ISO 31000 Dorothy Gjerdrum, ARM-P, CIRM Chair, US ISO Technical Adv Group
ISO 31000 Dorothy Gjerdrum, ARM-P, CIRM Chair, US ISO Technical Adv Group Why We Need to Manage Risk The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise. National Guidance on Implementing ISO 31000:2009 From NSAI in Ireland Global Corporate Governance Models INTERNATIONAL - Basel I & II; ISO 31000 France • Vienot Com. • Mrini Report • Levy-Long Com. UK • • • • Cadbury Turnbull Greenbury Rpt BS 31100 RM All EU Countries • Directives on Governance Germany • Bill on The Control and Transparency of organizations • Kon TraG Bill US • Business Round Table • NYSE listing Requirements • Blue Ribbon Commission • Sarbanes Oxley Act • COSO ERM Framework Netherlands • Code Tabaksblatt Italy • Draghi Commission Japan • Corporate Governance Forum of Japan • J-SOX Australia/New Zeal • AS/NZS 4360:2004 • Stock Exchange Listing • New Accounting Standards • Best Practice Stmt Mgmt Canada • Toronto Stock Exchange Committee • Canadian Securities Committee • Allen committee Report • COCO South Africa • Code of Best Practice • King Report I, II, III • Stakeholder Communication • Public Finance Mgmt Act ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO 31000:2009 --> ANSI/ASSE/ISO 31000 • Australia, New Zealand & Japan initiated its creation – based on AS/NZ 4360 • 30+ countries participated • 6 meetings over several years • Adopted in November of 2009, now officially the first International Standard on Risk Management • Guide 73 & ISO 31010 quickly followed • The American Standard on RM – ANSI/ASSE/ISO 31000 6 • Combined ISO 31000 and Implementation Guidance for Canadian organizations: ‘Q31001-11’ • Canada – Placed a stronger emphasis on • • senior management support of risk management Linking risk management to organizational performance – Clarified • • • • Sensitivities in managing risks to the public Maturity model for risk management in organizations Risk management process examples Correct links between risk appetite, risk tolerance and risk rating concepts Available for purchase at www.csa.ca After Adoption… • • • • BSI 31100 – updated Code of Practice CSA – Canadian implementation guide NSAI – Ireland’s implementation guide Austria – three guidelines: embedding risk management, risk assessment & linking to business continuity processes • Australia & New Zealand – issued handbooks • Japan – created guidance (in Japanese) 2011: PC 262 formed to Create ISO 31004 • International work group re-engaged to create an implementation guide to ISO 31000 • Two meetings so far – expect two more each year until finalized • Publication date of 2015? – May coincide with the next update of ISO 31000 Primary Audience • Those accountable for the governance of organizations • Those accountable for managing organizations • Practitioners providing advice and services to assist decision-makers • Those who provide assurance regarding the effectiveness of risk management Scope of ISO 31000 This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector. What is “risk”?? • Risk is present in everything we do. • ISO 31000, the international standard on risk management, defines it this way: Risk = the affect of uncertainty on your objectives. • Risk can be a threat or an opportunity Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk Critical Components of ISO 31000 The principles provide the foundation and describe the qualities of effective risk management in an organization From ANSI/ASSE/ISO 31000 The framework manages the overall process and its full integration into the organization The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment Monitoring & review, continual improvement and communication occur throughout Principles RM Process Mandate & Commitment Establish the context Risk assessment Design framework for managing risk Continually improve the framework Implement risk management Monitor and review the framework Risk analysis Risk evaluation Risk treatment Monitor and review Risk identification Communicate and consult • Creates value • Integral part of organizational processes • Part of decision making • Explicitly addresses uncertainty • Systematic, structured & timely • Based on best available info • Tailored • Takes human & cultural factors into account • Transparent & inclusive • Dynamic, iterative & responsive to change • Facilitates continual improvement & enhancement of the org Framework Components of the Framework • Understanding the organization & its context • Establishing RM policy • Accountability & Authority • Integration into organizational processes • Determining appropriate resources • Establishing internal communication & reporting mechanisms • Establishing external communication & reporting mechanisms ISO 31000:2009 Risk management – Principles and guidelines Framework Example: Context External Context • Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment • Key drivers and trends that will have an impact on your organization • Relationships with and perceptions & values of external stakeholders ISO 31000:2009 Risk management – Principles and guidelines Internal Context • Governance, organizational structure, roles & accountabilities • Policies, objectives & strategy • Capabilities & resources • Info systems • Organizational culture • Contractual relationships • Relationships with, perceptions & values of internal stakeholders Framework Example: Benefits • Increase likelihood of achieving objectives • Encourage proactive management • Be aware of the need to identify and treat risk throughout the organization • Improve the identification of opportunities & threats • Effectively allocate and use resources ISO 31000:2009 Risk management – Principles and guidelines • Comply with relevant legal and regulatory requirements and international norms • Improve mandatory and voluntary reporting • Improve operational effectivness & efficiency • Improve stakeholder confidence and trust • Establish a reliable basis for decision making & planning • Improve controls • Improve governance What is Different about ISO 31000? Without risk, there is no reward or progress. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize threats. Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. This is where ISO 31000 is clearly different from existing guidelines in that the emphasis is shifted from something happening – the event – to the effect on objectives. Kevin W. Knight, AM Chair of the ISO 31000 working group & Chair of ISO 31004 project committee ISO Focus, June 2009 Global Survey on ISO 31000 • Conducted mid-October to mid-December, 2011 • LinkedIn website on ISO 31000, with >6,500 members since March of 2009 – Reached out to 100+ associations, members from 74 associations participated – 1,823 responses from 111 countries – Largest # of participants from US (20%), UK (10%) and Australia (10%) – Primary professions: risk management & IT Survey Participants Select Results • 65% - familiar with or knowledgeable about ISO 31000 – 93% of Australian respondents – 67% of UK respondents – 47% of US respondents • 35% - no knowledge – 7% of Australian respondents – 33% of UK respondents – 53% of US respondents Countries with Highest Level of Awareness of ISO 31000 • • • • • • Australia (65%) New Zealand (47%) Canada (42%) United Arab Emirates (37%) Brazil (28%) South Africa (26%) • • • • • • • Spain (21%) Netherlands (21%) United Kingdom (21%) Finland (18%) Italy (14%) France (13%) USA (11%) “Fully understand ISO 31000” How is Risk Management Used Within Your Organization? • • • • • • All decisions (40%) Auditing/compliance (21%) Safety/security (18%) Report performance (9%) Insurance (7%) Not used in our organization (5%) Which Standard Does Your Organization Utilize? • • • • • • • • Our own version (40%) ISO 31000 (36%) ISO 27005 (20%) COSO (18%) PMBOK (17%) Guide 73 (16%) AUS/NZ 4360 (13%) ISO 31010 (13%)
© Copyright 2024