The ISO standard on risk management

Similar documents
Risk Management Policy

ก ก Tools and Techniques for Enterprise Risk Management (ERM)

BERGRIVIER MUNICIPALITY. Risk Management Risk Appetite Framework

Master Class: Construction Health and Safety: ISO 31000, Risk and Hazard Management - Standards

Risk treatment: introduction

MEMORANDUM. To: From: Metrolinx Board of Directors Robert Siddall Chief Financial Officer Date: September 14, 2017 ERM Policy and Framework

DRAFT SAINT LUCIA NATIONAL STANDARD DNS/ISO 31000: 2009 RISK MANAGEMENT PRINCIPLES AND GUIDELINES (ISO 31000: 2009, IDT) Stage 40 Enquiry Stage

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management

Risk Management Framework

Senior Director, Fire Life Safety & Risk Management

Risk Management Policy Adopted by:

RISK MANAGEMENT FRAMEWORK

Risk Management Strategy Highland Council Pension Fund

Goodman Group. Risk Management Policy. Risk Management Policy

M_o_R (2011) Foundation EN exam prep questions

Risk Management Policy. September 2015

AS/NZS IEC 62198:2015

West Coast District Municipality. Risk Management Policy

RISK MANAGEMENT FRAMEWORK

Scouting Ireland Risk Management Framework

An Overview of the Enterprise Risk Management Process

Risk Management Strategy

Risk Management Policy and Framework

Introduction to ISO Key Points and Benefits

CMP for Special Regs and Safety Issues. 1. INTRODUCTION Purpose Scope Submissions to Australian Sailing:...

University Risk Management Policy

CITY OF JOHANNESBURG METROPOLITAN MUNICIPALITY GROUP RISK AND ASSURANCE SERVICES GROUP RISK MANAGEMENT POLICY

APPENDIX 1. Transport for the North. Risk Management Strategy

28 July May October 2016

Approved by: Diocesan Council 17 December 2015

Enterprise Risk Management Sources. Universe. Tolerance. Appetite

ENTERPRISE RISK MANAGEMENT Framework

Executive Board Annual Session Rome, May 2015 POLICY ISSUES ENTERPRISE RISK For approval MANAGEMENT POLICY WFP/EB.A/2015/5-B

The Global Village. Future of Risk Management. Ferma Risk Management Forum 2009 Prague, 4-7 October

Risk Management Policy

Business Auditing - Enterprise Risk Management. October, 2018

Chapter 7: Risk. Incorporating risk management. What is risk and risk management?

0470_022817_03_chap01.fm Page 11 Wednesday, September 8, :29 PM. Part I The basics of project risk management

Risk Management Procedure

There are many definitions of risk and risk management.

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

Risk Management Policy

Risk Appetite Survey Current state of the Insurance Industry

Version: th November 2010 RISK MANAGEMENT POLICY

Sensitivity analysis for risk-related decision-making

Enterprise Risk Management Integrated Framework

Risk Management Policy and Procedures.

Risk Management Policy

An Introductory Presentation for ECU Staff

RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK

Nagement. Revenue Scotland. Risk Management Framework. Revised [ ]February Table of Contents Nagement... 0

RISK MANAGEMENT POLICY

Risk Management in Italy: State of the art and perspectives. PMI Rome Italy Chapter

Presentation by: Nasumba Kizito Kwatukha CPA,CIA, CISA,CFE,CISSP,CRMA,CISM,IIK 6 th JULY 2017

ENTERPRISE RISK MANAGEMENT (ERM) POLICY Republic Glass Holdings Corporation. Purpose. Goals

RISK MANAGEMENT POLICY October 2015

Practical aspects of determining and applying a risk appetite for SMEs

Risk management policy

Risk Management Framework. Group Risk Management Version 2

Applying COSO s Enterprise Risk Management Integrated Framework. September 29, 2004

Risk Evaluation, Treatment and Reporting

Section Defining Risk Management. 11. Principles of Risk Management

Policy No. Contact Brian Orpin Version 3.0 Issue Date 28/11/2014 Telephone Review Date IA Date 09/08/2013

GRINDROD SOUTH AFRICA//Policy Risk and opportunity governance framework

British Library Risk Management Policy Framework (2017)

Risk Management Policy

Risk Management Policies and Procedures

RISK MANAGEMENT POLICY

Delivering Clarity to Credit Unions Through Expertise and Experience

Applying COSO s Enterprise Risk Management Integrated Framework

POLICY. Policy Title: Integrated Risk Management. Director, Strategic and Governance Services Centre

University of the Sunshine Coast (USC) Risk Appetite Statement

Kidsafe NSW Risk Management Plan. August 2014

HSC Business Services Organisation Board

Sections of the ORSA Report

Procedures for Management of Risk

2014 Own Risk and Solvency Assessment (ORSA) Feedback Pilot Project Observations of the Group Solvency Issues (E) Working Group

Guide. Risk Management For Community Service Organisations

Dilemmas in risk assessment

Perpetual s Risk Management Framework

Risk Management Strategy

Uncertainty in risk engineering: concepts

Risk Management Policy

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

PRINCE2 Sample Papers

SEACO TAX POLICY. Seaco Tax Policy Page 1

LONDON BOROUGH OF ENFIELD RISK MANAGEMENT STRATEGY

Risk Management at Central Bank of Nepal

Risk Management. Sylvester K.Ndongoli B.Sc.. Project management (Continuing), JKUAT March. 2017

SOL PLAATJE MUNICIPALITY

Risk Management Framework. Metallica Minerals Ltd

PANAMA MARITIME AUTHORITY

Risk Management Framework Policy (incorporating the Risk Management Policy and Strategy)

RISK MANAGEMENT. Budgeting, d) Timing, e) Risk Categories,(RBS) f) 4. EEF. Definitions of risk probability and impact, g) 5. OPA

Four Steps for Managing Safety. Qualitative Approach. Gilles MOTET.

AFERM Best Practices: Guideposts, Risk Registers and a Maturity Model

RISK MANAGEMENT FRAMEWORK

Thirty-Second Board Meeting Risk Management Policy

AN INTRODUCTION TO RISK CONSIDERATION

Transcription:

The ISO 31 000 standard on risk management Eric Marsden <emarsden@risk-engineering.org> well thy appetite, lest Sin Surprise thee, and her black attendant Death. Govern John Milton, Paradise Lost

The ISO 31000 standard An international standard that provides principles and guidelines for effective risk management published in 2009 (revision under way in 2017) Generic approach: not specific to any industry or sector can be applied to any type of risk (financial, technological, natural, project) can be applied to any type of organization A brief standard (24 pages) Provides foundations for discussing risk management and undertaking a critical review of an organization s risk management process 2 / 30

The ISO 31000 standard: scope Includes: definitions and terms relevant to risk management a set of principles that inform effective risk management recommendations for establishing a risk management framework recommendations for establishing a risk management process Does not include: detailed instructions/guidance on how to manage specific risks advice relevant to any specific domain any elements related to certification 3 / 30

Related standards The International Organization for Standardization (iso) is an international, membership-based ngo based in Geneva, represented in 163 member countries has published over 19 000 international standards Web: www.iso.org iso Guide 73:2009 on Risk management Vocabulary provides definitions for commonly used terminology in risk management and risk assessment iso 31004:2013 on Risk management Guidance for the implementation of ISO 31000 how do I implement iso 31000 in my organization? iso 31010:2009 on Risk management Risk assessment techniques guidance on selecting and applying systematic techniques for risk assessment 4 / 30

Background to development of ISO 31000 standard The coso framework on Enterprise Risk Management mostly internal control/auditing: sees risk management primarily as a compliance activity iso 31000 sees risk management as a strategic process for making risk-adjusted decisions The Australian/New Zealand risk management standard, as/nzs 4360 Work started on iso 31000 in 2005, using as/nzs 4360 as a first draft consensus-driven process with input from risk management professionals around the world Standard published in 2009, well received by critics revision underway in 2017 5 / 30

Some controversy in the standard s creation The iec Advisory Committee on Safety removed its support from the iso working group, arguing that: safety risks are a special case and should be excluded from a general-purpose risk management process any risk to people is unacceptable I E C : I n t e r n a t i o n a l E l e c t r o t e c h n i c a l C o m m i s s i o n Position of the iso working group on risk: most human activities lead to some safety risks a uniform process for managing risks is useful Source: Purdy (2010). ISO 31000:2009 Setting a new standard for risk management, Risk Analysis 30:6 6 / 30

New notions in the ISO 31000 standard 7 / 30

What s new? A new definition of risk The notion of risk appetite The risk management framework A management philosophy where risk management is an inseparable aspect of managing change and other forms of decision-making 8 / 30

The classical definition of risk Risk: a combination of the probability and scope of the consequences. iso risk management vocabulary, 2002 More precisely, after Kaplan and Garrick, we ask: What can go wrong? How likely is it to go wrong? If it does go wrong, what are the consequences? Further reading: Kaplan & Garrick (1984), On the quantitative definition of risk, Risk Analysis 1:1 9 / 30

The classical definition of risk: example Scenario Annual probability Consequences Fire on tank F 0.45 10 4 3 killed, 20M loss Fire on tank F 1.2 10 4 1 injured, 20M loss Small leak on pipe D 3 10 3 1M equivalent of environmental damage Large leak on pipe D 1 10 3 20M equivalent of environmental damage Risk on this installation is the set of all the lines in this table. 10 / 30

Classical definition and financial risks Risk = set of triples scenario i, p i, consequence i For financial risks (where consequences can be all uncontroversially be expressed in monetary units), can be converted into an expected loss. Risk is then the mathematical expectation of the total loss. E(loss) = p i consequence i i T h i s d e f i n i t i o n a l s o w o r k s w h e n s o m e c o n s e q u e n c e s a r e p o s i t i v e 11 / 30

Classical definition and safety risks Place each scenario in your organization s risk matrix, according to its probability and level of consequences. Examine whether the sum of possible outcomes is acceptable. Frequency very infrequent infrequent fairly frequent frequent very frequent Consequence catastrophic very large large medium small F o r s a f e t y r i s k s, a l l c o n s e q u e n c e s a r e n e g a t i v e Unacceptable Reduce risks as low as reasonably practicable Acceptable 12 / 30

A new definition of risk Risk: the effect of uncertainty on an organization s ability to meet its objectives 13 / 30

A new definition of risk Risk: the effect of uncertainty on an organization s ability to meet its objectives An effect is a deviation from what was expected, which can be positive or negative. Safety risks are generally negative (losses, deaths, pollution). Financial risks may be positive. This definition is relevant for safety, financial risks, strategic risks, project risks. 13 / 30

A new definition of risk Risk: the effect of uncertainty on an organization s ability to meet its objectives Lack of information or knowledge concerning an event, its consequences or its likelihood 13 / 30

A new definition of risk Risk: the effect of uncertainty on an organization s ability to meet its objectives Makes the role of objectives explicit: an activity is only undertaken to reach some goal. Objectives can be financial, health and safety, environmental goals. They can apply at a strategic level, or per project, per product, per site. This definition leads to more transparency in discussions with stakeholders because objectives (possibly competing) are made explicit. 13 / 30

A new definition of risk objective O The organization establishes its objectives: at time t 1 it wants to be at position O. start t 0 t 1 time Figure adapted from slides by G. Motet 14 / 30

A new definition of risk objective O The organization establishes its objectives: at time t 1 it wants to be at position O. It establishes an action plan to move from its current position to position O. start t 0 t 1 time Figure adapted from slides by G. Motet 14 / 30

A new definition of risk The presence of uncertainty means that unexpected perturbations can cause deviations from the plan defined at t 0. If unchecked, these would mean that the organization does not achieve its objective of reaching position O. This is risk, the effect of uncertainty on the possibility of reaching your objectives. time Figure adapted from slides by G. Motet 14 / 30

A new definition of risk The risk management activity consists of trying to anticipate and looking out for deviations from the plan, and implementing corrective actions so that the organization s objectives are reached despite the unexpected perturbations. time Figure adapted from slides by G. Motet 14 / 30

15 / 30 Risk appetite

Concept of risk appetite Risk appetite: the amount and type of risk that an organization is prepared to pursue, retain or take in pursuit of its objectives Represents a balance between the potential benefits of innovation (and risk) and the threats that change inevitably brings Helps to guide people within the organization on the level of risk permitted and encourage consistency of approach across an organization Generally expressed (for a company) by a broad statement of approach, which is written by the board 16 / 30

Expressing an organization s risk appetite: example Organization operates within a low overall risk range. The Organization s lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally The higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products, equipment, and our work environment, and meeting our legal obligations will take priority over other business objectives. Risk appetite statement used by a health-care organization Source: Understanding and Communicating Risk Appetite, COSO, 2012 17 / 30

Expressing an organization s risk appetite: example Willingness to accept risk Low Medium High 1 2 3 4 5 Earnings volatility Capital requirements A p p e t i t e m a y v a r y a c r o s s r i s k c a t e g o r i e s Reputation Credit ratings Regulatory standing Source: Understanding and articulating risk appetite, KPMG, 2008 18 / 30

Components of the standard The standard comprises three main elements: Communication & consultation Establishing the context Risk identification Risk analysis Risk evaluation Monitoring & review the risk management process how are risks identified, analyzed and treated? Risk treatment mandate the risk management framework the overall structure and operation of risk management across the organization similar to the plan/do/check/act (pdca) cycle design of management framework continual improvement implement risk management monitoring & review a set of principles which guide risk management activities 19 / 30

The ISO 31000 risk management process Risk identification: what could prevent us from achieving our objectives? Risk identification Risk analysis Risk evaluation Risk treatment Risk analysis: understanding the sources & causes of the identified risks; studying probabilities and consequences given the existing controls, to identify the level of residual risk. Risk evaluation: comparing risk analysis results with risk criteria to determine whether the residual risk is tolerable. Risk treatment: changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit. 20 / 30

The ISO 31000 risk management process Risk assessment Risk identification Risk analysis Risk evaluation Risk treatment 20 / 30

The ISO 31000 risk management process Establishing the context Define the scope for the risk management process, define organization s objectives, establish the risk evaluation criteria. Includes: Risk identification Risk analysis Risk evaluation external context: regulatory environment, market conditions, stakeholder expectations internal context: organization s governance, culture, standards and rules, capabilities, existing contracts, worker expectations, information systems, etc. Risk treatment 20 / 30

The ISO 31000 risk management process Establishing the context Risk identification Risk analysis Risk evaluation Risk treatment Monitoring & review Monitoring and review Measure risk management performance against indicators, which are periodically reviewed for appropriateness. Check for deviations from the risk management plan. Check whether the risk management framework, policy and plan are still appropriate, given organizations external and internal context. Report on risk, progress with the risk management plan and how well the risk management policy is being followed. Review the effectiveness of the risk management framework. 20 / 30

The ISO 31000 risk management process Communication & consultation Establishing the context Risk identification Risk analysis Risk evaluation Risk treatment Monitoring & review Communication and consultation Early on: helps understand stakeholders interests and concerns, to check that the risk management process is focusing on the right elements. Later on: helps explain the rationale for decisions and for particular risk treatment options. 20 / 30

The risk management framework Determines how risk management is integrated with the organization s management system Should include: risk architecture: roles and responsibilities of individuals and committees that support the risk management process (who owns different risks?) strategy: objectives of the risk management activity in the organization protocols: how the strategy will be implemented and risks managed (procedures, indicators, risk reporting and escalation procedures) continual improvement mandate design of management framework monitoring & review implement risk management 21 / 30

Sample risk architecture & responsibility allocation 1. RM responsibilities for the CEO / Board: The Board Audit Committee Overall responsibility for risk Receive routine reports from GRMC management Set annual audit programme and priorities Ensure risk management is Monitor progress with audit recommendations embedded into all processes and activities Provide risk assurance to the Board Review group risk profile Oversee RM structures and processes Group Risk Management Committee (GRMC) Formulate strategy and policy based on risk appetite, Disclosures Committee risk attitudes and risk exposures Review and evaluate disclosure Receive reports from business units, review risk controls and procedures management activities and compile the group risk register Consider materiality of information disclosed to external parties Receive reports from business units and make reports and recommendations to the Board Track RM activity in the business units and keep the risk management context under review Business units Produce specific policy statements, as necessary Direct and monitor Prepare and update the business unit risk register Reports for evaluation Set risk priorities for business unit Monitor projects and risk improvements Prepare reports for GRMC Manage control risk self-certification activities Determine strategic approach to risk and set risk appetite Establish the structure for risk management Understand the most significant risks Manage the organisation in a crisis 2. RM responsibilities for the business unit manager: Build risk aware culture within the unit Agree risk management performance targets Ensure implementation of risk improvement recommendations Identify and report changed circumstances / risks 3. RM responsibilities for individual employees: Understand, accept and implement RM processes Report inefficient, unnecessary or unworkable controls Report loss events and near miss incidents Co-operate with management on incident investigations 4. RM responsibilities for the risk manager: Develop the risk management policy and keep it up to date Document the internal risk policies and structures Co-ordinate the risk management (and internal control) activities Compile risk information and prepare reports for the Board 5. RM responsibilities for specialist risk management functions: Assist the company in establishing specialist risk policies Develop specialist contingency and recovery plans Keep up to date with developments in the specialist area Support investigations of incidents and near misses 6. RM responsibilities for internal audit manager: Develop a risk-based internal audit programme Audit the risk processes across the organisation Receive and provide assurance on the management of risk Report on the efficiency and effectiveness of internal controls Source: A structured approach to Enterprise Risk Management, Airmic/Alarm/IRM, 2010 22 / 30

How do the components fit together? Risk management principles i n f l u e n c e t h e d e s i g n & m p l e m n t a t i o n o e f o r g a n t i o n s r i s k m a n a g e m e n t f r a m e w o r k a n d p r o c e s s creates and protects value is based on the best information is an integral part of organizational processes is tailored is part of decision-making takes human and cultural factors into account explicitly addresses uncertainty is transparent and inclusive is systematic, structured and timely is dynamic, iterative and responsive to change facilitates continual improvement of the organization 23 / 30

How do the components fit together? Principles guide the creation of the framework Framework mandate principles continual improvement design of management framework implement risk management monitoring & review 23 / 30

How do the components fit together? Framework mandate The framework defines the risk management process Process principles continual improvement design of management framework implement risk management Communication & consultation Establishing the context Risk identification Risk analysis Risk evaluation Risk treatment Monitoring & review monitoring & review 23 / 30

How do the components fit together? Framework mandate Process principles continual improvement design of management framework implement risk management Communication & consultation Establishing the context Risk identification Risk analysis Risk evaluation Risk treatment Monitoring & review monitoring & review Feedback on the performance of the process is used for monitoring and reviews 23 / 30

A non-certifiable standard Many iso standards are certifiable: your organization can obtain (purchase!) a certificate from an accredited conformity assessment body stating that its activities on a specific perimeter conform to the standard example: many large organizations certify their quality management system to the iso 9001 standard The 31000 standard provides guidance rather than requirements, so is not intended for the purposes of certification 24 / 30

Relationship with other standards 25 / 30

Reading the standard You can purchase the iso standard in pdf format from the iso Store for a mere 110. Or you can consult the publication of the Bureau of Indian Standards identical to iso 31 000:2009 Risk management Principles and guidelines made available to interested readers on the web to promote the timely dissemination of this information in an accurate manner to the public https://web.archive.org/web/20140822235145/https://law.resource.org/pub/in/bis/s07/is.iso.31000.2009.pdf 26 / 30

Importance of effective risk management 3.3 3.0 2.5 2.0 1.5 1.0 0.9 Price-to-book ratio (P/B) 1st Quartile Avg. P/B = 2.6 2nd Quartile Avg. P/B = 1.7 5 10 15 20 25 30 35 40 45 50 Better Source: PricewaterhouseCoopers analysis, based on Bloomberg data, 2007 3rd Quartile Avg. P/B = 1.5 Risk management score Worse 4th Quartile Avg. P/B = 1.3 Importance of effective risk management for safety risks is evident. For financial risks, evidence shows that the financial markets value good risk management, and better ratings of risk management performance lead to lower capital costs for firms. Source: PricewaterhouseCoopers report Seizing opportunity: linking risk and performance, 2009 27 / 30

Image credits Flower on slide 8: motiqua via flic.kr/p/6mb7up, CC-BY licence Venus flytrap (slide 15): Aurore D via flic.kr/p/5qdqe7, CC BY-NC-ND licence 28 / 30

A structured approach to Enterprise Risk Management (ERM) and the requirements of iso 31000, Airmic/Alarm/IRM, 2010, from theirm.org/media/886062/iso3100_doc.pdf Further reading Research in to the Definition and Application of the concept of risk appetite, airmic.com/system/files/risk_appetite_research_report.pdf La norme iso 31000 en 10 questions, G. Motet, available (in French) from foncsi.org/fr/publications/collections/cahiers-securiteindustrielle/10-questions-norme-iso31000/ For more free course materials on risk engineering, visit risk-engineering.org 29 / 30

Feedback welcome! This presentation is distributed under the terms of the Creative Commons Attribution Share Alike licence @LearnRiskEng Was some of the content unclear? Which parts were most useful to you? Your comments to feedback@risk-engineering.org (email) or @LearnRiskEng (Twitter) will help us to improve these course materials. Thanks! fb.me/riskengineering google.com/+riskengineeringorgcourseware For more free course materials on risk engineering, visit risk-engineering.org 30 / 30

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback