ORMIS April 21, Toronto, ISO 1
ISO 31000 (Nov. 2009)
What is it? What’s new?
How to Implement?
Please interrupt, thank you
John Shortreed
ORIMS Workshop
Wednesday, April 21, 2010
Arts & Letters Club, 14 Elm Street, Toronto, Ontario
Proposed AGENDA – OK?
• Risk is “effect of uncertainty on objectives”
• Discussion of Adopt 31000 - PHB Bilton and KISS
• Overview of 31000; introduction, scope, principles,
framework, process
• How to “sell” ERM to senior management?
• The role of risk appetite, risk tolerance and the ubiquitous
risk matrix/map/profile to deal with existing silos
• How will ERM help improve existing risk management?
• Next steps? How to measure success?
• Monitor, communications and consultation, and risk
ownership.
• Role of CRO? (Ans- Minimal)
• What did we learn today?
Risk - “effect of uncertainty on objectives” (ISO 31000)
• NOTE 1 An effect is a deviation from the expected — positive
and/or negative. (wrt achieving objectives)
• NOTE 2 Objectives can have different aspects (such as
financial, health and safety, and environmental goals) and can
apply at different levels (such as strategic, organization-wide,
project, product and process).
• NOTE 3 Risk is often characterized (i.e. named, e.g. credit risk) by
reference to potential events (2.17) and consequences (2.18),
or a combination of these.
• NOTE 4 Risk is often expressed in terms of a combination of
the consequences of an event (including changes in
circumstances) and the associated likelihood (2.19) of
occurrence.
There are two ways a risk can have an effect on objectives.
1. the effect of a risk when and if it should occur, or
2. the very existence of a risk whether it happens or not.
(2.) is the acceptance, or not, of being in risky situations - a friend of mine says he
can not sleep at night if his money is invested in stocks, even knowing they
provide better returns. So he invests in government bonds. It is the
uncertainty that he can not stand. Related to risk appetite.
(1.) is the traditional risk and where risk management seeks to increase the good
and decrease the bad consequences (as translated into objectives)
The "uncertainty" or ambiguity is the essence of risk, and can be part of:
a. the risk identification (source, associated event(s) & consequence(s) )
b. the event effect or consequence as estimated by analysis methods
c. the probability itself (in addition to uncertainty of identification (a), event (b),
and effect (d)) [probability of a probability drives mathematicians mad]
d. the objectives themselves and the link between consequences and
objectives (either measurement or how objectives reflect values or how
attitudes might bias selection and metrics of objectives)
Discussion from last week
(Aside) ISO Definitions are nested – rigorous substitution rule
(2.18) Consequence - outcome of an event (2.17)
affecting objectives
and since Event - occurrence or change of a particular set of
circumstances, then
(2.18) Consequence - outcome of an occurrence or
change of a particular set of circumstances affecting
objectives
(2.26) control - measure that is modifying risk (2.1)
(2.26) control - measure that is modifying effect of
uncertainty on objectives
Try residual risk (2.27) – insert risk treatment, control (?) and risk
Discussion of “YES Adopt 31000” - PHB Bilton and KISS
• survey question – which framework is right?
• Answer - ISO 31000 should be adopted
immediately and that existing COSO, PMI, and
other frameworks and processes integrated with
31000 in the short term and in the longer term
modified to better reflect, not so much 31000, as
the “ERM risk framework” in the organization.
• The rationale is that ISO incorporates these other
approaches [with gaps], is principle and performance based
and is simple enough and flexible enough to be used by
any organization.
The COSO ERM Framework: only negative risk! (a common problem)
Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
• Compliance
BHP Billiton RISK MANAGEMENT POLICY
Risk is inherent in our business. The identification and management
of risk is central to delivering on the Corporate Objective.
• By understanding and managing risk we provide greater certainty and
confidence for our shareholders, employees, customers and suppliers,
and for the communities in which we operate.
• Successful risk management can be a source of competitive
advantage.
• Risks faced by the Group shall be managed on an enterprise-wide
basis.
• Risk Management will be embedded into our critical business activities,
functions and processes. Risk understanding and our tolerance for risk
will be key considerations in our decision making.
• Risk issues will be identified, analysed and ranked in a consistent
manner. Common systems and methodologies will be used. (cont.)
• Risk controls will be designed and implemented to reasonably assure the
achievement of our Corporate Objective. The effectiveness of these controls
will be systematically reviewed and, where necessary, improved.
• Risk management performance will be monitored, reviewed and reported.
Oversight of the effectiveness of our risk management processes will provide
assurance to executive management, the Board and shareholders.
• The effective management of risk is vital to the continued growth and
success of our Group.
Signed Chip Goodyear, Chief Executive Officer (see web site for all the BHP good stuff)
Done by 3 people (lead Grant Purdy) in 4 years
for all 200,000 employees, with 80,000 risk owners identified
Over 12,000 risk assessments on file (open), and then
Risk management department eliminated.
IT CAN BE DONE – Keep It Sweet and Simple
Senior Management leads the charge

[Diagram: BHP Billiton framework implementation and framework continuous improvement cycle]

Commit and Mandate
• Policy Statement
• Standards
• Guidelines
• RM Plan and RM Process
• Assurance Plan

Communicate & Train
• Stakeholder analysis
• Training needs analysis
• Communication strategy
• Training strategy
• Roles and Reporting

Structure & Accountability
• Board RM Committee
• Executive RM Group
• RM Working Group
• Facilitator for Risk Management
• RM Champions
• Risk and Control Owners

Review & Improve
• Control assurance
• RM Plan progress
• RM Maturity Evaluation
• RM KPIs
• Benchmarking
• Governance reporting

Management Information System
• Risk Registers
• Treatment Plans
• Assurance Plan
• Reporting templates

Process for Managing Risk: Establish context; Risk assessment (Identify risks, Analyse risks, Evaluate risks); Treat risks; with Communicate and consult, and Monitor and review, running throughout.
ISO Overview: 3 main clauses, plus terminology from ISO Guide 73

Principles for managing risk (Clause 3)
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization

Framework for managing risk (Clause 4)
4.2 Mandate and commitment
4.3 Design of framework for managing risk
4.4 Implementing risk management
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework

Process for managing risk (Clause 5)
How to “sell” ERM to senior management? Up to Organization not you
When implemented and maintained in accordance with this International
Standard, the management of risk enables an organization to, for example:
• increase the likelihood of achieving objectives;
• encourage proactive management;
• be aware of the need to identify and treat risk throughout the organization;
• improve the identification of opportunities and threats;
• comply with relevant legal and regulatory requirements and international norms;
• improve mandatory and voluntary reporting;
• improve governance;
• improve stakeholder confidence and trust;
• establish a reliable basis for decision making and planning;
• improve controls;
• effectively allocate and use resources for risk treatment;
• improve operational effectiveness and efficiency;
• enhance health and safety performance, as well as environmental protection;
• improve loss prevention and incident management;
• minimize losses;
• improve organizational learning; and
• improve organizational resilience.
The role of risk appetite & risk attitude
Risk appetite: “amount and type of risk that an organization is willing to
pursue or retain”
Risk attitude: “organization's approach to assess and eventually
pursue, retain, take or turn away from risk”
• Vague term that is still evolving, can be bottom up (from typical
decisions) or top down from basics of survival and comfort of board
and senior management
• In conceptual terms
– Identify all risks (events and consequences ) [high level]
– Estimate plausible worst case and best case scenarios – may be
expressed as a risk profile
– Examine the robustness of the organization wrt plausible cases
– Balance opportunities and threats against the organization’s
capabilities/resources and select a risk appetite or risk attitude –
how risk averse?
Risk Tolerance is the practical step between
risk appetite and risk criteria (risk evaluation)
(also deals with silos)
• for specific consequence categories
(reputation, credit, compliance, country, etc.)
• for predetermined categories of likelihood
• find equivalent effects on objectives
• done by senior management (workshops)
• using risk matrix results as a check and
perhaps involving voting, delphi, etc.
Likelihood Scale for Tolerance (Simple Rating Scale)
(Hydro 1 Harvard Business School case study 9-109-001)
1. Remote: 5% probability that the event will occur in the next 36 months
2. Unlikely: 25% probability that the event will occur in the next 36 months
3. Even Odds: 50% probability that the event will occur in the next 36 months
4. Very Likely: 75% probability that the event will occur in the next 36 months
5. Virtually Certain: 95% probability that the event will occur in the next 36 months
Hydro 1 Risk Tolerances for 3 Silos (Fraser, 2009)

Business Objective | Consequence | 5 Worst Case | 4 Severe | 3 Major | 2 Moderate | 1 Minor
Financial | Net income (shortfall) | >$150 million | $75-$150 million | $25-$75 million | $5-$25 million | <$5 million
Reputation | Negative media / Opinion leaders and public | International / Everyone | National / Most | Provincial / Several | Local | Letters to Govt & Hydro
System reliability | Outages: customers, or # MW for 7 days, or fail NERC | >100,000 / >1000 / YES | 40-100k / 400-1000 / Some | 10-40k / 100-400 / Warning | 1-10k / 10-100 / Near many | <1,000 / <10 / Near few
Standard sort of Risk Matrix
Be careful, extremely careful, with risk matrices: they work well at the understanding/communications level, BUT

Likelihood (rows): Very Likely (>.45); Likely (.45 - .19); Medium (.19 - .05); Unlikely (.05 - .011); Remote (< .011)
Consequences (columns): Minor; Moderate; Major; Severe; Catastrophic
Cells: risk levels High, Medium, Low, plotted in a structured workshop with experts, voting, Delphi…
Example of use of Risk Matrix to set priorities
What might be wrong with this?

[Figure: one risk matrix per KPI, each plotting likelihood (VL, L, M, UL, VUL) against consequences (Cata, Severe, Major, Mod, Minor, No Impact) with cells rated High, Medium or Low]
Initiatives compared: 1. Refurbish; 2. Vegetation Mgmt; 3. IT Upgrade
KPIs plotted: Tx/Dx Reliability (likelihood bands >10, 5-10, 1-5, .2-1, <0.2); Unsupplied Energy; SFI; Unavailability; Worst Served Cust.; Dx SAIDI; Dx SAIFI
Basic and overarching in 31000 – Integration
ISO 31000 recommends that “organizations develop, implement and
continuously improve a framework whose purpose is to integrate the
process for managing risk (RMP) into the organization's overall
governance, strategy and planning, management, reporting processes,
policies, values and culture.”
How will ERM help improve existing risk management?
Overarching in 31000 – Integration
(continued)
4.3.4 Integration into organizational processes
• Risk management (RM) should be embedded in all the organization's
practices and processes in a way that it is relevant, effective and efficient.
• The risk management process should become part of, and not separate
from, those organizational processes.
• When you make any decision/choice then part, and only a part, of the
decision process is the Risk Management Process (RMP).
Overarching in 31000 – Integration (continued)
“2.7 risk owner - person or entity with the
accountability and authority to manage a risk ”
• Every risk (effect of uncertainty on objectives) is owned
• Risk owners are listed in the risk register
• Ownership has its privileges – get to monitor: risk, risk controls (may be
responsibility of others), cost of controls, effectiveness of controls, value of
RMP (risk management process); and continuously improve all
• Your annual evaluation includes how well you manage your owned risks
(part of the standard!)
Ironically, 48.7% of respondents describe
the sophistication of their risk oversight
processes as immature to minimally
mature. Forty-seven percent do not have
their business functions establishing or
updating assessments of risk exposures
on any formal basis. Almost 70% noted
that management does not report the
entity’s top risk exposures to the board of
directors. These trends are relatively
unchanged from those noted in the 2009
report. (NCU ERM center 2010 report)
“risk management framework –
set of components that provide the foundations and
organizational arrangements for designing, implementing,
monitoring, reviewing and continually improving risk
management throughout the organization
NOTE 1 The foundations include the policy, objectives,
mandate and commitment to manage risk
NOTE 2 The organizational arrangements include plans,
relationships, accountabilities, resources, processes and
activities
NOTE 3 The risk management framework is embedded
within the organization's overall strategic and operational
policies and practices” (ISO 31000)
7 components to the ERM Framework
1. Mandate and commitment to the framework (step 1)
a. Agreement in principle to proceed
b. Gap analysis
c. Context for framework
d. Design of framework
e. Implementation plan
2. Risk management policy
a. Policies for the framework, its processes and procedures
b. Policies for risk management decisions:
i. Risk Appetite
ii. Risk Criteria
iii. Internal Risk Reporting
3. Integration into the Organization
4. Risk Management Process
5. Communications and Reporting
6. Accountability
a. Risk ownership and risk register
b. Managers’ performance evaluation
7. Monitoring, Review and Continuous improvement
a. Responsibility for maintaining and improving framework
b. Risk Maturity and continuous improvement of framework
The risk management process
Establish the context
Identify risks
Analyse risks
Evaluate risks
Treat risks
Communicate and consult (throughout)
Monitor and review (throughout)
Used by every manager for every decision
Risk Assessment
• Identify the risks
• Analyze the risks (Note: when numerical estimates
of likelihood, consequences not available then
subjective risk matrix methods may be used)
• Evaluate the risks against Risk Criteria
• Result of Evaluation is to (or not to) Accept Risk – “informed decision
to take a particular risk”
• Not Acceptable, go to Risk Treatment
Risk Treatment- “process to modify risk”
“NOTE 1 Risk treatment can involve:
— avoiding the risk;
— increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood;
— changing the consequences;
— sharing the risk with another party or parties [including risk financing];
— retaining the risk by informed decision.
NOTE 3 Risk treatment can create new risks or modify existing risks.”
Risk Treatment is often a cycle of: Control options, Assessment of
Residual Risk, Accept?, Treat risk?, Control options,
Assessment…
“communication and consultation”
“continual and iterative processes that an organization
conducts to provide, share or obtain information, and
to engage in dialogue with stakeholders regarding
the management of risk
• NOTE 1 The information can relate to the existence, nature,
form, likelihood, significance, evaluation, acceptability,
treatment aspects
• NOTE 2 Consultation is a two-way process of informed
communication between an organization and its stakeholders on
an issue prior to making a decision or determining a direction on
that issue. Consultation is:
– a process which impacts on a decision through influence
rather than power; and
– an input to decision making, not joint decision making.”
Example risk register for a specific Strategic Objective – illustration only
Courtesy of the Food Company

Objective xx “Ready-to-Heat”: Aggressively grow and build the ready-to-heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product.
Owner: Joe. Priority: yes. Risk Profile: High.

Risks (uncertainties re Obj):
1. Increase of aggressive competition from Rice Master and Fast Rice
2. Aggressive year for growth target for the segment & brand
3. Achieve new product growth targets

Control Activities (risk reference numbers in brackets):
• Accelerate innovation [1,2,3]
• Conduct competitor analysis session [1]

Action Plan:
• Jane to develop 2-3 innovation schemes within 2 months
• Joe to do market analysis

How the register is built (numbered annotations on the slide):
1. Identify initiatives and their associated descriptions with measurable objectives
2. Prioritize order of the key initiatives based on their contribution to achieving the overall financial and strategic objectives within the OP
3. Document the individual in charge of the given initiative
4. List of risks that could hinder the ability to meet the initiative’s objectives
5. List of planned activities that will modify the risks – match the treatment strategies to risk through the reference numbers
6. Management Team evaluates the probability of success in achieving this initiative’s overall objectives
7. Document the immediate next steps for effective initiative execution
Bow-Tie Risk Treatment Tool (© Broadleaf Capital International, 2006)
Example of an integrated tool for RM Process

Fields of the bow-tie form:
2. Causes
3. Impacts
4. Existing Controls – Preventative (columns: Existing Preventative Controls, Control Owner)
5. Existing Controls – Reactive, Post Event (columns: Existing Reactive Controls, Control Owner)
6. Risk Control Effectiveness
7. Consequence rating
8. Likelihood rating
9. RISK RATING
10. Comments
11. Risk Owner
On both the preventative and the reactive side there is also a list of future controls: Task (future controls), Task Owner, Due Date.
How to measure success? – Risk Maturity?
Standard and Poor’s ERM perspective (still too negative)

Companies that are considered "strong" demonstrate an enterprise-wide view of risks, but are still focused on loss control. These companies have control processes for major risks, thus giving them advantages due to lower expected losses in adverse times, as such companies can consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Strong ERM firms are unlikely to experience unexpected losses outside of tolerance levels. Risk and risk management are usually important considerations in such firms' corporate judgment.

Companies that are considered "excellent" possess all of the characteristics of those scored "strong" and will also demonstrate risk/reward optimization. Such companies have very well-developed capabilities to consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Risk and risk management are always important considerations in such firms' corporate judgment. It is highly unlikely that these firms will experience losses outside of their risk tolerance.
Risk Maturity Score – Fraser Valley Health
Level of ERM Maturity: 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimized
Elements of ERM (each scored against the five levels):
• Organization Philosophy & Culture
• Leadership Commitment
• RM Capabilities
• RM Process
• Monitoring & Review
• Reporting & Control
• Integration with other Management Systems
Organization Philosophy & Culture
(Level of Maturity: 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimized)

1. Risk management culture
• 1 Initial: The focus is primarily on responding to crises and tends to be reactive rather than proactive.
• 2 Repeatable: People tend to be risk averse. Risks are identified primarily at operational and project levels. RM concepts are intuitively understood and practised on an ad hoc basis. A cautious approach is taken to RM overall.
• 3 Defined: RM is done proactively to anticipate risks and develop mitigation plans. Emerging risks are considered. Focus is on opportunities, not just risk avoidance. Risk implications are considered in all major decisions.
• 4 Managed: Risks are consistently managed. Staff are encouraged to be innovative. The organization fosters a culture of continuous learning and participation. Staff are highly committed to organization success.
• 5 Optimized: RM is done at every level in the organization, and is strongly integrated with management practices. Individual and organization expectations for RM are synchronized.

2. Roles and responsibilities for managing risk
• 1 Initial: Roles and responsibilities are not documented and are unclear. No individual accountability for managing risk. RM is viewed as a department rather than a process.
• 2 Repeatable: Responsibilities for managing risk have been established (job descriptions, terms of reference, etc.), but are not understood or consistently followed. Risk is managed intuitively, on an ad hoc basis.
• 3 Defined: Roles and responsibilities for RM are clear, well communicated and understood throughout the organization.
• 4 Managed: RM is embedded in individual behaviour. Individuals are empowered to manage risks. Responsibility for RM is an integral part of goal setting and performance planning.
• 5 Optimized: Individual accountability for RM is firmly embedded in organization culture. Roles and responsibilities for RM are aligned with the overall organization accountability framework.
Organization Philosophy & Culture cont’d
(Level of Maturity: 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimized)

3. Linkage to ethics and values
• 1 Initial: No ethics policy or guidelines in place. Policy statements are issued on an ad hoc basis. No clear statements of shared values or principles, or attention to legal or political considerations.
• 2 Repeatable: Organization has an ethics and values statement. RM philosophy is reflected in written code of ethics and values. Philosophy is attuned to legal and political considerations. Policies are communicated across the organization but applied inconsistently.
• 3 Defined: Ethics and values principles and legal/political considerations are well understood by staff, and applied consistently throughout the organization. RM approach is closely aligned with ethics and values.
• 4 Managed: Ethics and values help managers take a balanced approach to RM, and reconcile competing external forces. Ethics and values surveys consider risk, and are carried out regularly. Improvements are made.
• 5 Optimized: Ethics, values and sensitivity to legal/political considerations are consistently reflected in organization practices and RM approach. Atmosphere of mutual trust exists at all levels of organization. Few infractions or incidents occur.

4. Valuing risk management behaviour
• 1 Initial: High level of scepticism exists within organization. Mixed messages are given to staff. RM is not considered in assessing and rewarding performance. Staff contribution to managing risk is not recognized or valued.
• 2 Repeatable: People are consulted and given opportunity to participate in RM. Staff contribution to managing risk is recognized on an ad hoc basis. Performance in managing risks is considered in recognition and rewards programs.
• 3 Defined: The working environment supports a proactive approach to managing risks. Information on risk is shared openly. Strong sense of teamwork exists across the organization.
• 4 Managed: Recognition and rewards programs encourage staff to manage risks and take advantage of opportunities. Management is committed to continuous RM learning. Sanctions in place for knowingly ignoring risks. Staff development is a major organization priority.
• 5 Optimized: Staff encouraged and recognized for identifying risks and opportunities, and for identifying risks not being appropriately managed. Staff continuously cited for their exemplary behaviour. Value of human capital in the organization is measured.
Leadership Commitment to Risk Management
(Level of Maturity: 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimized)

5. Leadership
• 1 Initial: RM is the concern of managers, and is dealt with on an ad hoc basis. RM concepts are ill defined and not well understood. No leadership engagement.
• 2 Repeatable: RM initiatives are supported by senior management on an ad hoc basis. Risks are managed by operational managers. No Board engagement.
• 3 Defined: Senior management regularly engaged in formal RM process. Minimal Board engagement.
• 4 Managed: Senior management oversee and champion the organization’s RM framework, and lead by example. Some Board engagement.
• 5 Optimized: Board and senior management commitment for RM clearly articulated, and strongly embedded at all levels of the organization.

6. Risk management framework & policy
• 1 Initial: The organization has no formal RM framework or policy.
• 2 Repeatable: Some RM policies for specific areas have been formally documented to address specific risks.
• 3 Defined: Organization RM framework in place.
• 4 Managed: Organization RM framework and policy. These are well communicated and followed.
• 5 Optimized: Board approved RM framework and policy are well communicated, followed and compliance is monitored.

7. Roles and responsibilities of senior management
• 1 Initial: Unclear roles and responsibilities for RM. The audit function is seen as responsible for identifying risks. Specialists are responsible for managing risks.
• 2 Repeatable: Managers identify and respond to risks on an ad hoc basis.
• 3 Defined: Senior management assume responsibility for RM practices. Collectively, they identify and assess key organization risks, and develop mitigation plans.
• 4 Managed: Senior management roles and responsibilities for RM are well documented in accountability agreements or governance documents. They are consistently applied and monitored.
• 5 Optimized: Senior management promote and support research into RM best practice to ensure an evidence-based approach. They are seen as leaders and innovators for implementing state of the art RM concepts.
Risk Management Capabilities
(Level of Maturity: 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimized)

8. Risk management competencies
• 1 Initial: RM is not perceived to be a formal competency. RM concepts are not well understood.
• 2 Repeatable: RM competencies have been identified, and skills gap established by some managers. Little or no formal training has been done.
• 3 Defined: Training in RM is high priority. Skills gap is being addressed. Training is being sourced. There is “cross-fertilization” between specialists and managers.
• 4 Managed: RM competency development is an integral part of individual learning plans, and organization development programs. Staff at all levels are being trained, and skills gaps addressed.
• 5 Optimized: Ongoing commitment to ensure continuous renewal of RM competencies. The organization is well known and respected for its RM training program.

9. Risk management techniques
• 1 Initial: Limited RM tools and techniques are available.
• 2 Repeatable: Managers tend to use their own individual approach for risk analysis. Available RM techniques have limited focus in specialised areas (e.g., finance, OH&S, IT project management).
• 3 Defined: Managers have access to various RM techniques that integrate financial and non-financial information for risk analysis. Tools are used with specialist support.
• 4 Managed: Wide range of RM tools/techniques available to all staff who understand how to use them, as well as their benefits and limitations. Knowledge transfer occurs between specialists and managers.
• 5 Optimized: RM tools and techniques are integrated with other management decision support tools. Strong interface with IS. Periodic review and update of tools and techniques.

10. Specialist support
• 1 Initial: No specialist support for RM.
• 2 Repeatable: Specialists are used by management to carry out basic risk analysis on an ad hoc basis.
• 3 Defined: Specialists are known throughout the organisation and often called upon by managers to provide RM analysis and advice on specific issues.
• 4 Managed: The expert advisory role of specialists is valued by all levels of management. Specialist support viewed as a key enabler in initiating change.
• 5 Optimized: Specialists advise on a broad range of issues, on an integrated basis, through multi-disciplinary teams. Externally recognized.
Risk Management Process
(Level of Maturity: 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimized)

11. Risk identification & assessment
• 1 Initial: No formal process to identify and assess risks.
• 2 Repeatable: Risks are identified for specific areas, and assessed by managers on an ad hoc basis. No formal process in place. No attempt to aggregate risks across the organization.
• 3 Defined: Formal risk assessment process and tools available to managers. Tools are used with specialist support. Risks are identified across the organisation to provide an aggregate view.
• 4 Managed: Formal process and tools available to managers who understand their benefits/limitations, and know how to apply them. More sophisticated tools available with specialist support. Risk categories provide an aggregate view for better understanding.
• 5 Optimized: Risk assessment process and tools are integrated with other management decision support tools. Strong interface with organization management information systems.

12. Risk tolerance
• 1 Initial: Risk tolerance is not defined.
• 2 Repeatable: Risk tolerance is not defined. Specific risk levels are accepted or rejected intuitively.
• 3 Defined: Risk tolerance is somewhat defined for the organization and used by management.
• 4 Managed: Common understanding and application of specific risk tolerance levels.
• 5 Optimized: Risk tolerance levels established at all levels of the organization guide decision making.

13. Risk documentation
• 1 Initial: No formal risk documentation is done.
• 2 Repeatable: No formal process in place. Risk documentation that does occur is ad hoc and inconsistent.
• 3 Defined: Formal documentation of risks in some areas – i.e., risk register, RM plans.
• 4 Managed: Formal documentation of risks at all levels of the organisation. Risk registers and RM plans are regularly monitored and updated.
• 5 Optimized: Formal documentation of risk (risk register, RM plans) is an integral part of planning and decision making – and a requirement of the Board.
ORMIS April 21, Toronto, ISO 39
Monitoring & Review
Level of Maturity: 1 Initial / 2 Repeatable / 3 Defined / 4 Managed / 5 Optimized

14. Performance measurement
  1 Initial: No formal performance measurement system in place.
  2 Repeatable: Performance measurement at departmental level involves monitoring of risks. Some risk indicators have been developed but not consistently applied.
  3 Defined: Organization-wide performance measurement system includes monitoring of risk indicators.
  4 Managed: Risk indicators are interpreted in relation to other corporate performance measures. Regular monitoring and review by Executive.
  5 Optimized: Strategic and operational risk indicators and performance measures are closely linked. Regular monitoring and review by Executive and the Board.

15. Review of the risk management practices
  1 Initial: No measurement framework in place to assess RM practices.
  2 Repeatable: Evaluation of RM practices occurs in specific areas. This is typically done by internal audit.
  3 Defined: Performance indicators to assess progress in implementing organization RM framework, and the effectiveness of RM practices, have been developed.
  4 Managed: Information is regularly collected to monitor outcomes achieved as a result of RM framework and practices. Benchmarks established against which to assess progress.
  5 Optimized: Performance against indicators is measured, and results tracked over time. Action taken to improve. RM performance indicators and benchmarks are regularly reviewed and updated.
ORMIS April 21, Toronto, ISO 40
Reporting & Control
Level of Maturity: 1 Initial / 2 Repeatable / 3 Defined / 4 Managed / 5 Optimized

16. Risk management plans
  1 Initial: No formal RM plans exist.
  2 Repeatable: Formal RM plans in place to address and report on specific risks. However, RM plans are not developed on a consistent basis throughout the organization.
  3 Defined: RM is discussed as a part of the strategic and business planning processes. Plans include an overview of key risks and mitigation.
  4 Managed: Organization-wide RM plan in place that includes comprehensive analysis of organization risks and mitigation. Plan is regularly reported against, reviewed and updated by senior management.
  5 Optimized: Organization RM plan is viewed as integral to organization success. The plan is regularly reviewed and updated by senior management, and reported to the Board.

17. Controls
  1 Initial: Existing controls are not linked to corporate objectives or risk appetites. No criteria in place to evaluate controls effectiveness.
  2 Repeatable: Controls are used on an ad hoc basis to respond to new risks. Limited cost/benefit analysis of controls. Controls effectiveness is not monitored on a regular basis.
  3 Defined: Controls reflect corporate objectives and risk appetites. Cost/benefit analysis of controls is regularly conducted. Controls compliance and effectiveness is monitored at high level.
  4 Managed: Risk significance, as well as the cost/benefit of mitigation options, is considered prior to implementing controls. Compliance with, and effectiveness of, controls is regularly monitored and reported throughout the organization.
  5 Optimized: The organization’s control environment is integrally linked to objectives, risk appetites and RM strategies. Controls compliance and effectiveness is regularly monitored and reported against, and improvements made as required.
ORMIS April 21, Toronto, ISO 41
Integration with Other Management Systems
Level of Maturity: 1 Initial / 2 Repeatable / 3 Defined / 4 Managed / 5 Optimized

18. Linkage with strategic and operational planning
  1 Initial: RM is not linked with organization planning processes.
  2 Repeatable: Risks are considered in development of business and operational plans on ad hoc and inconsistent basis.
  3 Defined: Formal consideration of risks is integral part of strategic and operational planning.
  4 Managed: Formal RM process integral to strategic and operational planning. Risks are prioritized, and cost/benefit of mitigation options are assessed.
  5 Optimized: RM process is fully embedded in organization planning at all levels. A variety of modelling techniques used to quantify risks.

19. Linkage to management information system
  1 Initial: Limited management information to support RM.
  2 Repeatable: Management information exists to varying degrees to support RM at departmental level.
  3 Defined: Management information exists for organisation as a whole but with limited “drill-down” capability.
  4 Managed: Organization-wide performance management system in place. Information is used on ongoing basis to support RM.
  5 Optimized: Sophisticated decision support tools available on-line to support RM at all levels of the organization.

20. Linkage to internal communication and feedback on risks
  1 Initial: No formal internal communication channels for risk issues.
  2 Repeatable: Ad hoc communication on risk issues at departmental level. Managers tend to work independently with some interaction.
  3 Defined: Communication on risk issues follows normal reporting channels. Some sharing of information across the organization.
  4 Managed: Risk information is shared across the organization. A pro-active effort made to communicate information on RM best practices and lessons learned.
  5 Optimized: RM best practices and lessons learned are regularly communicated to the organization via newsletter, web page, orientation, etc.

21. Linkage to communication with external stakeholders
  1 Initial: No formal communication with external stakeholders on risk issues.
  2 Repeatable: Communication with stakeholders is ad hoc. Risk information is communicated on a “need to know” basis.
  3 Defined: Formal process to communicate with stakeholders on risk issues.
  4 Managed: Regular reporting to stakeholders on performance and risks. Stakeholder feedback obtained and considered in risk mitigation.
  5 Optimized: Careful consideration of stakeholder interests in risk mitigation. The organization is widely respected by stakeholders.
ORMIS April 21, Toronto, ISO 42
Roles in ERM – One scheme
(fan diagram; segment labels recovered from the slide: Internal Audit roles / CRO or Risk Management Department / Roles for Management at all levels of organization)

Core Internal Audit roles:
• Giving assurance on the Risk Management processes
• Giving assurance that risks are correctly evaluated
• Giving assurance that the control systems are effective
• Evaluating Risk Management processes
• Evaluating reporting of material risks
• Reviewing the management of material risks

Legitimate Internal Audit roles with safeguards:
• Giving advice on identifying & evaluating risks
• Championing establishment of ERM
• Facilitating risk workshops
• Central coordinating point for ERM
• Monitoring risks across the business
• Holistic reporting on risks
• Facilitating Management’s response to risks
• Operating the ERM framework
• Developing RM strategy for Board approval

Roles Internal Audit should not undertake:
• Setting the risk appetite
• Imposing risk management processes
• Assurance by management on controls and risks
• Taking decisions on risk responses
• Managing risks on Management’s behalf
• Accountability for risks and controls
ORMIS April 21, Toronto, ISO 43
Are we done yet? Agenda Covered? Questions?
• Risk is “effect of uncertainty on objectives”
• Discussion of Adopt 31000 - PHB Bilton and KISS
• Overview of 31000; introduction, scope, principles,
framework, process
• How to “sell” ERM to senior management?
• The role of risk appetite, risk tolerance and the ubiquitous
risk matrix/map/profile to deal with existing silos
• How will ERM help improve existing risk management?
• Next steps? How to measure success?
• Monitor, communications and consultation, and risk
ownership.
• Role of CRO? (Ans- Minimal)
• What did we learn today?
ORMIS April 21, Toronto, ISO 44
Anatomy of Risk
(diagram; element labels recovered from the slide, in the order they are chained)
• Objectives
• Risks: +ve and -ve (Opportunities, Threats)
• Strategic Risk Management Process – Decision to “Take a Risk” or not
• Detailed (RMP) Risk Management Process – Risk Control(s)
• Residual Risk
• Risk Financing
• Actual Risk ???
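The Anatomy of Risk slide chains objectives, inherent risk, controls, residual risk, risk financing and the decision to take a risk or not; maturity rows 12, 13 and 17 add tolerance levels, a documented register with owners, and cost/benefit of controls. The following is an added worked example, not code from the ORIMS slides or from ISO 31000: a small risk register that walks each entry through that chain and reports the resulting decision. The 1-5 scales, the tolerance thresholds, the risks, the control effects and the costs are all constructed for illustration; a real register would calibrate them against the organisation's own criteria.

```python
"""Added example (not from the ORIMS slides or ISO 31000): a small risk
register that walks each entry through the Anatomy of Risk chain --
inherent risk, controls, residual risk, tolerance check, risk financing --
and reports the decision. All scales, thresholds, risks and costs are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int   # scale levels removed from likelihood
    consequence_reduction: int  # scale levels removed from consequence
    annual_cost: float          # for the cost/benefit view of controls (row 17)


@dataclass
class Risk:
    ref: str
    description: str
    owner: str                  # risk ownership: every entry needs a named owner
    level: str                  # "strategic" or "operational"
    likelihood: int             # 1 (rare) .. 5 (almost certain), constructed scale
    consequence: int            # 1 (minor) .. 5 (severe), constructed scale
    controls: list = field(default_factory=list)
    financed: bool = False      # residual exposure covered by insurance/reserve


# Constructed tolerance thresholds per organisational level (row 12: tolerance
# levels established at all levels of the organization guide decision making).
TOLERANCE = {"strategic": 6, "operational": 9}


def inherent_score(risk):
    """Risk before controls: likelihood combined with consequence (product)."""
    return risk.likelihood * risk.consequence


def residual_score(risk):
    """Risk left after every control has reduced likelihood and/or consequence.
    Floored at 1 on each axis: controls reduce a risk, they never delete it,
    which is why the slide labels the final box 'Actual Risk ???'."""
    lik, con = risk.likelihood, risk.consequence
    for ctl in risk.controls:
        lik = max(1, lik - ctl.likelihood_reduction)
        con = max(1, con - ctl.consequence_reduction)
    return lik * con


def control_cost_benefit(risk):
    """(score reduction, total annual control cost): the pair row 17 expects
    to be weighed before controls are implemented."""
    reduction = inherent_score(risk) - residual_score(risk)
    cost = sum(ctl.annual_cost for ctl in risk.controls)
    return reduction, cost


def decide(risk):
    """The slide's 'take a risk or not': accept within tolerance, accept when
    the excess is financed, otherwise escalate for further treatment."""
    if residual_score(risk) <= TOLERANCE[risk.level]:
        return "accept"
    if risk.financed:
        return "accept-with-financing"
    return "escalate"


def missing_owners(register):
    """Entries with no named owner cannot be monitored or reported (row 13)."""
    return [r.ref for r in register if not r.owner.strip()]


def report(register):
    """Per-entry summary: (inherent score, residual score, decision)."""
    return {r.ref: (inherent_score(r), residual_score(r), decide(r)) for r in register}


# Constructed sample register; descriptions and numbers are illustrative only.
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched internet-facing server", "IT Operations", "operational", 4, 4,
         [Control("30-day patch SLA", 2, 0, 20000.0),
          Control("Network segmentation", 0, 2, 15000.0)]),
    Risk("R2", "Key supplier insolvency", "CFO", "strategic", 2, 5,
         [Control("Dual sourcing", 0, 1, 50000.0)], financed=True),
    Risk("R3", "Ransomware on shared file servers", "CISO", "operational", 4, 5,
         [Control("Offline backups", 0, 2, 30000.0)]),
    Risk("R4", "Regulatory change in core market", "", "strategic", 2, 3),  # no controls, no owner
]

if __name__ == "__main__":
    for ref, (inh, res, dec) in report(SAMPLE_REGISTER).items():
        print(f"{ref}: inherent={inh:2d} residual={res:2d} -> {dec}")
    print("entries without an owner:", missing_owners(SAMPLE_REGISTER))
```

Running it shows the three outcomes the slide distinguishes: R1 is brought inside operational tolerance by its controls, R2 stays above strategic tolerance but is accepted because the excess is financed, and R3 is escalated because neither controls nor financing cover it. R4 is within tolerance with no controls at all, yet `missing_owners` flags it: a register entry nobody owns is exactly the level 1-2 documentation the maturity rows describe.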

More Related Content

What's hot

Risk and issue management
Risk and issue managementRisk and issue management
Risk and issue management
Thomas Petite
 
Risk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation SlidesRisk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation Slides
SlideTeam
 
Project Risk Management
Project Risk ManagementProject Risk Management
Project Risk Management
Martin Sillaots
 
PMP_Project Risk Management
PMP_Project Risk ManagementPMP_Project Risk Management
PMP_Project Risk Management
Hisham Haridy MBA, PMP®, RMP®, SP®
 
Step by step guide on project risk management
Step by step guide on project risk managementStep by step guide on project risk management
Step by step guide on project risk management
PMC Mentor
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop
Ersoy AKSOY
 
Strategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightStrategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management Right
Proformative, Inc.
 
Pmp risk management
Pmp risk managementPmp risk management
Pmp risk management
Tu Nguyen, PMP®,PMI-RMP®
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
PECB
 
Risk Management Procedure And Guidelines PowerPoint Presentation Slides
Risk Management Procedure And Guidelines PowerPoint Presentation Slides Risk Management Procedure And Guidelines PowerPoint Presentation Slides
Risk Management Procedure And Guidelines PowerPoint Presentation Slides
SlideTeam
 
Risk management
Risk managementRisk management
Risk management
baderali2141
 
Iso 31000
Iso 31000Iso 31000
Iso 31000
Dr. Jojo Javier
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
Prof. Akram Hassan PhD,MBA,PMP,OPM3
 
Everything you need to know about Risk Management
Everything you need to know about Risk ManagementEverything you need to know about Risk Management
Everything you need to know about Risk Management
ITM Platform
 
Managing Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPointManaging Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPoint
Ascendore Limited
 
Project Risk Management - PMBOK5
Project Risk Management - PMBOK5Project Risk Management - PMBOK5
Project Risk Management - PMBOK5
pankajsh10
 
Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides
SlideTeam
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk management
Subhendu Datta
 
Projectriskmanagement pmbok5
Projectriskmanagement pmbok5Projectriskmanagement pmbok5
Projectriskmanagement pmbok5
Dhamo daran
 
Project risk management
Project risk managementProject risk management
Project risk management
Er Swati Nagal
 

What's hot (20)

Risk and issue management
Risk and issue managementRisk and issue management
Risk and issue management
 
Risk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation SlidesRisk Management Process And Procedures PowerPoint Presentation Slides
Risk Management Process And Procedures PowerPoint Presentation Slides
 
Project Risk Management
Project Risk ManagementProject Risk Management
Project Risk Management
 
PMP_Project Risk Management
PMP_Project Risk ManagementPMP_Project Risk Management
PMP_Project Risk Management
 
Step by step guide on project risk management
Step by step guide on project risk managementStep by step guide on project risk management
Step by step guide on project risk management
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop
 
Strategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightStrategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management Right
 
Pmp risk management
Pmp risk managementPmp risk management
Pmp risk management
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
 
Risk Management Procedure And Guidelines PowerPoint Presentation Slides
Risk Management Procedure And Guidelines PowerPoint Presentation Slides Risk Management Procedure And Guidelines PowerPoint Presentation Slides
Risk Management Procedure And Guidelines PowerPoint Presentation Slides
 
Risk management
Risk managementRisk management
Risk management
 
Iso 31000
Iso 31000Iso 31000
Iso 31000
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
 
Everything you need to know about Risk Management
Everything you need to know about Risk ManagementEverything you need to know about Risk Management
Everything you need to know about Risk Management
 
Managing Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPointManaging Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPoint
 
Project Risk Management - PMBOK5
Project Risk Management - PMBOK5Project Risk Management - PMBOK5
Project Risk Management - PMBOK5
 
Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk management
 
Projectriskmanagement pmbok5
Projectriskmanagement pmbok5Projectriskmanagement pmbok5
Projectriskmanagement pmbok5
 
Project risk management
Project risk managementProject risk management
Project risk management
 

Similar to Iso 31000 presentation

Risk Management - A Journey
Risk Management - A JourneyRisk Management - A Journey
Risk Management - A Journey
Debashis Gupta
 
Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk management
Stephen Ong
 
How to Create a Risk Profile for Your Organization: 10 Essential Steps
How to Create a Risk Profile for Your Organization: 10 Essential StepsHow to Create a Risk Profile for Your Organization: 10 Essential Steps
How to Create a Risk Profile for Your Organization: 10 Essential Steps
Case IQ
 
mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - compliance
Neeraj Verma
 
ISO 31000:2018 Risk Management System, Framework and Implementation
ISO 31000:2018 Risk Management System, Framework and ImplementationISO 31000:2018 Risk Management System, Framework and Implementation
ISO 31000:2018 Risk Management System, Framework and Implementation
Alvin Integrated Services [AIS]
 
Enterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityEnterprise Risk Management and Sustainability
Enterprise Risk Management and Sustainability
Jeff B
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
Tim Leech
 
Five lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; ermFive lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; erm
Dr. Zar Rdj
 
ISO 31000.pdf
ISO 31000.pdfISO 31000.pdf
ISO 31000.pdf
ssuser840a78
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
Manoj Agarwal
 
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organizationPECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB
 
Risk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc anenyRisk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc aneny
Иван Вали-Пур
 
Risk Management Presentation to Doyle Property Club
Risk Management Presentation to Doyle Property ClubRisk Management Presentation to Doyle Property Club
Risk Management Presentation to Doyle Property Club
marcpreston
 
Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management
Risk Management Institution of Australasia
 
Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013
Nidhi Gupta
 
Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013
Rahul Bhan (CA, CIA, MBA)
 
Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013
Nidhi Gupta
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.ppt
SashaKing4
 
Implementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdfImplementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdf
Robert Serena, FSA, CFA, CPCU
 
Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSO
Dina Pramudianti
 

Similar to Iso 31000 presentation (20)

Risk Management - A Journey
Risk Management - A JourneyRisk Management - A Journey
Risk Management - A Journey
 
Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk management
 
How to Create a Risk Profile for Your Organization: 10 Essential Steps
How to Create a Risk Profile for Your Organization: 10 Essential StepsHow to Create a Risk Profile for Your Organization: 10 Essential Steps
How to Create a Risk Profile for Your Organization: 10 Essential Steps
 
mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - compliance
 
ISO 31000:2018 Risk Management System, Framework and Implementation
ISO 31000:2018 Risk Management System, Framework and ImplementationISO 31000:2018 Risk Management System, Framework and Implementation
ISO 31000:2018 Risk Management System, Framework and Implementation
 
Enterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityEnterprise Risk Management and Sustainability
Enterprise Risk Management and Sustainability
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
 
Five lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; ermFive lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; erm
 
ISO 31000.pdf
ISO 31000.pdfISO 31000.pdf
ISO 31000.pdf
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organizationPECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
 
Risk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc anenyRisk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc aneny
 
Risk Management Presentation to Doyle Property Club
Risk Management Presentation to Doyle Property ClubRisk Management Presentation to Doyle Property Club
Risk Management Presentation to Doyle Property Club
 
Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management
 
Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013
 
Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013
 
Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013Riskpro iso 31000 services 2013
Riskpro iso 31000 services 2013
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.ppt
 
Implementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdfImplementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdf
 
Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSO
 

Recently uploaded

Chapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptxChapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Denish Jangid
 
Wound healing PPT
Wound healing PPTWound healing PPT
Wound healing PPT
Jyoti Chand
 
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
heathfieldcps1
 
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
สมใจ จันสุกสี
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
Nguyen Thanh Tu Collection
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
WaniBasim
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
Jean Carlos Nunes Paixão
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Akanksha trivedi rama nursing college kanpur.
 
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
Diana Rendina
 
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptxC1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
mulvey2
 
How to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRMHow to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRM
Celine George
 
Digital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental DesignDigital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental Design
amberjdewit93
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE”           .MARY JANE WILSON, A “BOA MÃE”           .
MARY JANE WILSON, A “BOA MÃE” .
Colégio Santa Teresinha
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
History of Stoke Newington
 
clinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdfclinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdf
Priyankaranawat4
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
Nguyen Thanh Tu Collection
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
Academy of Science of South Africa
 
Cognitive Development Adolescence Psychology
Cognitive Development Adolescence PsychologyCognitive Development Adolescence Psychology
Cognitive Development Adolescence Psychology
paigestewart1632
 
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movieFilm vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
Nicholas Montgomery
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Fajar Baskoro
 

Recently uploaded (20)

Chapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptxChapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptx
 
Wound healing PPT
Wound healing PPTWound healing PPT
Wound healing PPT
 
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
 
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
 
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
 
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptxC1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
 
How to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRMHow to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRM
 
Digital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental DesignDigital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental Design
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE”           .MARY JANE WILSON, A “BOA MÃE”           .
MARY JANE WILSON, A “BOA MÃE” .
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
 
clinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdfclinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdf
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
 
Cognitive Development Adolescence Psychology
Cognitive Development Adolescence PsychologyCognitive Development Adolescence Psychology
Cognitive Development Adolescence Psychology
 
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movieFilm vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
 

Iso 31000 presentation

  • 1. ORMIS April 21, Toronto, ISO 1 ISO 31000 (Nov. 2009) What is it? What’s new? How to Implement? Please interrupt, thank you John Shortreed ORIMS Workshop Wednesday, April 21, 2010 Arts & Letters Club, 14 Elm Street, Toronto, Ontario
  • 2. ORMIS April 21, Toronto, ISO 2 Proposed AGENDA – OK? • Risk is “effect of uncertainty on objectives” • Discussion of Adopt 31000 - PHB Bilton and KISS • Overview of 31000; introduction, scope, principles, framework, process • How to “sell” ERM to senior management? • The role of risk appetite risk tolerance and the ubiquitous risk matrix/map/profile to deal with existing silos • How will ERM help improve existing risk management? • Next steps? How to measure success? • Monitor, communications and consultation, and risk ownership. • Role of CRO? (Ans- Minimal) • What did we learn today?
  • 3. Risk - “effect of uncertainty on objectives” (ISO 31000)
    • NOTE 1 An effect is a deviation from the expected — positive and/or negative. (wrt achieving objectives)
    • NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
    • NOTE 3 Risk is often characterized (i.e. named, e.g. credit risk) by reference to potential events (2.17) and consequences (2.18), or a combination of these.
    • NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
  • 4. There are two ways a risk can have an effect on objectives.
    1. the effect of a risk when and if it should occur, or
    2. the very existence of a risk whether it happens or not.
    (2.) is the acceptance, or not, of being in risky situations - a friend of mine says he cannot sleep at night if his money is invested in stocks, even knowing they provide better returns. So he invests in government bonds. It is the uncertainty that he cannot stand. Related to risk appetite.
    (1.) is the traditional risk and where risk management seeks to increase the good and decrease the bad consequences (as translated into objectives).
    The "uncertainty" or ambiguity is the essence of risk, and can be part of:
    a. the risk identification (source, associated event(s) & consequence(s))
    b. the event effect or consequence as estimated by analysis methods
    c. the probability itself (in addition to uncertainty of identification (a), event (b), and effect (d)) [probability of a probability drives mathematicians mad]
    d. the objectives themselves and the link between consequences and objectives (either measurement or how objectives reflect values or how attitudes might bias selection and metrics of objectives)
    Discussion from last week
  • 5. (Aside) ISO Definitions are nested – rigorous substitution rule
    (2.18) Consequence - outcome of an event (2.17) affecting objectives
    and since Event - occurrence or change of a particular set of circumstances, then
    (2.18) Consequence - outcome of an occurrence or change of a particular set of circumstances affecting objectives
    (2.26) control - measure that is modifying risk (2.1)
    (2.26) control - measure that is modifying effect of uncertainty on objectives
    Try residual risk (2.27) – insert risk treatment, control (?) and risk
  • 6. Discussion of “YES Adopt 31000” - BHP Billiton and KISS
    • Survey question – which framework is right?
    • Answer - ISO 31000 should be adopted immediately and the existing COSO, PMI, and other frameworks and processes integrated with 31000 in the short term and in the longer term modified to better reflect, not so much 31000, as the “ERM risk framework” in the organization.
    • The rationale is that ISO incorporates these other approaches [with gaps], is principle- and performance-based, and is simple enough and flexible enough to be used by any organization.
  • 7. The COSO ERM Framework only negative risk! (a common problem)
    Entity objectives can be viewed in the context of four categories:
    • Strategic
    • Operations
    • Reporting
    • Compliance
  • 8. BHP Billiton RISK MANAGEMENT POLICY
    Risk is inherent in our business. The identification and management of risk is central to delivering on the Corporate Objective.
    • By understanding and managing risk we provide greater certainty and confidence for our shareholders, employees, customers and suppliers, and for the communities in which we operate.
    • Successful risk management can be a source of competitive advantage.
    • Risks faced by the Group shall be managed on an enterprise-wide basis.
    • Risk Management will be embedded into our critical business activities, functions and processes. Risk understanding and our tolerance for risk will be key considerations in our decision making.
    • Risk issues will be identified, analysed and ranked in a consistent manner. Common systems and methodologies will be used.
    (cont.)
  • 9. BHP Billiton RISK MANAGEMENT POLICY (cont.)
    • Risk controls will be designed and implemented to reasonably assure the achievement of our Corporate Objective. The effectiveness of these controls will be systematically reviewed and, where necessary, improved.
    • Risk management performance will be monitored, reviewed and reported. Oversight of the effectiveness of our risk management processes will provide assurance to executive management, the Board and shareholders.
    • The effective management of risk is vital to the continued growth and success of our Group.
    signed Chip Goodyear, Chief Executive Officer (see web site for all the BHP good stuff)
    Done by 3 people (lead Grant Purdy) in 4 years for all 200,000 employees, with 80,000 risk owners identified. Over 12,000 risk assessments on file (open), and then Risk management department eliminated.
    IT CAN BE DONE – Keep It Sweet and Simple
    Senior Management leads the charge
  • 10. Framework Continuous Improvement Cycle, Framework Implementation and Process for Managing Risk (diagram)
    Commit and Mandate: Policy Statement; Standards; Guidelines; RM Plan and RM Process; Assurance Plan
    Communicate & Train: Stakeholder analysis; Training needs analysis; Communication strategy; Training strategy; Roles and Reporting
    Structure & Accountability: Board RM Committee; Executive RM Group; RM Working Group; Facilitator for Risk Management; RM Champions; Risk and Control Owners
    Review & Improve: Control assurance; RM Plan progress; RM Maturity Evaluation; RM KPIs; Benchmarking; Governance reporting
    Management Information System: Risk Registers; Treatment Plans; Assurance Plan; Reporting templates
    Process for Managing Risk: Establish context; Identify risks; Analyse risks; Evaluate risks (these three form Risk assessment); Treat risks; with Communicate and consult, and Monitor and review, running alongside every step
  • 11. ISO Overview: 3 main clauses plus terminology from ISO Guide 73
    Principles for managing risk (Clause 3):
    a) Creates value
    b) Integral part of organizational processes
    c) Part of decision making
    d) Explicitly addresses uncertainty
    e) Systematic, structured and timely
    f) Based on the best available information
    g) Tailored
    h) Takes human and cultural factors into account
    i) Transparent and inclusive
    j) Dynamic, iterative and responsive to change
    k) Facilitates continual improvement and enhancement of the organization
    Framework for managing risk (Clause 4):
    4.2 Mandate and commitment
    4.3 Design of framework for managing risk
    4.4 Implementing risk management
    4.5 Monitoring and review of the framework
    4.6 Continual improvement of the framework
    Process for managing risk (Clause 5)
  • 12. How to “sell” ERM to senior management? Up to Organization not you
    When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example:
    • increase the likelihood of achieving objectives;
    • encourage proactive management;
    • be aware of the need to identify and treat risk throughout the organization;
    • improve the identification of opportunities and threats;
    • comply with relevant legal and regulatory requirements and international norms;
    • improve mandatory and voluntary reporting;
    • improve governance;
    • improve stakeholder confidence and trust;
    • establish a reliable basis for decision making and planning;
    • improve controls;
    • effectively allocate and use resources for risk treatment;
    • improve operational effectiveness and efficiency;
    • enhance health and safety performance, as well as environmental protection;
    • improve loss prevention and incident management;
    • minimize losses;
    • improve organizational learning; and
    • improve organizational resilience.
  • 13. The role of risk appetite & risk attitude
    “amount and type of risk that an organization is willing to pursue or retain”
    “organization's approach to assess and eventually pursue, retain, take or turn away from risk”
    • Vague term that is still evolving, can be bottom up (from typical decisions) or top down from basics of survival and comfort of board and senior management
    • In conceptual terms
      – Identify all risks (events and consequences) [high level]
      – Estimate plausible worst case and best case scenarios – may be expressed as a risk profile
      – Examine the robustness of the organization wrt plausible cases
      – Balance opportunities and threats against the organization’s capabilities/resources and select a risk appetite or risk attitude – how risk averse?
  • 14. Risk Tolerance is the practical step between risk appetite and risk criteria (risk evaluation) (also deals with silos)
    • for specific consequence categories (reputation, credit, compliance, country, etc.)
    • for predetermined categories of likelihood
    • find equivalent effects on objectives
    • done by senior management (workshops)
    • using risk matrix results as a check and perhaps involving voting, delphi, etc.
  • 15. Likelihood Scale for Tolerance (Simple Rating Scale) (Hydro 1 Harvard Business School case study 9-109-001)
    1. Remote: 5% probability that the event will occur in the next 36 months
    2. Unlikely: 25% probability that the event will occur in the next 36 months
    3. Even Odds: 50% probability that the event will occur in the next 36 months
    4. Very Likely: 75% probability that the event will occur in the next 36 months
    5. Virtually Certain: 95% probability that the event will occur in the next 36 months
  • 16. Hydro 1 Risk Tolerances for 3 Silos (Fraser, 2009)
    Business Objective | Consequence | 5 Worst Case | 4 Severe | 3 Major | 2 Moderate | 1 Minor
    Financial | Net income (shortfall) | >$150 million | $75-$150 million | $25-$75 million | $5-$25 million | <$5 million
    Reputation | Negative Media / Opinion Leaders and Public | International / Everyone | National / Most | Provincial / Several | Local | Letters To Govt & Hydro
    System reliability | Outages: Customers, or # MW for 7 days, or Fail NERC | >100,000 / >1000 / YES | 40-100k / 400-1000 / Some | 10-40k / 100-400 / Warning | 1-10k / 10-100 / Near many | <1,000 / <10 / Near few
  • 17. Standard sort of Risk Matrix
    Be careful, extremely careful, with risk matrices: works well at the understanding/communications level, BUT
    Likelihood (rows): Very Likely (>.45); Likely (.45 - .19); Medium (.19 - .05); Unlikely (.05 - .011); Remote (< .011)
    Consequences (columns): Minor; Moderate; Major; Severe; Catastrophic
    Risk levels (cells): High, Medium, Low
    Risk levels plotted in structured Workshop with Experts, voting, Delphi…
  • 18. Example of use of Risk Matrix to set priorities – What might be wrong with this?
    Three initiatives plotted: 1. Refurbish; 2. Vegetation Mgmt; 3. IT Upgrade
    One Low/Medium/High matrix per KPI, Likelihood (VL, L, M, UL, VUL) against Consequences (Cata., Severe, Major, Mod, Minor, No Impact):
    • KPI - Tx/Dx Reliability (consequence scale >10, 5-10, 1-5, .2-1, <0.2, No Impact)
    • KPI - Unsupplied Energy
    • KPI - SFI
    • KPI - Unavailability
    • KPI - Worst Served Cust.
    • KPI - Dx SAIDI
    • KPI - Dx SAIFI
    (the cell placements of the three initiatives are a figure and are not recoverable from the transcript)
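The likelihood bands on the "Standard sort of Risk Matrix" slide and the financial thresholds in the Hydro One tolerance table are enough to place a risk in a matrix cell, and the presenter's warning to be careful with matrices can be made concrete with a small check. The Python below is an added example written for this page; it is not code from the presentation, Hydro One, Fraser, or ISO 31000. It assumes lower-bound-inclusive bands (the slides do not say where a value exactly on a boundary falls), leaves out the High/Medium/Low colouring because the slides do not give the cell-by-cell assignment, and uses a constructed four-item risk register with hypothetical names and numbers. The `cell_spread` check reports how far apart the expected losses of risks sharing one cell can be, which is one reason a matrix is useful for communication but weak as the sole basis for priority setting.

```python
"""Bucket risks into the matrix cells defined on the slides and measure how
much expected loss can hide inside a single cell.  Added example; the risk
register below is constructed, not data from the presentation."""

from dataclasses import dataclass

# Likelihood bands from the "Standard sort of Risk Matrix" slide: probability
# of the event within the 36-month horizon of the Hydro One scale.  The lower
# bound is treated as inclusive (an assumption; the slide only gives ranges).
LIKELIHOOD_BANDS = [
    ("Very Likely", 0.45),
    ("Likely", 0.19),
    ("Medium", 0.05),
    ("Unlikely", 0.011),
    ("Remote", 0.0),
]

# Financial consequence ratings from the Hydro One tolerance table: net income
# shortfall in millions of dollars, lower bound inclusive (same assumption).
FINANCIAL_RATINGS = [
    (5, "Worst Case", 150.0),
    (4, "Severe", 75.0),
    (3, "Major", 25.0),
    (2, "Moderate", 5.0),
    (1, "Minor", 0.0),
]


def likelihood_band(p: float) -> str:
    """Return the band name for probability p (0 <= p <= 1)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    for name, lower in LIKELIHOOD_BANDS:
        if p >= lower:
            return name
    raise AssertionError("unreachable: the Remote band starts at 0.0")


def financial_rating(shortfall_musd: float) -> tuple[int, str]:
    """Return (rating, name) for a net-income shortfall in $ millions."""
    if shortfall_musd < 0.0:
        raise ValueError("shortfall must be non-negative")
    for rating, name, lower in FINANCIAL_RATINGS:
        if shortfall_musd >= lower:
            return rating, name
    raise AssertionError("unreachable: the Minor rating starts at 0.0")


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float     # chance the event occurs in the 36-month horizon
    shortfall_musd: float  # net-income shortfall if it does, $ millions

    def cell(self) -> tuple[str, str]:
        """The (likelihood band, consequence name) matrix cell."""
        return likelihood_band(self.probability), financial_rating(self.shortfall_musd)[1]

    def expected_loss_musd(self) -> float:
        return self.probability * self.shortfall_musd


def cell_spread(risks: list[Risk]) -> dict[tuple[str, str], dict]:
    """Group risks by cell and report min/max expected loss per cell.
    The max/min ratio shows how different two "equal" matrix entries can be."""
    groups: dict[tuple[str, str], list[Risk]] = {}
    for r in risks:
        groups.setdefault(r.cell(), []).append(r)
    report = {}
    for cell, members in groups.items():
        losses = [m.expected_loss_musd() for m in members]
        lo, hi = min(losses), max(losses)
        report[cell] = {
            "members": [m.name for m in members],
            "min_expected_loss": lo,
            "max_expected_loss": hi,
            "ratio": hi / lo if lo > 0 else float("inf"),
        }
    return report


def rank_by_expected_loss(risks: list[Risk]) -> list[str]:
    """Names ordered by probability x consequence, largest first."""
    return [r.name for r in sorted(risks, key=Risk.expected_loss_musd, reverse=True)]


# Constructed register: hypothetical names and numbers, not from the slides.
SAMPLE_REGISTER = [
    Risk("Vendor outage", 0.46, 5.2),
    Risk("Ransomware", 0.95, 24.0),
    Risk("Regulatory fine", 0.012, 140.0),
    Risk("Data breach", 0.20, 30.0),
]


def demo_report() -> dict[tuple[str, str], dict]:
    return cell_spread(SAMPLE_REGISTER)


if __name__ == "__main__":
    for cell, info in demo_report().items():
        print(cell, info)
    print(rank_by_expected_loss(SAMPLE_REGISTER))
```

In the constructed register "Vendor outage" and "Ransomware" land in the same (Very Likely, Moderate) cell although their expected losses differ by roughly a factor of nine, and the expected-loss ranking does not follow cell position at all; that is the kind of check a workshop can run before the matrix results are used as anything more than a prompt for discussion.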
  • 19. Basic and overarching in 31000 – Integration
    ISO 31000 “recommends that; organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk (RMP) into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture.”
    How will ERM help improve existing risk management?
  • 20. Overarching in 31000 – Integration (continued)
    4.3.4 Integration into organizational processes
    • Risk management (RM) should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient.
    • The risk management process should become part of, and not separate from, those organizational processes.
    • When you make any decision/choice then part, and only a part, of the decision process is the Risk Management Process (RMP).
  • 21. Overarching in 31000 – Integration (continued)
    “2.7 risk owner - person or entity with the accountability and authority to manage a risk”
    • Every risk (effect of uncertainty on objectives) is owned
    • Risk owners are listed in risk register
    • Ownership has its privileges – get to monitor: risk, risk controls (may be responsibility of others), cost of controls, effectiveness of controls, value of RMP (risk management process); and continuously improve all
    • your annual evaluation includes how well you manage your owned risks (part of the standard!)
  • 22. Ironically, 48.7% of respondents describe the sophistication of their risk oversight processes as immature to minimally mature. Forty-seven percent do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Almost 70% noted that management does not report the entity’s top risk exposures to the board of directors. These trends are relatively unchanged from those noted in the 2009 report. (NCU ERM center 2010 report)
  • 23. “risk management framework – set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
    NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk
    NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities
    NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational policies and practices” (ISO 31000)
  • 24. 7 components to the ERM Framework
    1. Mandate and commitment to the framework (step 1)
       a. Agreement in principle to proceed
       b. Gap analysis
       c. Context for framework
       d. Design of framework
       e. Implementation plan
    2. Risk management policy
       a. Policies for the framework, its processes and procedures
       b. Policies for risk management decisions:
          i. Risk Appetite
          ii. Risk Criteria
          iii. Internal Risk Reporting
    3. Integration into the Organization
    4. Risk Management Process
    5. Communications and Reporting
    6. Accountability
       a. Risk ownership and risk register
       b. Managers’ performance evaluation
    7. Monitoring, Review and Continuous improvement
       a. Responsibility for maintaining and improving framework
       b. Risk Maturity and continuous improvement of framework
  • 25. (Framework Continuous Improvement Cycle, Framework Implementation and Process for Managing Risk diagram, repeated from slide 10)
  • 26. The risk management process
    Establish the context; Identify risks; Analyse risks; Evaluate risks; Treat risks; with Communicate and consult, and Monitor and review, alongside
    Used by every manager for every decision
  • 27. Risk Assessment
    • Identify the risks
    • Analyze the risks (Note: when numerical estimates of likelihood, consequences not available then subjective risk matrix methods may be used)
    • Evaluate the risks against Risk Criteria
    • Result of Evaluation is to (or not to) Accept Risk - “informed decision to take a particular risk”
    • Not Acceptable, go to Risk Treatment
  • 28. Risk Treatment - “process to modify risk”
    “NOTE 1 Risk treatment can involve:
    — avoiding the risk
    — increasing risk in order to pursue an opportunity;
    — removing the risk source
    — changing the likelihood
    — changing the consequences
    — sharing the risk with another party or parties [including risk financing]
    — retaining the risk by informed decision
    NOTE 3 Risk treatment can create new risks or modify existing risks.”
    Risk Treatment is often a cycle of: Control options, Assessment of Residual Risk, Accept?, Treat risk?, Control options, Assessment…
  • 29. “communication and consultation” – “continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk
    • NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability, treatment aspects
    • NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
      – a process which impacts on a decision through influence rather than power; and
      – an input to decision making, not joint decision making.”
  • 30. Example risk register for a specific Strategic Objective – illustration only (Courtesy of the Food Company)
    Objective xx “Ready-to-Heat”: Aggressively grow and build the ready-to-heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product.
    Owner: Joe | Priority: yes | Risk Profile: High
    Risks (uncertainties re Obj):
    1. Increase of aggressive competition from Rice Master and Fast Rice
    2. Aggressive year for growth target for the segment & brand
    3. Achieve new product growth targets
    Control Activities (risks addressed, by reference number):
    • Accelerate innovation (1,2,3)
    • Conduct competitor analysis session (1)
    Action Plan:
    • Jane to develop 2-3 innovation schemes within 2 months
    • Joe to do market analysis
    Steps annotated on the register:
    1. Identify initiatives and their associated descriptions with measurable objectives
    2. Prioritize order of the key initiatives based on their contribution to achieving the overall financial and strategic objectives within the OP
    3. Document the individual in charge of the given initiative
    4. List of risks that could hinder the ability to meet the initiative’s objectives
    5. List of planned activities that will modify the risks – match the treatment strategies to risk through the reference numbers
    6. Management Team evaluates the probability of success in achieving this initiative’s overall objectives
    7. Document the immediate next steps for effective initiative execution
  • 31. Bow-Tie Risk Treatment Tool – Example of an integrated tool for RM Process (© Broadleaf Capital International, 2006)
    Fields: 1. (unlabelled in transcript); 2. Causes; 3. Impacts; 4. Existing Controls – Preventative; 5. Existing Controls – Reactive – Post Event; 6. Risk Control Effectiveness; 7. Consequence rating; 8. Likelihood rating; 9. RISK RATING; 10. Comments; 11. Risk Owner
    For each existing control (preventative and reactive): Control Owner; Task (future controls); Task Owner; Due Date
  • 32. How to measure success? – Risk Maturity? Standard and Poor’s ERM perspective (still too negative)
    Companies that are considered "strong" demonstrate an enterprise-wide view of risks, but are still focused on loss control. These companies have control processes for major risks, thus giving them advantages due to lower expected losses in adverse times, as such companies can consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Strong ERM firms are unlikely to experience unexpected losses outside of tolerance levels. Risk and risk management are usually important considerations in such firms' corporate judgment.
    Companies that are considered "excellent" possess all of the characteristics of those scored "strong" and will also demonstrate risk/reward optimization. Such companies have very well-developed capabilities to consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Risk and risk management are always important considerations in such firms' corporate judgment. It is highly unlikely that these firms will experience losses outside of their risk tolerance.
  • 33. Risk Maturity Score – Fraser Valley Health
    Elements of ERM, each scored against Level of ERM Maturity (1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized):
    • Organization Philosophy & Culture
    • Leadership Commitment
    • RM Capabilities
    • RM Process
    • Monitoring & Review
    • Reporting & Control
    • Integration with other Management Systems
  • 34. Organization Philosophy & Culture (Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized)
    1. Risk management culture (levels 1 to 5, in order): The focus is primarily on responding to crises and tends to be reactive rather than proactive. People tend to be risk averse. Risks are identified primarily at operational and project levels. RM concepts are intuitively understood and practised on ad hoc basis. A cautious approach is taken to RM overall. RM is done proactively to anticipate risks and develop mitigation plans. Emerging risks are considered. Focus is on opportunities, not just risk avoidance. Risk implications are considered in all major decisions. Risks are consistently managed. Staff are encouraged to be innovative. The organization fosters a culture of continuous learning and participation. Staff are highly committed to organization success. RM is done at every level in the organization, and is strongly integrated with management practices. Individual and organization expectations for RM are synchronized.
    2. Roles and responsibilities for managing risk (levels 1 to 5, in order): Roles and responsibilities are not documented and are unclear. No individual accountability for managing risk. RM is viewed as a department rather than a process. Responsibilities for managing risk have been established (job descriptions, terms of reference, etc.), but are not understood or consistently followed. Risk is managed intuitively, on an ad hoc basis. Roles and responsibilities for RM are clear, well communicated and understood throughout the organization. RM is embedded in individual behaviour. Individuals are empowered to manage risks. Responsibility for RM is an integral part of goal setting and performance planning. Individual accountability for RM is firmly embedded in organization culture. Roles and responsibilities for RM are aligned with overall organization accountability framework.
  • 35. Organization Philosophy & Culture cont’d (Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized)
    3. Linkage to ethics and values (levels 1 to 5, in order): No ethics policy or guidelines in place. Policy statements are issued on ad hoc basis. No clear statements of shared values or principles, or attention to legal or political considerations. Organization has an ethics and values statement. RM philosophy is reflected in written code of ethics and values. Philosophy is attuned to legal and political considerations. Policies are communicated across the organization but applied inconsistently. Ethics and values principles and legal/political considerations are well understood by staff, and applied consistently throughout the organization. RM approach is closely aligned with ethics and values. Ethics and values help managers take a balanced approach to RM, and reconcile competing external forces. Ethics and values surveys consider risk, and are carried out regularly. Improvements are made. Ethics, values and sensitivity to legal/political considerations are consistently reflected in organization practices and RM approach. Atmosphere of mutual trust exists at all levels of organization. Few infractions or incidents occur.
    4. Valuing risk management behaviour (levels 1 to 5, in order): High level of scepticism exists within organization. Mixed messages are given to staff. RM is not considered in assessing and rewarding performance. Staff contribution to managing risk is not recognized or valued. People are consulted and given opportunity to participate in RM. Staff contribution to managing risk is recognized on ad hoc basis. Performance in managing risks is considered in recognition and rewards programs. The working environment supports a proactive approach to managing risks. Information on risk is shared openly. Strong sense of teamwork exists across the organization. Recognition and rewards programs encourage staff to manage risks and take advantage of opportunities. Management is committed to continuous RM learning. Sanctions in place for knowingly ignoring risks. Staff development is a major organization priority. Staff encouraged and recognized for identifying risks and opportunities, and for identifying risks not being appropriately managed. Staff continuously cited for their exemplary behaviour. Value of human capital in the organization is measured.
  • 36. Leadership Commitment to Risk Management (Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized)
    5. Leadership (levels 1 to 5, in order): RM is the concern of managers, and is dealt with on an ad hoc basis. RM concepts are ill defined and not well understood. No leadership engagement. RM initiatives are supported by senior management on ad hoc basis. Risks are managed by operational managers. No Board engagement. Senior management regularly engaged in formal RM process. Minimal Board engagement. Senior management oversee and champion the organization’s RM framework, and lead by example. Some Board engagement. Board and senior management commitment for RM clearly articulated, and strongly embedded at all levels of the organization.
    6. Risk management framework & policy (levels 1 to 5, in order): The organization has no formal RM framework or policy. Some RM policies for specific areas have been formally documented to address specific risks. Organization RM framework in place. Organization RM framework and policy. These are well communicated and followed. Board approved RM framework and policy are well communicated, followed and compliance is monitored.
    7. Roles and responsibilities of senior management (levels 1 to 5, in order): Unclear roles and responsibilities for RM. The audit function is seen as responsible for identifying risks. Specialists are responsible for managing risks. Managers identify and respond to risks on an ad hoc basis. Senior management assume responsibility for RM practices. Collectively, they identify and assess key organization risks, and develop mitigation plans. Senior management roles and responsibilities for RM are well documented in accountability agreements or governance documents. They are consistently applied and monitored. Senior management promote and support research into RM best practice to ensure evidence-based approach. They are seen as leaders and innovators for implementing state of the art RM concepts.
  • 37. Risk Management Capabilities (Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized)
    8. Risk management competencies (levels 1 to 5, in order): RM is not perceived to be a formal competency. RM concepts are not well understood. RM competencies have been identified, and skills gap established by some managers. Little or no formal training has been done. Training in RM is high priority. Skills gap is being addressed. Training is being sourced. There is “cross-fertilization” between specialists and managers. RM competency development is integral part of individual learning plans, and organization development programs. Staff at all levels are being trained, and skills gaps addressed. Ongoing commitment to ensure continuous renewal of RM competencies. The organization is well known and respected for its RM training program.
    9. Risk management techniques (levels 1 to 5, in order): Limited RM tools and techniques are available. Managers tend to use their own individual approach for risk analysis. Available RM techniques have limited focus in specialised areas (e.g., finance, OH&S, IT project management). Managers have access to various RM techniques that integrate financial and non-financial information for risk analysis. Tools are used with specialist support. Wide range of RM tools/techniques available to all staff who understand how to use them, as well as their benefits and limitations. Knowledge transfer occurs between specialists and managers. RM tools and techniques are integrated with other management decision support tools. Strong interface with IS. Periodic review and update of tools and techniques.
    10. Specialist support (levels 1 to 5, in order): No specialist support for RM. Specialists are used by management to carry out basic risk analysis on an ad hoc basis. Specialists are known throughout the organisation and often called upon by managers to provide RM analysis and advice on specific issues. The expert advisory role of specialists is valued by all levels of management. Specialist support viewed as a key enabler in initiating change. Specialists advise on broad range of issues, on an integrated basis, through multi-disciplinary teams. Externally recognized.
  • 38. Risk Management Process (Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized)
    11. Risk identification & assessment (levels 1 to 5, in order): No formal process to identify and assess risks. Risks are identified for specific areas, and assessed by managers on an ad hoc basis. No formal process in place. No attempt to aggregate risks across the organization. Formal risk assessment process and tools available to managers. Tools are used with specialist support. Risks are identified across the organisation to provide aggregate view. Formal process and tools available to managers who understand their benefits/limitations, and know how to apply them. More sophisticated tools available with specialist support. Risk categories provide aggregate view for better understanding. Risk assessment process and tools are integrated with other management decision support tools. Strong interface with organization management information systems.
    12. Risk tolerance (levels 1 to 5, in order): Risk tolerance is not defined. Risk tolerance is not defined. Specific risk levels are accepted or rejected intuitively. Risk tolerance is somewhat defined for the organization and used by management. Common understanding and application of specific risk tolerance levels. Risk tolerance levels established at all levels of the organization guide decision making.
    13. Risk documentation (levels 1 to 5, in order): No formal risk documentation is done. No formal process in place. Risk documentation that does occur is ad hoc and inconsistent. Formal documentation of risks in some areas – i.e., risk register, RM plans. Formal documentation of risks at all levels of the organisation. Risk registers and RM plans are regularly monitored and updated. Formal documentation of risk (risk register, RM plans) is an integral part of planning and decision making – and a requirement of the Board.
  • 39. ORMIS April 21, Toronto, ISO 39 Monitoring & Review (Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized)
    14. Performance measurement
      1 Initial: No formal performance measurement system in place.
      2 Repeatable: Performance measurement at departmental level involves monitoring of risks. Some risk indicators have been developed but not consistently applied.
      3 Defined: Organization-wide performance measurement system includes monitoring of risk indicators.
      4 Managed: Risk indicators are interpreted in relation to other corporate performance measures. Regular monitoring and review by Executive.
      5 Optimized: Strategic and operational risk indicators and performance measures are closely linked. Regular monitoring and review by Executive and the Board.
    15. Review of the risk management practices
      1 Initial: No measurement framework in place to assess RM practices.
      2 Repeatable: Evaluation of RM practices occurs in specific areas. This is typically done by internal audit.
      3 Defined: Performance indicators to assess progress in implementing the organization RM framework, and the effectiveness of RM practices, have been developed.
      4 Managed: Information is regularly collected to monitor outcomes achieved as a result of the RM framework and practices. Benchmarks established against which to assess progress.
      5 Optimized: Performance against indicators is measured, and results tracked over time. Action taken to improve. RM performance indicators and benchmarks are regularly reviewed and updated.
  • 40. ORMIS April 21, Toronto, ISO 40 Reporting & Control (Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized)
    16. Risk management plans
      1 Initial: No formal RM plans exist.
      2 Repeatable: Formal RM plans in place to address and report on specific risks. However, RM plans are not developed on a consistent basis throughout the organization.
      3 Defined: RM is discussed as a part of the strategic and business planning processes. Plans include an overview of key risks and mitigation.
      4 Managed: Organization-wide RM plan in place that includes comprehensive analysis of organization risks and mitigation. Plan is regularly reported against, reviewed and updated by senior management.
      5 Optimized: Organization RM plan is viewed as integral to organization success. The plan is regularly reviewed and updated by senior management, and reported to the Board.
    17. Controls
      1 Initial: Existing controls are not linked to corporate objectives or risk appetites. No criteria in place to evaluate controls effectiveness.
      2 Repeatable: Controls are used on an ad hoc basis to respond to new risks. Limited cost/benefit analysis of controls. Controls effectiveness is not monitored on a regular basis.
      3 Defined: Controls reflect corporate objectives and risk appetites. Cost/benefit analysis of controls is regularly conducted. Controls compliance and effectiveness is monitored at a high level.
      4 Managed: Risk significance, as well as the cost/benefit of mitigation options, is considered prior to implementing controls. Compliance with, and effectiveness of, controls is regularly monitored and reported throughout the organization.
      5 Optimized: The organization’s control environment is integrally linked to objectives, risk appetites and RM strategies. Controls compliance and effectiveness is regularly monitored and reported against, and improvements made as required.
  • 41. ORMIS April 21, Toronto, ISO 41 Integration with Other Management Systems (Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized)
    18. Linkage with strategic and operational planning
      1 Initial: RM is not linked with organization planning processes.
      2 Repeatable: Risks are considered in development of business and operational plans on an ad hoc and inconsistent basis.
      3 Defined: Formal consideration of risks is an integral part of strategic and operational planning.
      4 Managed: Formal RM process integral to strategic and operational planning. Risks are prioritized, and cost/benefit of mitigation options are assessed.
      5 Optimized: RM process is fully embedded in organization planning at all levels. A variety of modelling techniques used to quantify risks.
    19. Linkage to management information system
      1 Initial: Limited management information to support RM.
      2 Repeatable: Management information exists to varying degrees to support RM at departmental level.
      3 Defined: Management information exists for the organisation as a whole but with limited “drill-down” capability.
      4 Managed: Organization-wide performance management system in place. Information is used on an ongoing basis to support RM.
      5 Optimized: Sophisticated decision support tools available on-line to support RM at all levels of the organization.
    20. Linkage to internal communication and feedback on risks
      1 Initial: No formal internal communication channels for risk issues.
      2 Repeatable: Ad hoc communication on risk issues at departmental level. Managers tend to work independently with some interaction.
      3 Defined: Communication on risk issues follows normal reporting channels. Some sharing of information across the organization.
      4 Managed: Risk information is shared across the organization. A pro-active effort made to communicate information on RM best practices and lessons learned.
      5 Optimized: RM best practices and lessons learned are regularly communicated to the organization via newsletter, web page, orientation, etc.
    21. Linkage to communication with external stakeholders
      1 Initial: No formal communication with external stakeholders on risk issues.
      2 Repeatable: Communication with stakeholders is ad hoc. Risk information is communicated on a “need to know” basis.
      3 Defined: Formal process to communicate with stakeholders on risk issues.
      4 Managed: Regular reporting to stakeholders on performance and risks. Stakeholder feedback obtained and considered in risk mitigation.
      5 Optimized: Careful consideration of stakeholder interests in risk mitigation. The organization is widely respected by stakeholders.
  • 42. ORMIS April 21, Toronto, ISO 42 Roles in ERM – One scheme
    Core Internal Audit roles:
      • Giving assurance on the Risk Management processes
      • Giving assurance that the control systems are effective
      • Giving assurance that risks are correctly evaluated
      • Evaluating Risk Management processes
      • Evaluating reporting of material risks
      • Reviewing the management of material risks
    Legitimate Internal Audit roles with safeguards:
      • Giving advice on identifying & evaluating risks
      • Championing establishment of ERM
      • Facilitating risk workshops
      • Central coordinating point for ERM
      • Monitoring risks across the business
      • Holistic reporting on risks
      • Facilitating Management’s response to risks
      • Operating the ERM framework
      • Developing RM strategy for Board approval
    Roles Internal Audit should not undertake:
      • Imposing risk management processes
      • Setting the risk appetite
      • Assurance by management on controls and risks
      • Taking decisions on risk responses
      • Managing risks on Management’s behalf
      • Accountability for risks and controls
    (Diagram footer labels: Internal Audit roles; CRO or Risk Management Department; Roles for Management at all levels of organization)
  • 43. ORMIS April 21, Toronto, ISO 43 Are we done yet? Agenda Covered? Questions?
    • Risk is “effect of uncertainty on objectives”
    • Discussion of Adopt 31000 - PHB Bilton and KISS
    • Overview of 31000; introduction, scope, principles, framework, process
    • How to “sell” ERM to senior management?
    • The role of risk appetite, risk tolerance and the ubiquitous risk matrix/map/profile to deal with existing silos
    • How will ERM help improve existing risk management?
    • Next steps? How to measure success?
    • Monitor, communications and consultation, and risk ownership.
    • Role of CRO? (Ans- Minimal)
    • What did we learn today?
  • 44. ORMIS April 21, Toronto, ISO 44 Anatomy of Risk (diagram; labels only): Objectives; Opportunities / Threats; Risks: +ve and -ve; Strategic Risk Management Process; Decision to “Take a Risk” or not; Detailed Risk Management Process (RMP); Risk Control(s); Residual Risk; Actual Risk ???; Risk Financing