References

            Short summary

In 2015 two surveys have been carried out by the Italian Institute of Statistics in cooperation with University of Rome Tor Vergata and UNECE, in order to analyze to what extent Risk management systems are adopted among NSOs members of UNECE as well as among countries and international organizations not belonging to UNECE but yet participating in Commission’s activities. The surveys were aimed at building criteria through which the practices could be identified and classified. Due to the complexity of the matter as well as in order to get more solid achievements, a multi-method model was chosen in order to use heterogeneous yet complementary approaches for analysis. According to the explorative approach, both qualitative and quantitative-descriptive tools were used: a mixed model allows to include context factors that enable a deeper understanding of phenomena, also taking into account the strategic components of the practices observed. The first Survey was submitted in May 2015 to 60 countries and 4 organizations; the response rate was around 57%. Among all respondents, thirteen countries were selected for an In-depth analysis of the Risk management most interesting practices from a NSO point of view. The selected countries were invited to answer to a second questionnaire during September 2015.

To validate as well as underpin the Guidelines, a closing survey has been designed to get a full picture of the implementation routes for Risk management systems among statistical organizations.

This Survey has been made up of six different questionnaires addressed to as many organizational areas (Risk management; Statistical quality analysis; Statistical production process management; Organizational process management; Internal control and/or internal auditing; Services supporting statistical production). The sample selected has consisted of organizations presenting different levels of Risk maturity; therefore, the approach has been comprehensive enough to catch the diverse perspectives and so to help bring out elements that are as much as possible representative of the different contexts analysed. A dedicated Survey section made up of no more than 6 (six) questions has been provided for each target-audience area.

The third Survey was submitted in July 2016 to 26 NSOs and 1 statistical organization; the average of the responses rate of the all sections was around 53%.

1.        UNECE – MCOFE Survey on Risk Management Practice, April, 2015

Respondent countries / organizations: Australia, Austria, Canada, Croatia, Eurostat, Ireland, Italy, Lithuania, Poland, Norway, México, Romania, The Netherlands, Belgium, Estonia, Cyprus, Finland, Germany, Hungary, Iceland, Israel, Japan, New Zealand, Republic of Armenia, Republic of Macedonia, Republic of Moldova, Russia, Serbia, Slovakia,  Slovenia, South Africa, Spain, Sweden, Turkey, United Kingdom.

2.        In-Depth Survey on Risk Management, September, 2015

Respondent countries: Australia, Austria, Canada, Croatia, Ireland, Lithuania, México, Romania, The Netherlands, Sweden.

3.        Final Survey on Risk Management, July, 2016

Respondent countries: Armenia, Australia, Austria, Canada, Estonia, Finland, Lithuania, Malta, Mexico, Norway, Poland, Republic of Armenia, Romania, Slovenia, The Netherlands, United Kingdom, USA, Croatia.

The Guide updates and replaces the Australian National Audit Office's (ANAO) 2005 Public Sector Audit Committees Better Practice Guide. While many of the principles and practices remain the same, this Guide incorporates a number of enhancements. These include a discussion on: a committee's responsibilities in relation to Risk management and other portfolio entities; the benefits of periodically engaging with the entity Chief Executive/Board, including in relation to the committee's responsibilities for reviewing high risk programs and projects. This Guide is intended to complement the Fraud Control Guidelines, and to augment the key fraud control strategies referred to in the Guidelines. While this document is an important tool for senior management and those who have direct responsibilities for fraud control, elements of this Guide will be useful to a wider audience, including employees, contractors and service providers. The aim of the Guide is to provide guidance on the operation of the Audit Committees of public sector entities operating under both the Financial Management and Accountability Act 1997 and the Commonwealth Authorities and Companies Act 1997. As with all of the ANAO's Better Practice Guides, each entity is encouraged to use it to identify, and apply, better practice principles and practices that are tailored to its particular circumstances. The Guide discusses a range of functions and responsibilities, grouped under nine broad areas, that are appropriate for an Audit Committee.

           Highlights

The Standard is a joint Australia/New Zealand adoption of ISO 31000:2009, and supersedes AS/NZS 4360:2004. It was approved on behalf the Council of Standards Australia on 6 November 2009 and on behalf of the Council of Standards New Zealand on 16 October 2009. Its predecessor, AS/NZS 4360 Risk management, was first published in 1995. After AS/NZS 4360 was last revised in 2004, the joint Australia/New Zealand committee OB-007 decided that rather than undertake a similar revision in 2009, it would have promoted the development of an international standard on risk management, which could then be adopted locally. The standard provides organizations with guiding principles, a generic framework, and a process for managing risk. New to this edition is the inclusion of 11 risk management principles an organization should comply with, and a management framework for the effective implementation and integration of these principles into an organization's management system. Emphasis is given to considering risk in terms of the effect of uncertainty on objectives, rather than the risk incident. This edition also includes an informative annex that sets out the attributes of enhanced risk management for those organizations that have already been working on managing their risks and may wish to strive for a higher level of achievement.

               Highlights

The Basel Committee on Banking Supervision, which includes supervisory authorities from Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, the Netherlands, Sweden, Switzerland, the United Kingdom, and the United States, introduced the Framework for Internal Control Systems in 1998. The Basel Committee distributed this Guidance to supervisory authorities worldwide in the belief that the principles presented will provide a useful framework for the effective supervision of internal control systems. More generally, the Committee wished to emphasize that sound internal controls are essential. The five elements of internal control are: management oversight and control culture, risk recognition and assessment, control activities and segregation of duties, information and communication, and monitoring activities and correcting deficiencies. The effective functioning of these five elements is key to an organization achieving its performance, information, and compliance objectives. The guidance does not focus on specific areas or activities within a banking organization. The exact application depends on the nature, complexity and risks of the organization’s activities. While closely linked to the specific sector, the principles of this guidance can be taught and effectively applied throughout different areas.

           Highlights

The Chartered Institute of Management Accountants is the world’s largest and leading professional body of management accountants. It has more than 229,000 members and students in 176 countries. It has strong relationships with employers and sponsor leading research. The Chartered Institute of Management Accountants supports its members and students with its Technical Information Service (TIS) for their work and needs. Topic Gateways are intended as a refresher or introduction to topics of interest to CIMA members. They include a basic definition, a brief overview and a fuller explanation of practical application. Finally they signpost some further resources for detailed understanding and research. The Guide was prepared by Technical Information Service.

              Highlights

ORM is the guiding Navy instruction for implementing the Operational Risk Management program. CNRMA manages and oversees shore installation management support and execution within the Mid-Atlantic region. The naval vision is to develop an environment in which every individual (officer, enlisted and civilian) is trained and motivated to personally manage risk in everything they do on and off duty, both in peacetime and during conflict, thus enabling successful completion of all operations or activities with the minimum amount of risk. Commands have a number of responsibilities relative to ORM, including designating

the Executive Officer as the ORM Program Manager to oversee command ORM training and implementation and ensuring that at a minimum one officer and one senior enlisted are qualified as ORM instructors. While closely linked to this specific sector, the principles of this guidance can be taught and effectively applied throughout different areas: many ORM techniques can be incorporated into operational planning and decision making processes related to various sector of activity.

           Highlights

COSO is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. The members of COSO are: the American Institute of Certified Public Accountants, the American Accounting Association, Financial Executives International, the Institute of Management Accountants and The Institute of Internal Auditors. ERM is a widely used framework in the United States and around the world. Over two decades ago, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued “Internal Control – Integrated Framework” to help businesses and other entities assess and enhance their internal control systems. That framework has since been incorporated into policy, rule and regulation and used by thousands of enterprises and organizations to better control their activities in moving toward achievement of their established objectives. In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management. COSO engaged PricewaterhouseCoopers after concluding there was a need for a broadly recognized enterprise risk management framework. PricewaterhouseCoopers was assisted by an advisory council composed of representatives from the five COSO organizations. Because of the importance of the project, the Framework was exposed for public comment before final publication. COSO recognized that while many organizations may be engaged in some aspects of enterprise risk management, there has been no common base of knowledge and principles to enable boards and senior management to evaluate an organization’s approach to risk management and assist them in building effective programs to identify, measure, prioritize and respond to risks. “ERM – Integrated Framework” expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management for all organizations, regardless of size. The framework defines essential enterprise risk management components, discusses key principles and concepts, suggests a common language, and provides clear direction and guidance for enterprise risk management.

• Highlights

Chartered Professional Accountants of Canada (CPA Canada) is the national organization established to support a unified Canadian accounting profession. As one of the world’s largest national accounting bodies, with more than 200,000 members across the country and around the world, CPA Canada carries a strong influential voice: it plays an important role in influencing international accounting, audit and assurance standards. CoCo was introduced in 1992 with the objective of improving organizational performance and decision-making with better controls, risk management, and corporate governance. In 1995, Guidance on Control was produced and described the CoCo framework and defining controls. The framework includes 20 criteria for effective control in four areas of an organization: purpose (direction), commitment (identity and values), capability (competence), monitoring and learning (evolution). This model describes internal control as actions that foster the best result for an organization. These actions, which contribute to the achievement of the organization’s objectives, focus on: effectiveness and efficiency of operations; reliability of internal and external reporting; compliance with applicable laws and regulations and internal policies. CoCo indicates that control comprises: “Those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.”

               Highlights

The Financial Reporting Council is the UK’s independent regulator responsible for promoting high quality corporate governance and reporting to foster investment. It promotes high standards of corporate governance through the UK Corporate Governance Code. It sets standards for corporate reporting, audit and actuarial practice and monitor and enforce accounting and auditing standards. The FRC issues guidance and other publications to assist boards and board committees in considering how to apply the UK Corporate Governance Code to their particular circumstances. These publications cover, among others: “Risk management, Internal Control and Related Financial and Business Reporting”. This guidance revises, integrates and replaces the previous editions of the FRC's Internal Control: Guidance to Directors (formerly known as the Turnbull Guidance) and the Going Concern and Liquidity Risk: Guidance for Directors of UK Companies and reflects changes made to the UK Corporate Governance Code. It links the traditional Turnbull guidance on internal control with emerging good practice for risk management reflected in the conclusions of both the FRC’s Boards and Risk report and the final recommendations of the Sharman Panel of Inquiry into Going Concern and Liquidity Risk. Internal Control: Guidance for Directors on the Combined Code (The Turnbull guidance) was first issued in 1999. In 2004, the Financial Reporting Council established the Turnbull Review Group to consider the impact of the guidance and the related disclosures and to determine whether the guidance needed to be updated. In reviewing the impact of the guidance, consultations revealed that it had very successfully gone a long way to meeting its original objectives. Boards and investors alike indicated that the guidance had contributed to a marked improvement in the overall standard of risk management and internal control since 1999. The second version was issued in 2005  (Internal Control: Revised Guidance for Directors on the Combined Code). Consistent with the amendments to any Principles in the 2014 edition of the Code and with the aim of aligning the terminology, a new version of the Guidance was issued in 2014.

               Highlights

The standards provide guidance on assessing risks and internal controls system for federal agencies in programmatic, financial, and compliance operations. On September 10, 2014 GAO issued its revision of Standards for Internal Control in the Federal Government. The 2014 revision will supersede GAO/AIMD-00-21.3.1, Standards for Internal Control in the Federal Government (November 1999). Federal Managers' Financial Integrity Act (FMFIA) requires that federal agency executives periodically review and annually report on the agency's internal control systems. FMFIA requires the Comptroller General to prescribe internal controls standards. These internal control standards, first issued in 1983, present the internal control standards for federal agencies for both program and financial management. The Green Book may also be adopted by state, local, and quasi-governmental entities, as well as not-for-profit organizations, as a framework for an internal control system. Green Book revisions involved an extensive, deliberative process, including public comments and input from the Green Book Advisory Council. GAO considered all comments and input in finalizing revisions to the standards. The standards in The Green Book are organized by the five components of internal control. Each of the five components contains several principles. Principles are the requirements of each component. Contol environment (5 principles); Risk assessment (4 principles); Control activiteis (3 principles); Information and communication (3 principles); Monitoring (2 principles).

• Highlights

The Risk Management Standard was originally published by the Institute of Risk Management (IRM), The Association of Insurance and Risk Manager (AIRMIC) and The Public Risk Management Association (Alarm) in 2002. It was subsequently adopted by the Federation of European Risk Management Association (FERMA). The Standard is the result of work by a team drawn from the major risk management organizations in the UK. In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in risk management, during an extensive period of consultation. Despite the publication of ISO 31000, the Global Risk Management Standard, IRM has decided to retain its support for the original risk management standard because it is a simple guide that outlines a practical and systematic approach to the management of risk for business managers (rather than just risk professionals).

              Highlights

ISO has developed more than 16,000 international standards for stakeholders such as industry and trade associations, science and academia, consumers and consumer associations, governments and regulators, and societal and other interest groups.

Specifically, as for the family of Standards developed and published under the direct responsibility of TC 262, the first editions of ISO 31000 and ISO Guide 73 were published in 2009. ISO 31000 has been adopted as a national standard by more than 50 national standards bodies covering over 70 % of the global population. It has also been adopted by a number of UN agencies and national governments as a basis for developing their own risk-related standards and policies. All the terms and definitions in ISO 31000 are contained in ISO Guide 73, so any changes to the terms and definitions in ISO 31000 must be identical in both documents. At this end, ISO 31000, and its accompanying Guide 73 on risk management terminology come up for revision every five years.

The family of Standards developed by TC 176 are particularly relevant to support organizations in the process mapping activity and has been used as a reference source for drawing up that section. Its scope is the standardization in the field of quality management (generic quality management systems and supporting technologies), as well as quality management standardization in specific sectors. ISO/TC 176 is also entrusted with an advisory function to all ISO and IEC technical committees to ensure the integrity of the generic quality system standards and the effective implementation of the ISO/IEC sector policy on quality management systems deliverables.

The family of Standards published under the direct responsibility of JTC 1/SC 7 and TC 159/SC 4 are particularly useful to support organizations in the design and implementation of the RM Information systems. JTC 1/SC7 has the following mandate from ISO and IEC: standardization of processes, supporting tools and supporting technologies for the engineering of software products and systems. As for the TC 159/SC 4, its scope is the standardization in the field of ergonomics, addressing human characteristics and performance.

              Highlights

OCEG is a global, nonprofit think tank and community. It informs, empowers, and helps advance more than 50,000 members on governance, risk management, and compliance (GRC). Its members include c-suite, executive, management, other professionals from small and midsize businesses, international corporations, nonprofits and government agencies. Founded in 2002, OCEG is headquartered in Scottsdale, AZ. The OCEG framework is centered on the GRC Capability Model (commonly known as the Red Book). It describes key elements of an effective GRC system that integrates the principle of “Good governance”, “Risk management”, “Compliance”. The first Red Book was released in 2004: after months of analysis, collaboration, and vetting, the first OCEG standard emerges. Originally called the OCEG Capability Model, the cover was a deep red. It quickly became known as the OCEG Red Book. This standard provided both high-level and detailed practices that helped organizations address compliance and ethics issues. The standard gained wide adoption with over 100,000 downloads in a single year. Version 2.0 was published in 2009; version 2.1 was issued in 2012. The Red Book version 3.0 reflects 10 years of use and consideration by OCEG's global membership, which is now approaching 50,000 individuals worldwide. The Red Book Steering Committee attended several drafting and review sessions and prepared comments on each draft of the Red Book documents throughout the development process.

• Highlights

Formed in 1901, BSI was the world’s first National Standards Body. The BSI Kitemark was first registered by BSI on 12 June 1903. Originally known as the British Standard Mark, it has grown into one of Britain’s most important and most recognized consumer quality marks. Through more than a century of growth, BSI now delivers a comprehensive business services portfolio to clients, helping them raise their performance and enhance their competitiveness worldwide. Based on the consensus of the UK committee of risk management experts, BS 31100 provides practical and specific recommendations on how to implement the key principles of effective risk management as specified in ISO 31000. According to British Standards Institute (BSI), “BS 31100 will provide a basis for understanding, developing, implementing and maintaining risk management within any organization, in order to enhance an organization’s likelihood of successfully achieving its objectives”. This British Standard establishes the principles and terminology for risk management, and gives recommendations for the model, framework, process and implementation of risk management. The recommendations of BS 31100 are generic and intended to be applicable and scalable to all organizations across the public and private sector, regardless of type, size and nature. How recommendations are implemented will depend on an organization’s operating environment and complexity. BS 31100 is intended for use by anyone with responsibility for: ensuring that an organization manages to achieve its objectives; ensuring risks are managed in specific areas or activities; overseeing risk management in an organization; providing assurance on an organization’s risk management”. The first edition was issued in 2008: this version was replaced by the 2011 edition.

              Highlights

The Institute of Directors in Southern Africa (IoDSA) established in July 1993 the King Committee on Corporate Governance: it produced the first King Report on Corporate Governance which was published in 1994. The first King Report was recognized internationally, when published, as the most comprehensive publication on the subject embracing the inclusive approach to corporate governance. The King Report on Corporate Governance for South Africa – 2002 (King II Report) was launched at an Institute of Directors (IoDSA) Conference attended by 700 persons at the Sandton Convention Centre, 26 March 2002. The Institute of Directors in Southern Africa (IoDSA) formally introduced the King Code of Governance Principles and the King Report on Governance (King III) at the Sandton Convention Centre in Sandton, Johannesburg, in 2009. King III came into effect on 1 March 2010 – until then King II applied. The new Code and Report also falls in line with the Companies Act no 71 of 2008, which became effective on 1 May 2011. Like its 56 commonwealth peers, King III has been written in accordance to comply or explain principle based approach of governance, but specifically the apply or explain regime. This regime is currently unique in the Netherlands and now in South Africa. Whilst this approach remains a hotly debated issue globally, the King III Committee continues to believe it should be a non-legislative code on principles and practices.

               Highlights

The UNECE High-Level Group for the Modernisation of Official Statistics (HLG-MOS) was set up by the Bureau of the Conference of European Statisticians in 2010 to oversee and coordinate international work relating to statistical modernisation. It promotes standards-based modernisation of statistical production and services. It reports directly to the Conference of European Statisticians and received its mandate from this body. The mission of the HLG-MOS is to oversee development of frameworks, and sharing of information, tools and methods, which support the modernisation of statistical organizations. The aim is to improve the efficiency of the statistical production process, and the ability to produce outputs that better meet user needs.

The Joint UNECE / Eurostat / OECD Work Sessions on Statistical Metadata (METIS) have prepared a Common Metadata Framework (CMF). Part C of this framework is entitled "Metadata and the Statistical Cycle". This part refers to the phases of the statistical business process and provides generic terms to describe them. Since November 2013, this work has been taken over by the Modernisation Committee on Standards, under the HLG-MOS. During a workshop on the development of Part C of the CMF, held in Vienna in July 2007, the participants agreed that the business process model used by Statistics New Zealand would provide a good basis for developing a Generic Statistical Business Process Model. Following several drafts and public consultations, version 4.0 of the GSBPM was released in April 2009. It was subsequently widely adopted by the global official statistics community, and formed one of the cornerstones of the HLG vision and strategy for standards-based modernisation. In December 2012, a complementary model, the Generic Statistical Information Model (GSIM) was released. The work to develop and subsequently implement the GSIM resulted in the identification of several possible enhancements to the GSBPM. During 2013, the HLG launched a project on "Frameworks and Standards for Statistical Modernisation" which included a broader review of the GSBPM and the GSIM, to improve consistency between the documentation of the models, and to incorporate feedback based on practical implementations. The current version of the GSBPM (version 5.0) is the direct result of this work. Whilst it is considered final at the time of release, it

 is also expected that future updates may be necessary in the coming years, either to reflect further experiences from implementing the model in practice, or due to the evolution of the nature of statistical production.

The Generic Activity Model for Statistical Organizations (GAMSO) Version 1.0 was endorsed for release by the HLG-MOS on 1 March 2015. Statistical organizations are invited to use GAMSO and provide feedback based on practical implementations on the GAMSO Review. GAMSO will be reviewed in 2016 taking into account this feedback. GAMSO describes and defines the activities that take place within a typical statistical organization. It extends and complements the GSBPM by adding additional activities needed to support statistical production. When the GSBPM was developed, such activities were referred to as over-arching processes, and were listed, but not elaborated in any great detail. Over the years there have been several calls to expand the GSBPM to better cover these activities. The GAMSO was therefore developed to meet these needs.

               Highlights

In central government a number of reports, particularly the National Audit Office’s 2000 report “Supporting innovation – managing risk in government departments” and the Strategy Unit 2002 report “Risk – improving government’s capacity to handle risk and uncertainty”, have driven forward the risk management agenda and the development of Statements on Internal Control. In 2001 Treasury produced “Management of Risk – A Strategic Overview” which rapidly became known as the Orange Book: it provided a basic introduction to the concepts of risk management that proved very popular as a resource for developing and implementing risk management processes in government organizations. This Guidance is the successor to the 2001 Orange Book. It continues to provide broad based general guidance on the principles of risk management, but has been enhanced to reflect the lessons learned about risk management through the experience. The most significant shift since the publication of the 2001 is that all government organizations had, in 2004, basic risk management processes in place. This means that the main risk management challenge did not lie in the initial identification and analysis of risk and the development of the risk management process, but rather in the ongoing review and improvement of risk management. It focuses on both internal processes for risk management and consideration of the organization’s risk management in relation to the wider environment in which it functions.