
BEST PRACTICES

January 3, 2007
AS/NZ 4360 — A Practical Choice Over COSO ERM
by Michael Rasmussen
with Laura Koetzle

EXECUTIVE SUMMARY
Under pressure — from regulations, competition, legal liability, and corporate governance —
organizations build risk management programs and processes that encompass operational risks as well
as traditional financial risks. Many organizations look first to The Committee of Sponsoring
Organizations of the Treadway Commission (COSO) enterprise risk management (ERM), only to
discover that it is poorly written and difficult to implement. The Australia/New Zealand 4360:2004 Risk
Management Standard (AS/NZ 4360) is more mature, straightforward, and flexible with a wealth of
implementation resources for different risk scenarios.

TARGET AUDIENCE
Security and risk professional

APPROACHING RISK MANAGEMENT WITH FRAMEWORKS


Organizations — in an effort to manage risk, comply with regulations, as well as preserve or create value —
are driven to adopt risk management. Some are responding to adverse events, others to regulatory
compliance — e.g., Sarbanes-Oxley (SOX), Basel II, etc. — and all must manage complex global operations
and relationships. A few see ERM as a way to manage opportunity and drive stakeholder value. Whatever
the drivers, many firms need guidance about what risk management is and how to build a risk
management function and process. In seeking help, you’ll find an abundance of risk management
frameworks, including proprietary frameworks developed by consulting/advisory organizations, national
frameworks/standards, and industry-specific guidance. However, most risk management decisions boil
down to one of two options — COSO ERM or AS/NZ 4360. For those under the gun of SOX, the decision
has largely fallen to COSO — but is it the right choice for ERM? In implementation:

· COSO ERM starts a good discussion . . . COSO ERM is useful for opening a discussion of the
risk management vision because it demonstrates how intricate risk management is across the
organization. In particular, it illustrates the breadth of risk management across business processes
and operations and frames a dialogue around the principles of risk management.

· . . . but fails to give enough practical advice. COSO is poorly written and many would-be
implementers find its approach to ERM confusing. COSO defines ERM as: a process, effected
by an entity’s board of directors, management, and other personnel, applied in a strategy setting
and across the enterprise, designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives.1 That’s neither a concise nor an easy-to-grasp definition of risk,
but it does communicate an idea of risk management and gets the discussion started.

COSO ERM — Weak At The Practical Level


While COSO ERM might get the risk management dialogue started, it falls short on the practical
side. For all of its buzz in the corporate world (particularly among those working on SOX
compliance) in defining and promoting ERM, COSO ERM has significant weaknesses. Namely,
COSO ERM:

· Provides an obscure framework. As a principle-based framework, COSO ERM provides a
philosophy and vision of ERM but does not get into risk management approaches and processes
that can be easily implemented across the business.2 When it comes down to building a risk
management function and process, COSO ERM has little practical advice — often leaving the
implementer bewildered (see Figure 1).

Figure 1 The Complex Organizational And Functional Layers Of COSO ERM

[Figure: the COSO ERM cube, three intersecting dimensions]
Objective categories: Strategic; Operations; Reporting; Compliance
Components: Internal environment; Objective setting; Event identification; Risk assessment;
Risk response; Control activities; Information and communication; Monitoring
Organizational levels: Entity level; Division; Business unit; Subsidiary
Source: Forrester Research, Inc.

· Focuses excessively on threats/hazards. A significant weakness of COSO ERM is its nearly
exclusive focus on management of threats and application of controls. Understanding and
managing threats and hazards to business operations is a good thing, but concentrating solely
on threats/hazards leaves a risk management program unbalanced. Threat management is only
part of risk management; risk management must also encompass opportunities for corporate
gain. Organizations make money by taking risk, and they lose money by failing to manage it.3
COSO ERM entirely ignores the upside — it primarily addresses control issues such as “failure
to report financial data.”

January 3, 2006 © 2007, Forrester Research, Inc. Reproduction Prohibited

· Misses guidance on effectiveness/efficiency of controls. Despite COSO ERM’s hyper-focus
on threats and controls — which is only natural given COSO’s roots in audit — it fails to give
practical guidance on how you should measure the effectiveness and efficiency of controls. Risk
analysis in COSO focuses on exposure and gives little to no guidance to help you understand
the effectiveness of controls to mitigate risk.

· Introduces a flawed approach to risk assessment. The COSO ERM framework confusingly
associates risk measurement with the likelihood of an event and its consequences. The
framework should instead focus on the consequences that flow from an event and the likelihood
of those consequences. Further, it prioritizes high-probability, high-business-impact risks.
Sounds like common sense, right? Wrong. High-probability, high-impact risks exist at
a micro level (on particular projects, for example), but not at a macro level, because risk is
aggregated.4 Put another way, you can have a high-likelihood, high-impact situation (e.g., if you
are standing on the tracks in the path of an oncoming high-speed train, it’s likely the train will
hit and kill you), but there is no such thing as a high-likelihood, high-impact class of events.
We call these phantom risks, because if three people per week step into the path of the train, you
won’t be in business for long.5 Likelihood-impact analysis suits “point-in-time” analysis
of a specific incident (such as an individual train crash), while risk management aims to
understand the level of exposure to a type of event (e.g., the level of exposure to loss from train
accidents) over a period of time.6

· Lacks external context for risk management. The COSO ERM standard gives the impression
that risk is an entirely internal dynamic that is not influenced by external factors. It only
requires the consideration of the internal environment — not the external context — and from
there produces an inwardly focused and dangerously ignorant risk assessment.

· Fails to embrace risk as a process. COSO ERM concentrates on reporting. As such, the
framework structures a once-through process rather than an iterative process with feedback
loops and cross-links to other process elements. Also, it doesn’t integrate risk management with
business change management. Ultimately, the COSO ERM implementation focuses on a single
assessment aimed at delivering a report. In reality, risk management must be a continuous
process — reporting should then become an incidental byproduct of that process.

AS/NZ 4360 — The Choice Of The Risk Practitioner

A risk management framework needs to be adaptable across a wide range of risk management
scenarios. Flexibility is essential. Firms require a risk management approach
that is easy to understand and implement across the organization. AS/NZ 4360 is a mature and
flexible risk management standard.7 It gives straightforward, easy-to-grasp definitions of risk and
risk management that — unlike COSO ERM — capture both the threat/hazard side of risk and the
opportunity side (see Figure 2):

Risk: The chance of something happening that will have an impact on objectives.

Risk management: The culture, processes, and structures that are directed toward realizing
potential opportunities whilst managing adverse effects.

Figure 2 The Steps Described In AS/NZ 4360 For Implementing A Risk Management Process

[Figure: five sequential steps, with “Communicate and consult” and “Monitor and review”
running alongside every step]
· Establish the context: objectives; stakeholders; criteria; define key elements
· Identify the risks: what can happen? how can it happen?
· Analyze the risks: review controls; likelihoods; consequences; level of risk
· Evaluate the risks: evaluate risks; rank risks
· Treat the risks: identify options; select best responses; develop risk treatment plans; implement
· Communicate and consult (throughout)
· Monitor and review (throughout)

Source: Forrester Research, Inc.


The AS/NZ 4360 standard:

· Offers a holistic and flexible approach to risk management. The AS/NZ 4360 standard
addresses all types of risk in all types of organizations and industries. This adaptable process
enables a consistent approach to risk management throughout the organization.

· Establishes an external context for risk management. AS/NZ 4360 emphasizes the
establishment of a context for risk management — external as well as internal. ERM is not
a siloed function. It can have a central head, such as a chief risk officer, to coordinate risk
management across the organization, but the ownership of risk falls across varying areas
of the business and is influenced by external factors. The AS/NZ 4360 standard starts with
understanding the broad scope of drivers and influencers from both internal and external
contexts.

· Builds consultation and communication into the ERM process. ERM does not happen
in a vacuum: It requires a collaborative environment to be successful. This means that all
stakeholders (e.g., risk executive, legal, business process owner/manager, and business partner)
need to be able to have input into every stage of the risk process.

· Defines both threats and opportunities in its definition of risk. AS/NZ 4360 clearly and
concisely illustrates that risk is about taking advantage of opportunities as well as mitigating
threats. AS/NZ 4360 grasps the opportunity side of risk management by emphasizing value
creation and preservation.

· Provides a wealth of risk handbooks for practical advice. AS/NZ 4360 includes a set of
implementation handbooks for using the standard in different situations (see Figure 3).8 This
expanding set of resources provides implementers with a broad portfolio of practical help.

· Supplies the foundation for a new ISO risk management standard. AS/NZ 4360 will become
the basis of a new international risk management standard from the International Organization
for Standardization (ISO). Using the AS/NZ 4360 standard, an ISO working group is preparing
a draft standard on risk management that it plans to release as a working draft in 2007. The goal
is to have a final published international risk management standard in 2008.

Figure 3 Implementation Handbooks Included With The AS/NZ 4360 Standard

HB 141-2004 Risk Financing Guide
HB 203:2006 Environmental Risk
HB 205:2004 OHS Risk Management Handbook
HB 221:2004 Business Continuity
HB 240-2004 Risk in Outsourcing
HB 246-2004 Risk in Sport and Recreation
HB 254-2005 Governance, Risk Management, and Control Assurance

Source: Forrester Research, Inc.


HOWEVER, NO STANDARD IS COMPLETE . . .

The challenge is that risk, like beauty, is in the eye of the beholder. A security professional sees
risk as a threat or hazard, while a business or finance manager sees an opportunity/benefit side to
risk. Some professionals focus on quantitative risk assessment, while others focus on qualitative
risk assessment. You must adapt the framework to your situation and context — which makes
the flexible, well-written, and concise AS/NZ 4360 standard the best choice. Before you define a
risk management process, you must first understand risk itself. This involves:

· Defining risk. Although risk represents uncertainty, risk is not really the chance (the
probability) of an adverse event occurring: It is a measure of the potential damage from an
adverse event at a specified probability level. For example, the risk concept helps us consciously
analyze whether, at a 99% confidence level (where there is only a 1% chance of a more harmful
event occurring), the damage from a bank branch robbery (perhaps $10 million) is greater
than from an unauthorized trading loss in the fixed income derivatives department (perhaps $1
billion).

· Understanding that risk is a distribution. Avoid a static approach to risk analysis in which you
map a given risk to a single intersection of probability and impact. Risk is more accurately
expressed as a distribution of possible outcomes (for operational losses usually a long right tail
of rare, severe events rather than a symmetric bell curve) showing where a risk is of greatest
and least significance to the organization. Avoid a “point-in-time” analysis model that does not
address both the frequency and the distribution of events.
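As an added worked example (Python written for this page, not code from the report or from either standards body), here is the distinction the “phantom risk” discussion and the two bullets above draw: a single likelihood-times-impact number describes one incident, whereas exposure to a class of events over a period is a distribution from which you read the loss at a chosen confidence level. The two event classes, their rates, and their loss sizes are hypothetical assumptions chosen for illustration; Poisson event frequency with lognormal severity is a common modelling choice, not one that AS/NZ 4360 or COSO prescribes.

```python
"""Exposure to a class of events over a period vs. point-in-time likelihood x impact.

Constructed illustration (not from the report): simulate the annual loss
distribution for hypothetical event classes and read off the loss at a chosen
confidence level, as the "99% confidence level" example in the text describes.
"""
import math
import random
from statistics import mean


def percentile(values, p):
    """Nearest-rank p-th percentile (0 < p <= 100) of a list of numbers."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def lognormal_severity(median, sigma):
    """Per-event loss sampler: lognormal with the given median and log-scale sigma.

    Lognormal severity is a common modelling assumption, not something either
    standard prescribes.
    """
    mu = math.log(median)
    return lambda rng: rng.lognormvariate(mu, sigma)


def simulate_annual_losses(rate_per_year, severity, years, rng):
    """Total loss in each simulated year.

    Events arrive as a Poisson process (exponential inter-arrival times) at
    rate_per_year; each event's loss is drawn from severity(rng). A year with no
    events contributes a loss of 0.
    """
    losses = []
    for _ in range(years):
        t = total = 0.0
        while True:
            t += rng.expovariate(rate_per_year)
            if t > 1.0:
                break
            total += severity(rng)
        losses.append(total)
    return losses


def exposure_summary(losses, confidence=99):
    """Expected annual loss, loss not exceeded at the confidence level, P(any loss in a year)."""
    return {
        "expected_annual_loss": mean(losses),
        "loss_at_confidence": percentile(losses, confidence),
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def exposure_for_class(rate_per_year, median_loss, sigma,
                       years=20_000, seed=4360, confidence=99):
    """Simulate one event class with a fixed seed (reproducible) and summarize it."""
    rng = random.Random(seed)
    losses = simulate_annual_losses(
        rate_per_year, lognormal_severity(median_loss, sigma), years, rng)
    return exposure_summary(losses, confidence)


def point_in_time_risk(likelihood, impact):
    """The single-event likelihood x impact number a risk matrix produces."""
    return likelihood * impact


if __name__ == "__main__":
    # Hypothetical parameters (assumptions for illustration, not figures from the
    # report): a frequent, modest-loss class and a rare, severe-loss class.
    classes = {
        "branch robbery": (12.0, 500_000, 0.8),
        "unauthorized trading loss": (0.05, 50_000_000, 1.0),
    }
    for name, (rate, median_loss, sigma) in classes.items():
        s = exposure_for_class(rate, median_loss, sigma)
        print(f"{name:26s} EAL={s['expected_annual_loss']:>14,.0f} "
              f"loss@99%={s['loss_at_confidence']:>16,.0f} "
              f"P(any loss)={s['prob_any_loss']:.3f}")
        # The matrix-style number for the same class: P(at least one event
        # this year) x a typical single-event loss. It says nothing about the tail.
        p_any = 1.0 - math.exp(-rate)
        print(f"{'':26s} single-event likelihood x impact = "
              f"{point_in_time_risk(p_any, median_loss):,.0f}")
```

Running it prints, for each class, the expected annual loss, the loss not exceeded in 99% of simulated years, and the probability of any loss in a year. With these assumed parameters the frequent class has the larger expected annual loss, while the rare class has the far larger 99% loss; a likelihood-times-impact matrix entry cannot express that difference, which is the point of the “Defining risk” bullet.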

RECOMMENDATIONS

CAPTURE THE INTEREST IN ERM FROM COSO, BUT IN PRACTICE RELY ON AS/NZ 4360
COSO ERM, primarily because of SOX, has started a lot of organizations talking about risk
management.9 You can build on that momentum and use it to develop a vision and cross-organizational
collaboration on risk management, but you will find that COSO ERM is confusing
and difficult to apply. AS/NZ 4360 provides a stronger, simpler, and more adaptable framework to
use as the foundation of an ERM program. If you pursue AS/NZ 4360, you will not be disappointed,
because it is quite likely to become an influential international standard; the progression should
be similar to that of the British information security standard BS 7799, which became ISO/IEC 17799.


ENDNOTES

1 Source: COSO: The Committee of Sponsoring Organizations of the Treadway Commission
(http://www.coso.org/publications.htm).

2 COSO ERM provides some theory and structure for risk management. The issue identified in this research
piece is taking the theory into practice within an organization. The principle approach found in the COSO
ERM framework lacks the practical guidance of implementing ERM within an organization and across its
lines of business. See the October 5, 2004, Quick Take “COSO Enterprise Risk Management Framework.”

3 For further information on the opportunity side of risk, Forrester refers readers to Deloitte’s publication
series on risk intelligence and value killers, which further defines the fact that organizations make money by
taking risk and lose money by failing to manage it.

4 Forrester discusses the issue of phantom risks in COSO. See the November 8, 2005, Best Practices
“Preparedness Versus Probability In Determining Risk.”

5 COSO ERM challenges, particularly those around phantom risks, are clearly illustrated in Ali Samad-Khan’s
article in Operational Risk magazine. Source: Ali Samad-Khan, “Why COSO Is Flawed,” Operational Risk,
January 2005 (http://www.opriskadvisory.com/docs/Why_COSO_is_flawed_(Jan_2005).pdf).

6 Note: The focus on phantom risk at a risk class/aggregate level is an inherent problem with many risk
management frameworks — including the AS/NZ 4360 standard. However, the 4360 standard differs from
COSO in this area as it provides guidelines that illustrate a number of approaches for assessing risk in
qualitative or quantitative formats.

7 H. Felix Kloman, a leading expert in risk management practices, puts this succinctly in Risk Management
Reports: “Over the past fifteen years, we’ve developed a variety of local, national and global ‘standards,’ such
as Basel I, COSO I, COSO II, and the Australian/New Zealand Risk Management Standard 4360, revised in
2004. Canada, the United Kingdom, Norway, and Japan have similar standards. Basel II is being prepared
for adoption worldwide. Most efforts improve the breed, although the COSO II (Committee of Sponsoring
Organizations) monster in the United States set us back several years. The Australian/New Zealand effort
should be the bellwether, if risk management is to continue to evolve and flourish.” H. Felix Kloman, Risk
Management Reports, Volume 33, Number 10, October 2006. Additionally, Risk Management Reports
December 2004 provides further reflections on challenges with COSO ERM.

8 Source: The AS/NZ 4360:2004 Standard Portal (http://www.riskmanagement.com.au/).

9 Note that COSO ERM is not needed for SOX compliance. The regulatory guidance states that organizations
should use a control framework like COSO Internal Control, which predates COSO ERM. The regulation
requires a framework for controls but does not require a specific one.

Forrester Research (Nasdaq: FORR) is an independent technology and market research company that provides pragmatic and forward-thinking advice about
technology’s impact on business and consumers. For 22 years, Forrester has been a thought leader and trusted advisor, helping global clients lead in their markets
through its research, consulting, events, and peer-to-peer executive programs. For more information, visit www.forrester.com.
© 2007, Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, WholeView 2, Technographics, and Total Economic Impact are trademarks of
Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure
contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, go to www.forrester.com. Information
is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints of this document, please email
resourcecenter@forrester.com. 41003
