ISO 31000 Risk Management


Published on

Presentation of ISO 31000:2009, Risk management, Principles and guidelines. This document explain the standard history, certification & accreditation, main concepts and scope. Implementation and implications are already included. Managing risk is other important topic developed in the document. Finally a short list of related standards are mentioned

Published in: Technology, Economy & Finance
1 Comment
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

ISO 31000 Risk Management

  1. 1. Twitter: @ramirocid ISO 31000 - Risk Management Ramiro Cid | @ramirocid ISO 31000 - Risk Management
  2. 2. Twitter: @ramirocid ISO 31000 - Risk Management 2 Index 1. Introduction Page 3 2. Certification and Accreditation Page 4 3. History Page 5 4. Main concepts Page 6 5. Scope Page 7 6. Implementation Page 8 7. Implications Page 9 8. Managing risk Page 10 9. Related standards Page 11
  3. 3. Twitter: @ramirocid ISO 31000 - Risk Management 3 Introduction The full name of this standard is: “ISO 31000:2009, Risk management – Principles and guidelines” This standard provides principles, framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment. ISO 31000 family is expected to include: ISO 31000:2009 - Principles and Guidelines on Implementation ISO/IEC 31010:2009 - Risk Management - Risk Assessment Techniques ISO Guide 73:2009 - Risk Management - Vocabulary
  4. 4. Twitter: @ramirocid ISO 31000 - Risk Management 4 Certification and Accreditation Certification: However, ISO 31000 cannot be used for certification purposes, but does provide guidance for internal or external audit programs. Organizations using it can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance. ISO 31000 has not been developed with the intention for certification. (2009) Accreditation: Starting from Mar 2013, accreditation and certification of Professional Certificate Lead Trainer & Consultant for ISO 31000 would be organized and conferred by Academy of Professional Certification (APC, in Hong Kong. APC is an authorized representative of ISO/TC262 for HKSAR Hong Kong.(2013)
  5. 5. Twitter: @ramirocid ISO 31000 - Risk Management 5 History ISO 31000 was published as a standard on the 13th of November 2009, and provides a standard on the implementation of risk management. A revised and harmonized ISO/IEC Guide 73 was published at the same time. The purpose of ISO 31000:2009 is to be applicable and adaptable for "any public, private or community enterprise, association, group or individual. Accordingly, the general scope of ISO 31000 - as a family of risk management standards - is not developed for a particular industry group, management system or subject matter field in mind, rather to provide best practice structure and guidance to all operations concerned with risk management.
  6. 6. Twitter: @ramirocid ISO 31000 - Risk Management 6 Main concepts Risk: “Effect of uncertainty on objectives” Positive and negative consequences Safety, compliance, strategy, anything under the sun Risk management: “coordinated activities to direct and control and organization with regard to risk” Risk management framework: “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization”. Risk management process: “systematic application of management policies, procedures and practices to the tasks of communication, consultation, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk”.
  7. 7. Twitter: @ramirocid ISO 31000 - Risk Management 7 Scope ISO 31000:2009 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization. This approach to formalizing risk management practices will facilitate broader adoption by companies who require an enterprise risk management standard that accommodates multiple ‘silo-centric’ management systems. The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives. Accordingly, ISO 31000:2009 is intended for a broad stakeholder group including: Executive level stakeholders Appointment holders in the enterprise risk management group Risk analysts and management officers Line managers and project managers Compliance and internal auditors Independent practitioners.
  8. 8. Twitter: @ramirocid ISO 31000 - Risk Management 8 Implementation The intent of ISO 31000 is to be applied within existing management systems to formalize and improve risk management processes as opposed to wholesale substitution of legacy management practices. Subsequently, when implementing ISO 31000, attention is to be given to integrating existing risk management processes in the new paradigm addressed in the standard. The focus of many ISO 31000 'Harmonisation' programmes have centred on: Transferring accountability gaps in enterprise risk management Aligning objectives of the governance frameworks with ISO 31000 Embedding management system reporting mechanisms Creating uniform risk criteria and evaluation metrics
  9. 9. Twitter: @ramirocid ISO 31000 - Risk Management 9 Implications Most implications for adopting the new standard concern the re-engineering of existing management practices to conform with the documentation, communication and socialization of the new risk management operating paradigm; as opposed to wholesale re-orientation of management practice throughout an organization. Accordingly, most senior position holders in an enterprise risk management organization will need to be cognizant of the implication for adopting the standard and be able to develop effective strategies for implementing the standard across supply chains and commercial operations. Certain aspects of top management accountability, strategic policy implementation and effective governance frameworks, will require more consideration by organizations that have previously used now redundant risk management methodologies. In some domains that concern risk management, in particular security and corporate social responsibility, which may operate using relatively unsophisticated risk management processes, more material change will be required, particularly regarding a clearly articulated risk management policy, formalizing risk ownership processes, structuring framework processes and adopting continuous improvement programs.
  10. 10. Twitter: @ramirocid ISO 31000 - Risk Management 10 Managing risk ISO 31000:2009 gives a list in order of preference on how to deal with risk: 1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk 2. Accepting or increasing the risk in order to pursue an opportunity 3. Removing the risk source 4. Changing the likelihood 5. Changing the consequences 6. Sharing the risk with another party or parties (including contracts and risk financing) 7. Retaining the risk by informed decision
  11. 11. Twitter: @ramirocid ISO 31000 - Risk Management 11 Related standards A number of other standards also relate to risk management: ISO Guide 73:2009, Risk management - Vocabulary complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk. ISO/IEC 31010:2009, Risk management – Risk assessment techniques focuses on risk assessment. Risk assessment helps decision makers understand the risks that could affect the achievement of objectives as well as the adequacy of the controls already in place. ISO/IEC 31010:2009 focuses on risk assessment concepts, processes and the selection of risk assessment techniques.
  12. 12. Twitter: @ramirocid ISO 31000 - Risk Management Questions? Many thanks! @ramirocid Ramiro Cid CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL