ISO 31000 (Nov. 2009): What is it? What’s new? How to implement?
Please interrupt, thank you.
John Shortreed, ORIMS Workshop, Wednesday, April 21, 2010, Arts & Letters Club, 14 Elm Street, Toronto, Ontario
ORMIS April 21, Toronto, ISO 1

Proposed AGENDA – OK?
• Risk is “effect of uncertainty on objectives”
• Discussion of Adopt 31000 – BHP Billiton and KISS
• Overview of 31000: introduction, scope, principles, framework, process
• How to “sell” ERM to senior management?
• The role of risk appetite, risk tolerance and the ubiquitous risk matrix/map/profile to deal with existing silos
• How will ERM help improve existing risk management?
• Next steps? How to measure success?
• Monitor, communications and consultation, and risk ownership
• Role of CRO? (Ans: minimal)
• What did we learn today?

Risk – “effect of uncertainty on objectives” (ISO 31000)
• NOTE 1 An effect is a deviation from the expected — positive and/or negative (with respect to achieving objectives).
• NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
• NOTE 3 Risk is often characterized (i.e. named, e.g. credit risk) by reference to potential events (2.17) and consequences (2.18), or a combination of these.
• NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.

There are two ways a risk can have an effect on objectives:
1. the effect of a risk when and if it should occur, or
2. the very existence of a risk, whether it happens or not.
(2.) is the acceptance, or not, of being in risky situations – a friend of mine says he cannot sleep at night if his money is invested in stocks, even knowing they provide better returns. So he invests in government bonds.
It is the uncertainty that he cannot stand. Related to risk appetite.
(1.) is the traditional risk, where risk management seeks to increase the good and decrease the bad consequences (as translated into objectives).
The “uncertainty”, or ambiguity, is the essence of risk, and can be part of:
a. the risk identification (source, associated event(s) & consequence(s))
b. the event effect or consequence as estimated by analysis methods
c. the probability itself (in addition to uncertainty of identification (a), event (b), and effect (d)) [probability of a probability drives mathematicians mad]
d. the objectives themselves and the link between consequences and objectives (either measurement, or how objectives reflect values, or how attitudes might bias selection and metrics of objectives)
(Discussion from last week)

(Aside) ISO definitions are nested – rigorous substitution rule
(2.18) consequence – outcome of an event (2.17) affecting objectives
and since
(2.17) event – occurrence or change of a particular set of circumstances,
then
(2.18) consequence – outcome of an occurrence or change of a particular set of circumstances affecting objectives
(2.26) control – measure that is modifying risk (2.1)
(2.26) control – measure that is modifying effect of uncertainty on objectives
Try residual risk (2.27) – insert risk treatment, control (?) and risk

Discussion of “YES, adopt 31000” – BHP Billiton and KISS
• Survey question – which framework is right?
• Answer – ISO 31000 should be adopted immediately, and existing COSO, PMI and other frameworks and processes integrated with 31000 in the short term and, in the longer term, modified to better reflect, not so much 31000, as the “ERM risk framework” in the organization.
• The rationale is that ISO incorporates these other approaches [with gaps], is principle- and performance-based, and is simple enough and flexible enough to be used by any organization.
Entity objectives can be viewed in the context of four categories (the COSO ERM Framework):
• Strategic
• Operations
• Reporting
• Compliance
The COSO ERM Framework: only negative risk! (a common problem)

BHP Billiton RISK MANAGEMENT POLICY
Risk is inherent in our business. The identification and management of risk is central to delivering on the Corporate Objective.
• By understanding and managing risk we provide greater certainty and confidence for our shareholders, employees, customers and suppliers, and for the communities in which we operate.
• Successful risk management can be a source of competitive advantage.
• Risks faced by the Group shall be managed on an enterprise-wide basis.
• Risk Management will be embedded into our critical business activities, functions and processes. Risk understanding and our tolerance for risk will be key considerations in our decision making.
• Risk issues will be identified, analysed and ranked in a consistent manner. Common systems and methodologies will be used.
(cont.)
• Risk controls will be designed and implemented to reasonably assure the achievement of our Corporate Objective. The effectiveness of these controls will be systematically reviewed and, where necessary, improved.
• Risk management performance will be monitored, reviewed and reported. Oversight of the effectiveness of our risk management processes will provide assurance to executive management, the Board and shareholders.
• The effective management of risk is vital to the continued growth and success of our Group.
Signed: Chip Goodyear, Chief Executive Officer
(See web site for all the BHP good stuff.)
Done by 3 people (lead Grant Purdy) in 4 years for all 200,000 employees, with 80,000 risk owners identified. Over 12,000 risk assessments on file (open), and then the Risk Management department was eliminated.
IT CAN BE DONE – Keep It Sweet and Simple. Senior Management leads the charge.

[Diagram: Framework Continuous Improvement Cycle, with the Process for Managing Risk at its centre]
Commit and Mandate: Stakeholder analysis; Training needs analysis; Communication strategy; Training strategy; Roles and Reporting
Communicate & Train / Framework Implementation: Policy Statement; Standards; Guidelines; RM Plan and RM Process; Assurance Plan
Review & Improve: Control assurance; RM Plan progress; RM Maturity Evaluation; RM KPIs; Benchmarking; Governance reporting
Structure & Accountability: Board RM Committee; Executive RM Group; RM Working Group; Facilitator for Risk Management; RM Champions; Risk and Control Owners
Management Information System: Risk Registers; Treatment Plans; Assurance Plan; Reporting templates
Process for Managing Risk: Establish context; Risk assessment (Identify risks, Analyse risks, Evaluate risks); Treat risks; with Communicate and consult, and Monitor and review, alongside every step

ISO Overview – 3 main clauses plus terminology from ISO Guide 73
Principles for managing risk (Clause 3):
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization
Framework for managing risk (Clause 4):
4.2 Mandate and commitment
4.3 Design of framework for managing risk
4.4 Implementing risk management
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework
Process for managing risk (Clause 5)

How to “sell” ERM to senior management?
Up to the organization, not you.
When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example:
• increase the likelihood of achieving objectives;
• encourage proactive management;
• be aware of the need to identify and treat risk throughout the organization;
• improve the identification of opportunities and threats;
• comply with relevant legal and regulatory requirements and international norms;
• improve mandatory and voluntary reporting;
• improve governance;
• improve stakeholder confidence and trust;
• establish a reliable basis for decision making and planning;
• improve controls;
• effectively allocate and use resources for risk treatment;
• improve operational effectiveness and efficiency;
• enhance health and safety performance, as well as environmental protection;
• improve loss prevention and incident management;
• minimize losses;
• improve organizational learning; and
• improve organizational resilience.

The role of risk appetite & risk attitude
Risk appetite: “amount and type of risk that an organization is willing to pursue or retain”
Risk attitude: “organization's approach to assess and eventually pursue, retain, take or turn away from risk”
• Vague term that is still evolving; can be bottom up (from typical decisions) or top down from basics of survival and comfort of board and senior management
• In conceptual terms:
 – Identify all risks (events and consequences) [high level]
 – Estimate plausible worst case and best case scenarios – may be expressed as a risk profile
 – Examine the robustness of the organization with respect to plausible cases
 – Balance opportunities and threats against the organization’s capabilities/resources and select a risk appetite or risk attitude – how risk averse?
Risk Tolerance is the practical step between risk appetite and risk criteria (risk evaluation) (also deals with silos)
• for specific consequence categories (reputation, credit, compliance, country, etc.)
• for predetermined categories of likelihood
• find equivalent effects on objectives
• done by senior management (workshops)
• using risk matrix results as a check and perhaps involving voting, Delphi, etc.

Likelihood Scale for Tolerance (Simple Rating Scale) (Hydro One, Harvard Business School case study 9-109-001)
1. Remote – 5% probability that the event will occur in the next 36 months
2. Unlikely – 25% probability that the event will occur in the next 36 months
3. Even Odds – 50% probability that the event will occur in the next 36 months
4. Very Likely – 75% probability that the event will occur in the next 36 months
5. Virtually Certain – 95% probability that the event will occur in the next 36 months

Hydro One Risk Tolerances for 3 Silos (Fraser, 2009)
Consequence ratings run from 5 (Worst Case) through 4 (Severe), 3 (Major) and 2 (Moderate) to 1 (Minor); values are listed in that order for each business objective:
Financial – net income (shortfall): >$150 million; $75-$150 million; $25-$75 million; $5-$25 million; <$5 million
Reputation – negative media: International; National; Provincial; Local
Reputation – opinion leaders and public: Everyone; Most; Several; Near many; Near few
Reputation – letters to Govt & Hydro (values as extracted from the slide, column order unclear): 1-10k; 10-100; <1,000; <10
System reliability – outages, customers: >100,000; 40-100k; 10-40k
System reliability – or # MW for 7 days: >1000; 400-1000; 100-400
System reliability – fail NERC: YES; Some; Warning

Standard sort of Risk Matrix
Be careful, extremely careful, with risk matrices: they work well at the understanding/communications level, BUT
Likelihood (rows): Very Likely (>.45); Likely (.45 - .19); Medium (.19 - .05); Unlikely (.05 - .011); Remote (< .011)
Consequences (columns): Catastrophic; Severe; Major; Moderate; Minor
Cells are rated High, Medium or Low. Risk levels plotted in structured workshop with experts, voting, Delphi…

[Figure: Example of use of Risk Matrix to set priorities – seven small risk matrices (likelihood VL/L/M/UL/VU against consequences Catastrophic/Severe/Major/Moderate/Minor/No Impact, cells rated High/Medium/Low), one per KPI: Dx SAIDI, Tx/Dx Reliability, Unsupplied Energy, Unavailability (bands >10, 5-10, 1-5, .2-1, <0.2), Dx SAIFI, SFI, Worst Served Customer; used to compare three options: 1. Refurbish, 2. Vegetation Mgmt, 3. IT Upgrade.]
What might be wrong with this?

How will ERM help improve existing risk management?
Basic and overarching in 31000 – Integration
ISO 31000 “recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk (RMP) into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture.”

Overarching in 31000 – Integration (continued)
4.3.4 Integration into organizational processes
• Risk management (RM) should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient.
• The risk management process should become part of, and not separate from, those organizational processes.
• When you make any decision/choice then part, and only a part, of the decision process is the Risk Management Process (RMP).

Overarching in 31000 – Integration (continued)
“2.7 risk owner – person or entity with the accountability and authority to manage a risk”
• Every risk (effect of uncertainty on objectives) is owned
• Risk owners are listed in the risk register
• Ownership has its privileges – you get to monitor: the risk, the risk controls (which may be the responsibility of others), the cost of controls, the effectiveness of controls, and the value of the RMP (risk management process); and to continuously improve all of them
• Your annual evaluation includes how well you manage your owned risks (part of the standard!)

Ironically, 48.7% of respondents describe the sophistication of their risk oversight processes as immature to minimally mature. Forty-seven percent do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Almost 70% noted that management does not report the entity’s top risk exposures to the board of directors. These trends are relatively unchanged from those noted in the 2009 report.
(NCU ERM center 2010 report)

“risk management framework – set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk
NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities
NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational policies and practices” (ISO 31000)

7 components to the ERM Framework
1. Mandate and commitment to the framework (step 1)
 a. Agreement in principle to proceed
 b. Gap analysis
 c. Context for framework
 d. Design of framework
 e. Implementation plan
2. Risk management policy
 a. Policies for the framework, its processes and procedures
 b. Policies for risk management decisions:
  i. Risk Appetite
  ii. Risk Criteria
  iii. Internal Risk Reporting
3. Integration into the Organization
4. Risk Management Process
5. Communications and Reporting
6. Accountability
 a. Risk ownership and risk register
 b. Managers’ performance evaluation
7. Monitoring, Review and Continuous improvement
 a. Responsibility for maintaining and improving framework
 b. Risk Maturity and continuous improvement of framework

[Diagram: the Framework Continuous Improvement Cycle shown earlier, repeated]

The risk management process – used by every manager for every decision
[Diagram: Establish the context; Identify risks; Analyse risks; Evaluate risks; Treat risks; with Communicate and consult, and Monitor and review, running alongside every step]

Risk Assessment
• Identify the risks
• Analyze the risks (Note: when numerical estimates of likelihood and consequences are not available, subjective risk matrix methods may be used)
• Evaluate the risks against Risk Criteria
• Result of Evaluation is to (or not to) Accept Risk – “informed decision to take a particular risk”
• Not Acceptable: go to Risk Treatment

Risk Treatment – “process to modify risk”
“NOTE 1 Risk treatment can involve:
— avoiding the risk
— increasing risk in order to pursue an opportunity;
— removing the risk source
— changing the likelihood
— changing the consequences
— sharing the risk with another party or parties [including risk financing]
— retaining the risk by informed decision
NOTE 3 Risk treatment can create new risks or modify existing risks.”
Risk Treatment is often a cycle of: Control options, Assessment of Residual Risk, Accept?, Treat risk?, Control options, Assessment…

“communication and consultation” – “continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk
• NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability, treatment aspects
• NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
 – a process which impacts on a decision through influence rather than power; and
 – an input to decision making, not joint decision making.”

Example risk register for a specific Strategic Objective – illustration only (courtesy of the Food Company)
Steps:
1. Identify initiatives and their associated descriptions with measurable objectives
2. Prioritize order of the key initiatives based on their contribution to achieving the overall financial and strategic objectives within the OP
3. Document the individual in charge of the given initiative
4. List of risks that could hinder the ability to meet the initiative’s objectives
5. List of planned activities that will modify the risks – match the treatment strategies to risks through the reference numbers
6. Management Team evaluates the probability of success in achieving this initiative’s overall objectives
7. Document the immediate next steps for effective initiative execution
Illustrated register entry:
Objective xx “Ready-to-Heat”: Aggressively grow and build the ready-to-heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product.
Owner: Joe
Risk Profile: High Priority – yes
Risks (uncertainties re Obj):
 1. Increase of aggressive competition from Rice Master and Fast Rice
 2. Aggressive year for growth target for the segment & brand
 3. Achieve new product growth targets
Control Activities (risks addressed): Accelerate innovation (1, 2, 3); Conduct competitor analysis session (1)
Action Plan: Jane to develop 2-3 innovation schemes within 2 months; Joe to do market analysis

[Figure: Bow-Tie Risk Treatment Tool (© Broadleaf Capital International, 2006) – example of an integrated tool for the RM Process. Fields: 2. Causes; 3. Impacts; 4. Existing Controls – Preventative (with Control Owner); 5. Existing Controls – Reactive, Post Event (with Control Owner); Task (future controls), Task Owner, Due Date; 6. Risk Control Effectiveness; 7. Consequence rating; 8. Likelihood rating; 9. RISK RATING; 10. Comments; 11. Risk Owner.]

How to measure success? – Risk Maturity?
Standard and Poor’s ERM perspective (still too negative):
Companies that are considered "strong" demonstrate an enterprisewide view of risks, but are still focused on loss control. These companies have control processes for major risks, thus giving them advantages due to lower expected losses in adverse times, as such companies can consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Strong ERM firms are unlikely to experience unexpected losses outside of tolerance levels. Risk and risk management are usually important considerations in such firms' corporate judgment. Companies that are considered "excellent" possess all of the characteristics of those scored "strong" and will also demonstrate risk/reward optimization.
Such companies have very well-developed capabilities to consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Risk and risk management are always important considerations in such firms' corporate judgment. It is highly unlikely that these firms will experience losses outside of their risk tolerance.

Risk Maturity Score – Fraser Valley Health
Level of ERM Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
Elements of ERM: Organization Philosophy & Culture; Leadership Commitment; RM Capabilities; RM Process; Monitoring & Review; Reporting & Control; Integration with other Management Systems
(In the tables that follow, each element’s description reads across the five maturity levels, from 1 Initial to 5 Optimized.)

Organization Philosophy & Culture
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
1. Risk management culture
The focus is primarily on responding to crises and tends to be reactive rather than proactive. People tend to be risk averse. Risks are identified primarily at operational and project levels. RM concepts are intuitively understood and practised on ad hoc basis. A cautious approach is taken to RM overall. RM is done proactively to anticipate risks and develop mitigation plans. Emerging risks are considered. Focus is on opportunities, not just risk avoidance. Risk implications are considered in all major decisions. Risks are consistently managed. Staff are encouraged to be innovative. The organization fosters a culture of continuous learning and participation. Staff are highly committed to organization success. RM is done at every level in the organization, and is strongly integrated with management practices. Individual and organization expectations for RM are synchronized.
2. Roles and responsibilities for managing risk
Roles and responsibilities are not documented and are unclear. No individual accountability for managing risk. RM is viewed as a department rather than a process.
Responsibilities for managing risk have been established (job descriptions, terms of reference, etc.), but are not understood or consistently followed. Risk is managed intuitively, on an ad hoc basis. Roles and responsibilities for RM are clear, well communicated and understood throughout the organization. RM is embedded in individual behaviour. Individuals are empowered to manage risks. Responsibility for RM is an integral part of goal setting and performance planning. Individual accountability for RM is firmly embedded in organization culture. Roles and responsibilities for RM are aligned with the overall organization accountability framework.

Organization Philosophy & Culture cont’d
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
3. Linkage to ethics and values (levels 1 and 2)
No ethics policy or guidelines in place. Policy statements are issued on ad hoc basis. No clear statements of shared values or principles, or attention to legal or political considerations. Organization has an ethics and values statement. RM philosophy is reflected in written code of ethics and values. Philosophy is attuned to legal and political considerations. Policies are communicated across the organization but applied inconsistently.
4. Valuing risk management behaviour (levels 1 and 2)
High level of scepticism exists within organization. Mixed messages are given to staff. RM is not considered in assessing and rewarding performance. Staff contribution to managing risk is not recognized or valued. People are consulted and given opportunity to participate in RM. Staff contribution to managing risk is recognized on ad hoc basis. Performance in managing risks is considered in recognition and rewards programs.
Items 3 and 4, levels 3 to 5 (Defined, Managed, Optimized)
Ethics and values principles and legal/political considerations are well understood by staff, and applied consistently throughout the organization. RM approach is closely aligned with ethics and values. Ethics and values help managers take a balanced approach to RM, and reconcile competing external forces. Ethics and values surveys consider risk, and are carried out regularly. Improvements are made. Ethics, values and sensitivity to legal/political considerations are consistently reflected in organization practices and RM approach. Atmosphere of mutual trust exists at all levels of organization. Few infractions or incidents occur. The working environment supports a proactive approach to managing risks. Information on risk is shared openly. Strong sense of teamwork exists across the organization. Recognition and rewards programs encourage staff to manage risks and take advantage of opportunities. Management is committed to continuous RM learning. Sanctions in place for knowingly ignoring risks. Staff development is a major organization priority. Staff encouraged and recognized for identifying risks and opportunities, and for identifying risks not being appropriately managed. Staff continuously cited for their exemplary behaviour. Value of human capital in the organization is measured.

Leadership Commitment to Risk Management
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
5. Leadership
RM is the concern of managers, and is dealt with on an ad hoc basis. RM concepts are ill defined and not well understood. No leadership engagement. RM initiatives are supported by senior management on ad hoc basis. Risks are managed by operational managers. No Board engagement. Senior management regularly engaged in formal RM process. Minimal Board engagement. Senior management oversee and champion the organization’s RM framework, and lead by example. Some Board engagement. Board and senior management commitment for RM clearly articulated, and strongly embedded at all levels of the organization.
6. Risk management framework & policy
The organization has no formal RM framework or policy.
Some RM policies for specific areas have been formally documented to address specific risks. Organization RM framework in place. Organization RM framework and policy. These are well communicated and followed. Board approved RM framework and policy are well communicated, followed and compliance is monitored.
7. Roles and responsibilities of senior management
Unclear roles and responsibilities for RM. The audit function is seen as responsible for identifying risks. Specialists are responsible for managing risks. Managers identify and respond to risks on an ad hoc basis. Senior management assume responsibility for RM practices. Collectively, they identify and assess key organization risks, and develop mitigation plans. Senior management roles and responsibilities for RM are well documented in accountability agreements or governance documents. They are consistently applied and monitored. Senior management promote and support research into RM best practice to ensure an evidence-based approach. They are seen as leaders and innovators for implementing state of the art RM concepts.

Risk Management Capabilities
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
8. Risk management competencies
RM is not perceived to be a formal competency. RM concepts are not well understood. RM competencies have been identified, and skills gap established by some managers. Little or no formal training has been done. Training in RM is high priority. Skills gap is being addressed. Training is being sourced. There is “cross-fertilization” between specialists and managers. RM competency development is integral part of individual learning plans, and organization development programs. Staff at all levels are being trained, and skills gaps addressed. Ongoing commitment to ensure continuous renewal of RM competencies. The organization is well known and respected for its RM training program.
9. Risk management techniques
Limited RM tools and techniques are available. Managers tend to use their own individual approach for risk analysis. Available RM techniques have limited focus in specialised areas (e.g., finance, OH&S, IT project management). Managers have access to various RM techniques that integrate financial and non-financial information for risk analysis. Tools are used with specialist support. Wide range of RM tools/techniques available to all staff who understand how to use them, as well as their benefits and limitations. Knowledge transfer occurs between specialists and managers. RM tools and techniques are integrated with other management decision support tools. Strong interface with IS. Periodic review and update of tools and techniques.
10. Specialist support
No specialist support for RM. Specialists are used by management to carry out basic risk analysis on an ad hoc basis. Specialists are known throughout the organisation and often called upon by managers to provide RM analysis and advice on specific issues. The expert advisory role of specialists is valued by all levels of management. Specialist support viewed as a key enabler in initiating change. Specialists advise on broad range of issues, on an integrated basis, through multidisciplinary teams. Externally recognized.

Risk Management Process
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
11. Risk identification & assessment
No formal process to identify and assess risks. Risks are identified for specific areas, and assessed by managers on an ad hoc basis. No formal process in place. No attempt to aggregate risks across the organization. Formal risk assessment process and tools available to managers. Tools are used with specialist support. Risks are identified across the organisation to provide aggregate view. Formal process and tools available to managers who understand their benefits/limitations, and know how to apply them.
More sophisticated tools available with specialist support. Risk categories provide aggregate view for better understanding. Risk assessment process and tools are integrated with other management decision support tools. Strong interface with organization management information systems.
12. Risk tolerance
Risk tolerance is not defined. Risk tolerance is not defined. Specific risk levels are accepted or rejected intuitively. Risk tolerance is somewhat defined for the organization and used by management. Common understanding and application of specific risk tolerance levels. Risk tolerance levels established at all levels of the organization guide decision making.
13. Risk documentation
No formal risk documentation is done. No formal process in place. Risk documentation that does occur is ad hoc and inconsistent. Formal documentation of risks in some areas – i.e., risk register, RM plans. Formal documentation of risks at all levels of the organisation. Risk registers and RM plans are regularly monitored and updated. Formal documentation of risk (risk register, RM plans) is an integral part of planning and decision making – and a requirement of the Board.

Monitoring & Review
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
14. Performance measurement
No formal performance measurement system in place. Performance measurement at departmental level involves monitoring of risks. Some risk indicators have been developed but not consistently applied. Organization-wide performance measurement system includes monitoring of risk indicators. Risk indicators are interpreted in relation to other corporate performance measures. Regular monitoring and review by Executive. Strategic and operational risk indicators and performance measures are closely linked. Regular monitoring and review by Executive and the Board.
15. Review of the risk management practices
No measurement framework in place to assess RM practices. Evaluation of RM practices occurs in specific areas. This is typically done by internal audit. Performance indicators to assess progress in implementing organization RM framework, and the effectiveness of RM practices have been developed. Information is regularly collected to monitor outcomes achieved as a result of RM framework and practices. Benchmarks established against which to assess progress. Performance against indicators is measured, and results tracked over time. Action taken to improve. RM performance indicators and benchmarks are regularly reviewed and updated.

Reporting & Control
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
16. Risk management plans
No formal RM plans exist. Formal RM plans in place to address and report on specific risks. However, RM plans are not developed on a consistent basis throughout the organization. RM is discussed as a part of the strategic and business planning processes. Plans include an overview of key risks and mitigation. Organization-wide RM plan in place that includes comprehensive analysis of organization risks and mitigation. Plan is regularly reported against, reviewed and updated by senior management. Organization RM plan is viewed as integral to organization success. The plan is regularly reviewed and updated by senior management, and reported to the Board.
17. Controls
Existing controls are not linked to corporate objectives or risk appetites. No criteria in place to evaluate controls effectiveness. Controls are used on an ad hoc basis to respond to new risks. Limited cost/benefit analysis of controls. Controls effectiveness is not monitored on a regular basis. Controls reflect corporate objectives and risk appetites. Cost/benefit analysis of controls is regularly conducted. Controls compliance and effectiveness is monitored at high level.
Risk significance, as well as the cost/ benefit of mitigation options is considered prior to implementing controls. Compliance with, and effectiveness of, controls is regularly monitored and reported throughout the organization. The organization’s control environment is integrally linked to objectives, risk appetites and RM strategies. Controls compliance and effectiveness is regularly monitored and reported against, and improvements made as required. ORMIS April 21, Toronto, ISO 40 Integration with Other Management Systems Level of Maturity 1 Initial 2 Repeatable 3 Defined 4 Managed 5 Optimized 18. Linkage with strategic and operational planning RM is not linked with organization planning processes. Risks are considered in development of business and operational plans on ad hoc and inconsistent basis. Formal consideration of risks is integral part of strategic and operational planning. Formal RM process integral to strategic and operational planning. Risks are prioritized, and cost/benefit of mitigation options are assessed. RM process is fully embedded in organization planning at all levels. A variety of modelling techniques used to quantify risks. 19. Linkage to management information system Limited management information to support RM. Management information exists to varying degrees to support RM at departmental level. Management information exists for organisation as a whole but with limited “drill-down” capability. Organization-wide performance management system in place. Information is used on ongoing basis to support RM. Sophisticated decision support tools available online to support RM at all levels of the organization. 20. Linkage to internal communication and feedback on risks No formal internal communication channels for risk issues. Ad hoc communication on risk issues at departmental level. Managers tend to work independently with some interaction. Communication on risk issues follows normal reporting channels. 
Some sharing of information across the organization. Risk information is shared across the organization. A proactive effort made to communicate information on RM best practices and lessons learned. RM best practices and lessons learned are regularly communicated to the organization via newsletter, web page, orientation, etc. 21. Linkage to communication with external stakeholders No formal communication with external stakeholders on risk issues. Communication with stakeholders is ad hoc. Risk information is communicated on a “need to know” basis. Formal process to communication with stakeholders on risk issues. Regular reporting to stakeholders on performance and risks. Stakeholder feedback obtained and considered in risk mitigation. Careful consideration of stakeholder interests in risk mitigation. The organization is widely respected by stakeholders. ORMIS April 21, Toronto, ISO 41 Roles in ERM – One scheme al th e ris k ap pe tit e ap pro v ng Se tti ER Mf the ate gy str RM De ve lop in g Legitimate Internal Audit roles with safeguards for Bo ard ram ew ork on ri sks repo rting Op era ting Holis tic sks acro ss Monitorin g ri Central coordinating point for ERM ks M ris ER of ing at alu ev & Internal Audit roles risks nse to s respo ing ify nt Core Internal Audit roles t’ gemen ops ide m an ag rep em ort Ev en ing alu to atin of fm gR ma isk at t e ria Ma er l ri i nag Givi sk a l r ng a e m s ssur isk e nt p ance s roc that ess risks es are Giving corr assura e c nce on tly e the Ris valu k Mana ated gemen t proce sses Giving assurance that the control systems are effectiv e lua tin g na ting Ma Facilita rksh k wo on nt me lish tab es e vic ad th e ris ing ilitat Fac g nin pio am Ch g vin Gi Ev a Re vie wi ng the busin ess CRO or Risk Management Department ro tp n e s se s ce on nt em e g m a ge an na isks m a r k ym d ris e b ls an g c s n ro nse ra sin su cont spo e po s r A isk Im on r s n cisio g de n i k ehalf Ta ent’s b m e g a n on Ma g risks in g a n Ma 
s Accountability for risks and control Roles Internal Audit should not undertake Roles for Management At all levels of organization ORMIS April 21, Toronto, ISO 42 Are we done yet? • • • • • • • • • • Agenda Covered? Questions? Risk is “effect of uncertainty on objectives” Discussion of Adopt 31000 - PHB Bilton and KISS Overview of 31000; introduction, scope, principles, framework, process How to “sell” ERM to senior management? The role of risk appetite risk tolerance and the ubiquitous risk matrix/map/profile to deal with existing silos How will ERM help improve existing risk management? Next steps? How to measure success? Monitor, communications and consultation, and risk ownership. Role of CRO? (Ans- Minimal) What did we learn today? ORMIS April 21, Toronto, ISO 43 Risks: +ve and -ve Objectives Anatomy of Risk Threats Opportunities Strategic Risk Management Process Decision to “Take a Risk” or not Risk Control(s) Detailed (RMP) Risk Management Process Residual Risk Risk Financing Actual Risk ??? ORMIS April 21, Toronto, ISO 44