ISO 31000, 2009 - The Institute of Internal Auditors
TRANSCRIPT
ISO 31000, 2009
The New International Standard for Risk Management
By Remonde Brangman
Risk Advisory Practice Leader
CBIZ MHM, LLC Mid-Atlantic
Session Objectives
• Why is ISO 31000 relevant?
• Scope
• History and development of ISO standards
• Key definitions
• Principles
• Framework
• Process
Why ISO 31000?
• First recognized international standard
• A roadmap to the future of ERM
• Introduces a new perspective on risk management
• Provides more specific guidance to risk managers
Scope
• Provides principles and generic guidelines
• Can be used by any public, private or community enterprise, association, group or individual – not industry or sector specific
• Can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets
• Can be applied to any type of risk, whatever its nature, whether having positive or negative consequences
• It is not intended to promote uniformity of risk management across organizations
Why implement Risk Management?
• Increase the likelihood of achieving objectives;
• Encourage proactive management;
• Be aware of the need to identify and treat risk throughout the organization;
• Improve the identification of opportunities and threats;
• Comply with relevant legal and regulatory requirements and international norms;
• Improve mandatory and voluntary reporting;
• Improve governance;
• Improve stakeholder confidence and trust;
• Establish a reliable basis for decision making and planning;
• Improve controls;
• Effectively allocate and use resources for risk treatment;
• Improve operational effectiveness and efficiency;
• Enhance health and safety performance, as well as environmental protection;
• Improve loss prevention and incident management;
• Minimize losses;
• Improve organizational learning; and
• Improve organizational resilience
Risk Management Evolution

Traditional Risk Management                    Modern Risk Management
Compliance oriented                            Management oriented
Financial focus                                Broad organizational focus
Negative risk events                           Positive and negative risk events
Driven from credit and market risk modeling    Driven from strategic and organizational objectives
Top down approach                              Both top down and bottom up
Complex methodologies                          Simplified methodologies
Lacking front line involvement and buy-in      Organizational buy-in
Not seen as a model for small businesses       Accepted model for all businesses
ISO 31000 Methodology
• Principles
• Framework
• Process
History and Development
ISO (International Organization for Standardization) is the world’s largest developer and publisher of International Standards.
Established in 1947, ISO is a network of the national standards institutes of 159 countries.
History and Development - continued
• Australia, New Zealand and Japan initiated its creation – over 18 countries participated
• US Technical Advisory Group established in 2008
• Adopted in November 2009, now officially the first International Standard on Risk Management
• ISO 31010 – Risk assessment techniques issued
• Guide 73 (terminology guide) issued
Definitions
Risk:
Effect of uncertainty on objectives
NOTE 1: An effect is a deviation from the expected — positive and/or negative.
NOTE 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3: Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
NOTE 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.
Definitions
Risk management:
Coordinated activities to direct and control an organization with regard to risk
Risk management framework:
A set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring (2.28), reviewing and continually improving risk management (2.2) throughout the organization
• NOTE 1: The foundations include the policy, objectives, mandate and commitment to manage risk (2.1).
• NOTE 2: The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
• NOTE 3: The risk management framework is embedded within the organization's overall strategic and operational policies and practices.
ISO 31000 Approach
• Principles
• Framework
• Process
• Integrated approach that includes risk / opportunity management
• Keep it simple and practical – complexity is not an advantage
• Requires strong and sustained management commitment
• Incorporates most of the key elements of the COSO framework
Principles
Risk management must:
1. Create and protect value
2. Be an integral part of all organizational processes
3. Be part of decision making
4. Explicitly address uncertainty
5. Be systematic, structured and timely
6. Be based on the best available information
7. Be tailored to the organization
8. Take human and cultural factors into account
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Facilitate the continual improvement of the organization
Risk Management Framework
(The framework is a continuous cycle: mandate and commitment → design of framework → implementation → monitoring and review → continual improvement → back to design.)
Mandate and commitment
Design of framework for managing risk
• Understanding the organization and context
• Establishing policy
• Accountability
• Integration into processes
• Resources
• Establishing internal and external communication and reporting mechanisms
Implementing risk management
• Framework and process
Monitoring and review
Continual improvement of the framework
Risk Management Process
(Communication and consultation, and monitoring and review, run alongside every step of the process.)
Communication and consultation
Establishing the context
Risk assessment
• Risk identification
• Risk analysis
• Risk evaluation
Risk treatment
Monitoring and review
Risk Management Heat Map
[Figure: two 3×3 grids side by side, Opportunities and Risks. Horizontal axis: Likelihood (1 to 3); vertical axis: Impact on objectives (1 to 3). Plotted items: opportunities O-8, O-14, O-21; risks R-3, R-11, R-34, R-72.]
Management addresses these key risks and opportunities in its plans and priorities.
Note: Some adjustment to current priorities may be required.
Developed by Jay Mattingly
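The heat map above scores each risk and opportunity by likelihood and impact on objectives and places it in a grid so the ones needing management attention stand out. The following is an added example (not part of the presentation) that builds such a register in code: both axes use the slide's 1 to 3 scale, the score is likelihood × impact, and the attention threshold (score 6 or higher, i.e. the top-right cells) is a hypothetical choice. The item labels match those visible on the slide, but their likelihood and impact values are constructed for illustration.

```python
"""Risk / opportunity heat map on a 1-3 likelihood x 1-3 impact scale.

Added example; not code from the presentation. The register below is
constructed: the labels appear on the slide, the scores do not.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = (1, 2, 3)            # both axes: 1 (low) .. 3 (high)
ATTENTION_THRESHOLD = 6      # hypothetical cut-off: the cells scoring 6 or 9

Cell = Tuple[int, int]       # (likelihood, impact)


@dataclass(frozen=True)
class Item:
    ref: str                 # "R-nn" for a risk, "O-nn" for an opportunity
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        # Reject values outside the scale so a typo cannot silently
        # land an item in a non-existent cell.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.ref}: likelihood/impact must be in {SCALE}")
        if not self.ref.startswith(("R-", "O-")):
            raise ValueError(f"{self.ref}: ref must start with 'R-' or 'O-'")

    @property
    def kind(self) -> str:
        return "risk" if self.ref.startswith("R-") else "opportunity"

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def build_heat_map(items: List[Item]) -> Dict[str, Dict[Cell, List[str]]]:
    """Return one 3x3 grid per kind, each cell holding the refs placed in it."""
    grids: Dict[str, Dict[Cell, List[str]]] = {
        kind: {(l, i): [] for l in SCALE for i in SCALE}
        for kind in ("opportunity", "risk")
    }
    for item in items:
        grids[item.kind][(item.likelihood, item.impact)].append(item.ref)
    return grids


def needs_attention(items: List[Item], threshold: int = ATTENTION_THRESHOLD) -> List[str]:
    """Refs at or above the threshold, highest score first (ties by ref)."""
    ranked = sorted(items, key=lambda it: (-it.score, it.ref))
    return [it.ref for it in ranked if it.score >= threshold]


def render(grid: Dict[Cell, List[str]], title: str) -> str:
    """Plain-text grid: rows are impact 3..1 (top to bottom), columns likelihood 1..3."""
    lines = [title, "Impact \\ Likelihood   1        2        3"]
    for impact in reversed(SCALE):
        cells = [",".join(grid[(lik, impact)]) or "-" for lik in SCALE]
        lines.append(f"{impact:>20}   " + "  ".join(f"{c:<7}" for c in cells))
    return "\n".join(lines)


# Constructed sample register (values are illustrative, not from the slide).
REGISTER = [
    Item("R-3", 1, 3), Item("R-11", 2, 1), Item("R-34", 3, 3), Item("R-72", 3, 2),
    Item("O-8", 1, 1), Item("O-14", 2, 3), Item("O-21", 2, 2),
]

if __name__ == "__main__":
    grids = build_heat_map(REGISTER)
    print(render(grids["opportunity"], "Opportunities"))
    print()
    print(render(grids["risk"], "Risks"))
    print("\nFor management plans and priorities:", needs_attention(REGISTER))
```

Running the block prints both grids and lists R-34, O-14 and R-72 as the items management should carry into its plans; the `__post_init__` checks are there because a register entry with an out-of-scale value would otherwise disappear from the map instead of failing loudly.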
Framework Design: Clarifying Who Does What (Sample Federal Organization)
(Based on the Institute of Internal Auditors Position Paper and revised by CSA)