  • ISO, the International Standards Organization, has developed a series of standards or best practices that includes taking measurements for process improvement.

  • Six Disciplines, a methodology and toolset that helps organizations meet objectives.

  • Eight Disciplines, a team based approach to problem solving.

First of all, following any of these approaches vastly improves your chance of success, so if you are following any of them you are light years ahead of those who are not. If you are not following any formal approach, hopefully this paper can make it easier to identify which approach to take.

If you implement ERM correctly, it should be measuring progress (or lack thereof), include all of the six or eight disciplines, and ensure processes are executing effectively. However, the ERM framework developed by COSO is not very process/deliverable based. Likewise, a process or deliverables based system, if implemented correctly, should be addressing risks (SWOT analysis). However, this approach creates the possibility of having the organization manage issues rather than manage risks.

Typically, ERM assumes that most of the process based approaches are already implemented in the organization in some manner. With that in mind, it is important to understand the differences and how to integrate both methodologies, since most small to medium-sized businesses are process/deliverables based and the accounting/investment community will be attempting to have these organizations be risk based. There is a push for organizations to be risk based with the advent of two recent phenomena:

  • Financial auditors are now commenting on the strength of organizations' internal controls (SAS 112);

  • Standard & Poor's will now be using the strength of an organization's ERM system to determine an organization's credit rating. In the current economic climate an organization must do everything in its power to improve its credit rating to help it grow or even survive.


It may not necessarily come to pass that Managing Risks becomes a "Seventh or Ninth Discipline". ISO has released its first risk based standard (ISO27001 – Information Security), but most probably will not implement risk based approaches in many other standards. However, it would be best for an organization to know how to incorporate the ERM concepts so as to avoid competing philosophies. Businesses have a limited bandwidth for adopting a major philosophy. Process based frameworks may be viewed as 'elective', whereas ERM may eventually be viewed as 'required'.

There are plenty of similarities in the approaches, with Eight Disciplines focusing on one particular "problem"; ISO ensuring that processes continue to improve; Six Disciplines allowing organizations to meet their strategic objectives and manage the "distracting" day-to-day issues; and ERM managing all risks associated with an organization meeting its objectives.

At the end of the day, the process based approach may be positioned as one giant entity level control that allows a company to mitigate the risk of not meeting its objectives. The problem is that the external auditors will have a hard time recognizing that.

Most process documentation is full of controls that mitigate risks. However, only if those risks and controls were explicitly identified would an auditor be able to ascertain that the risks were being mitigated. If those risks were measured by probability and impact, the organization might be able to reduce the overheads and controls that are baked into its processes.

In summary, if your organization is following any process based approach, it is positioned well to manage a number of risks, but without a true risk based approach you may be spending more time managing issues rather than managing risks, which is becoming more important in these tough economic and soon-to-be more regulated times.


Our Value

  • Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, we tailor comprehensive, cost-effective and flexible solutions to our clients.
  • Our solutions enhance your current business processes, rather than adding unnecessary overhead, thus creating measurable long-term value.
  • We involve your executive team, including your internal and external advisors, to guarantee solutions are absolutely consistent with your requirements.
  • We allow you to concentrate on managing your business.

For more information, visit our home page: www.visagesolutions.com

"The Visage Risk assessment tool and methodology allowed us to respond to the risk assessment requirements of the FFIEC in a timely and cost effective manner."
   Robert Kernodle, SVP and Risk Officer of Cornerstone Bank

"Although there is always a degree of subjectivity in any risk assessment, the Visage Risk Assessment tool and methodology is one of the best I've seen in removing subjectivity and providing the underlying support for the scoring system."
   Patrick Camblin, Senior Partner in Camblin CPA, PLLC

Copyright © 2007 Visage Solutions, LLC.