AS/NZS 4360 (2004):

This standard was the first risk management standard. Its first version appeared in 1995, and it defines the risk management process with a holistic, generic and independent approach, capable of being applied across all types of industry and organization, units, processes, projects and individuals; it is also widely accepted inside and outside Australia and New Zealand. In 2009 this standard was updated and became known as AS/NZS ISO 31000:2009 (SAI Global, 2012; Lehane, 2011; Hillson, 2006; Handbook, Risk Management Guidelines, Companion to AS/NZS 4360:2004, 2005; AS/NZS 4360:2004, 2006; Knight, 2002).

More details available on:
Risk Management Standard - 2002:

This standard provided techniques, processes and tools, together with clearly defined roles for boards, individuals, business units, external reporters, risk management functions and internal auditing (IRM, 2002).

More details available on:

COSO ERM framework (2004):

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its ERM framework in 2004.

It consists of a three-dimensional cube framework. The first dimension holds four vertical risk management objectives: Strategic, Operations, Reporting and Compliance. The second dimension holds eight horizontal rows of risk components: Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring. The last dimension covers all entity units and levels, so this part should be tailored to the organization's structure by including every part of the organization from top to bottom: Subsidiary, Business Unit, Division, and so on.

The COSO ERM framework introduces a holistic enterprise risk management approach; it shows how risk management should be considered by all slices of the entity, horizontally and vertically, with full integration. Moreover, this framework provides tools and techniques to clarify its application, which is why some practitioners claim that this standard is more appropriate for the private financial sector.


More details available on:


ISO 31000 (2009):

This standard discusses the integration of risk management with all units in the organization in general. It states that each process should have an owner, and it confirms the importance of good communication between the risk management owner and all other units in the organization. However, none of these processes comes with detailed information on, or distribution of, roles. Purdy (2010) stated that ISO 31000 provides the general structure for managing risk in order to give organizations more flexibility for customization and tailoring. Moreover, the global ISO 31000 Survey (2011) found that 44% of respondents reported that ISO 31000 provided a significant improvement, against 40% who reported that it is quite similar to other risk management standards.

More details on:

GRC Capability Model:

“GRC is an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness”. This definition was developed by Racz, Weippl and Seufert (2010:112-113).

GRC aims to unify governance, risk and compliance with all organisation processes to offer a holistic view of risk to the top management and the board, as well as to break compliance fragmentation. 

Moreover, GRC is an essential technology solution. A wide range of GRC software exists, the best of which helps organisations to achieve GRC convergence by linking the framework with all relevant processes, providing an effective real-time information and reporting system, and a robust information security system (Racz, Panitz, Amberg, Weippl, & Seufert, 2010).


For more details please visit:



Raida Mashal