Transcription

1 9th April 2008 Copyright Implementing ISO but how do you do it? Copyright Capital International Pty Ltd, 2008 BROADLEAF CAPITAL INTERNATIONAL PTY LTD ABN Bettowynd Road Pymble NSW 2073 T l +61 Tel: F Fax: Cooper@.com.au Grant Purdy Associate Director, Capital International This document contains substantial pre-existing Intellectual Property of value to Capital International Pty Ltd (). Chair, Standards Australia and New Zealand Management Committee Nominated Expert ISO WG on Management It is provided for the information of persons to whom it is released by, but not to be sold, licensed or otherwise transferred, whether in its original form or as part of any further development that they might undertake, without s prior written agreement. Capital International Pty Ltd, Implementing Management in 2008 Capital International Pty Ltd, The Pivotal Definition RM Creates Value y on objectives j effect of uncertainty Change in situation NOTE 2 An objective may be financial, related to health and safety, or defined in other terms. NOTE 3 is often described by an event, a change in circumstances, a consequence, or a combination of these and how they may affect the achievement of objectives. NOTE 4 can be expressed in terms of a combination of the consequences of an event or a change in circumstances, and their likelihood. uen seq Con fit +ve ene ces B ess ppin Ha e tag van Ad d oo elih L ik Event Change in circumstances NOTE 1 An effect may be positive, negative, or a deviation from the expected. Capital International Pty Ltd, Is this a car? Treatment Li ke lih oo d -ve Co ns eq u H arm enc es I nju D ry etr im en t Capital International Pty Ltd, Spot the difference? Between this. Capital International Pty Ltd, Capital International Pty Ltd, Capital International Pty Ltd,

2 And this Management Components - The risk process Establish the context Monitor and review Identify risks Analyse risks Evaluate risks Com mmunicate and consult RM Information System Registers Treatment Assurance Reporting templates Treat risks Capital International Pty Ltd, Capital International Pty Ltd, Management Components - The (often missing) organisational context Commit and Mandate Policy Statement Management Assurance plan Standards Procedures/Guidelines Act Train Communications and reporting plan Do Training strategy RM Network Commit and Mandate Policy Statement Management Assurance plan Standards Procedures/Guidelines Strategic Pro ocess Monitor and re eview Strategic Process Tactical Process Establish the context Identify risks Analyse risks Evaluate risks Treat risks consult Train Communications and reporting plan Training strategy RM Network Strate gic Process Measure and review Control assurance RM progress Governance reporting Benchmarking Performance criteria Check Organise and Allocate Board RM Committee Exec RM Committee Manager, RM RM Champions, Control, Task owners Assurance providers Measure and Review Control assurance RM progress Governance reporting Benchmarking Performance criteria RM Information System Registers Treatment Assurance Reporting templates Strategic Process Allocate and Organise and Audit Committee Exec RM Committee RM Working Group Manager, RM RM Champions and Control Owners Capital International Pty Ltd, Capital International Pty Ltd, ISO Framework for Management 5.6 Continual improvement of the framework 5.2 Mandate and commitment 5.3 Designing the Framework 5.5 Monitoring and Reviewing the framework 5.4 Implementing risk Management Process Clause 6 Capital International Pty Ltd, Simple summary it aint what you do Its the way that you do it Capital International Pty Ltd, Capital International Pty Ltd,

3 Principles (Clause 4) risk should. 1. Create value 2. An integral part of organisational processes 3. Part of decision making 4. Explicitly address uncertainty 5. Be systematic and structured 6. Be based on the best available information 7. Be tailored 8. Take into account human factors 9. Be transparent and inclusive 10. Be dynamic, iterative and responsive to change 11. Be capable of continual improvement and enhancement Annex A Attributes of excellence in risk 1. A pronounced emphasis on continuous improvement 2. Comprehensive, fully defined and fully accepted accountability for risks, controls and treatment tasks. 3. All decision making within the organization involves the explicit consideration of risks and the application of the risk process to some appropriate degree. 4. Continual communications and highly visible, comprehensive and frequent reporting. 5. is always viewed as a core organizational process. Capital International Pty Ltd, Capital International Pty Ltd, So how do you start? 1 - the cunning plan 1. Conduct a gap analysis take stock 2. Set a realistic timetable (years) 3. Get a budget 4. Get some help 5. Bleed in the processes (one a year?) 6. Decide when you will be ready to roll (down) 7. Decide on the early adopters with credibility and start m 8. Decide on the blockers and take them on later 9. Look out for opportunity to showcase So how do you start? receiving the blessing 1. Get a sponsor (CEO/CFO/Co Sec) 2. Write a motivational policy statement and get the CEO to own it and sign 3. Tell the risk/audit committee or Board what you are doing and when you will report to them on progress 4. Set up a W/G with all departments involved especially the difficult ones 5. Get consultation going on Standards and Guidelines 6. Agree a timetable for engagement of each department/chunk 7. Get Champions nominated 8. Make friends Internal Auditors Capital International Pty Ltd, Capital International Pty Ltd, So how do you start? 3 - tricks of the trade Don t do a pilot study or call it an initiative Set Standards and write Guidelines (not Policy and Procedures manuals!!) Don t outsource it Don t try to force people to do it you need to make your case Don t ever do it for them after the first time Don t start until you re ready Never agree to just do it for reporting purposes Don t over simplify (simple = yes, simplistic = no) Don t start at the bottom of the organisation Roll down or Roll-up? Answer both! You roll-down risk, getting buy- in and ownership You roll-up risk profiles to produce consolidated profiles Capital International Pty Ltd, Capital International Pty Ltd, Capital International Pty Ltd,

4 The roll-down 1. Engage the team at that level Change their vocabulary and make your case Get them to discuss what they perceive as the major risks and compare across the team! 2. Facilitate a self-evaluation of their current approaches to risk using a structured maturity evaluation 3. Facilitate a strategic risk assessment what are those things that might prevent or enhance us achieving our strategic objectives Management Maturity Measurement System Intent total of 30% Practice total of 70% None Very little Some Good Complete Management Management Management Management Management do not support the agree completely enthusiasticall recognise the intent for the intent for the subscribe to y advocate the need for the requirement requirement the intent of requirement. requirement. the requirement Very little or no any way Poor practice Patchy and limited requirement Partial practice. Absolute practice at all times and in all places Capital International Pty Ltd, Capital International Pty Ltd, Evaluation Protocol for example # Principle # Requirement Guidance on evaluation Management of the s of Change The Business has and uses a Normally this would be a change system or procedure. documented system or approach for The form of risk assessment should be specified within it. The changes 1.1 the of changes. covered will be all those which we propose to undertake internally together with those changes which might occur externally which would be significant for our business. A risk assessment that t considers all This means a properly conducted d systematic ti risk assessment types of risk is conducted whenever rigour of the assessment in keeping severity of the potential 1.2 an internally created change occurs consequences. The risk assessment covers all types of risks and is All risks created by both or is planned. not, for example, just for Health and Safety risks. assessments that consider all Normally, the risk assessments would cover all types of risks. Just a internal and external 1 types of risk are conducted risk assessment that deals with health safety risks is not adequate. changes and events are 1.3 whenever significant external effectively and efficiently changes and events are detected. managed. Assessments that consider all Normally, the risk assessments would cover all types of risks. Just a types of risks are conducted every risk assessment that deals with health and safety risks is not adequate. 1.4 time an important or critical process This may include Procedural HAZOP or the use of detailed techniques or procedure is changed. in keeping process concerned. For example, if the change is to a work instruction. Assessments that consider all Organisational changes may involve just one or a small number of types of risk are conducted every people (for example the restructure of a department) or may affect the 1.5 time before a structural or whole Business (for example a re-structure). This may include organisational change occurs. Organisational HAZOP. Maturity evaluation Compare the current year to the past footprinting Generate a numerical score that links to KPIs and performance Link to insurance premium distribution ib i and create an incentive i Validate through Internal Audit it gives them a protocol to follow Refocus on what matters for yoru organisation Raise the bar after a few years Capital International Pty Ltd, Capital International Pty Ltd, The RMIS manages the outputs Baseline Assessment Maturity Evaluation Register Treatment Management s Tasks Causes Tasks for embedding Controls Task owners for rolling out further ratings etc. Timelines Training owners Budgets? Special risk treatment (eg BCP) Control owners Measurement KPIs Task owners Timelines Capital International Pty Ltd, Conclusions 1. ISO Management is not just about risk assessment for reporting 2. It is a continuous process that infects an organisation 3. It will not happen by accident 4. It should be carefully planned, managed and resourced 5. The benefits (in time) are remarkable and valuable Capital International Pty Ltd, Capital International Pty Ltd,

5 Uncertainty is the human paradox: we fear it, but we need it! Contact details For more information about the material discussed here, please contact: Dr Dale F Cooper Grant Purdy Dr Stephen Grey Geoff Raymond Mike Wood Phil Walker Cooper@.com.au Purdy@.com.au au Grey@.com.au Raymond@.com.au Wood@.co.nz Walker@.com.au Visit our web site: Capital International Pty Ltd, Capital International Pty Ltd, Capital International Pty Ltd,