The Open Applications Group (OAGi) has announced the formation of a new RiskML Work Group to define an XML vocabulary for the definition of risk and control libraries. Formation of the RiskML WG is set against the backdrop of recent Sarbanes-Oxley legislation where "there is increased likelihood of ERP customers and Audit Firms exchanging a great deal of risk and control information. The separation of the External Audit from the Risk Assurance activity will mean that Audit firms will be exchanging risk and control information. Mapping different formats from different audit firms and different ERP solutions is inefficient, expensive and adds no value to the parties involved."

The RiskML WG will therefore create a standardized vocabulary to describe a risk and control library facilitating risk library information exchange and a standardized mechanism for publication. It will focus on the Risk and Control structure described in the COSO framework. Key deliverables include a Class Diagram, Use Case Diagram, XML Schema Definition, and corresponding documentation. New OAGIS Business Object Documents (BODs)/Nouns to be added include: Financial Statement, Process, Objective, Risk, Control, and Testing Procedure.

The Open Applications Group is "a non-profit consortium focusing on best practices and processes based on XML content for eBusiness and Application Integration. Its members have created a consensus based framework for business software application interoperability and have developed a repeatable process for quickly developing high quality business content and XML representations of that content." Other OAGi Content Working Group Projects include: Core Components, CRM XML, Internet Parts Order, Inventory Visibility, Location Services, Logistics XML, Semantic Integration, and STAR (Standards for Technology in Automotive Retail).

From the Announcement

The announcement was given in a posting from David M. Connelly (CEO, Open Applications Group):

"I am pleased to announce the formation of a new OAGIS Workgroup. RiskML is an XML vocabulary for the definition of Risk and Control Libraries."

"With the advent of recent legislation there is an increased likelihood of ERP customers and Audit Firms exchanging a great deal of risk and control information. The separation of the External Audit from the Risk Assurance activity means that Audit firms will be exchanging risk and control information. Mapping different formats from different audit firms and different ERP solutions is inefficient, expensive and adds no value to the parties involved."

"This is a real market need for a standardized vocabulary to describe a risk and control library facilitating risk library information exchange and a standardized mechanism for publication and we are pleased to announce and invite you to join the RiskML Workgroup. This effort will be operating as an OAGIS Workgroup and thus will be taking advantage of the largest and richest XML vocabulary in the world..."

About the COSO Framework

A draft COSO Enterprise Risk Management Framework "defines and describes enterprise risk management and provides a standard against which business and other entities -- large or small, in the public or private sector, for profit or not -- can assess their enterprise risk management and determine how to improve it... The [document] Executive Summary sets out key elements of the Enterprise Risk Management Framework, including the definition, components and underlying principles of enterprise risk management, as well as its benefits and limitations and roles and responsibilities of various parties..."

"Managements of some companies and other entities have developed processes to identify and manage risk across the enterprise, and many others have begun development or are considering doing so. While considerable information on enterprise risk management is available, including much published literature, no common terminology exists, and there are few if any widely accepted principles that can be used by management as a guide in developing an effective risk management architecture."

"Recognizing the need for definitive guidance on enterprise risk management, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) initiated a project to develop a conceptually sound framework providing integrated principles, common terminology and practical implementation guidance supporting entities' programs to develop or benchmark their enterprise risk management processes. A related objective is for this resulting framework to serve as a common basis for managements, directors, regulators, academics and others to better understand enterprise risk management, its benefits and limitations, and to effectively communicate about enterprise risk management issues..." [adapted from the Draft Executive Summary]

Page 8 of the RiskML Project Definition document provides a summary and visual depiction of COSO's five interrelated components of internal control; these topics are elaborated in the draft specification:

• The Control Environment encompasses every facet of the internal control framework and sets the tone of an organization, influencing the control consciousness of its people.
• Risk Assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
• Control Activities are the policies and procedures that help ensure management directives are carried out. Control activities are developed to specifically address each control objective to mitigate risks identified in the risk assessment.
• Information and Communication is the identification, capture and communication of pertinent information in a form and timeframe that enable people to carry out their responsibilities. This process should also work in reverse, communicating information on results, deficiencies and emerging issues from employees to management.
• Monitoring is the process of assessing the quality of the control system's performance over time through ongoing and special evaluations.