erm202 -- are risk management standards and practices really necessary (3)
TRANSCRIPT
-
8/22/2019 ERM202 -- Are Risk Management Standards and Practices Really Necessary (3)
ISO 31000
Dorothy Gjerdrum, ARM-P, CIRM
Chair, US ISO Technical Advisory Group
-
Why We Need to Manage Risk
"The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise."
From National Guidance on Implementing ISO 31000:2009, NSAI (Ireland)
-
Global Corporate Governance Models
All EU Countries: Directives on Governance
Netherlands: Tabaksblat Code
UK: Cadbury, Turnbull and Greenbury Reports; BS 31100 (RM)
France: Vienot Committee, Marini Report, Levy-Lang Committee
Italy: Draghi Commission
Australia/New Zealand: AS/NZS 4360:2004; Stock Exchange Listing; New Accounting Standards; Best Practice Stmt Mgmt
US: Business Round Table; NYSE Listing Requirements; Blue Ribbon Commission; Sarbanes-Oxley Act; COSO ERM Framework
Canada: Toronto Stock Exchange Committee; Canadian Securities Committee; Allen Committee Report (COCO)
South Africa: Code of Best Practice; King Report I, II, III; Stakeholder Communication; Public Finance Mgmt Act
Japan: Corporate Governance Forum of Japan; J-SOX
Germany: Bill on the Control and Transparency of Organizations (KonTraG)
International: Basel I & II; ISO 31000
-
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
-
ISO 31000:2009 --> ANSI/ASSE/ISO 31000
Australia, New Zealand & Japan initiated its creation, based on AS/NZS 4360
30+ countries participated
6 meetings over several years
Adopted in November of 2009; now officially the first International Standard on Risk Management
ISO Guide 73 & ISO 31010 quickly followed
The American Standard on RM: ANSI/ASSE/ISO 31000
-
Canada
Combined ISO 31000 and Implementation Guidance for Canadian organizations: Q31001-11
Available for purchase at www.csa.ca
Placed a stronger emphasis on:
  Senior management support of risk management
  Linking risk management to organizational performance
Clarified:
  Sensitivities in managing risks to the public
  Maturity model for risk management in organizations
  Risk management process examples
  Correct links between risk appetite, risk tolerance and risk rating concepts
-
After Adoption
BS 31100: updated Code of Practice
CSA: Canadian implementation guide
NSAI: Ireland's implementation guide
Austria: three guidelines, on embedding risk management, on risk assessment, and on linking to business continuity processes
Australia & New Zealand: issued handbooks
Japan: created guidance (in Japanese)
-
2011: PC 262 formed to create ISO 31004
International work group re-engaged to create an implementation guide to ISO 31000
Two meetings so far; expect two more each year until finalized
Publication date of 2015? May coincide with the next update of ISO 31000
-
Primary Audience
Those accountable for the governance of organizations
Those accountable for managing organizations
Practitioners providing advice and services to assist decision-makers
Those who provide assurance regarding the effectiveness of risk management
-
Scope of ISO 31000
This international standard provides principles and generic guidelines on risk management. It can be used by any public, private or community enterprise, association, group or individual.
Therefore, this standard is not specific to any industry or sector.
-
What is risk?
Risk is present in everything we do. ISO 31000, the international standard on risk management, defines it this way:
Risk = the effect of uncertainty on your objectives.
Risk can be a threat or an opportunity.
Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk
-
Critical Components of ISO 31000
The principles provide the foundation and describe the qualities of effective risk management in an organization.
The framework manages the overall process and its full integration into the organization.
The process for managing risk focuses on individual or groups of risks: their identification, analysis, evaluation and treatment.
Monitoring & review, continual improvement and communication occur throughout.
From ANSI/ASSE/ISO 31000
-
Principles
  Creates value
  Integral part of organizational processes
  Part of decision making
  Explicitly addresses uncertainty
  Systematic, structured & timely
  Based on best available info
  Tailored
  Takes human & cultural factors into account
  Transparent & inclusive
  Dynamic, iterative & responsive to change
  Facilitates continual improvement & enhancement of the org
Framework
  Mandate & commitment
  Design framework for managing risk
  Implement risk management
  Monitor and review the framework
  Continually improve the framework
RM Process
  Establish the context
  Communicate and consult (throughout)
  Monitor and review (throughout)
  Risk assessment:
    Risk identification
    Risk analysis
    Risk evaluation
  Risk treatment
-
Components of the Framework
Understanding the organization & its context
Establishing RM policy
Accountability & authority
Integration into organizational processes
Determining appropriate resources
Establishing internal communication & reporting mechanisms
Establishing external communication & reporting mechanisms
ISO 31000:2009 Risk management -- Principles and guidelines
-
Framework Example: Context
External Context
  Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
  Key drivers and trends that will have an impact on your organization
  Relationships with, and perceptions & values of, external stakeholders
Internal Context
  Governance, organizational structure, roles & accountabilities
  Policies, objectives & strategy
  Capabilities & resources
  Info systems
  Organizational culture
  Contractual relationships
  Relationships with, and perceptions & values of, internal stakeholders
ISO 31000:2009 Risk management -- Principles and guidelines
-
Framework Example: Benefits
Increase likelihood of achieving objectives
Encourage proactive management
Be aware of the need to identify and treat risk throughout the organization
Improve the identification of opportunities & threats
Effectively allocate and use resources
Comply with relevant legal and regulatory requirements and international norms
Improve mandatory and voluntary reporting
Improve operational effectiveness & efficiency
Improve stakeholder confidence and trust
Establish a reliable basis for decision making & planning
Improve controls
Improve governance
ISO 31000:2009 Risk management -- Principles and guidelines
-
What is Different about ISO 31000?
"Without risk, there is no reward or progress. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize threats. Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. This is where ISO 31000 is clearly different from existing guidelines, in that the emphasis is shifted from something happening (the event) to the effect on objectives."
Kevin W. Knight, AM, Chair of the ISO 31000 working group & Chair of the ISO 31004 project committee
ISO Focus, June 2009
-
Global Survey on ISO 31000
Conducted mid-October to mid-December 2011
LinkedIn website on ISO 31000, with >6,500 members since March of 2009
Reached out to 100+ associations; members from 74 associations participated
1,823 responses from 111 countries
Largest # of participants from US (20%), UK (10%) and Australia (10%)
Primary professions: risk management & IT
-
Survey Participants
-
Select Results
65% familiar with or knowledgeable about ISO 31000
  93% of Australian respondents
  67% of UK respondents
  47% of US respondents
35% no knowledge
  7% of Australian respondents
  33% of UK respondents
  53% of US respondents
-
Countries with Highest Level of Awareness of ISO 31000
(share of respondents who fully understand ISO 31000)
Australia (65%)
New Zealand (47%)
Canada (42%)
United Arab Emirates (37%)
Brazil (28%)
South Africa (26%)
Spain (21%)
Netherlands (21%)
United Kingdom (21%)
Finland (18%)
Italy (14%)
France (13%)
USA (11%)
-
How is Risk Management Used Within Your Organization?
All decisions (40%)
Auditing/compliance (21%)
Safety/security (18%)
Report performance (9%)
Insurance (7%)
Not used in our organization (5%)
-
Which Standard Does Your Organization Utilize?
Our own version (40%)
ISO 31000 (36%)
ISO 27005 (20%)
COSO (18%)
PMBOK (17%)
Guide 73 (16%)
AUS/NZ 4360 (13%)
ISO 31010 (13%)