ISO 31000 Dorothy Gjerdrum, ARM-P, CIRM Chair, US ISO Technical Adv Group

Post on 23-Dec-2015


TRANSCRIPT

Page 1: ISO 31000 Dorothy Gjerdrum, ARM-P, CIRM Chair, US ISO Technical Adv Group

ISO 31000

Dorothy Gjerdrum, ARM-P, CIRM
Chair, US ISO Technical Adv Group

Page 2

Why We Need to Manage Risk

The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.

National Guidance on Implementing ISO 31000:2009

From NSAI in Ireland

Page 3

Global Corporate Governance Models

• All EU Countries: Directives on Governance
• Netherlands: Code Tabaksblatt
• UK: Cadbury; Turnbull; Greenbury Rpt; BS 31100 RM
• France: Vienot Com.; Mrini Report; Levy-Long Com.
• Italy: Draghi Commission
• Australia/New Zealand: AS/NZS 4360:2004; Stock Exchange Listing; New Accounting Standards; Best Practice Stmt Mgmt
• US: Business Round Table; NYSE listing Requirements; Blue Ribbon Commission; Sarbanes Oxley Act; COSO ERM Framework
• Canada: Toronto Stock Exchange Committee; Canadian Securities Committee; Allen committee Report; COCO
• South Africa: Code of Best Practice; King Report I, II, III; Stakeholder Communication; Public Finance Mgmt Act
• Japan: Corporate Governance Forum of Japan; J-SOX
• Germany: Bill on The Control and Transparency of organizations; KonTraG Bill
• INTERNATIONAL: Basel I & II; ISO 31000

Page 4

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.

Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.

Page 5

ISO 31000:2009 --> ANSI/ASSE/ISO 31000

• Australia, New Zealand & Japan initiated its creation – based on AS/NZ 4360
• 30+ countries participated
• 6 meetings over several years
• Adopted in November of 2009, now officially the first International Standard on Risk Management
• Guide 73 & ISO 31010 quickly followed
• The American Standard on RM – ANSI/ASSE/ISO 31000

Page 6

Available for purchase at www.csa.ca

• Combined ISO 31000 and Implementation Guidance for Canadian organizations: ‘Q31001-11’
• Canada
  – Placed a stronger emphasis on
    • senior management support of risk management
    • Linking risk management to organizational performance
  – Clarified
    • Sensitivities in managing risks to the public
    • Maturity model for risk management in organizations
    • Risk management process examples
    • Correct links between risk appetite, risk tolerance and risk rating concepts

Page 7

After Adoption…

• BSI 31100 – updated Code of Practice
• CSA – Canadian implementation guide
• NSAI – Ireland’s implementation guide
• Austria – three guidelines: embedding risk management, risk assessment & linking to business continuity processes
• Australia & New Zealand – issued handbooks
• Japan – created guidance (in Japanese)

Page 8

2011: PC 262 formed to Create ISO 31004

• International work group re-engaged to create an implementation guide to ISO 31000

• Two meetings so far – expect two more each year until finalized

• Publication date of 2015? – May coincide with the next update of ISO 31000

Page 9

Primary Audience

• Those accountable for the governance of organizations
• Those accountable for managing organizations
• Practitioners providing advice and services to assist decision-makers
• Those who provide assurance regarding the effectiveness of risk management

Page 10

Scope of ISO 31000

This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.

Page 11

What is “risk”?

• Risk is present in everything we do.
• ISO 31000, the international standard on risk management, defines it this way:

Risk = the effect of uncertainty on your objectives.

• Risk can be a threat or an opportunity

Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

Page 12

Critical Components of ISO 31000

The principles provide the foundation and describe the qualities of effective risk management in an organization.

The framework manages the overall process and its full integration into the organization.

The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.

Monitoring & review, continual improvement and communication occur throughout.

From ANSI/ASSE/ISO 31000

Page 13

Principles
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best available info
• Tailored
• Takes human & cultural factors into account
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Facilitates continual improvement & enhancement of the org

Framework
• Mandate & Commitment
• Design framework for managing risk
• Implement risk management
• Monitor and review the framework
• Continually improve the framework

RM Process
• Establish the context
• Risk assessment: Risk identification, Risk analysis, Risk evaluation
• Risk treatment
• Communicate and consult (alongside every step)
• Monitor and review (alongside every step)

Page 14

Components of the Framework

• Understanding the organization & its context
• Establishing RM policy
• Accountability & Authority
• Integration into organizational processes
• Determining appropriate resources
• Establishing internal communication & reporting mechanisms
• Establishing external communication & reporting mechanisms

ISO 31000:2009 Risk management – Principles and guidelines

Page 15

Framework Example: Context

External Context
• Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
• Key drivers and trends that will have an impact on your organization
• Relationships with and perceptions & values of external stakeholders

Internal Context
• Governance, organizational structure, roles & accountabilities
• Policies, objectives & strategy
• Capabilities & resources
• Info systems
• Organizational culture
• Contractual relationships
• Relationships with, perceptions & values of internal stakeholders

ISO 31000:2009 Risk management – Principles and guidelines

Page 16

Framework Example: Benefits

• Increase likelihood of achieving objectives
• Encourage proactive management
• Be aware of the need to identify and treat risk throughout the organization
• Improve the identification of opportunities & threats
• Effectively allocate and use resources
• Comply with relevant legal and regulatory requirements and international norms
• Improve mandatory and voluntary reporting
• Improve operational effectiveness & efficiency
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making & planning
• Improve controls
• Improve governance

ISO 31000:2009 Risk management – Principles and guidelines

Page 17

What is Different about ISO 31000?

Without risk, there is no reward or progress. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize threats. Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. This is where ISO 31000 is clearly different from existing guidelines in that the emphasis is shifted from something happening – the event – to the effect on objectives.

Kevin W. Knight, AM, Chair of the ISO 31000 working group & Chair of ISO 31004 project committee. ISO Focus, June 2009

Page 18

Global Survey on ISO 31000

• Conducted mid-October to mid-December, 2011
• LinkedIn website on ISO 31000, with >6,500 members since March of 2009
  – Reached out to 100+ associations, members from 74 associations participated
  – 1,823 responses from 111 countries
  – Largest # of participants from US (20%), UK (10%) and Australia (10%)
  – Primary professions: risk management & IT

Page 19

Survey Participants

Page 20

Select Results

• 65% - familiar with or knowledgeable about ISO 31000
  – 93% of Australian respondents
  – 67% of UK respondents
  – 47% of US respondents
• 35% - no knowledge
  – 7% of Australian respondents
  – 33% of UK respondents
  – 53% of US respondents

Page 21

Countries with Highest Level of Awareness of ISO 31000 (“Fully understand ISO 31000”)

• Australia (65%)
• New Zealand (47%)
• Canada (42%)
• United Arab Emirates (37%)
• Brazil (28%)
• South Africa (26%)
• Spain (21%)
• Netherlands (21%)
• United Kingdom (21%)
• Finland (18%)
• Italy (14%)
• France (13%)
• USA (11%)

Page 22

How is Risk Management Used Within Your Organization?

• All decisions (40%)
• Auditing/compliance (21%)
• Safety/security (18%)
• Report performance (9%)
• Insurance (7%)
• Not used in our organization (5%)

Page 23

Which Standard Does Your Organization Utilize?

• Our own version (40%)
• ISO 31000 (36%)
• ISO 27005 (20%)
• COSO (18%)
• PMBOK (17%)
• Guide 73 (16%)
• AUS/NZ 4360 (13%)
• ISO 31010 (13%)
