erm202 -- are risk management standards and practices really necessary (3)


  • 8/22/2019 ERM202 -- Are Risk Management Standards and Practices Really Necessary (3)

    Slide 1/25

    ISO 31000

    Dorothy Gjerdrum, ARM-P, CIRM, Chair, US ISO Technical Advisory Group

  • Slide 2/25

    Why We Need to Manage Risk

    The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.

    National Guidance on Implementing ISO 31000:2009, from NSAI in Ireland

  • Slide 3/25

    Global Corporate Governance Models

    All EU countries: Directives on Governance
    Netherlands: Tabaksblat Code
    UK: Cadbury, Turnbull, Greenbury Report; BS 31100 RM
    France: Viénot Committee, Marini Report, Levy-Long Committee
    Italy: Draghi Commission
    Australia/New Zealand: AS/NZS 4360:2004, stock exchange listing, new accounting standards, Best Practice Statement (Mgmt)
    US: Business Round Table, NYSE listing requirements, Blue Ribbon Commission, Sarbanes-Oxley Act, COSO ERM Framework
    Canada: Toronto Stock Exchange Committee, Canadian Securities Committee, Allen Committee Report, COCO
    South Africa: Code of Best Practice, King Report I, II, III, stakeholder communication, Public Finance Management Act
    Japan: Corporate Governance Forum of Japan, J-SOX
    Germany: Bill on the Control and Transparency of Organizations (KonTraG)
    International: Basel I & II; ISO 31000

  • Slide 4/25

    ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.

    Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.

  • Slide 5/25

    ISO 31000:2009 --> ANSI/ASSE/ISO 31000

    Australia, New Zealand & Japan initiated its creation based on AS/NZ 4360
    30+ countries participated
    6 meetings over several years
    Adopted in November of 2009, now officially the first International Standard on Risk Management
    Guide 73 & ISO 31010 quickly followed

    The American Standard on RM: ANSI/ASSE/ISO 31000

  • Slide 6/25

    Canada

    Combined ISO 31000 and Implementation Guidance for Canadian organizations: Q31001-11
    Available for purchase at www.csa.ca

    Placed a stronger emphasis on:
      senior management support of risk management
      linking risk management to organizational performance

    Clarified:
      sensitivities in managing risks to the public
      maturity model for risk management in organizations
      risk management process examples
      correct links between risk appetite, risk tolerance and risk rating concepts

  • Slide 7/25

    After Adoption

    BSI 31100 updated Code of Practice
    CSA Canadian implementation guide
    NSAI Ireland's implementation guide
    Austria: three guidelines on embedding risk management, risk assessment & linking to business continuity processes
    Australia & New Zealand issued handbooks
    Japan created guidance (in Japanese)

  • Slide 8/25

    2011: PC 262 formed to create ISO 31004

    International work group re-engaged to create an implementation guide to ISO 31000
    Two meetings so far; expect two more each year until finalized
    Publication date of 2015? May coincide with the next update of ISO 31000

  • Slide 9/25

    Primary Audience

    Those accountable for the governance of organizations
    Those accountable for managing organizations
    Practitioners providing advice and services to assist decision-makers
    Those who provide assurance regarding the effectiveness of risk management

  • Slide 10/25

    Scope of ISO 31000

    This international standard provides principles and generic guidelines on risk management; it can be used by any public, private or community enterprise, association, group or individual.

    Therefore, this standard is not specific to any industry or sector.

  • Slide 11/25

    What is risk?

    Risk is present in everything we do. ISO 31000, the international standard on risk management, defines it this way:

    Risk = the effect of uncertainty on your objectives.

    Risk can be a threat or an opportunity.
    Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

  • Slide 12/25

    Critical Components of ISO 31000

    The principles provide the foundation and describe the qualities of effective risk management in an organization.

    The framework manages the overall process and its full integration into the organization.

    The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.

    Monitoring & review, continual improvement and communication occur throughout.

    From ANSI/ASSE/ISO 31000

  • Slide 13/25

    Principles, Framework and RM Process (diagram)

    Principles:
      Creates value
      Integral part of organizational processes
      Part of decision making
      Explicitly addresses uncertainty
      Systematic, structured & timely
      Based on best available info
      Tailored
      Takes human & cultural factors into account
      Transparent & inclusive
      Dynamic, iterative & responsive to change
      Facilitates continual improvement & enhancement of the org

    Framework:
      Mandate & commitment
      Design framework for managing risk
      Implement risk management
      Monitor and review the framework
      Continually improve the framework

    RM Process:
      Establish the context
      Risk assessment: risk identification, risk analysis, risk evaluation
      Risk treatment
      Communicate and consult; monitor and review (throughout the process)

  • Slide 14/25

    Components of the Framework

    Understanding the organization & its context
    Establishing RM policy
    Accountability & authority
    Integration into organizational processes
    Determining appropriate resources
    Establishing internal communication & reporting mechanisms
    Establishing external communication & reporting mechanisms

    ISO 31000:2009 Risk management -- Principles and guidelines

  • Slide 15/25

    Framework Example: Context

    External Context
      Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
      Key drivers and trends that will have an impact on your organization
      Relationships with and perceptions & values of external stakeholders

    Internal Context
      Governance, organizational structure, roles & accountabilities
      Policies, objectives & strategy
      Capabilities & resources
      Info systems
      Organizational culture
      Contractual relationships
      Relationships with, perceptions & values of internal stakeholders

    ISO 31000:2009 Risk management -- Principles and guidelines

  • Slide 16/25

    Framework Example: Benefits

    Increase likelihood of achieving objectives
    Encourage proactive management
    Be aware of the need to identify and treat risk throughout the organization
    Improve the identification of opportunities & threats
    Effectively allocate and use resources
    Comply with relevant legal and regulatory requirements and international norms
    Improve mandatory and voluntary reporting
    Improve operational effectiveness & efficiency
    Improve stakeholder confidence and trust
    Establish a reliable basis for decision making & planning
    Improve controls
    Improve governance

    ISO 31000:2009 Risk management -- Principles and guidelines

  • Slide 17/25

    What is Different about ISO 31000?

    "Without risk, there is no reward or progress. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize threats. Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. This is where ISO 31000 is clearly different from existing guidelines in that the emphasis is shifted from something happening (the event) to the effect on objectives."

    Kevin W. Knight, AM, Chair of the ISO 31000 working group & Chair of ISO 31004 project committee, ISO Focus, June 2009

  • Slide 18/25

    Global Survey on ISO 31000

    Conducted mid-October to mid-December, 2011
    LinkedIn website on ISO 31000, with >6,500 members since March of 2009
    Reached out to 100+ associations; members from 74 associations participated
    1,823 responses from 111 countries
    Largest # of participants from US (20%), UK (10%) and Australia (10%)
    Primary professions: risk management & IT

  • Slide 19/25

    Survey Participants (chart)

  • Slide 20/25

    Select Results

    65% - familiar with or knowledgeable about ISO 31000
      93% of Australian respondents
      67% of UK respondents
      47% of US respondents

    35% - no knowledge
      7% of Australian respondents
      33% of UK respondents
      53% of US respondents

  • Slide 21/25

    Countries with Highest Level of Awareness of ISO 31000 (% of respondents who fully understand ISO 31000)

    Australia (65%)
    New Zealand (47%)
    Canada (42%)
    United Arab Emirates (37%)
    Brazil (28%)
    South Africa (26%)
    Spain (21%)
    Netherlands (21%)
    United Kingdom (21%)
    Finland (18%)
    Italy (14%)
    France (13%)
    USA (11%)

  • Slide 22/25

    How is Risk Management Used Within Your Organization?

    All decisions (40%)
    Auditing/compliance (21%)
    Safety/security (18%)
    Report performance (9%)
    Insurance (7%)
    Not used in our organization (5%)

  • Slide 23/25

    Which Standard Does Your Organization Utilize?

    Our own version (40%)
    ISO 31000 (36%)
    ISO 27005 (20%)
    COSO (18%)
    PMBOK (17%)
    Guide 73 (16%)
    AUS/NZ 4360 (13%)
    ISO 31010 (13%)
