The webinar covers:
• Principles of risk management as defined in ISO 31000:2009
• Elicit the factors in defining the organization's risk culture
• Review the succeeding steps on implementing the risk management framework and its upfront challenges for organizations
Presenter:
This webinar was presented by Joshua Rey S. Albarina, Leading PECB certified ISO 31000:2009 Risk Manager in the Philippines. Currently he is the Senior Consultant for ISO programs of SAS Management. His areas of expertise are Sustainability practices (Energy and Environment), Organizational Resilience (Business Continuity, Asset and Risk Management), Business excellence (Quality and Six Sigma), IT practices (Information security and IT Governance).
Link of the recorded session published on YouTube: https://youtu.be/1zQQ1_v0o4k
Foundations of Risk Management - Principles and Culture
2. Joshua Albarina
Senior Consultant- Service Delivery
(+632) 949 3004
joshua.albarina@saservices.com.ph
www.saservices.com.ph
https://ph.linkedin.com/in/jralbarina
www.twitter.com/sas_mngt
www.facebook.com/sasmanagementinc
3. Foundations of Risk Management: Principles & Culture
Appreciating perspectives on enterprise risk and resilience
4. What’s next?
• The context of the organization and the in-depth understanding
of a risk-oriented culture
• The 11 principles of risk management- a closer look
• Moving forward: shifting the culture- where to begin?
5. The Enterprise in a Nutshell
[Slide diagram; only its labels survive extraction]
Organization
Input
Products
Services
Waste
Excess
Controls
Threats/ other uncertainties
Risk management
Organizational culture
Character
Behavior
Attitude
Principles
Contingencies
7. The 11 principles of risk management
Principle 1: Risk Management creates and protects value
Ensuring business objectives are realized… the way they were planned.
8. The 11 principles of risk management
Principle 2: Risk Management is an integral part of all organizational processes
Each has a role to perform, carefully done, to make the right sound together.
9. The 11 principles of risk management
Principle 3: Risk Management is part of decision making
One choice can make a difference- either make or break.
10. The 11 principles of risk management
Principle 4: Risk Management explicitly addresses uncertainty
Knowing what’s next- with a degree of certainty.
11. The 11 principles of risk management
Principle 5: Risk Management is systematic, structured and timely
With order comes certainty… and reliability.
12. The 11 principles of risk management
Principle 6: Risk Management is based on the best available information
Sound information, sound decisions, predictable results.
13. The 11 principles of risk management
Principle 7: Risk Management is tailored
One program, one design, one owner.
14. The 11 principles of risk management
Principle 8: Risk Management takes human and cultural factors into account
It takes people to move things together.
15. The 11 principles of risk management
Principle 9: Risk Management is transparent and inclusive
Greater transparency, more accountability
16. The 11 principles of risk management
Principle 10: Risk Management is dynamic, iterative and responsive to change
Adapt, then adopt.
17. The 11 principles of risk management
Principle 11: Risk Management facilitates continual improvement of the organization
Defining effective resilience in a changing context.
18. Moving forward
• Principles are both guides and enablers
• Shifting cultures requires two-way communication across all
management levels and in both contexts
• Starting the whole process begins at the top
19. Some principles governing culture change
Abraham Maslow: Hierarchy of Needs
• A popular theory on human motivation
• suggests that the most basic level of needs
must be met before the individual will strongly
desire the higher needs
• mostly explains our priorities
Lecture notes:
Originally, the objectives were defined in the presentation of webinar:
Have a closer look on the Principles of risk management as defined in ISO 31000:2009
Elicit the factors in defining the organization's risk culture
Review the succeeding steps on implementing the risk management framework and its upfront challenges for organizations
Intentionally, these are the objectives:
Objective 1- answers the question “what’s inside an organization practicing risk management at various levels and sections?”
Objective 2- goes into each principle and provides cases/ examples citing its reasons and relationships with other principles
Objective 3- answers the question “what makes the need to sustain the enterprise?”
Presentation sequence:
The gray box- typical setup of companies with controls based on industry best practices
The shades-of-brown box- presents the individual’s perspective in enabling the enterprise
The Principles
Notes:
While risk assessment methods follow a practical approach based on global frameworks (COSO, ISO 31000) across various types of risks (i.e. Strategic, Financial, Operational, Compliance), how much value they create for the organization depends on how well the organization recognizes the significance of this practice. In a similar fashion, the whole process, while ideal, is only as good as how its resources are managed, particularly its people, through the organizational culture.
That culture is influenced by each individual’s character, which is based on behavior, which in turn is dictated by attitude.
From the individual’s perspective, organizational principles, when communicated properly, influence attitude, then behavior, and eventually character, which in turn shapes the organization’s culture and so how the company’s strategic goals will be met.
An individual’s attitude, regardless of context, is highly influenced by the principles he adheres to, and building that by practice is quite an investment- one reason why companies “reasonably” consider allocating resources to holistically develop their people.
Principles (along with policies and frameworks), while they influence individuals within the organization, also influence the entire organization. That is why, for management systems and other best practices, the principles along with policies dictate the direction and approach to implementation, as much as frameworks guide the organization to effectively comply with its requirements.
Notes:
As principles are the enablers discussed on the previous slide, the tone of this discussion focuses on understanding the justifications for why enterprises need risk management adopted within the organization across all management levels.
While it is understood that there are a number of frameworks to select from and methodologies for developing the risk management program within the context, the guideline’s concept is meant to be simple, universal, and spontaneous, so that its importance is appreciated and enterprises are prompted to adopt the practice while adapting to the evolving economic landscape and to innovation within the company’s processes and technologies.
This slide, taken from the guideline, illustrates the recommended framework for enterprise risk management in a holistic approach, regardless of which sector one comes from. The most popular section of the framework is the third block, which represents the risk assessment methodology of ISO 31000:2009.
As a status update, revision of the guideline has commenced and the revised version is due for release in 2017.
ISO 31000:2009, Clause 3a:
Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.
How is it possible? Let’s take the case of manufacturing companies practicing the EMS, or any environmental best practices an organization can adopt.
During the planning phase, the team is expected to identify the impacts of each environmental aspect within the context that is subject to the establishment of the system. As per ISO’s Annex SL, clause 6.1, one must identify the uncertainties that can affect the program’s success, be they positive, negative, or neutral risks: for example, the impact on exposed employees of using aerosols containing traces of methylene dichloride, a classified carcinogen (cancer-causing agent) according to recorded MSDS information and other reliable knowledge repositories. If the organization’s EMS aims to reduce environmental impact by substituting alternative chemicals to avoid that use, then factors such as the variance in operational costs driven by the alternative chemical’s market price must also be considered. Depending on the company’s risk thresholds, set according to its profile, this can affect the company’s EMS performance as well, and more importantly its operations.
ISO 31000:2009, Clause 3b:
Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
Analogous to the picture on the slide (each orchestra player is part of the entire symphonic sound as interpreted by the orchestra’s conductor), each department in an organization, regardless of the scope of the company’s business goals and objectives, has a role to play. While effectively planning the tactics and activities based on the strategy, it is also about asking “how can a department achieve the defined objectives as exactly as it should?” For most finance institutions, where risk management exists as a separate entity, the nature of its activities will still encompass the enterprise, particularly its products and services, given the cash flow’s volatile nature and its significant value to the enterprise and, overall, to the economy.
ISO 31000:2009, Clause 3c:
Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
A school of fish in a bowl, while they share the same resource, may find their situation changing depending on the context, whether internal or external. Depending on the defined priorities, one can make a wise decision- but how wise can it be?
Managing risks, by its nature, tells a decision maker to rationalize over a given situation rather than relying only on instinct and gut feel, which oftentimes can help, especially when it comes to sudden disruptions from threats encountered within the enterprise. In the case of business continuity, a sound business continuity plan is only as good as how the risks from the identified threats were managed. The ability of an enterprise to “jump” to conclusions and decisions can affect the business either way. However, when decisions are based on risks, there is a level of confidence and predictability which in turn benefits the enterprise in various aspects.
ISO 31000:2009, Clause 3d:
Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
Example: the case of NASA’s New Horizons- answering a simple question, over a 3-billion mile distance, 26 years in the making, 10 years of travel- “What does Pluto look like?”
Despite the fact that it was more of a science mission, every step was identified, analyzed, evaluated and treated, anticipating possible scenarios of different extents, in order to gather scientific data that would change the course of history.
When it comes to scientific data, especially for companies where metrics are the nature of their business (like testing, measurement, verification and business analytics), any form of uncertainty can be translated into scientific or mathematical guesses, or in some ways predictable guesses, such as hypotheses or inferences, verified through a scientific method. Regardless of whether the approach to solving it is long or next to impossible, the method aims to determine and define the unknowns and see if the results validate one of the stated hypotheses.
In a similar way, risk management explicitly addresses uncertainty, given a proper approach. As in most companies, where all activities must be managed to deliver results, this can be done explicitly through a tangible approach.
ISO 31000:2009, Clause 3e:
A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.
Compared with other frameworks on risk management, ISO 31000 provides an organized approach to addressing risks and uncertainties that benefits the organization in two ways. The first is to promote a culture of continual improvement, as seen in the middle block of the framework. The second is that it gives organizations an opportunity to integrate other best practices implemented within the organization, through a careful understanding of the context, and to effectively address risk through a three-step risk assessment procedure that is popular across many industry sectors. For example, in the case of IT service companies, where information security and service management are both key factors in ensuring business value for their clients, understanding the risks associated with implementing an information security protocol for a key IT service in its portfolio requires a thorough and systematic understanding of the impacts and consequences. This helps management identify what actions or decisions to take to ensure service continuity while at the same time protecting the associated information assets from threats that exploit their vulnerabilities.
ISO 31000:2009, Clause 3f:
The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment. However, decision makers should inform themselves of, and should take into account any limitations of the data or modelling used or the possibility of divergence among experts.
A case in point is stock traders, who base their decisions on two types of analysis of information- fundamental and technical. To simplify the difference, consider the analogy of identifying the right candidate for a job: judging his character during the interview is the fundamental analysis, while his work portfolio, according to what was written on his CV, provides the technical analysis of the candidate. An audit practice known as corroboration is a technique that balances both of these analyses to provide the interviewer with information that is as accurate and reliable as possible.
In a large enterprise, where strategic objectives are set at a high level, making sound decisions is based on data released by reliable sources, who have dedicated years of expertise to providing their clients with foresight and hindsight, to come up with a set of strategic goals that can be cascaded to management to exercise the four stages of governance- planning, acquisition and establishment, execution and delivery, and checking (which can be broken down into monitoring, measuring and reviewing).
ISO 31000:2009, Clause 3g:
Risk management is aligned with the organization’s external and internal context and risk profile.
Because the context within the organization is identified first (refer back to the framework), marking the first step of the risk assessment process, it follows that the assessment techniques, the treatment of the defined risks, the generated risk registers and the refined tactical and operational activities contributing to risk-free conformance of the business are all aligned to the company’s strategy. Having said this, such solutions, or even the program itself, may be applicable elsewhere, but not exactly in their entirety.
As contexts are unique to each organization, so are the corresponding programs, regardless of which framework they have adopted. One reason why ISO exists is to give organizations an idea of how a framework must be carried out, tuned to the company’s business, creating value for its business and its reputation among its neighbors.
ISO 31000:2009, Clause 3h:
Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization’s objectives.
The principle in focus is similar to an old custom of ours known as the community spirit, or in our language, “Bayanihan”. This tradition was popular in earlier decades, especially for newly married couples living within a community of folks with the hope of building a family. Moving a house from one community to another required the support of everyone, carrying the small house together as a way of support.
Establishing a risk management program, as with any business practice applicable to the organization, will surely require resources- people, process, and technology. Of the three, the most important resource is the people, which is why, as mentioned earlier, an organization’s approach to risk management is only as good as how the people respond to it, as manifested through its culture. If we go back to the slide showing the enterprise in a nutshell, an organization’s culture is defined by its people, each defined by his character, which is based on his behavior toward the environment, which is eventually a function of his attitude, which is influenced by the principles he adheres to.
While risk management is something that nearly everyone does unconsciously, it takes risk-oriented individuals to build a risk-oriented culture.
ISO 31000:2009, Clause 3i:
Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
In this illustration, an iceberg floats depending on its foundation underneath and the area it covers. As the ocean water temperature rises, and the surrounding environment warms with it, the more vulnerable the iceberg becomes. What keeps the iceberg stable, though, and the focus of the discussion on this principle, is the mass underneath the floating top that forms its foundation.
In a similar context, the foundation of an organization’s risk management is only as good as how closely it keeps everyone involved. Communication and consultation with stakeholders is important because they make judgements about risk based on their perceptions of risk, which can vary due to differences in the values, needs, assumptions, concepts and concerns of stakeholders. As their views can have a significant impact on the decisions made, the stakeholders’ perceptions should be identified, recorded and taken into account in the decision making process.
ISO 31000:2009, Clause 3j:
Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of the risks take place, new risks emerge, some change, and others disappear.
The picture depicts the animal’s ability to adapt to its surroundings and adopt new behavior according to changing situations, as a means of either self-defense or offense. In a similar fashion, resiliency, flexibility in the face of change and iterative improvements to the system require the organization’s ability to adapt to its surroundings and adopt new practices according to the changing situations.
An emphasis is placed on continual improvement in risk management through the setting of organizational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills.
This can be indicated by the existence of explicit performance goals against which both the organization’s and the manager’s performance is measured.
ISO 31000:2009, Clause 3k:
Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.
The last principle reminds us of the quality philosophy developed by Masaaki Imai, which revolutionized the perspective on quality by continually striving for the better, enabling a ‘good change’ within the organization. This principle is not really far from it: it basically tells the organization that managing risks involves everyone within the organization in explicitly addressing uncertainty, through a systematic approach using the best available information, in order to deliver the desired value while at the same time establishing it as a culture that enables continual improvement.
Redirecting our thoughts to the second objective, consider the question of why companies need to be resilient. From the perspective of human survival, establishing resilience places deeper weight on addressing individual and immediate needs, while enterprise needs, particularly the company’s strategy, are addressed alongside them.
Among the three resources- people, process, technology- the human factor carries, across most perspectives, the bigger weight in organizational resilience.
In the end, when organizations recognize the need to be resilient, the people behind it will, from the perspective of survival, either comply or abandon, depending on each person’s adaptability to the principles of the organization and, more importantly, to the culture he is in. Above all, if we take things to a deeper level, understanding why risk management frameworks exist (beyond the fact that they benefit the organization) comes down to establishing the resilience and sustainability that will enable survival among individuals in a rapidly changing world.