
Dorothy Gjerdrum, ARM-P, CIRM Chair, US ISO Technical Adv Group


1 Dorothy Gjerdrum, ARM-P, CIRM Chair, US ISO Technical Adv Group

2 Why We Need to Manage Risk
The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise. (National Guidance on Implementing ISO 31000:2009, from NSAI in Ireland)

This approach links what is most important to an organization – key objectives, mission and strategy – to the management of risk, which increases the likelihood that we’ll succeed and achieve our objectives.

Optional/additional info: NSAI = National Standards Association of Ireland. This standards body created an implementation guide to ISO There is an international work group that is drafting an implementation guide to ISO It is due to be published in In the meantime, there are a few resources that are helpful from Ireland, Canada and Australia/New Zealand. This is an excerpt from one of them.

3 Global Corporate Governance Models
- International: Basel I & II; ISO 31000
- France: Vienot Com.; Mrini Report; Levy-Long Com.
- UK: Cadbury; Turnbull; Greenbury Rpt; BS RM
- All EU Countries: Directives on Governance
- Germany: Bill on the Control and Transparency of Organizations (KonTraG Bill)
- Netherlands: Code Tabaksblatt
- Italy: Draghi Commission
- US: Business Round Table; NYSE Listing Requirements; Blue Ribbon Commission; Sarbanes-Oxley Act; COSO ERM Framework
- Japan: Corporate Governance Forum of Japan; J-SOX
- Australia/New Zealand: AS/NZS 4360:2004; Stock Exchange Listing; New Accounting Standards; Best Practice Stmt Mgmt
- Canada: Toronto Stock Exchange Committee; Canadian Securities Committee; Allen Committee Report; COCO
- South Africa: Code of Best Practice; King Report I, II, III; Stakeholder Communication; Public Finance Mgmt Act

4 ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a non-governmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations. Therefore, ISO enables a consensus to be reached on solutions that meet both the requirements of business and the broader needs of society. Because "International Organization for Standardization" would have different acronyms in different languages ("IOS" in English, "OIN" in French for Organisation internationale de normalisation), its founders decided to give it also a short, all-purpose name. They chose "ISO", derived from the Greek isos, meaning "equal". Whatever the country, whatever the language, the short form of the organization's name is always ISO.

5 ISO 31000:2009 --> ANSI/ASSE/ISO 31000
- Australia, New Zealand & Japan initiated its creation – based on AS/NZ 4360
- 30+ countries participated
- 6 meetings over several years
- Adopted in November of 2009, now officially the first International Standard on Risk Management
- Guide 73 & ISO quickly followed
- The American Standard on RM – ANSI/ASSE/ISO 31000

6 Available for purchase at www.csa.ca
Combined ISO and Implementation Guidance for Canadian organizations: ‘Q ’ Canada
- Placed a stronger emphasis on senior management support of risk management
- Linking risk management to organizational performance
- Clarified sensitivities in managing risks to the public
- Maturity model for risk management in organizations
- Risk management process examples
- Correct links between risk appetite, risk tolerance and risk rating concepts
Available for purchase at

7 After Adoption…
- BSI 31100 – updated Code of Practice
- CSA – Canadian implementation guide
- NSAI – Ireland’s implementation guide
- Austria – three guidelines: embedding risk management, risk assessment & linking to business continuity processes
- Australia & New Zealand – issued handbooks
- Japan – created guidance (in Japanese)

8 2011: PC 262 formed to Create ISO 31004
- International work group re-engaged to create an implementation guide to ISO 31000
- Two meetings so far – expect two more each year until finalized
- Publication date of 2015? – May coincide with the next update of ISO 31000

9 Primary Audience
- Those accountable for the governance of organizations
- Those accountable for managing organizations
- Practitioners providing advice and services to assist decision-makers
- Those who provide assurance regarding the effectiveness of risk management

10 Scope of ISO 31000 This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.

11 What is “risk”?? Risk is present in everything we do.
ISO 31000, the international standard on risk management, defines it this way: Risk = the effect of uncertainty on your objectives. Risk can be a threat or an opportunity.

Risk is defined very broadly. Here is one example of the effect of uncertainty on an objective: Imagine that a community college wants to develop new curriculum for an emerging business operation (such as stem cell research or, within a culinary arts program, a program that trains butchers). That is the objective. What uncertainties might affect the objective? Will there be enough students to justify the new program? If so, the college risks paying the expenses and salaries for teachers and staff without enough income to justify offering courses. Conversely, is there a risk that the college may lose students and tuition dollars if it doesn’t offer the new curriculum? Would students leave to take the class somewhere else? That’s uncertain. If it is uncertain whether qualified staff and facilities are available, then there is a risk that the college might not be able to create a high-quality program. If the college is the first in the area to offer this new curriculum, and it draws new students to campus, this could improve the college’s financial stability and reputation as a forward-thinking institution. The new curriculum could support business and economic opportunity, which could translate to partnerships, scholarships and internships with local businesses.

If we talk through the uncertainties and risks, we will position ourselves to make the best decision possible. The goal of ERM is to support decision-making and then manage both threats and opportunities. We need a process to understand the risks associated with our goals and objectives. We need a process that is broad enough to consider the opportunities that are present – when we take a risk – and the potential harm, or threat, as well.

Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

12 Critical Components of ISO 31000
- The principles provide the foundation and describe the qualities of effective risk management in an organization
- The framework manages the overall process and its full integration into the organization
- The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment

The ISO Standard has three interdependent components.

Principles: We understand why we’re doing this by understanding the principles. This helps us understand its importance. (The principles are all listed on the next slide.)

Framework: The framework tells us how we’re going to do this, who is going to be part of the process, how much it will cost, how long it will take and the structure for how we will accomplish the assessment and management of risk. We build this on a process of continual improvement, so that we will learn and adapt as we go – to assure that we make this a successful process.

Process: The risk management process can apply to individual risks, projects, a specific opportunity or a portfolio of risks (such as HR risks or IT risks). The same process is followed each time and documented to build consistency in an organization’s approach to managing risk. Thorough discussion of the context before each risk assessment is a critical component because internal and external circumstances are constantly changing. Monitoring & review, continual improvement and communication occur throughout.

From ANSI/ASSE/ISO 31000

13 Principles, Framework, RM Process
Principles:
- Creates value
- Integral part of organizational processes
- Part of decision making
- Explicitly addresses uncertainty
- Systematic, structured & timely
- Based on best available info
- Tailored
- Takes human & cultural factors into account
- Transparent & inclusive
- Dynamic, iterative & responsive to change
- Facilitates continual improvement & enhancement of the org

Framework:
- Mandate & commitment
- Design framework for managing risk
- Implement risk management
- Monitor and review the framework
- Continually improve the framework

RM Process:
- Establish the context
- Risk assessment: risk identification, risk analysis, risk evaluation
- Risk treatment
- Communicate and consult (throughout)
- Monitor and review (throughout)

Here are the details of the three components – directly from the standard itself. There are 11 key principles. If we do not adhere to these principles, then we are not creating value for the organization. The management of risk is not an activity unto itself; it serves the purpose of supporting business and operational objectives.

The framework determines tone, communication and the overall process for implementing risk management in an organization. It includes things like risk management policy, determination of a “common language of risk,” making plans for training and communication and data management. The framework is set up in a continual improvement model.

The RM process will be familiar to many. It is the process we use to identify, analyze and manage (or treat) risks. The critical activities of monitoring and communicating should occur throughout the process.

14 Components of the Framework
- Understanding the organization & its context
- Establishing RM policy
- Accountability & authority
- Integration into organizational processes
- Determining appropriate resources
- Establishing internal communication & reporting mechanisms
- Establishing external communication & reporting mechanisms

These are the activities that should be addressed by a risk advisory council and approved by senior leaders (and possibly governing boards).

ISO 31000:2009 Risk management – Principles and guidelines

15 Framework Example: Context
External Context:
- Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
- Key drivers and trends that will have an impact on your organization
- Relationships with and perceptions & values of external stakeholders

Internal Context:
- Governance, organizational structure, roles & accountabilities
- Policies, objectives & strategy
- Capabilities & resources
- Info systems
- Organizational culture
- Contractual relationships
- Relationships with, perceptions & values of internal stakeholders

Describing the context of operations is key to the activity of creating the framework for the process. It is also important to review before each risk assessment process.

ISO 31000:2009 Risk management – Principles and guidelines

16 Framework Example: Benefits
- Increase likelihood of achieving objectives
- Encourage proactive management
- Be aware of the need to identify and treat risk throughout the organization
- Improve the identification of opportunities & threats
- Effectively allocate and use resources
- Comply with relevant legal and regulatory requirements and international norms
- Improve mandatory and voluntary reporting
- Improve operational effectiveness & efficiency
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making & planning
- Improve controls
- Improve governance

The benefits of effective risk management are quite comprehensive across all organizational activities. These benefits should be front and center as any organization proceeds to implement a broader approach to risk management – and referred to often as information about the process is communicated to stakeholders.

ISO 31000:2009 Risk management – Principles and guidelines

17 What is Different about ISO 31000?
Without risk, there is no reward or progress. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize threats. Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. This is where ISO is clearly different from existing guidelines in that the emphasis is shifted from something happening – the event – to the effect on objectives.

Lois’ slide
Kevin W. Knight, AM, Chair of the ISO working group & Chair of ISO project committee, ISO Focus, June 2009

18 Global Survey on ISO 31000
Conducted mid-October to mid-December, 2011
- LinkedIn website on ISO 31000, with >6,500 members since March of 2009
- Reached out to 100+ associations; members from 74 associations participated
- 1,823 responses from 111 countries
- Largest # of participants from US (20%), UK (10%) and Australia (10%)
- Primary professions: risk management & IT

19 Survey Participants

20 Select Results
- 65% - familiar with or knowledgeable about ISO 31000
  - 93% of Australian respondents
  - 67% of UK respondents
  - 47% of US respondents
- 35% - no knowledge
  - 7% of Australian respondents
  - 33% of UK respondents
  - 53% of US respondents

21 Countries with Highest Level of Awareness of ISO 31000 (“Fully understand ISO 31000”)
- Australia (65%)
- New Zealand (47%)
- Canada (42%)
- United Arab Emirates (37%)
- Brazil (28%)
- South Africa (26%)
- Spain (21%)
- Netherlands (21%)
- United Kingdom (21%)
- Finland (18%)
- Italy (14%)
- France (13%)
- USA (11%)

22 How is Risk Management Used Within Your Organization?
- All decisions (40%)
- Auditing/compliance (21%)
- Safety/security (18%)
- Report performance (9%)
- Insurance (7%)
- Not used in our organization (5%)

23 Which Standard Does Your Organization Utilize?
- Our own version (40%)
- ISO (36%)
- ISO (20%)
- COSO (18%)
- PMBOK (17%)
- Guide 73 (16%)
- AUS/NZ 4360 (13%)
- ISO (13%)
