ISO 31000
Dorothy Gjerdrum, ARM-P, CIRM
Chair, US ISO Technical Advisory Group
Why We Need to Manage Risk
The purpose of managing risk is to increase the
likelihood of an organization achieving its objectives
by being in a position to manage threats and
adverse situations and being ready to take
advantage of opportunities that may arise.
National Guidance
on Implementing ISO 31000:2009
From NSAI in Ireland
Global Corporate Governance Models
INTERNATIONAL – Basel I & II; ISO 31000
France
• Viénot Committee
• Marini Report
• Levy-Long Committee
UK
• Cadbury
• Turnbull
• Greenbury Report
• BS 31100 RM
All EU Countries
• Directives on Governance
Germany
• Bill on the Control and Transparency of organizations
• KonTraG Bill
US
• Business Round Table
• NYSE Listing Requirements
• Blue Ribbon Commission
• Sarbanes-Oxley Act
• COSO ERM Framework
Netherlands
• Code Tabaksblat
Italy
• Draghi Commission
Japan
• Corporate Governance Forum of Japan
• J-SOX
Australia/New Zealand
• AS/NZS 4360:2004
• Stock Exchange Listing
• New Accounting Standards
• Best Practice Stmt Mgmt
Canada
• Toronto Stock Exchange Committee
• Canadian Securities Committee
• Allen Committee Report
• COCO
South Africa
• Code of Best Practice
• King Report I, II, III
• Stakeholder Communication
• Public Finance Mgmt Act
ISO (International Organization for Standardization) is the
world's largest developer and publisher of
International Standards.
Established in 1947, ISO is a network of the national
standards institutes of 159 countries, one member per
country, with a Central Secretariat in Geneva, Switzerland,
that coordinates the system.
ISO 31000:2009 --> ANSI/ASSE/ISO 31000
• Australia, New Zealand & Japan initiated its
creation – based on AS/NZ 4360
• 30+ countries participated
• 6 meetings over several years
• Adopted in November of 2009, now
officially the first International Standard on
Risk Management
• Guide 73 & ISO 31010 quickly followed
• The American Standard on RM –
ANSI/ASSE/ISO 31000
• Combined ISO 31000 and Implementation Guidance for Canadian organizations: ‘Q31001-11’
• Canada
  – Placed a stronger emphasis on
    • senior management support of risk management
    • linking risk management to organizational performance
  – Clarified
    • sensitivities in managing risks to the public
    • maturity model for risk management in organizations
    • risk management process examples
    • correct links between risk appetite, risk tolerance and risk rating concepts
Available for purchase at www.csa.ca
After Adoption…
• BSI 31100 – updated Code of Practice
• CSA – Canadian implementation guide
• NSAI – Ireland’s implementation guide
• Austria – three guidelines: embedding risk management, risk assessment & linking to business continuity processes
• Australia & New Zealand – issued handbooks
• Japan – created guidance (in Japanese)
2011: PC 262 formed to Create ISO 31004
• International work group re-engaged to create
an implementation guide to ISO 31000
• Two meetings so far – expect two more each
year until finalized
• Publication date of 2015? – May coincide with
the next update of ISO 31000
Primary Audience
• Those accountable for the governance of
organizations
• Those accountable for managing organizations
• Practitioners providing advice and services to
assist decision-makers
• Those who provide assurance regarding the
effectiveness of risk management
Scope of ISO 31000
This international standard provides
principles and generic guidelines on risk
management… it can be used by any
public, private or community enterprise,
association, group or individual.
Therefore, this standard is not specific
to any industry or sector.
What is “risk”??
• Risk is present in everything we do.
• ISO 31000, the international standard on risk
management, defines it this way:
Risk = the effect of uncertainty on your objectives.
• Risk can be a threat or an opportunity
Anything that could harm, prevent, delay or enhance
your ability to achieve your objectives = risk
Critical Components of ISO 31000
From ANSI/ASSE/ISO 31000
The principles provide the foundation and describe the qualities of effective risk management in an organization.
The framework manages the overall process and its full integration into the organization.
The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.
Monitoring & review, continual improvement and communication occur throughout.
Framework cycle: Mandate & Commitment → Design framework for managing risk → Implement risk management → Monitor and review the framework → Continually improve the framework (and back to Design)
RM Process: Establish the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment, with Communicate and consult and Monitor and review running alongside every step
Principles
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best available info
• Tailored
• Takes human & cultural factors into account
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Facilitates continual improvement & enhancement of the org
Framework
Components of the Framework
• Understanding the organization & its context
• Establishing RM policy
• Accountability & Authority
• Integration into organizational processes
• Determining appropriate resources
• Establishing internal communication & reporting mechanisms
• Establishing external communication & reporting mechanisms
ISO 31000:2009
Risk management – Principles and guidelines
Framework Example: Context
External Context
• Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
• Key drivers and trends that will have an impact on your organization
• Relationships with and perceptions & values of external stakeholders
Internal Context
• Governance, organizational structure, roles & accountabilities
• Policies, objectives & strategy
• Capabilities & resources
• Info systems
• Organizational culture
• Contractual relationships
• Relationships with, perceptions & values of internal stakeholders
Framework Example: Benefits
• Increase likelihood of achieving objectives
• Encourage proactive management
• Be aware of the need to identify and treat risk throughout the organization
• Improve the identification of opportunities & threats
• Effectively allocate and use resources
• Comply with relevant legal and regulatory requirements and international norms
• Improve mandatory and voluntary reporting
• Improve operational effectiveness & efficiency
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making & planning
• Improve controls
• Improve governance
What is Different about ISO 31000?
Without risk, there is no reward or progress. Unless risk
is managed effectively, organizations cannot maximize
opportunities and minimize threats. Risk is all about
uncertainty, or more importantly, the effect of
uncertainty on the achievement of objectives. This is
where ISO 31000 is clearly different from existing
guidelines in that the emphasis is shifted from
something happening – the event – to the effect on
objectives.
Kevin W. Knight, AM
Chair of the ISO 31000 working group
& Chair of ISO 31004 project committee
ISO Focus, June 2009
Global Survey on ISO 31000
• Conducted mid-October to mid-December, 2011
• LinkedIn website on ISO 31000, with >6,500
members since March of 2009
– Reached out to 100+ associations, members from 74
associations participated
– 1,823 responses from 111 countries
– Largest # of participants from US (20%), UK (10%) and
Australia (10%)
– Primary professions: risk management & IT
Survey Participants
Select Results
• 65% - familiar with or knowledgeable about
ISO 31000
– 93% of Australian respondents
– 67% of UK respondents
– 47% of US respondents
• 35% - no knowledge
– 7% of Australian respondents
– 33% of UK respondents
– 53% of US respondents
Countries with Highest Level of Awareness of ISO 31000
(“Fully understand ISO 31000”)
• Australia (65%)
• New Zealand (47%)
• Canada (42%)
• United Arab Emirates (37%)
• Brazil (28%)
• South Africa (26%)
• Spain (21%)
• Netherlands (21%)
• United Kingdom (21%)
• Finland (18%)
• Italy (14%)
• France (13%)
• USA (11%)
How is Risk Management Used Within Your Organization?
• All decisions (40%)
• Auditing/compliance (21%)
• Safety/security (18%)
• Report performance (9%)
• Insurance (7%)
• Not used in our organization (5%)
Which Standard Does Your Organization Utilize?
• Our own version (40%)
• ISO 31000 (36%)
• ISO 27005 (20%)
• COSO (18%)
• PMBOK (17%)
• Guide 73 (16%)
• AUS/NZ 4360 (13%)
• ISO 31010 (13%)