ISO 31000, a risk management standard for decision-makers
Alex Dali, MBA, ARM, CT31000
President
Global Institute for Risk Management Standards - G31000
Major Risks Faced by Airlines
• Strategic risk: business design choices
• Financial risk: variability of revenue and costs
• Operational risk: tactical aspects of running the business
• Hazard risk: safety of physical assets
Specialized risk in ISO standards
Domain | Risk | ISO standard
Quality | Nonconformities | ISO 9001
Environment | Pollution | ISO 14001
Health & Safety | Accident, disease | ISO 45001
Energy | Interruption | ISO 50001
IT security | Data breach, cyber crime | ISO 27001
Project | Non-quality, cost overrun, delays | ISO 21500
Supply chain | Disruption | ISO 28000
Business ethics | Bribery | ISO 37001
Law & regulations | Non-compliance | ISO 19600
Continuity | Incident | ISO 22301
Why aren’t ERM Programs More Successful?
Copyright 2012 rPM3 Solutions, LLC and ERM, LLC
• Most ERM Programs are built on “Governance” or “Compliance” models. Value: “Did we do it? Good.”
• Measures are rarely in meaningful terms
• Not a KEY role in performance management, planning, budgeting and strategy formation
• Limited in scope and focus
• Not a “day-to-day” part of decision making
• Not based on or tied to a standard or tight framework
A compliance & control risk management standard
(diagram: “Risk” surrounded by compliance, reporting, regulations, insurance, controls and audit)
ISO 31000, a Global Risk Management Standard
Philosophy of the ISO 31000 risk management standard
(diagram with the terms: Uncertainty, Risk, Performance, Decision-making, Objectives, Best allocation of resources; and compliance, audit, reporting, regulations, insurance, controls)
RISK MANAGEMENT & ISO 31000
The combination of governance, performance, decision-making and risk management has become the driving force for a global approach and a structured methodology leading to risk management standardization.
5 recommendations
1. Adopt an internationally-recognized reference
2. Use a simple risk management architecture
3. Promote business performance
4. Link risk management and decision-making
5. Encourage adequate education with benefits
About ISO 31000
Internationally-recognised reference
• International acceptance
• Single global reference for stakeholders
• Guideline can be tailored
• All types of risks – any sector/industry
• “Umbrella” for all existing standards
• Multiple frameworks create confusion
ISO 31000 adopted as national risk management standard
76 countries
23 languages
International Organization for Standardization, ISO Central Secretariat, BIBC II, Chemin de Blandonnet 8, CP 401, 1214 Vernier, Geneva, Switzerland – www.ISO.org
Link: https://goo.gl/VTTfQy
(chart: number of members by countries, world top ten, 2011–2016; extract from G31000 database, 15 June 2016)
Objectives of ISO 31000 STRUCTURE
Simple risk management architecture
• 3-pillar structure
• robust and simple to apply
• opportunity to review existing RM practices
• ISO 31000 free to download in India
• Do not restrict risk management to the risk management process…
Objectives of ISO 31000 STRUCTURE
PRINCIPLES
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization
FRAMEWORK (Plan-Do-Check-Act cycle)
• Mandate and commitment
• Design of framework for managing risk
• Implementing risk management
• Monitoring and review
• Continual improvement
Objectives of ISO 31000 STRUCTURE
RISK MANAGEMENT PROCESS
• Establish the context
• Risk identification
• Risk analysis
• Risk evaluation
• Risk treatment
Communication and consultation, and monitoring and review, run alongside every step of the process.
+ ISO Guide 73 – Risk management vocabulary
Objectives of ISO 31000 SCOPE
… not a parallel management system
• Integrate risk in all practices and processes – at all levels.
• Risk management must create value
• Link risk management to business performance
• No bureaucratic compliance reporting system
G31000 Copyright - © 2015
Certification INDIVIDUALS
• Growing understanding of the importance of effectively managing risk
• Increasing recognition of ISO 31000
• Individuals wishing for knowledge and understanding about risk management
• Improved decision making through explicit consideration of uncertainty and potential consequences
Global Institute for Risk Management Standards
Training sessions conducted worldwide: 78 sessions in 25 countries
List of cities covered: New York, Chicago, Los Angeles, Denver, Washington, West Palm Beach, Toronto, Brussels, Paris, London, Nice, Lagos, Johannesburg, Cape Town, Madrid, Barcelona, Milano, Geneve, Amsterdam, Dubai, Riyadh, Macau, Shanghai, Singapore, Sydney, Lima, Bogota, Cairo.
“Plan your training” survey: http://www.G31000.org/survey
Global Institute for Risk Management Standards
Network of 123 approved/certified trainers
Worldwide network of 1232 certified risk professionals via G31000 training and certification
5 recommendations
1. Adopt an internationally-recognized reference
2. Use a simple risk management architecture
3. Promote business performance
4. Link risk management and decision-making
5. Encourage adequate education with benefits
Alex Dali, MBA, ARM, CT31000
President
Global Institute for Risk Management Standards - G31000
Thank you for your attention
About ISO 31000
Engineer: risk = hazard
Scenario: risk = event
Manager: risk = uncertainty on objectives
Health: risk = threat (purely negative)
Finance: risk = return
Public sector: risk = discontinuity of service
Organisations of all types face a range of risks…
Organisations of all types face a range of combinations of the probability of an event and its consequences…
About risk management standards
• CAN/CSA-Q850-1997 – Canada
• JIS Q 2001 – Japan
• AS/NZS 4360:1995/1999/2004 – Australia
• AIRMIC, ALARM, IRM:2002; M_o_R:2002/2007/2011 – UK
• FERMA:2004 – Europe
• COSO 2 (ERM): 2004 – USA
• ONR 49000:2008 – Austria (DE/CH)
• ISO 31000:2009 – adopted as AS/NZS ISO 31000, CAN/CSA-ISO 31000 (Canada), JIS Q 31000 (Japan), BS ISO 31000 and BS 31100 Guide (UK)
• ?
About ISO 31000
(diagram of management domains: Quality, Environment, OH&S, IT security, Finance, Equipment, Food safety, Supply chain, Project)
Susan LK Briggs – TC207/SC1 Representative on JTCG TF1; Chair, US Technical Advisory Group to TC207; Convenor, WG5 – ISO 14001 Revision
Presented at the 2nd international ISO 31000 Conference 2013, Toronto, Canada: “ISO TMB Joint Technical Coordination Group – How to align all ISO Management Systems: Introducing the concept of RISK”
Paul C Palmes – Chairman, International Technical Committee TC 176, SC1 (revision of ISO 9001:2015); US Technical Advisory Group to TC 176, SC1/HOD
Presented at the 3rd international ISO 31000 Conference 2014, New York, USA: “ISO TC 176 – SC1 – Concepts and terminology: Risk-based Thinking introduced in the Revision of ISO 9001:2015 – Direct references to ISO 31000”
Objectives of ISO 31000 SCOPE
ISO Standard vs ISO Guideline?
• Risk Management – Principles and Guidelines
• voluntary application, not prescriptive, no legal requirement
• specifically not intended for certification
• ISO certifiable standard? NO!
Objectives of ISO 31000 SCOPE
All organisations: any sector, any activity, any size
All risks: any type of risk, + or - consequences
Generic guidelines: harmonizes processes, not practices
Global reference: harmonizes RM in existing and future standards
Global application: objectives, context, structure, operations, processes, functions, projects, products, services, or assets
Objectives of ISO 31000 BENEFITS
1. Standard = consensus (compromise)
2. Standards, not regulation: voluntary endorsement
3. Wide range of input, not one point of view
4. Apply to any activity or domain in any organisation
5. Integrated approach for the management of risk
6. Very general, allowing interpretation (guideline)
7. Regular updates through ISO
8. Recognizing best practices
9. Facilitate communication and training
10. Recognition for the profession
QUIZ on the ISO 31000 STANDARD
Question 1: The ISO 31000 document is a
A. Technical specification for Risk Management
B. Guidance standard for Risk Management
C. Certifiable standard for Risk Management
D. Umbrella standard for existing or future standards
USEFUL LINKS
• ISO 31000 GLOBAL SURVEY 2012:
  English version: http://goo.gl/CckZv
  Spanish version: http://goo.gl/sKF4J
  French version: http://goo.gl/xs8hy
• ISO 31000 INTERNATIONAL CONFERENCE: http://G31000.org/conferences/
• LINKEDIN GROUP on ISO 31000: http://www.linkedin.com/groups?mostPopular=&gid=1834592
• About ISO 31000 – official link: http://www.iso.org/iso/catalogue_detail?csnumber=43170
• About ISO 31000 – presentation: http://www.crasp.gov.br/crasp/conteudo/APRESENTA%C3%87%C3%83O%20-%20ISO%2031000.pdf