ENTERPRISE RISK MANAGEMENT
ISO 31000:2009

MOHAMAD HASSAN AK., MAFIS, QIA, CRMP, CRMA
ERM - ISO 31000
DETERMINE RISK CRITERIA
• What makes an ERM implementation unique to each organization
• Influenced by business objectives as well as the external and internal context.
• By definition: "terms of reference against which the significance of risk is evaluated".
• Types of risk criteria:
– Governance risk criteria
– Assessment risk criteria
Governance Risk Criteria
– Risk Capacity
– Risk Attitude
– Risk Appetite
– Risk Tolerance
Risk Capacity
• Board and senior management must understand both individual outcomes and aggregated outcomes from multiple events that could cause the organization to cease operations.
• Not only responsible for determining business objectives, but also for ensuring the organization survives.
• Figure: inadequate capital, inadequate cash flow, violations of laws & regulations, damage to reputation.
Risk Attitude
• The organization's approach to assessing and eventually pursuing, retaining, taking, or turning away from risk.
• An organization's risk attitude is essentially its cultural mindset with regard to risk.
• Risk attitude must be instilled over time.
• Figure: risk attitude spectrum, from risk averse to risk embracing.
Risk Appetite
• The amount of risk, at a broad level, an entity is willing to accept in pursuit of value (COSO ERM).
• Elements of risk appetite that shape its definition:
– Risk appetite is an integral part of strategic planning
– Not all risk outcomes are easily measurable; qualitative (type) and quantitative (amount)
– Appetite may reflect the desire to pursue positive outcomes as well as to minimize negative outcomes
– An organization must accept some level of risk to be successful
• Examples of risk appetite statements:
– Invest at least 15 percent of revenues
– Maintain a debt/equity ratio of 1.5 or less
– Put no more than 50 percent of capital at risk
– Do not build key manufacturing plants in areas prone to floods or earthquakes
Risk Tolerance
• Readiness to bear the risk after risk treatment in order to achieve objectives.
• Risk-taking boundaries within which managers and employees are expected to perform in pursuit of the organization's strategic, operations, reporting, and compliance objectives.
• Examples:
– Annual operating results should not be less than 90 percent of budget
– Customer satisfaction rating should meet or exceed 95 percent
Assessment Risk Criteria
• Impact: a measure of the size of potential risk outcomes, should the event occur.
– Impact types include, but are not limited to, financial, reputational, legal, environmental, and safety outcomes.
• Likelihood: reflects an estimate of the possibility that risk events will occur and result in the assessed risk outcomes.
Other Risk Assessment Criteria
• Figure groupings: inherent criteria, capability criteria, consequence.
• Criteria shown: readiness & preparedness, significance, agility, severity, resilience, frequency, controllability, velocity, monitorability, volatility, maturity, interdependency, degree of confidence.