
3.3 Risk Management

3.3.1 Areas of Risk Management

“As applied to corporate finance, Risk Management is a technique for measuring, monitoring and controlling the financial risk or operational risk on a firm's balance sheet.”26

In contrast, the Basel II and Basel III frameworks by the Bank for International Settlements (BIS) break risk into three components: market risk, credit risk and operational risk. Furthermore, they specify methods for calculating capital requirements for each of these three components.

Today Risk Management is used in many different areas. Some of these areas are outlined below.

Enterprise Risk Management

e.g. regulated by the COSO II framework

“A key objective of this framework is to help managements of businesses and other entities better deal with risk in achieving an entity’s objectives”, (COSO II, 2004).

According to COSO II, enterprise Risk Management means different things to different people, with a wide variety of labels and meanings preventing a common understanding. “An important goal, then, is to integrate various Risk Management concepts into a framework in which a common definition is established, components are identified, and key concepts are described. This framework accommodates most viewpoints and provides a starting point for individual entities’ assessment and enhancement of enterprise Risk Management, for future initiatives of rule-making bodies, and for education”, (COSO II, 2004).

Medical device Risk Management

The management of risks for medical devices is described in ISO 14971:2007, Medical devices - Application of Risk Management to medical devices, a product safety standard27. “ISO 14971:2007 specifies a process for a manufacturer to identify the hazards associated with medical devices, including in-vitro diagnostic (IVD) medical devices, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls” (ISO 14971, 2007).

26 see: http://en.wikipedia.org/wiki/Risk_management, retrieved 2014-06-10

Risk Management activities as applied to Project Management

In Project Management, Risk Management includes different activities, for example assigning a risk officer, and planning activities including Risk Management tasks, responsibilities, activities, resources, budget, reports, etc.

Project Management, for example, is covered by ISO 21500:2012 - Guidance on Project Management. It “can be used by any type of organization, including public, private or community organizations, and for any type of project, irrespective of complexity, size or duration”28.

Risk Management of Information Technology

One of the most established frameworks is the Risk IT Framework by ISACA29.

The “Risk IT framework fills the gap between generic Risk Management frameworks such as COSO ERM, AS/NZS 4360, ISO 31000, the UK-based ARMS5 and domain-specific (such as security-related or project-management-related) frameworks. It provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of Risk Management, from the tone and culture at the top, to operational issues. In summary, the framework will enable enterprises to understand and manage all significant IT risk types”, (ISACA, 2009).

Risk Management as applied to the finance sector

For the finance sector there are a number of specific standards and frameworks, but also legal restraints and regulations. For instance: Basel II and Basel III by the Bank for International Settlements (BIS)30, the Sarbanes-Oxley Act of 2002 (also known as SOX, SarbOx, SOA), EuroSOX (the corresponding SOX-like directives of the European Union are colloquially known as EuroSOX), KonTraG31, CobiT32, the COSO II Framework33, the IFAC34 Principles of the Code of Ethics, IAS (International Accounting Standards), FATCA35, etc.

These regulations and standards are also - more or less - relevant to any other enterprise, not only to banks and financial service providers.

Risk Management as applied to different industry sectors, e.g. aerospace, railway, energy, nuclear power, pharmaceutical, public, etc.

Each industry sector has its own specific regulations, standards and frameworks, of which Risk Management forms a part.

27 ISO 14971:2007, http://www.iso.org/iso/catalogue_detail?csnumber=38193, retrieved 2014-08-30

28 ISO 21500:2012 - Guidance on Project Management, http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=50003, retrieved 2014-10-08

29 ISACA - http://www.isaca.org

Criticisms of Risk Management

However, researchers at the University of Oxford and King's College London found that the notion of complementarity may be a concept that does not work in practice26.

Fischer and Ferlie conducted a four-year organizational study of Risk Management in a leading healthcare organisation. They found major contradictions between rules-based Risk Management required by managers, and ethics-based self-regulation favoured by staff and clients. This produced tensions that led neither to complementarity nor to hybrid forms, but produced instead a heated and intractable conflict which escalated, resulting in crisis and organizational collapse (Fischer & Ferlie, 2013).

30 Bank for International Settlements (BIS), www.bis.org

31 KonTraG - Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (Corporate Sector Supervision and Transparency Act); a German law that set new standards of corporate governance for German publicly listed companies. The German KonTraG is similar to the U.S. Sarbanes-Oxley Act of 2002.

32 CobiT (Control Objectives for Information and Related Technology) by ISACA, www.isaca.org

33 COSO II Framework by the Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org

34 IFAC - International Federation of Accountants, www.ifac.org

35 FATCA - Foreign Account Tax Compliance Act. FATCA is a United States federal law that requires United States persons to report their financial accounts held outside of the United States. Individuals who live outside the United States are included. FATCA requires foreign financial institutions to report to the Internal Revenue Service (IRS) about their U.S. clients.