The Global Village Future of Risk Management
ISO 31000:2009, an incentive or a constraint for implementing Risk Management in an organization? Things to watch out for.
Alex Dali, Managing Partner, ATLASCOPE. ARM, EFARM, Master in Risk Management & Insurance. Member of the AFNOR French Commission on RISKS. Co-author of the article "ISO 31000 : the Gold Standard", published by StrategicRISK, September 2009.
Internationally-recognised reference: international consensus; single global reference for stakeholders; wide application; umbrella for more than 60 standards; should not be ignored.
ISO Standard vs ISO Guideline? Risk Management Principles and Guidelines: voluntary application, not prescriptive, no legal requirement; specifically not intended for certification. ISO certifiable standard? NO!
Simple risk management architecture: 3-pillar structure; robust and simple to apply; opportunity to review existing RM practices; track similarities and differences.
Principles (Clause 3): a) Creates value; b) Integral part of organizational processes; c) Part of decision making; d) Explicitly addresses uncertainty; e) Systematic, structured and timely; f) Based on the best available information; g) Tailored; h) Takes human and cultural factors into account; i) Transparent and inclusive; j) Dynamic, iterative and responsive to change; k) Facilitates continual improvement and enhancement of the organization.
Framework (Clause 4): Mandate and commitment (4.2); Design of framework (4.3); Implementing risk management (4.4); Monitoring and review of the framework (4.5); Continual improvement of the framework (4.6).
Process (Clause 5): Communication & consultation (5.2); Establishing the context (5.3); Risk assessment (5.4), comprising risk identification (5.4.2), risk analysis (5.4.3) and risk evaluation (5.4.4); Risk treatment (5.5); Monitoring & review (5.6).
ISO 31000:2009, Figure 1: Relationship between the principles, framework and process.
Ferma Risk Management Forum 2009
Not a parallel management system; avoid the troubled implementation of the ISO 9000 series; promote business performance; no bureaucratic compliance reporting system.
Text of the ISO 31000 standard: the text is short and clear; not radically new; exaggeration and self-serving statements.
Engineer; Modeller; Manager; Health; Finance; Public sector.
Vocabulary ISO Guide 73: risk = danger; risk = event; risk = uncertainty towards objectives; risk = threat (purely negative); risk = return; risk = disruption of service or job losses.
All activities of an organization involve risks. All activities of an organization involve combinations of probabilities of events and their consequences!!! All activities of an organization involve effects of uncertainty on its objectives.
Vocabulary ISO Guide 73: review by the same committee; 51 definitions related to RISK; many improvements; use language meaningful to your organisation; remove terms and definitions invented locally.
Credit Rating Agency enquiries, extracts. S&P - Development of ERM analysis in response. Points of interest: strategy, management vision, diagnostic, communications. Exclusions: treatment (risk-control measures). Existing ERM processes not very formalized; a decentralized ERM organization; underfunded and underintegrated ERM; weak ERM culture and strategic risk management.
Standard & Poor's
Rating and cost of capital
Quality; OH&S; Finance; Supply chain; Environment; Food safety; Information security; Equipment safety
COSO - ERM: «ERM is effective if management has reasonable assurance that they understand the following: Strategic objectives are being achieved; Operational objectives are being achieved; Reporting is reliable; Laws and regulations are being complied with» Is it risk management or compliance?
Reference by law remain AS/NZS 4360:2009 AS/NZS 4360:2004 Australia/NZ JIS Q 200x Japan? FERMA:2004 COSO ERM Europe USA Certification of RM Certification? BSI 31100 CAN/CSA- ONR 49000:2008 AIRMIC, ALARM, Q850-1997 CAN/CSA- ONR 49000 IRM:2002 BSI 31100 Q850-20xx Austria Canada Great Britain (Germany/Switzerland)