Dorothy Gjerdrum, ARM-P, CIRM Chair, US ISO Technical Adv Group


Why We Need to Manage Risk
"The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise." (National Guidance on Implementing ISO 31000:2009, from NSAI in Ireland)

This approach links what is most important to an organization – key objectives, mission and strategy – to the management of risk, which increases the likelihood that we’ll succeed and achieve our objectives.

Optional/additional info: NSAI = National Standards Association of Ireland. This standards body created an implementation guide to ISO 31000. There is an international work group that is drafting an implementation guide to ISO 31000; it is due to be published in 2014. In the meantime, there are a few helpful resources from Ireland, Canada and Australia/New Zealand. This is an excerpt from one of them.

Global Corporate Governance Models
- INTERNATIONAL: Basel I & II; ISO 31000
- France: Vienot Com.; Mrini Report; Levy-Long Com.
- UK: Cadbury; Turnbull; Greenbury Rpt; BS 31100 RM
- All EU Countries: Directives on Governance
- Germany: Bill on The Control and Transparency of organizations (KonTraG Bill)
- Netherlands: Code Tabaksblatt
- Italy: Draghi Commission
- US: Business Round Table; NYSE listing Requirements; Blue Ribbon Commission; Sarbanes Oxley Act; COSO ERM Framework
- Japan: Corporate Governance Forum of Japan; J-SOX
- Australia/New Zealand: AS/NZS 4360:2004; Stock Exchange Listing; New Accounting Standards; Best Practice Stmt Mgmt
- Canada: Toronto Stock Exchange Committee; Canadian Securities Committee; Allen committee Report; COCO
- South Africa: Code of Best Practice; King Report I, II, III; Stakeholder Communication; Public Finance Mgmt Act

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a non-governmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations. Therefore, ISO enables a consensus to be reached on solutions that meet both the requirements of business and the broader needs of society. Because "International Organization for Standardization" would have different acronyms in different languages ("IOS" in English, "OIN" in French for Organisation internationale de normalisation), its founders decided to give it also a short, all-purpose name. They chose "ISO", derived from the Greek isos, meaning "equal". Whatever the country, whatever the language, the short form of the organization's name is always ISO.

ISO 31000:2009 --> ANSI/ASSE/ISO 31000
- Australia, New Zealand & Japan initiated its creation – based on AS/NZ 4360
- 30+ countries participated
- 6 meetings over several years
- Adopted in November of 2009, now officially the first International Standard on Risk Management
- Guide 73 & ISO 31010 quickly followed
- The American Standard on RM – ANSI/ASSE/ISO 31000

Canada
Combined ISO 31000 and Implementation Guidance for Canadian organizations: ‘Q31001-11’
- Placed a stronger emphasis on senior management support of risk management
- Linking risk management to organizational performance
- Clarified sensitivities in managing risks to the public
- Maturity model for risk management in organizations
- Risk management process examples
- Correct links between risk appetite, risk tolerance and risk rating concepts
Available for purchase at www.csa.ca

After Adoption…
- BSI 31100 – updated Code of Practice
- CSA – Canadian implementation guide
- NSAI – Ireland’s implementation guide
- Austria – three guidelines: embedding risk management, risk assessment & linking to business continuity processes
- Australia & New Zealand – issued handbooks
- Japan – created guidance (in Japanese)

2011: PC 262 formed to Create ISO 31004
- International work group re-engaged to create an implementation guide to ISO 31000
- Two meetings so far – expect two more each year until finalized
- Publication date of 2015? – May coincide with the next update of ISO 31000

Primary Audience
- Those accountable for the governance of organizations
- Those accountable for managing organizations
- Practitioners providing advice and services to assist decision-makers
- Those who provide assurance regarding the effectiveness of risk management

Scope of ISO 31000
This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.

What is “risk”??
Risk is present in everything we do. ISO 31000, the international standard on risk management, defines it this way: Risk = the effect of uncertainty on your objectives. Risk can be a threat or an opportunity.

Risk is defined very broadly. Here is one example of the effect of uncertainty on an objective: Imagine that a community college wants to develop new curriculum for an emerging business operation (such as stem cell research or, within a culinary arts program, a program that trains butchers). That is the objective. What uncertainties might affect the objective? Will there be enough students to justify the new program? If not, the college risks paying the expenses and salaries for teachers and staff without enough income to justify offering courses. Conversely, is there a risk that the college may lose students and tuition dollars if it doesn’t offer the new curriculum? Would students leave to take the class somewhere else? That’s uncertain. If it is uncertain whether qualified staff and facilities are available, then there is a risk that the college might not be able to create a high-quality program. If the college is the first in the area to offer this new curriculum, and it draws new students to campus, this could improve the college’s financial stability and reputation as a forward-thinking institution. The new curriculum could support business and economic opportunity, which could translate to partnerships, scholarships and internships with local businesses.

If we talk through the uncertainties and risks, we will position ourselves to make the best decision possible. The goal of ERM is to support decision-making and then manage both threats and opportunities. We need a process to understand the risks associated with our goals and objectives. We need a process that is broad enough to consider the opportunities that are present – when we take a risk – and the potential harm, or threat, as well.
Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

Critical Components of ISO 31000
- The principles provide the foundation and describe the qualities of effective risk management in an organization
- The framework manages the overall process and its full integration into the organization
- The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment

The ISO Standard has three interdependent components.

Principles: We understand why we’re doing this by understanding the principles. This helps us understand its importance. (The principles are all listed on the next slide.)

Framework: The framework tells us how we’re going to do this, who is going to be part of the process, how much it will cost, how long it will take and the structure for how we will accomplish the assessment and management of risk. We build this on a process of continual improvement, so that we will learn and adapt as we go – to assure that we make this a successful process.

Process: The risk management process can apply to individual risks, projects, a specific opportunity or a portfolio of risks (such as HR risks or IT risks). The same process is followed each time and documented to build consistency in an organization’s approach to managing risk. Thorough discussion of the context before each risk assessment is a critical component because internal and external circumstances are constantly changing.

Monitoring & review, continual improvement and communication occur throughout.
From ANSI/ASSE/ISO 31000

Principles
- Creates value
- Integral part of organizational processes
- Part of decision making
- Explicitly addresses uncertainty
- Systematic, structured & timely
- Based on best available info
- Tailored
- Takes human & cultural factors into account
- Transparent & inclusive
- Dynamic, iterative & responsive to change
- Facilitates continual improvement & enhancement of the org

Framework
- Mandate & Commitment
- Design framework for managing risk
- Implement risk management
- Monitor and review the framework
- Continually improve the framework

RM Process
- Establish the context
- Risk assessment: Risk identification, Risk analysis, Risk evaluation
- Risk treatment
- Communicate and consult (throughout)
- Monitor and review (throughout)

Here are the details of the three components – directly from the standard itself. There are 11 key principles. If we do not adhere to these principles, then we are not creating value for the organization. The management of risk is not an activity unto itself; it serves the purpose of supporting business and operational objectives. The framework determines tone, communication and the overall process for implementing risk management in an organization. It includes things like risk management policy, determination of a “common language of risk,” making plans for training and communication and data management. The framework is set up in a continual improvement model. The RM process will be familiar to many. It is the process we use to identify, analyze and manage (or treat) risks. The critical activities of monitoring and communicating should occur throughout the process.

Components of the Framework
- Understanding the organization & its context
- Establishing RM policy
- Accountability & Authority
- Integration into organizational processes
- Determining appropriate resources
- Establishing internal communication & reporting mechanisms
- Establishing external communication & reporting mechanisms

These are the activities that should be addressed by a risk advisory council and approved by senior leaders (and possibly governing boards).
ISO 31000:2009 Risk management – Principles and guidelines

Framework Example: Context

External Context
- Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
- Key drivers and trends that will have an impact on your organization
- Relationships with and perceptions & values of external stakeholders

Internal Context
- Governance, organizational structure, roles & accountabilities
- Policies, objectives & strategy
- Capabilities & resources
- Info systems
- Organizational culture
- Contractual relationships
- Relationships with, perceptions & values of internal stakeholders

Describing the context of operations is key to the activity of creating the framework for the process. It is also important to review before each risk assessment process.
ISO 31000:2009 Risk management – Principles and guidelines

Framework Example: Benefits
- Increase likelihood of achieving objectives
- Encourage proactive management
- Be aware of the need to identify and treat risk throughout the organization
- Improve the identification of opportunities & threats
- Effectively allocate and use resources
- Comply with relevant legal and regulatory requirements and international norms
- Improve mandatory and voluntary reporting
- Improve operational effectiveness & efficiency
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making & planning
- Improve controls
- Improve governance

The benefits of effective risk management are quite comprehensive across all organizational activities. These benefits should be front and center as any organization proceeds to implement a broader approach to risk management – and referred to often as information about the process is communicated to stakeholders.
ISO 31000:2009 Risk management – Principles and guidelines

What is Different about ISO 31000?
“Without risk, there is no reward or progress. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize threats. Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. This is where ISO 31000 is clearly different from existing guidelines in that the emphasis is shifted from something happening – the event – to the effect on objectives.”
Lois’ slide
Kevin W. Knight, AM, Chair of the ISO 31000 working group & Chair of ISO 31004 project committee, ISO Focus, June 2009

Global Survey on ISO 31000
- Conducted mid-October to mid-December, 2011
- LinkedIn website on ISO 31000, with >6,500 members since March of 2009
- Reached out to 100+ associations; members from 74 associations participated
- 1,823 responses from 111 countries
- Largest # of participants from US (20%), UK (10%) and Australia (10%)
- Primary professions: risk management & IT

Survey Participants

Select Results
- 65% – familiar with or knowledgeable about ISO 31000 (93% of Australian respondents, 67% of UK respondents, 47% of US respondents)
- 35% – no knowledge (7% of Australian respondents, 33% of UK respondents, 53% of US respondents)

Countries with Highest Level of Awareness of ISO 31000 (“Fully understand ISO 31000”)
- Australia (65%)
- New Zealand (47%)
- Canada (42%)
- United Arab Emirates (37%)
- Brazil (28%)
- South Africa (26%)
- Spain (21%)
- Netherlands (21%)
- United Kingdom (21%)
- Finland (18%)
- Italy (14%)
- France (13%)
- USA (11%)

How is Risk Management Used Within Your Organization?
- All decisions (40%)
- Auditing/compliance (21%)
- Safety/security (18%)
- Report performance (9%)
- Insurance (7%)
- Not used in our organization (5%)

Which Standard Does Your Organization Utilize?
- Our own version (40%)
- ISO 31000 (36%)
- ISO 27005 (20%)
- COSO (18%)
- PMBOK (17%)
- Guide 73 (16%)
- AUS/NZ 4360 (13%)
- ISO 31010 (13%)