ISO 31000
Transcript of ISO 31000
Dorothy Gjerdrum, ARM-P, CIRM
Chair, US ISO Technical Advisory Group
Why We Need to Manage Risk
The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.
National Guidance on Implementing ISO 31000:2009
From NSAI in Ireland
Global Corporate Governance Models
• All EU Countries – Directives on Governance
• Netherlands – Code Tabaksblatt
• UK – Cadbury; Turnbull; Greenbury Report; BS 31100 RM
• France – Vienot Committee; Marini Report; Levy-Long Committee
• Italy – Draghi Commission
• Australia/New Zealand – AS/NZS 4360:2004; Stock Exchange Listing; New Accounting Standards; Best Practice Statement (Mgmt)
• US – Business Round Table; NYSE Listing Requirements; Blue Ribbon Commission; Sarbanes-Oxley Act; COSO ERM Framework
• Canada – Toronto Stock Exchange Committee; Canadian Securities Committee; Allen Committee Report; COCO
• South Africa – Code of Best Practice; King Report I, II, III; Stakeholder Communication; Public Finance Mgmt Act
• Japan – Corporate Governance Forum of Japan; J-SOX
• Germany – Bill on the Control and Transparency of Organizations (KonTraG Bill)
• INTERNATIONAL – Basel I & II; ISO 31000
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
ISO 31000:2009 --> ANSI/ASSE/ISO 31000
• Australia, New Zealand & Japan initiated its creation – based on AS/NZS 4360
• 30+ countries participated
• 6 meetings over several years
• Adopted in November of 2009, now officially the first International Standard on Risk Management
• Guide 73 & ISO 31010 quickly followed
• The American Standard on RM – ANSI/ASSE/ISO 31000
Available for purchase at www.csa.ca
• Combined ISO 31000 and Implementation Guidance for Canadian organizations: ‘Q31001-11’
• Canada – placed a stronger emphasis on:
– Senior management support of risk management
– Linking risk management to organizational performance
• Clarified:
– Sensitivities in managing risks to the public
– Maturity model for risk management in organizations
– Risk management process examples
– Correct links between risk appetite, risk tolerance and risk rating concepts
After Adoption…
• BSI 31100 – updated Code of Practice
• CSA – Canadian implementation guide
• NSAI – Ireland’s implementation guide
• Austria – three guidelines: embedding risk management, risk assessment & linking to business continuity processes
• Australia & New Zealand – issued handbooks
• Japan – created guidance (in Japanese)
2011: PC 262 formed to Create ISO 31004
• International work group re-engaged to create an implementation guide to ISO 31000
• Two meetings so far – expect two more each year until finalized
• Publication date of 2015? – May coincide with the next update of ISO 31000
Primary Audience
• Those accountable for the governance of organizations
• Those accountable for managing organizations
• Practitioners providing advice and services to assist decision-makers
• Those who provide assurance regarding the effectiveness of risk management
Scope of ISO 31000
This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.
What is “risk”?
• Risk is present in everything we do.
• ISO 31000, the international standard on risk management, defines it this way:
Risk = the effect of uncertainty on your objectives.
• Risk can be a threat or an opportunity.
Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk.
Critical Components of ISO 31000
The principles provide the foundation and describe the qualities of effective risk management in an organization.
The framework manages the overall process and its full integration into the organization.
The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.
Monitoring & review, continual improvement and communication occur throughout.
From ANSI/ASSE/ISO 31000
(Diagram: Principles, Framework and RM Process)
Principles
Framework:
• Mandate & commitment
• Design framework for managing risk
• Implement risk management
• Monitor and review the framework
• Continually improve the framework
RM Process:
• Establish the context
• Risk assessment: risk identification, risk analysis, risk evaluation
• Risk treatment
• Communicate and consult, and monitor and review, run alongside every step of the process
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best available info
• Tailored
• Takes human & cultural factors into account
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Facilitates continual improvement & enhancement of the org
Components of the Framework
• Understanding the organization & its context
• Establishing RM policy
• Accountability & authority
• Integration into organizational processes
• Determining appropriate resources
• Establishing internal communication & reporting mechanisms
• Establishing external communication & reporting mechanisms
ISO 31000:2009 Risk management – Principles and guidelines
Framework Example: Context
External Context
• Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
• Key drivers and trends that will have an impact on your organization
• Relationships with and perceptions & values of external stakeholders
Internal Context
• Governance, organizational structure, roles & accountabilities
• Policies, objectives & strategy
• Capabilities & resources
• Info systems
• Organizational culture
• Contractual relationships
• Relationships with, perceptions & values of internal stakeholders
Framework Example: Benefits
• Increase likelihood of achieving objectives
• Encourage proactive management
• Be aware of the need to identify and treat risk throughout the organization
• Improve the identification of opportunities & threats
• Effectively allocate and use resources
• Comply with relevant legal and regulatory requirements and international norms
• Improve mandatory and voluntary reporting
• Improve operational effectiveness & efficiency
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making & planning
• Improve controls
• Improve governance
What is Different about ISO 31000?
Without risk, there is no reward or progress. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize threats. Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. This is where ISO 31000 is clearly different from existing guidelines in that the emphasis is shifted from something happening – the event – to the effect on objectives.
Kevin W. Knight, AM, Chair of the ISO 31000 working group & Chair of ISO 31004 project committee – ISO Focus, June 2009
Global Survey on ISO 31000
• Conducted mid-October to mid-December, 2011
• LinkedIn website on ISO 31000, with >6,500 members since March of 2009
– Reached out to 100+ associations; members from 74 associations participated
– 1,823 responses from 111 countries
– Largest # of participants from US (20%), UK (10%) and Australia (10%)
– Primary professions: risk management & IT
Survey Participants
Select Results
• 65% – familiar with or knowledgeable about ISO 31000
– 93% of Australian respondents
– 67% of UK respondents
– 47% of US respondents
• 35% – no knowledge
– 7% of Australian respondents
– 33% of UK respondents
– 53% of US respondents
Countries with Highest Level of Awareness of ISO 31000
• Australia (65%)
• New Zealand (47%)
• Canada (42%)
• United Arab Emirates (37%)
• Brazil (28%)
• South Africa (26%)
• Spain (21%)
• Netherlands (21%)
• United Kingdom (21%)
• Finland (18%)
• Italy (14%)
• France (13%)
• USA (11%)
“Fully understand ISO 31000”
How is Risk Management Used Within Your Organization?
• All decisions (40%)
• Auditing/compliance (21%)
• Safety/security (18%)
• Report performance (9%)
• Insurance (7%)
• Not used in our organization (5%)
Which Standard Does Your Organization Utilize?
• Our own version (40%)
• ISO 31000 (36%)
• ISO 27005 (20%)
• COSO (18%)
• PMBOK (17%)
• Guide 73 (16%)
• AUS/NZ 4360 (13%)
• ISO 31010 (13%)