Presentation transcript: ISO 31000, a risk management standard for decision-makers

1 ISO 31000, a risk management standard for decision-makers
Alex Dali, MBA, ARM, CT31000 President Global Institute for Risk Management Standards - G31000

2 What is Risk Management …. …… in the Business Continuity world ?

3 Definitions
Business Continuity: reducing the impacts that occur when there is a failure in Enterprise or Operational Risk Management.
Enterprise Risk: risks associated with not only accidental losses, but also financial, strategic, operational, and other risks; not only accidental losses, but also business risks which have positive and negative consequences.
Operational Risk: risks associated with internal inadequacies of an organization or a breakdown of its controls, operations or procedures.
Speaker note: the boundary between enterprise risk and operational risk is drawn inconsistently across these definitions.

4 4 Categories of Problems:
Risk categories (an incident occurs):
• Facilities: Fire, Flood, Bomb Scare, SARS/H1N1/H5N1, Terrorism, etc.
• Business/Operations: Supply Chain, Process Error, Transit Strike, SARS/H1N1/H5N1, Labor Strike, etc.
• Technology: Network Problem, Application Error, Hardware Failure, Virus, Power Problem, etc.
• Organization: M&A, Succession, IP Issue, Audit Issues, Financial Problems, etc.
Consequences: Property damage, Personal, Finance, Liability, Reputation.
Speaker note: these categories are confusing; they overlap (the same pandemic appears under both Facilities and Business/Operations).

5 Approaching the Incident
How would a risk manager approach the incident?
• Risk Management identifies threats (Facility, Environmental, Climatic, Geopolitical, Personnel, Business, Technology, etc.)
• Recommends mitigation, weighing probability against the cost of mitigation
How would a business continuity manager approach the incident?
• BCM asks: what are the implications of failing to mitigate or prevent?
• Preparation: structure, planning, resources, testing
• Execution: relocation, operating under duress

6 What is Risk Management ….?
About ISO 31000, the ISO risk management standard What is Risk Management ….?

7 Why aren’t ERM Programs More Successful?
Most ERM Programs are built on "Governance" or "Compliance" models:
• Value: "Did we do it? Good."
• Measures are rarely in meaningful terms
• Not a KEY role in performance management, planning, budgeting and strategy formation
• Limited in scope and focus
• Not a "day-to-day" part of decision making
• Not based on or tied to a standard or tight framework
Copyright 2012 rPM3 Solutions, LLC and ERM, LLC

8 a compliance & control risk management standard
(Diagram: Risk at the centre, surrounded by controls, regulations, insurance, reporting and audit)

9

10 Effect of uncertainty on objectives…
Risk: effect of uncertainty on objectives (the ISO 31000 definition)

11 RISK MANAGEMENT & ISO 31000
The combination of governance, performance, decision-making and risk management has become the driving force for a global approach: a structured methodology leading to risk management standardization.
Speaker notes (quoted Gartner commentary on the Enablon GRC platform):
• They demonstrated to Gartner some of the best examples of linking business performance, risk management and compliance. Customers reported using the platform for several integrated performance and risk management use cases, including strategic planning and assessing the impact of risks on strategic business objectives, mapping KRIs to KPIs, and calculating risk-adjusted performance.
• They provide a large number of pre-packaged analytical methods that address a number of risk management, sustainability, and business performance requirements. As the enterprise GRC platform market looks for solutions that support integrated performance and risk management, Enablon has been able to gain traction.

12 ISO 31000, a global risk management standard
(Diagram, philosophy of the ISO risk management standard: objectives and performance under uncertainty; risk; decision-making and the best allocation of resources; surrounded by the compliance layer of regulations, audit, controls, insurance and reporting. G31000 Copyright © 2015)

13 "Better Risk Management is Better Management"
The 11 principles of risk management (ISO 31000:2009). Risk management:
• Creates value
• Is an integral part of organizational processes
• Is part of decision making
• Explicitly addresses uncertainty
• Is systematic, structured and timely
• Is based on the best available information
• Is tailored
• Takes human and cultural factors into account
• Is transparent and inclusive
• Is dynamic, iterative and responsive to change
• Facilitates continual improvement and enhancement of the organization
Risk Management is part of good management; good Risk Management embeds the ISO 31000 principles.
Speaker notes: ISO has been widely adopted and is tried and tested by committee and increasingly by practice. Personal opinion: the corollary is that the better the degree of alignment with ISO 31000, the better the company is being managed.
Source: the 11 principles of risk management proposed in the ISO 31000:2009 standard

14 5 recommendations for Risk Management
Adopt an internationally-recognized reference Use a simple risk management architecture Promote business performance Link risk management and decision-making Encourage adequate education with benefits

15 5 recommendations for Risk Management
Adopt an internationally-recognized reference

16 Internationally-recognised reference
About ISO 31000: an internationally-recognised reference
• International acceptance
• Single global reference for stakeholders
• A guideline, so it can be tailored
• All types of risks, any sector/industry
• "Umbrella" for all existing standards
Positive:
• Four-year development period during which up to 60 experts from different sectors (industry, health & safety, quality management), representing 30 countries, worked within an ISO international working group
• Provides a single global reference for stakeholders in an organisation who have an interest in risk management
• Can apply to any activity or domain in any organisation, public or private
• Provides an "umbrella" for more than 60 recognised standards and guidelines that refer to risk management (per CEN, the European Committee for Standardisation)
Warnings:
• Like it or not, it should not be ignored: it is the common reference for stakeholders
• There are some who perceive that ISO is an attempt at some form of world domination in the field of risk management guidelines. This is not ISO's stated aim: it does not pretend to impose best practices but rather to harmonize principles, framework and processes.
• Risk management professionals should be familiar with its content
• Multiple frameworks create confusion

17 Value-added / benefits of ERM

18 OECD

19 ISO 31000 risk management standard strongly adopted in Europe

20 Number of members by COUNTRIES : WORLD (top ten)
(Chart: number of G31000 members by country, world top ten, 2011-2016. Extract from G31000 database, 29 February 2016)

21 Sectors and company’s size

22 5 recommendations for Risk Management
Use a simple risk management architecture

23 Objectives of ISO 31000 STRUCTURE
Simple risk management architecture
• 3-pillar structure: principles, framework and process
• Robust and simple to apply
• Opportunity to review existing RM practices
• ISO free to download in India
Positive:
• The 3-pillar structure (principles, framework and process) compares favourably with the cumbersome and confusing COSO II cube
• Robust and simple to apply
Warning:
• ISO provides an opportunity to review existing risk management practices in the organization. Although ISO does not impose any compulsory compliance, it would be a mistake to overlook its utility as a generic reference. A risk management team may find it useful to compare its risk management framework and process to that described in ISO and to track the similarities and differences.
• Do not restrict risk management to the risk management process…

24 Objectives of ISO 31000 STRUCTURE
Principles (the 11 principles of ISO 31000):
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored
• Takes human and cultural factors into account
• Transparent and inclusive
• Dynamic, iterative and responsive to change
• Facilitates continual improvement and enhancement of the organization
Framework (a cycle):
• Mandate and commitment
• Design of the framework for managing risk
• Implementing risk management
• Monitoring and review of the framework
• Continual improvement of the framework

25 Objectives of ISO 31000 STRUCTURE
Risk Management Process (vocabulary per ISO Guide 73, Risk Management Vocabulary):
• Communication and consultation
• Establish the context
• Risk assessment = risk identification + risk analysis + risk evaluation
• Risk treatment
• Monitoring and review

26 5 recommendations for Risk Management
Promote business performance

27 How is risk management mainly used within your organization ?
ISO SURVEY 2012 How is risk management mainly used within your organization ?

28 Objectives of ISO 31000 SCOPE
… not a parallel management system
• Integrate risk in all practices and processes, at all levels
• Risk management must create value
• Link risk management to business performance
Positive:
• ISO clearly states (when addressing the risk management framework): "This framework is not intended to prescribe a management system, but rather, to assist the organisation to integrate risk management into its overall management system. Organisations should adapt the components of the framework to their specific needs."
• Lessons should be learned from the troubled implementation of the ISO 9000 series during the early years, and the problems encountered with the creation of parallel quality management systems.
• The purpose of effective risk management is to promote improvement in business performance.
Warnings:
• Use ISO as a means to interface more effectively with business units, not as an excuse for increasing the burden of management reporting. Many companies that have implemented ISO standards on a large scale are wondering, after a few years, whether the benefits are really worth the costs involved. ISO standards can be expensive to implement and to maintain if parallel management systems are set up to support a bureaucratic compliance reporting process. It would be a mistake to use ISO as a tool for the creation of burdensome reporting on risk. To the extent possible, use and leverage information that is already captured within the normal course of business operations and/or within the various business support functions.
• Keep the risk management process as simple and robust as possible. While a two-phase risk management process defined in terms of risk assessment and risk treatment may be considered somewhat minimalist, one could be tempted to simplify it further, which could lead to important matters being overlooked.
• Therefore, the management of risk must be part of the organisation's management system rather than a stand-alone add-on activity.
Speaker note: contrast with the confusing COSO II cube (assembled by a handful of sponsoring organisations, essentially US accounting associations, that shared a common interest in developing a heavyweight, compliance-focused ERM process that promotes the importance of internal control and internal audit functions). No bureaucratic compliance reporting system.

29 5 recommendations for Risk Management
Link risk management and decision-making

30 ISO 31000, a global risk management standard
(Diagram, philosophy of the ISO risk management standard, as on slide 12: objectives and performance under uncertainty; risk; decision-making and the best allocation of resources; surrounded by the compliance layer of regulations, audit, controls, insurance and reporting. G31000 Copyright © 2016)

31 5 recommendations for Risk Management
Encourage adequate education with benefits

32 Certification INDIVIDUALS
• Growing understanding of the importance of effectively managing risk
• Increasing recognition of ISO 31000, hence individuals wishing for knowledge and understanding about risk management
• Improved decision making through explicit consideration of uncertainty and potential consequences

33 Global Institute for Risk Management Standards
Training sessions conducted worldwide: 58 sessions in 25 countries. Cities covered: New York, Chicago, Los Angeles, Denver, Washington, West Palm Beach, Toronto, Brussels, Paris, London, Nice, Lagos, Johannesburg, Cape Town, Madrid, Barcelona, Milano, Geneve, Amsterdam, Dubai, Riyadh, Macau, Shanghai, Singapore, Sydney, Lima, Bogota, Cairo. "Plan your training" survey:

34 Network of 103 Approved/Certified trainers
Global Institute for Risk Management Standards: worldwide network of 523 certified risk professionals via G31000 training and certification; network of 103 approved/certified trainers; 6 languages

35 5 recommendations for Risk Management
Adopt an internationally-recognized reference Use a simple risk management architecture Promote business performance Link risk management and decision-making Encourage adequate education with benefits

36 + recommendations for Business Continuity Management
Where is the role of Business Continuity in ISO standards ? RISK & risk management

37 Where is the role of Business Continuity in ISO 31000 ?
Reducing negative consequences

38 The different aspects of Business Continuity
The different aspects of Business Continuity, with the relevant standard and ISO committee for each:
• Business Continuity (Relocation): ISO 22301 (ISO/TC 223, Societal security)
• Disaster Recovery (IT Recovery and Continuity): ISO 27031 (ISO/IEC JTC 1/SC 27)
• Emergency Response: ISO 22320 (ISO/TC 223, Societal security)
• Crisis Management: BS 11200 (British standard)
• Disruption-related risk management: ISO 31xxx (ISO/TC 262, Risk Management)
• Resilience Management: ISO 28002 (ISO/TC 292, Security and resilience)
Integrated solution: removing redundancies and streamlining the approach under the banner of Business Continuity Management.

39 ISO Management Systems
ISO TMB Joint Technical Coordination Group: how to align all ISO Management Systems (RISK & risk management)
Susan LK Briggs, TC 207/SC 1 Representative on JTCG TF1; Chair, US Technical Advisory Group to TC 207; Convenor, WG5 – ISO Revision. Presented to the ISO Conference, 28th May 2013

40 Integration through standardization
Extract of the presentation titled "Toward Integration: The Relationship between Risk and Continuity", third international ISO conference, Toronto, May 2013:
• The obstacle is the lack of an integration vehicle
• Business continuity is part of enterprise risk management: an integral part of the organization's survival strategy in uncertain times
• Societal security or risk management? Movement toward integration??
• ISO as the umbrella for BCM

41 USEFUL LINKS
• ISO GLOBAL SURVEY 2012: English version: / Spanish version: / French version:
• ISO INTERNATIONAL CONFERENCE
• LINKEDIN GROUP on ISO:
• About ISO – official link:
• About ISO – presentation

42 Thank you for your attention and see you on…
Alex Dali, MBA, ARM, CT31000 President Global Institute for Risk Management Standards - G31000

43 Annexe Statistics on ISO in the world

44 Number of members by COUNTRIES : WORLD (top ten)
(Chart: 2011-2015)

45 Number of members by COUNTRIES : WORLD (#8 to#38)
(Chart: 2011-2015)

46 Number of members by COUNTRIES : MIDDLE EAST
(Chart: 2011-2015)

47 Number of members by COUNTRIES : BRAZIL, SPAIN & LATIN AMERICA
(Chart: 2011-2015)

48 Number of members by COUNTRIES : EUROPE, Except UK
(Chart: 2011-2015)

49 Number of members by COUNTRIES : Africa (top ten)

50 Number of members by COUNTRIES : ASIA Except India
(Chart: 2011-2015)

51 Annexe Towards a risk maturity model based on ISO 31000…

52 G31000 RMMM – The road so far – What they got
… a risk maturity model
1. Degree of alignment between ISO 31000 and the ERM "system"
2. Questionnaire based on the scope, principles, vocabulary, framework and process
3. Interviews with key personnel (several levels)
4. Quantify the gap with a simple scoring system
5. G31000 risk maturity model and positioning based on alignment with the principles
6. Recommendations for potential improvements

53 G31000 RMMM – The road so far – What they got
… a risk maturity model: the results
• Overall moderate alignment; framework and process dominated, with 50% and 33% respectively of the maximum mark.
• Scope and terms and definitions are important and not far behind in terms of mark, only just into the low-alignment category.
• Scope: low alignment, due to the need to apply and adapt at all levels and in all areas and to harmonise with other systems.
• Terms and definitions: a very basic set, adequate to start, but other terms and definitions dominate at lower levels (e.g. ISO 14971).

54 The Results – strengths & weaknesses of alignment
The 3 pillars of ISO 31000. Strengths and weaknesses of alignment are best illustrated using the 3 pillars of ISO (principles, framework and process) and their elements.
• Strong: mandate & commitment (policy, signed, committees and link with values)
• Strong: risk assessment, by virtue of risk identification (ERM coms agenda item and RR) and risk evaluation (consistent use of the 5x5 matrix and categories of consequence/impact and likelihood, RR)
• Weak: continual improvement of the framework (no plan); risk treatment (no use of the 4T options, no formal action plans outside of minutes, not in RR)
• Weak: monitoring and review of the framework; little evidence that this was happening as per the ToR of the coms

55 … a risk maturity model Maturity Assessment
G31000 RMMM – The road so far – What they got: … a risk maturity model
Maturity assessment (chart): the five maturity stages plotted against alignment with the ISO principles in 20% bands (0-20%, 20-40%, 40-60%, 60-80%, 80-100%), with X Co marked on the chart. Value creation and performance rise with improved risk awareness, integration and decision-making.
• Hazard Management: hazards, insurance, safety, security, emergency response
• Compliance and control: safety, finance, compliance, business continuity, controls, isolated SOPs
• Basic ERM Implementation: all risk types, some systems integrated, awareness, risk retention, ERM not linked to KPIs
• Full ERM Implementation: all risk types, all BUs, all systems integrated, all systems audited, limited RM culture, risk financing, KRIs linked with KPIs
• Advanced Performance: all risk types, all BUs, all systems integrated, all systems audited, RM culture, decision-making, advanced performance, optimum risk financing
Speaker notes: there is a correlation between alignment with the principles and the G31000 risk maturity model. OKM is placed as just moving out of "Compliance and control" and into "Basic ERM implementation", not surprising since it is only 2 years in with ERM: moving from a business with a risk focus on compliance with controls and assurance of business continuity to a greater awareness of all types of risk via an implementation of ERM, with some systems linked with the ERM system.

56 G31000 RMMM – The current Initiative
… a risk maturity model
Core team of experts: Mick Jackson and Alex Dali (project leader and advisor); Domenic Antonucci, Marinus de Pooter and Alexei Sidorenko (comparing 35 RMMs; experience from the EY model; experience from the PwC model); Thinka Bor-Reijingaer, Rob Jeges and Ben Burger (integrated management system; human factors; project management)

57 G31000 RMMM – The current Initiative
New 5 point maturity scale Level 1 : Initial Level 2 : Compliance & Control Level 3 : Partial ERM Level 4 : Full ERM Level 5 : Optimized Performance

58 G31000 RMMM – The current Initiative
Definition of Sub-categories

59 G31000 RMMM – The current Initiative
Criteria for 5 point maturity scale

60 G31000 RMMM – The current Initiative
Amalgamation of criteria defines the maturity scale

61 G31000 RMMM – The current Initiative
G31000 sub-categories – under review by core team

62 G31000 RMMM – The current Initiative
G31000 sub-categories – under review by core team
