ISO 31000

ISO 31000: The challenges of implementing a new approach

Professor Martin Loosemore FRICS, FCIOB

Transcript of ISO 31000

Page 1: ISO 31000

ISO 31000: The challenges of implementing a new approach

Professor Martin Loosemore FRICS, FCIOB

Page 2: ISO 31000

WHY ARE WE HERE?

High risk (and opportunity) environment - large, high-value, innovative projects with long risk exposure.

Surge in risk-related legislation.

Pre-qualification requiring a demonstrable capability in risk management.

Corporate responsibility and citizenship evolving fast.

Rapid growth (skills shortages and capacity problems).

Customer base changing.

Penalties for non-compliance becoming increasingly severe.

Risk and opportunity management is our core business

Working overseas (culture, pressures, everything is new)

Protect and enhance our reputation

Page 3: ISO 31000

COMPETITIVE ADVANTAGE

57% Regularly declined tenders due to a lack of confidence in managing high risks OR added too large a contingency and lost the job as a result.

59% Companies did not review risks on a regular basis.

38% Directors were not confident in their risk management systems.

Page 4: ISO 31000

22 COMMON PROBLEMS

1. COMPLIANCE RATHER THAN BEST PRACTICE.

CSA 1997: 1. Initiation; 2. Preliminary analysis; 3. Estimation; 4. Evaluation; 5. Control; 6. Action/monitor; 7. Communicate

BS6079-3 (2000): 1. Context; 2. Identification; 3. Analysis; 4. Evaluation; 5. Treatment; 6. Communicate; 7. Review/update

IRGC 2004: 1. Pre-assessment; 2. Appraisal; 3. Tolerability and acceptability judgement; 4. Risk management; 5. Communicate

COSO (2004): 1. Environment; 2. Objectives; 3. Identification; 4. Assessment; 5. Response; 6. Control; 7. Communicate; 8. Monitoring

AS/NZS4360 (2004): 1. Context; 2. Identification; 3. Analysis; 4. Evaluation; 5. Treatment; 6. Communicate/consult; 7. Monitor/review

ISO 31000 (2008): 1. Mandate/commitment; 2. Context; 3. Identification; 4. Analysis; 5. Evaluation; 6. Treatment; 7. Communicate/consult; 8. Monitor/review

Key: CSA – Canadian Standards Association; IRGC – International Risk Governance Council; COSO – Committee of Sponsoring Organizations; ISO – International Standards Organisation; AS/NZ – Standards Australia and Standards New Zealand; BS – British Standards

Page 5: ISO 31000

2. HUNGER FOR PROFIT WITHOUT A RISK APPETITE.

3. FROM THE BOTTOM RATHER THAN THE TOP.

4. CRISIS MANAGEMENT RATHER THAN RISK MANAGEMENT.

22 COMMON PROBLEMS

Page 6: ISO 31000

5. RISK TRANSFER RATHER THAN RISK MANAGEMENT.

6. SELFISH RATHER THAN COOPERATIVE.

7. INCESTUOUS RATHER THAN CONSULTATIVE.

8. NEGATIVE RATHER THAN POSITIVE.

22 COMMON PROBLEMS

Page 7: ISO 31000

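Risk matrix: likelihood (rows) against consequence (columns)

Likelihood      | Insignificant | Minor | Moderate | Major | Catastrophic
Almost certain  | L             | M     | H        | H     | E
Very likely     | L             | M     | M        | H     | E
Likely          | L             | L     | M        | H     | E
Unlikely        | L             | L     | M        | H     | H
Rare            | L             | L     | M        | H     | H

E = Extreme, H = High, M = Medium, L = Low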

22 COMMON PROBLEMS

Page 8: ISO 31000

9. PROJECT-BASED RATHER THAN PORTFOLIO-BASED.

10. UNSYSTEMATIC RATHER THAN CONSISTENT.

11. SILO MENTALITY.

12. BUCK-PASSING RATHER THAN TAKE RESPONSIBILITY.

22 COMMON PROBLEMS

Page 9: ISO 31000

13. COMPLEX RATHER THAN SIMPLE.

14. CENTRALISED RATHER THAN DECENTRALISED.

15. PERIODIC RATHER THAN CONTINUOUS.

16. COMMERCIAL RISKS RATHER THAN OPERATIONAL RISKS.

22 COMMON PROBLEMS

Page 10: ISO 31000

17. QUANTITATIVE RATHER THAN QUALITATIVE.

18. ANALYSIS RATHER THAN IDENTIFICATION.

19. PERIPHERAL RATHER THAN CORE ACTIVITY.

20. ONE DIMENSIONAL RATHER THAN 3D.

22 COMMON PROBLEMS

Page 12: ISO 31000

RISK MANAGEMENT MATURITY

[Figure: dimensions shown are Awareness, Confidence, Image, Processes, Application, Skills, Culture, Resources. RMMT - www.synergymcg.com]

Page 13: ISO 31000

RISK MANAGEMENT MATURITY

[Figure: risk management maturity plotted against time. Labels: Hardware phase, Systems phase, People phase, Ignorance phase, Corporate social responsibility]

Page 14: ISO 31000
Page 15: ISO 31000

STEP ONE

UNDERSTAND WHY YOU WANT A NEW APPROACH

Page 16: ISO 31000

FOR MULTIPLEX?

Very big risky projects – one problem can wipe out margins or company.

New legislation was requiring it

Pre-qualification requiring a demonstrable capability in risk management.

Rapid growth was stretching existing systems.

Customers becoming more risk averse.

Risk and opportunity was seen as essential to protect and enhance reputation.

End of supply chain and being passed a lot of risk.

Page 17: ISO 31000

STEP TWO

UNDERSTAND YOUR PHILOSOPHY AND MATURITY

Page 18: ISO 31000

Breaking down barriers

FOR MULTIPLEX: A NEW WAY TO MANAGE RISK

Risk portfolios

Benefits of risk/opportunity management

Cost of risk/opportunity management

Pro-activity

Project life cycle

Risk seen as an asset

Page 19: ISO 31000

Meaningful consultation

Taking responsibility

A NEW WAY TO MANAGE RISK

Simple

Page 20: ISO 31000

RISK MANAGEMENT MATURITY AUDIT

[Figure: dimensions shown are Awareness, Confidence, Image, Processes, Application, Skills, Culture, Resources]

Page 21: ISO 31000

STEP THREE

DEVELOP THE SYSTEM

Page 22: ISO 31000

FOCUS GROUPS WITH KEY STAKEHOLDERS.

DOCUMENT THE SYSTEM

PILOT THE SYSTEM, COLLECT FEEDBACK AND REFINE IT.

Development and implementation process

Page 23: ISO 31000

THE END RESULT

Page 24: ISO 31000
Page 25: ISO 31000
Page 26: ISO 31000
Page 27: ISO 31000
Page 28: ISO 31000
Page 29: ISO 31000
Page 31: ISO 31000

www.risk-opportunity.com

Page 32: ISO 31000

Companies using multimedia to manage risks include

Page 33: ISO 31000

STEP FOUR

IMPLEMENT THE SYSTEM

Page 34: ISO 31000

Lessons

Easy to change behaviour but difficult to keep it changed!

Need to educate your employees, clients and business partners about their role in the process

Page 35: ISO 31000

Risk Manager

External specialist consultants.

Information manager (Collection, storage, maintenance and dissemination of risk-related information.)

Intranet Manager (Maintain MFM’s web site.)

Risk analysts. (Assistance in statistical risk analysis – using MRI, Pinnacle, @Risk, Cougar and RCM Turbo)

Technical advisers. (Advice on contractual, legal, insurance, safety, environmental matters etc.)

Human Resources (Selection, training, appraisal, rewards etc)

Effective support is crucial

Lessons

Page 37: ISO 31000

Manage the risks of risk management!

Lessons

Senior management leadership and commitment is crucial

Expect knock-on effects