Iso 31000 presentation

ORMIS April 21, Toronto, ISO 1
ISO 31000 (Nov. 2009)
What is it? What’s new?
How to Implement?
Please interrupt, thank you
John Shortreed
ORIMS Workshop
Wednesday, April 21, 2010
Arts & Letters Club, 14 Elm Street, Toronto, Ontario

Proposed AGENDA – OK?
• Risk is “effect of uncertainty on objectives”
• Discussion of Adopt 31000 - PHB Bilton and KISS
• Overview of 31000; introduction, scope, principles,
framework, process
• How to “sell” ERM to senior management?
• The role of risk appetite risk tolerance and the ubiquitous
risk matrix/map/profile to deal with existing silos
• How will ERM help improve existing risk management?
• Next steps? How to measure success?
• Monitor, communications and consultation, and risk
ownership.
• Role of CRO? (Ans- Minimal)
• What did we learn today?

Risk - “effect of uncertainty on objectives” (ISO 31000)
• NOTE 1 An effect is a deviation from the expected — positive
and/or negative. (wrt achieving objectives)
• NOTE 2 Objectives can have different aspects (such as
financial, health and safety, and environmental goals) and can
apply at different levels (such as strategic, organization-wide,
project, product and process).
• NOTE 3 Risk is often characterized (i.e. named, e.g. credit risk) by
reference to potential events (2.17) and consequences (2.18),
or a combination of these.
• NOTE 4 Risk is often expressed in terms of a combination of
the consequences of an event (including changes in
circumstances) and the associated likelihood (2.19) of
occurrence.

There are two ways a risk can have an effect on objectives.
1. the effect of a risk when and if it should occur, or
2. the very existence of a risk whether it happens or not.
(2.) is the acceptance, or not, of being in risky situations - a friend of mine says he
can not sleep at night if his money is invested in stocks, even knowing they
provide better returns. So he invests in government bonds. It is the
uncertainty that he can not stand. Related to risk appetite.
(1.) is the traditional risk and where risk management seeks to increase the good
and decrease the bad consequences (as translated into objectives)
The "uncertainty" or ambiguity, is the essence of risk, and can be part of:
a. the risk identification (source, associated event(s) & consequence(s) )
b. the event effect or consequence as estimated by analysis methods
c. the probability itself (in addition to uncertainty of identification (a), event (b),
and effect (d)) [probability of a probability drives mathematicians mad]
d. the objectives themselves and the link between consequences and
objectives (either measurement or how objectives reflect values or how
attitudes might bias selection and metrics of objectives)
Discussion from last week

(Aside) ISO Definitions are nested – rigorous substitution rule
(2.18) Consequence - outcome of an event (2.17)
affecting objectives
and since Event - occurrence or change of a particular set of
circumstances, then
(2.18) Consequence - outcome of an occurrence or
change of a particular set of circumstances affecting
objectives
(2.26 )control - measure that is modifying risk (2.1)
(2.26 )control - measure that is modifying effect of
uncertainty on objectives
Try residual risk (2.27) – insert risk treatment, control (?) and risk

Discussion of “YES Adopt 31000 “- PHB Bilton and KISS
• survey question – which framework is right?)
• Answer - ISO 31000 should be adopted
immediately and that existing COSO, PMI, and
other frameworks and processes integrated with
31000 in the short term and in the longer term
modified to better reflect, not so much 31000, as
the “ERM risk framework” in the organization.
• The rational is that ISO incorporates these other
approaches [with gaps], is principle and performance based
and is simple enough and flexible enough to be used by
any organization.

The COSO ERM
Framework
only negative risk!
(a common problem)
 Entity objectives can be viewed in the context of
four categories:
• Strategic
• Operations
• Reporting
• Compliance

BHP Billiton RISK MANAGEMENT POLICY
Risk is inherent in our business. The identification and management
of risk is central to delivering on the Corporate Objective.
• By understanding and managing risk we provide greater certainty and
confidence for our shareholders, employees, customers and suppliers,
and for the communities in which we operate.
• Successful risk management can be a source of competitive
advantage.
• Risks faced by the Group shall be managed on an enterprise-wide
basis.
• Risk Management will be embedded into our critical business activities,
functions and processes. Risk understanding and our tolerance for risk
will be key considerations in our decision making.
• Risk issues will be identified, analysed and ranked in a consistent
manner. Common systems and methodologies will be used. (cont.)

•Risk controls will be designed and implemented to reasonably assure the
achievement of our Corporate Objective. The effectiveness of these controls
will be systematically reviewed and, where necessary, improved.
•Risk management performance will be monitored, reviewed and reported.
Oversight of the effectiveness of our risk management processes will provide
assurance to executive management, the Board and shareholders.
•The effective management of risk is vital to the continued growth and
success of our Group.
• signed Chip Goodyear
•Chief Executive Officer (see web site for all the BHP good stuff)
Done by 3 people (lead Grant Purdy) in 4 years
for all 200,000 employees, with 80,000 risk owners identified
Over 12,000 risk assessments on file (open), and then
Risk management department eliminated.
IT CAN BE DONE – Keep It Sweet and Simple
Senior Management leads the charge

Commit and Mandate
•Policy Statement
•Standards
•Guidelines
•RM Plan and RM Process
•Assurance Plan
Communicate & Train
•Stakeholder analysis
•Training needs analysis
•Communication strategy
•Training strategy
•Roles and Reporting
Structure & Accountability
•Board RM Committee
•Executive RM Group
•RM Working Group
•Facilitator for Risk Management
•RM Champions
•Risk and Control Owners
Review & Improve
•Control assurance
•RM Plan progress
•RM Maturity Evaluation
•RM KPIs
•Benchmarking
•Governance reporting
Framework Continuous
Improvement Cycle
Management Information System
-Risk Registers -Treatment Plans
-Assurance Plan -Reporting templates
Framework Implementation
Establish context
Identify risks
Analyse risks
Evaluate risks
Treat risks
Communicateandconsult
Monitorandreview
Risk assessment
Process for Managing Risk
Framework
Implementation
FrameworkContinuous
ImprovementCycle

4.2
Mandate
and
commitment
4.4
Implementing
risk
management
4.3
Design of
framework
for managing risk
4.6
Continual
improvement
of the
framework
4.5
Monitoring
and review
of the
framework
Framework for
managing risk
(Clause 4)
a) Creates value
b) Integral part of
organizational processes
c) Part of decision making
d) Explicitly addresses
uncertainty
e) Systematic, structured
and timely
f) Based on the best
available information
g) Tailored
h) Takes human and
cultural factors into
account
i) Transparent and inclusive
j) Dynamic, iterative and
responsive to change
k) Facilitates continual
improvement and
enhancement of the
organization
Principles for
managing risk
(Clause 3)
Process for managing
risk
(Clause 5)
ISO Overview
3 main clauses
plus terminology from
ISO Guide 73

How to “sell” ERM to senior management? Up to Organization not you
When implemented and maintained in accordance with this International
Standard, the management of risk enables an organization to, for example:
• increase the likelihood of achieving objectives;
• encourage proactive management;
• be aware of the need to identify and treat risk throughout the organization;
• improve the identification of opportunities and threats;
• comply with relevant legal and regulatory requirements and international norms;
• improve mandatory and voluntary reporting;
• improve governance;
• improve stakeholder confidence and trust;
• establish a reliable basis for decision making and planning;
• improve controls;
• effectively allocate and use resources for risk treatment;
• improve operational effectiveness and efficiency;
• enhance health and safety performance, as well as environmental protection;
• improve loss prevention and incident management;
• minimize losses;
• improve organizational learning; and
• improve organizational resilience.

The role of risk appetite & risk attitude
“amount and type of risk that an organization is willing to
pursue or retain”
“organization's approach to assess and eventually
pursue, retain, take or turn away from risk “
• Vague term that is still evolving, can be bottom up (from typical
decisions) or top down from basics of survival and comfort of board
and senior management
• In conceptual terms
– Identify all risks (events and consequences ) [high level]
– Estimate plausible worst case and best case scenarios – may be
expressed as a risk profile
– Examine the robustness of the organization wrt plausible cases
– Balance opportunities and threats against the organization’s
capabilities/resources and select a risk appetite or risk attitude –
how risk adverse?

Risk Tolerance is the practical step between
risk appetite and risk criteria (risk evaluation)
(also deals with silos)
• for specific consequence categories
(reputation, credit, compliance, country, etc.)
• for predetermined categories of likelihood
• find equivalent effects on objectives
• done by senior management (workshops)
• using risk matrix results as a check and
perhaps involving voting, delphi, etc.

Likelihood Scale for Tolerance (Simple Rating Scale)
(Hydro 1 Harvard Business School case study 9-109-001)
1. Remote 5% probability that the event will occur in the next 36
months
2. Unlikely 25% probability that the event will occur in the next 36
months
3. Even Odds 50% probability that the event will occur in the next
36 months
4. Very Likely 75% probability that the event will occur in the next
36 months
5. Virtually Certain 95% probability that the event will occur in the
next 36 months

Hydro 1 Risk Tolerances for 3 Silos (Fraser, 2009)
Business
Objective
Conse-
quence
5
Worst Case
4
Severe
3
Major
2
Moderate
1
Minor
Financial Net income
(shortfall)
>$150
million
$75-
$150
million
$25-
$75
million
$5-$25
million
<$5
million
Reputa
tion
Negative
Media-
Opinion
Leaders and
Public
Internation
al
Everyone
National
Most
Provin
cial
Several
Local Letters
To Govt
& Hydro
System
reliability
Outages
Customers,
or # MW for
7days, or
Fail NERC
>100,000
>1000
YES
40-100k
400-1000
Some
10-40k
100-400
Warning
1-10k
10-100
Near many
<1,000
<10
Near few

Standard sort of Risk Matrix
be careful, extremely careful, with risk matrices
works well at the understanding/communications level, BUT
Very Likely
(>.45)
Likely
(.45 - .19)
Medium
(.19 - .05)
Unlikely
(.05 - .011)
Remote
(< .011)
Minor
Moderate
Major
Severe
Catastrophic
Likelihood
Consequences
High
Medium
Low
Risk levels plotted
in structured
Workshop with
Experts, voting, Delphi…

Example of use of Risk Matrix
to set priorities
What might be wrong with this?
1. Refurbish 3. IT Upgrade
Medium
High
Low
KPI - Tx/Dx Reliability
Consequences
>10
5-10
1-5
.2-1
<0.2
Likelihood
No Impact
Medium
High
Low
KPI - Unsupplied Energy
Likelihood
VL
L
M
UL
VU
L
Consequences
Cata
Severe
Major
Mod
Minor
Medium
High
Low
KPI - SFI
Likelihood
VL
L
M
UL
VU
L
Consequences
Cata
Severe
Major
Mod
Minor
Medium
High
Low
KPI - Unavailability
Likelihood
VL
L
M
UL
VU
L
Consequences
Cata
Severe
Major
Mod
Minor
Medium
High
Low
KPI - Worst Served Cust.
Likelihood
VL
L
M
UL
VU
L
Consequences
Cata
Severe
Major
Mod
Minor
No Impact
2. Vegetation Mgmt
Medium
High
Low
KPI - Dx SAIDI
Likelihood
Consequences
Cata.
Severe
Major
Mod
Minor
Medium
High
Low
KPI - Dx SAIFI
Likelihood
Consequences
Cata.
Severe
Major
Mod
Minor

Basic and overarching in 31000 – Integration
ISO 31000 “recommends that ;
organizations develop, implement and
continuously improve a framework whose
purpose is to integrate the process for
managing risk (RMP) into the organization's
overall governance, strategy and planning,
management, reporting processes, policies,
values and culture.”
How will ERM help improve existing risk management?

Overarching in 31000 – Integration
(continued)
4.3.4 Integration into organizational processes
•Risk management (RM) should be embedded in all the
organization's practices and processes in a way that it is
relevant, effective and efficient.
•The risk management process should become part of,
and not separate from, those organizational processes
•When you make any decision/choice then part, and only
a part, of the decision process is the Risk Management
Process (RMP)

Overarching in 31000 – Integration (continued)
“2.7 risk owner - person or entity with the
accountability and authority to manage a risk ”
•Every risk (effect of uncertainty on objectives) is
owned
•Risk owners are listed in risk register
•Ownership has its privileges – get to monitor:
risk, risk controls (may be responsibility of others), cost
of controls, effectiveness of controls, value of RMP
(risk management process); and continuously improve all
•your annual evaluation includes how well you
manage your owned risks (part of the standard!)

Ironically, 48.7% of respondents describe
the sophistication of their risk oversight
processes as immature to minimally
mature. Forty-seven percent do not have
their business functions establishing or
updating assessments of risk exposures
on any formal basis. Almost 70% noted
that management does not report the
entity’s top risk exposures to the board of
directors. These trends are relatively
unchanged from those noted in the 2009
report. (NCU ERM center 2010 report)

“risk management framework –
set of components that provide the foundations and
organizational arrangements for designing, implementing,
monitoring, reviewing and continually improving risk
management throughout the organization
NOTE 1 The foundations include the policy, objectives,
mandate and commitment to manage risk
NOTE 2 The organizational arrangements include plans,
relationships, accountabilities, resources, processes and
activities
NOTE 3 The risk management framework is embedded
within the organization's overall strategic and operational
policies and practices “ (ISO 31000)

7 components to the ERM Framework
1. Mandate and commitment to
the framework (step 1)
a. Agreement in principle to proceed
b. Gap analysis
c. Context for framework
d. Design of framework
e. Implementation plan
2. Risk management policy
a. Policies for the framework, its
processes and procedures
b. Policies for risk management
decisions;
– i. Risk Appetite
– ii. Risk Criteria
– iii. Internal Risk Reporting
3. Integration into the
Organization
4. Risk Management Process
5. Communications and
Reporting
6. Accountability
• a. Risk ownership and risk register
• b. Managers’ performance evaluation
7. Monitoring, Review and
Continuous improvement
a. Responsibility for maintaining and
improving framework
b. Risk Maturity and continuous
improvement of framework

The risk management process
Establish the context
Identify risks
Analyse risks
Evaluate risks
Treat risks
Communicateandconsult
Monitorandreview
Used by every manager for every decision

Risk Assessment
• Identify the risks
• Analyze the risks (Note: when numerical estimates
of likelihood, consequences not available then
subjective risk matrix methods may be used)
• Evaluate the risks against Risk Criteria
• Result of Evaluation is to (or not to) Accept Risk-
”informed decision to take a particular risk”
• Not Acceptable, go to Risk Treatment

Risk Treatment- “process to modify risk”
“NOTE 1 Risk treatment can involve:
— avoiding the risk
—increasing risk in order to pursue an opportunity;
— removing the risk source
— changing the likelihood
— changing the consequences
— sharing the risk with another party or parties [including risk
financing]
— retaining the risk by informed decision
NOTE 3 Risk treatment can create new risks or modify existing
risks.”
Risk Treatment is often a cycle of: Control options, Assessment of
Residual Risk, Accept?, Treat risk?, Control options,
Assessment…

“communication and consultation”
“continual and iterative processes that an organization
conducts to provide, share or obtain information, and
to engage in dialogue with stakeholders regarding
the management of risk
• NOTE 1 The information can relate to the existence, nature,
form, likelihood, significance, evaluation, acceptability,
treatment aspects
• NOTE 2 Consultation is a two-way process of informed
communication between an organization and its stakeholders on
an issue prior to making a decision or determining a direction on
that issue. Consultation is:
– a process which impacts on a decision through influence
rather than power; and
– an input to decision making, not joint decision making. “

Example risk register for a specific Strategic Objective – illustration only
Courtesy of the Food Company
•High
Risk
ProfileObjective xx “Ready-to-Heat”
Action Plan
 Accelerate innovation
 Conduct competitor analysis
session
 Increase of aggressive competition
from Rice Master and Fast Rice
 Aggressive year for growth target
for the segment & brand
 Achieve new product growth
targets
Control ActivitiesRisks (uncertainties re Obj)
•JoeOwner
•yesPriorityAggressively grow and build the ready-to-heat business by expanding the
product line (15% NSV growth & maintain shares above 30%) and
broaden the availability of the product.
1. Identify initiatives and their associated
descriptions with measurable objectives
2. Prioritize order of
the key initiatives
based on their
contribution to
achieving the overall
financial and strategic
objectives within the
OP
4. List of risks that could hinder the ability to
meet the initiative’s objectives
5. List of planned activities that will modify the
risks – match the treatment strategies to risk
through the reference numbers
6. Management Team evaluates the probability
of success in achieving this initiative’s overall
objectives
3. Document the
individual in charge of
the given initiative
7. Document the
immediate next steps
for effective initiative
execution
1
2
3
1,2,3
1
Jane to develop 2-3 innovation
schemes within 2 months
Joe to do market analysis

4. Existing Controls4. Existing Controls
Preventative
5. Existing Controls5. Existing Controls
Reactive – Post Event
2. Causes
6. Risk Control
Effectiveness
7. Consequence
rating
3. Impacts
Existing Preventative Controls Existing Reactive ControlsControl Owner Control Owner
Task (future controls) Task Owner Due Date Task (future controls) Task Owner Due Date
8. Likelihood
rating
9. RISK
RATING
10, Comments
BowBow--Tie Risk Treatment ToolTie Risk Treatment Tool
11. Risk Owner
© Broadleaf Capital International, 2006
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
1.
2.
3.
4.
5.
6.
1.
2.
3.
4.
5.
6.
1.
2.
1.
2.
3.3.
Example of an integrated tool for RM Process

Companies that are considered "strong" demonstrate an enterprise-
wide view of risks, but are still focused on loss control. These
companies have control processes for major risks, thus giving them
advantages due to lower expected losses in adverse times, as such
companies can consistently identify, measure, and manage risk
exposures and losses in predetermined tolerance guidelines. Strong
ERM firms are unlikely to experience unexpected losses outside of
tolerance levels. Risk and risk management are usually important
considerations in such firms' corporate judgment.
Companies that are considered "excellent" possess all of the
characteristics of those scored "strong" and will also demonstrate
risk/reward optimization. Such companies have very well-developed
capabilities to consistently identify, measure, and manage risk
exposures and losses in predetermined tolerance guidelines. Risk and
risk management are always important considerations in such firms'
corporate judgment. It is highly unlikely that these firms will experience
losses outside of their risk tolerance.
How to measure success? – Risk Maturity?
Standard and Poor’s ERM perspective (still too negative)

Risk Maturity Score – Fraser Valley Health
Level of ERM Maturity
Elements of ERM 1
Initial
2
Repeatable
3
Defined
4
Managed
5
Optimized
Organization Philosophy &
Culture
Leadership Commitment
RM Capabilities
RM Process
Monitoring & Review
Reporting & Control
Integration with other
Management Systems

Organization Philosophy & Culture
Level of
Maturity
1
Initial
2
Repeatable
3
Defined
4
Managed
5
Optimized
1. Risk
management
culture
The focus is
primarily on
responding to crises
and tends to be
reactive rather than
proactive.
People tend to be risk
averse. Risks are
identified primarily
at operational and
project levels. RM
concepts are
intuitively
understood and
practised on ad hoc
basis. A cautious
approach is taken to
RM overall.
RM is done
proactively to
anticipate risks and
develop mitigation
plans. Emerging risks
are considered. Focus
is on opportunities,
not just risk
avoidance. Risk
implications are
considered in all
major decisions.
Risks are consistently
managed. Staff are
encouraged to be
innovative. The
organization fosters a
culture of continuous
learning and
participation. Staff
are highly committed
to organization
success.
RM is done at every
level in the
organization, and is
strongly integrated
with management
practices. Individual
and organization
expectations for RM
are synchronized.
2. Roles and
responsibilities
for managing risk
Roles and
responsibilities are
not documented and
are unclear. No
individual
accountability for
managing risk. RM is
viewed as a
department rather
than a process.
Responsibilities for
managing risk have
been established (job
descriptions, terms of
reference, etc.), but
are not understood or
consistently
followed. Risk is
managed intuitively,
on an ad hoc basis.
Roles and
responsibilities for
RM are clear, well
communicated and
understood
throughout the
organization.
RM is embedded in
individual behaviour.
Individuals are
empowered to
manage risks.
Responsibility for
RM is an integral
part of goal setting
and performance
planning.
Individual
accountability for
RM is firmly
embedded in
organization culture.
Roles and
RM is aligned with
overall organization
accountability
framework.

Organization Philosophy & Culture cont’d
Level of
Maturity
1
Initial
2
Repeatable
3
Defined
4
Managed
5
Optimized
3. Linkage to
ethics and values
No ethics policy or
guidelines in place.
Policy statements are
issued on ad hoc
basis. No clear
statements of shared
values or principles,
or attention to legal
or political
considerations.
Organization has an
ethics and values
statement. RM
philosophy is
reflected in written
code of ethics and
values. Philosophy is
attuned to legal and
political
considerations.
Policies are
communicated across
the organization but
applied
inconsistently.
Ethics and values
principles and
legal/political
considerations are
well understood by
staff, and applied
consistently
throughout the
organization. RM
approach is closely
aligned with ethics
and values.
Ethics and values
help managers take a
balanced approach to
RM, and reconcile
competing external
forces. Ethics and
values surveys
consider risk, and are
carried out regularly.
Improvements are
made.
Ethics, values and
sensitivity to
legal/political
considerations are
consistently reflected
in organization
practices and RM
approach.
Atmosphere of
mutual trust exists at
all levels of
organization. Few
infractions or
incidents occur.
4. Valuing risk
management
behaviour
High level of
scepticism exists
within organization.
Mixed messages are
given to staff. RM is
not considered in
assessing and
rewarding
performance. Staff
contribution to
managing risk is not
recognized or valued.
People are consulted
and given
opportunity to
participate in RM.
Staff contribution to
managing risk is
recognized on ad hoc
basis. Performance in
managing risks is
considered in
recognition and
rewards programs.
The working
environment supports
a proactive approach
to managing risks.
Information on risk is
shared openly.
Strong sense of
teamwork exists
across the
organization.
Recognition and
rewards programs
encourage staff to
manage risks and
take advantage of
opportunities.
Management is
committed to
continuous RM
learning. Sanctions in
place for knowingly
ignoring risks. Staff
development is a
major organization
priority.
Staff encouraged and
recognized for
identifying risks and
opportunities, and for
identifying risks not
being appropriately
managed. Staff
continuously cited
for their exemplary
behaviour. Value of
human capital in the
organization is
measured.

Leadership Commitment to Risk Management
Level of
Maturity
1
Initial
2
Repeatable
3
Defined
4
Managed
5
Optimized
5. Leadership RM is the concern of
managers, and is
dealt with on an ad
hoc basis. RM
concepts are ill
defined and not well
understood. No
leadership
engagement.
RM initiatives are
supported by senior
management on ad
hoc basis. Risks are
managed by
operational
managers. No Board
engagement.
Senior management
regularly engaged in
formal RM process.
Minimal Board
engagement.
Senior management
oversee and
champion the
organization’s RM
framework, and lead
by example. Some
Board engagement.
Board and senior
management
commitment for RM
clearly articulated,
and strongly
embedded at all
levels of the
organization.
6. Risk
management
framework &
policy
The organization has
no formal RM
framework or policy.
Some RM policies
for specific areas
have been formally
documented to
address specific
risks.
Organization RM
framework in place.
Organization RM
framework and
policy. These are
well communicated
and followed.
Board approved RM
framework and
policy are well
communicated,
followed and
compliance is
monitored.
7. Roles and
responsibilities of
senior
management
Unclear roles and
RM. The audit
function is seen as
responsible for
identifying risks.
Specialists are
responsible for
managing risks.
Managers identify
and respond to risks
on an ad hoc basis.
Senior management
assume responsibility
for RM practices.
Collectively, they
identify and assess
key organization
risks, and develop
mitigation plans.
Senior management
roles and
RM are well
documented in
accountability
agreements or
governance
documents. They are
consistently applied
and monitored.
Senior management
promote and support
research into RM
best practice to
ensure evidence-
based approach.
They are seen as
leaders and
innovators for
implementing state of
the art RM concepts.

Risk Management Capabilities
Level of
Maturity
1
Initial
2
Repeatable
3
Defined
4
Managed
5
Optimized
8. Risk
management
competencies
RM is not perceived
to be a formal
competency. RM
concepts are not well
understood.
RM competencies
have been identified,
and skills gap
established by some
managers. Little or
no formal training
has been done.
Training in RM is
high priority. Skills
gap is being
addressed. Training
is being sourced.
There is “cross-
fertilization” between
specialists and
managers.
RM competency
development is
integral part of
individual learning
plans, and
organization
development
programs. Staff at all
levels are being
trained, and skills
gaps addressed.
Ongoing
commitment to
ensure continuous
renewal of RM
competencies. The
organization is well
known and respected
for its RM training
program.
9. Risk
management
techniques
Limited RM tools
and techniques are
available.
Managers tend to use
their own individual
approach for risk
analysis. Available
RM techniques have
limited focus in
specialised areas
(e.g., finance,
OH&S, IT project
management).
Managers have
access to various RM
techniques that
integrate financial
and non-financial
information for risk
analysis. Tools are
used with specialist
support.
Wide range of RM
tools/techniques
available to all staff
who understand how
to use them, as well
as their benefits and
limitations.
Knowledge transfer
occurs between
specialists and
managers.
RM tools and
techniques are
integrated with other
management decision
support tools. Strong
interface with IS.
Periodic review and
update of tools and
techniques.
10. Specialist
support
No specialist support
for RM.
Specialists are used
by management to
carry out basic risk
analysis on an ad hoc
basis.
Specialists are known
throughout the
organisation and
often called upon by
managers to provide
RM analysis and
advice on specific
issues.
The expert advisory
role of specialists is
valued by all levels
of management.
Specialist support
viewed as a key
enabler in initiating
change.
Specialists advise on
broad range of issues,
on an integrated
basis, through multi-
disciplinary teams.
Externally
recognized.

Risk Management Process
Level of
Maturity
1
Initial
2
Repeatable
3
Defined
4
Managed
5
Optimized
11. Risk
identification &
assessment
No formal process to
identify and assess
risks.
Risks are identified
for specific areas,
and assessed by
managers on an ad
hoc basis. No formal
process in place. No
attempt to aggregate
risks across the
organization.
Formal risk
assessment process
and tools available to
managers. Tools are
used with specialist
support. Risks are
identified across the
organisation to
provide aggregate
view.
Formal process and
tools available to
managers who
understand their
benefits/limitations,
and know how to
apply them. More
sophisticated tools
available with
specialist support.
Risk categories
provide aggregate
view for better
understanding.
Risk assessment
process and tools are
integrated with other
management decision
support tools. Strong
interface with
organization
management
information systems.
12. Risk
tolerance
Risk tolerance is not
defined.
Risk tolerance is not
defined. Specific risk
levels are accepted or
rejected intuitively.
Risk tolerance is
somewhat defined for
the organization and
used by management.
Common
understanding and
application of
specific risk
tolerance levels.
Risk tolerance levels
established at all
levels of the
organization guide
decision making.
13. Risk
documentation
No formal risk
documentation is
done.
No formal process in
place. Risks
documentation that
does occur is ad hoc
and inconsistent.
Formal
documentation of
risks in some areas –
i.e., risk register, RM
plans.
Formal
documentation of
risks at all levels of
the organisation.
Risk registers and
RM plans are
regularly monitored
and updated.
Formal
documentation of
risk (risk register,
RM plans) is an
integral part of
planning and
decision making –
and a requirement of
the Board.

Monitoring & Review
Level of
Maturity
1
Initial
2
Repeatable
3
Defined
4
Managed
5
Optimized
14. Performance
measurement
No formal
performance
measurement system
in place.
Performance
measurement at
departmental level
involves monitoring
of risks. Some risk
indicators have been
developed but not
consistently applied.
Organization-wide
performance
measurement system
includes monitoring
of risk indicators.
Risk indicators are
interpreted in relation
to other corporate
performance
measures. Regular
monitoring and
review by Executive.
Strategic and
operational risk
indicators and
performance
measures are closely
linked. Regular
monitoring and
review by Executive
and the Board.
15. Review of the
risk management
practices
No measurement
framework in place
to assess RM
practices.
Evaluation of RM
practices occurs in
specific areas. This is
typically done by
internal audit.
Performance
indicators to assess
progress in
implementing
organization RM
framework, and the
effectiveness of RM
practices have been
developed.
Information is
regularly collected to
monitor outcomes
achieved as a result
of RM framework
and practices.
Benchmarks
established against
which to assess
progress.
Performance against
indicators is
measured, and results
tracked over time.
Action taken to
improve. RM
performance
indicators and
benchmarks are
regularly reviewed
and updated.

Reporting & Control
Level of
Maturity
1
Initial
2
Repeatable
3
Defined
4
Managed
5
Optimized
16. Risk
management
plans
No formal RM plans
exist.
Formal RM plans in
place to address and
report on specific
risks. However, RM
plans are not
developed on a
consistent basis
throughout the
organization.
RM is discussed as a
part of the strategic
and business
planning processes.
Plans include an
overview of key risks
and mitigation.
Organization-wide
RM plan in place that
includes
comprehensive
analysis of
organization risks
and mitigation. Plan
is regularly reported
against, reviewed
and updated by
senior management.
Organization RM
plan is viewed as
integral to
organization success.
The plan is regularly
reviewed and
updated by senior
management, and
reported to the
Board.
17. Controls Existing controls are
not linked to
corporate objectives
or risk appetites. No
criteria in place to
evaluate controls
effectiveness.
Controls are used on
an ad hoc basis to
respond to new risks.
Limited cost/ benefit
analysis of controls.
Controls
effectiveness is not
monitored on a
regular basis.
Controls reflect
corporate objectives
and risk appetites.
Cost/ benefit analysis
of controls is
regularly conducted.
Controls compliance
and effectiveness is
monitored at high
level.
Risk significance, as
well as the cost/
benefit of mitigation
options is considered
prior to
implementing
controls. Compliance
with, and
effectiveness of,
controls is regularly
monitored and
reported throughout
the organization.
The organization’s
control environment
is integrally linked to
objectives, risk
appetites and RM
strategies. Controls
compliance and
effectiveness is
regularly monitored
and reported against,
and improvements
made as required.

Integration with Other Management SystemsLevel of
Maturity
1
Initial
2
Repeatable
3
Defined
4
Managed
5
Optimized
18. Linkage with
strategic and
operational
planning
RM is not linked
with organization
planning processes.
Risks are considered
in development of
business and
operational plans on
ad hoc and
inconsistent basis.
Formal consideration
of risks is integral
part of strategic and
operational planning.
Formal RM process
integral to strategic
and operational
planning. Risks are
prioritized, and
cost/benefit of
mitigation options
are assessed.
RM process is fully
embedded in
organization
planning at all levels.
A variety of
modelling techniques
used to quantify
risks.
19. Linkage to
management
information
system
Limited management
information to
support RM.
Management
information exists to
varying degrees to
support RM at
departmental level.
Management
information exists for
organisation as a
whole but with
limited “drill-down”
capability.
Organization-wide
performance
management system
in place. Information
is used on ongoing
basis to support RM.
Sophisticated
decision support
tools available on-
line to support RM at
all levels of the
organization.
20. Linkage to
internal
communication
and feedback on
risks
No formal internal
communication
channels for risk
issues.
Ad hoc
communication on
risk issues at
departmental level.
Managers tend to
work independently
with some
interaction.
Communication on
risk issues follows
normal reporting
channels. Some
sharing of
information across
the organization.
Risk information is
shared across the
organization. A pro-
active effort made to
communicate
information on RM
best practices and
lessons learned.
RM best practices
and lessons learned
are regularly
communicated to the
organization via
newsletter, web page,
orientation, etc.
21. Linkage to
communication
with external
stakeholders
No formal
communication with
external stakeholders
on risk issues.
Communication with
stakeholders is ad
hoc. Risk information
is communicated on
a “need to know”
basis.
Formal process to
communication with
stakeholders on risk
issues.
Regular reporting to
stakeholders on
performance and
risks. Stakeholder
feedback obtained
and considered in
risk mitigation.
Careful consideration
of stakeholder
interests in risk
mitigation. The
organization is
widely respected by
stakeholders.

Roles in ERM – One scheme
Legitimate Internal Audit
roles with safeguards
Core Internal Audit roles
Roles Internal Audit should
not undertake
Giving assurance that the control systems are effective
Giving assurance that risks are correctly evaluated
Evaluating Risk Management processes
Evaluating reporting of material risks
Reviewing
the
m
anagem
ent of m
aterial
risks
Giving
advice
on
identifying
&
evaluating
risks
ChampioningestablishmentofERM
Facilitatingriskworkshops
CentralcoordinatingpointforERM
Monitoringrisksacrossthebusiness
Holisticreportingonrisks
FacilitatingManagement’sresponsetorisks
OperatingtheERMframework
DevelopingRM
strategyforBoardapproval
Im
posing
risk m
anagem
ent processes
Setting
the
risk
appetite
Assurance by management on
controls and
risks
Taking decisions on risk responses
Managing risks on Management’s behalf
Accountability for risks and controls
Giving assurance on the Risk Management processes
Internal Audit roles
CRO or Risk Management Department
Roles for Management
At all levels of organization

Are we done yet? Agenda Covered? Questions?
• Risk is “effect of uncertainty on objectives”
• Discussion of Adopt 31000 - PHB Bilton and KISS
• Overview of 31000; introduction, scope, principles,
framework, process
• How to “sell” ERM to senior management?
• The role of risk appetite risk tolerance and the ubiquitous
risk matrix/map/profile to deal with existing silos
• How will ERM help improve existing risk management?
• Next steps? How to measure success?
• Monitor, communications and consultation, and risk
ownership.
• Role of CRO? (Ans- Minimal)
• What did we learn today?

Opportunities
Threats
Risks: +ve
and -ve
Strategic Risk Management Process
Decision to “Take a Risk” or not
Detailed (RMP) Risk
Management ProcessRisk Control(s)
Residual Risk
Actual Risk ???
Risk Financing
Anatomy of Risk
Objectives

Iso 31000 presentation

More Related Content

What's hot

Similar to Iso 31000 presentation

Recently uploaded

Iso 31000 presentation