Inspiring Business Confidence. ISO 31000 whitepaper, January 2015. Author: Graeme Parker
ISO 31000 is an International Standard for Risk Management published by the International Organization for Standardization (ISO). It provides guidance on the principles of managing the range of risks that organisations face today. Because it is a set of generic risk management principles, it can be adopted effectively in many environments.

Some of the business benefits of using ISO 31000 include:
- Cost reduction gained through a greater understanding and management of risk;
- Protection of brand and reputation;
- Increased confidence of customers and clients;
- Compliance with legal, regulatory and contractual requirements;
- The ability to address many different risk types through one well designed risk management framework.

There are many other benefits to using ISO 31000 in your approach to risk management. This paper aims to explain how to apply the standard to gain business benefit.

Introduction

Risk, in the standard's own definition, is the effect of uncertainty on objectives, and all organisations face uncertainties which need to be understood and managed. From an organisational perspective, risk relates to organisational objectives: will a potential event allow or prevent the objectives from being fulfilled? Risk management is then about assessing events, identifying the potential consequences, positive and negative, and developing and undertaking actions to handle those consequences.

In 2009, in response to ongoing industry debate about what risk management actually meant in practice, ISO published ISO 31000 to outline the components that make up a good organisational risk management framework. The standard does not prescribe a management system like other ISO standards; instead, elements of the framework can be chosen as required by the user.
Furthermore, the standard is not designed for certification, and in our opinion this is a positive point: there is no need to tick boxes or implement processes to pass an audit, and an organisation can instead use the parts of the framework that lend the best value.
What is Risk Management?

As highlighted earlier, risk management is a business driven process to help ensure organisations fulfil their overall objectives whilst also reducing the chances of suffering negative or undesirable consequences from a wide variety of events. In order to actually manage risks, however, an organisation needs to establish a framework which should meet some key principles, so before looking into the how, let's first take a look at those principles and associated benefits as described in ISO 31000.

Risk Management Principles and Benefits

1. Risk management creates and protects value.
The whole purpose of managing risk is both to fulfil objectives and to increase organisational performance. If an organisation proactively addresses risk, it can avert problems, seize opportunities and increase performance in a variety of areas, including: human health and safety, security, legal and regulatory compliance, environmental protection, product and service quality, project management, operational efficiency, governance, and public reputation and image. Effective risk management allows an organisation to be more resilient and able to withstand the many challenges faced in an ever changing and volatile world. Additionally, proper risk management will make sure budget is only invested in treating risks that actually exist and require action. This increases the return on investment and prevents overspending or the incorrect allocation of funds and resources.

2. Risk management is an integral part of all organisational processes.
Because we describe risk management as a specific activity, it is understandable that people see it as a separate function. In truth, identifying, analysing and evaluating risks should form part of all organisational processes if risk management is to succeed. No person or team can manage all risks, therefore responsibility and accountability for risks need to be properly assigned and, importantly, become part of an organisation's culture. Of course all organisations will have experts to advise and guide; however, risks are never truly managed until risk management becomes a standard part of everyday activities. Through this culture it is important to assess each risk in its business context and use the available business intelligence to determine whether a risk needs to be treated, while considering the acceptable level of residual risk.

3. Risk management is part of decision making.
Organisations and management at all levels make decisions of varying magnitudes: whether to invest company funds, make a purchase, recruit staff and many others. These decisions are usually based on some understanding of the associated risk or uncertainty. Mature risk management processes allow decisions to be taken with more confidence and less uncertainty, weighing the risks against the perceived benefits. It is possible to build a knowledge base of these decisions to support the decision making process, thus reusing expertise and experience.

4. Risk management explicitly addresses uncertainty.
As you will by now be aware, the whole purpose of risk management is to address uncertainty. Risk management is not about seeing into the future; it is about using knowledge and intelligence to make a good prediction about events, considering the likelihood of an event occurring and the positive or negative consequence that comes with it. Do not forget that not all risks have a negative impact; some have a positive effect as well (these risks are known as opportunities). An organisation may choose to accept a level of impact to seize an opportunity.

5. Risk management is systematic, structured and timely.
Identifying, analysing and evaluating risks should be done in a manner that follows a consistent system or approach, conducted at the right time by the right people whilst also meeting business requirements.
This is of course easier said than done; however, if an organisation can agree its approach to managing risks, the responsibilities and the reporting channels, then a great deal of business benefit can be realised. It is important to align this approach with one that is considered good practice in the field the organisation operates in, or the field the risks apply to. An example of this is to use the corresponding ISO standard as an approach for managing information security risk, or OHSAS as an approach for managing health and safety risk.

6. Risk management is based on the best available information.
Risk management should always be based on reality, or at least on as much as we know about the reality in an organisation. Whilst risk management may involve making estimates, it should never be based on general opinion, guesswork or assumption. Establishing processes through which useful information can be accessed is a key principle. This may be internal information and intelligence, records of incidents, project lessons learned, industry benchmarks or generally accepted best practice.
7. Risk management is tailored.
ISO 31000 provides the framework for risk management, but it is not designed as a one size fits all solution. Effective risk management is unique to each organisation; the scope, context, organisation type, market, size, values, objectives and strategy are just some of the things that will influence an approach to risk management. It is therefore important that the approach is tailored to take these points into account and is aligned with the internal and external context of the organisation.

8. Risk management takes human and cultural factors into account.
People's view of risks may vary depending on their experience or perceptions. How many times have we heard words such as "that will never happen" without any real investigation? When designing an effective risk management process, understanding people is the key to the process being a success. Understanding the concerns of people at all levels will allow an approach to be adopted that is flexible without allowing general perceptions to cloud sound risk based judgements.

9. Risk management is transparent and inclusive.
Risk management is not just something for senior management or the risk management department. Of course directors, senior managers and executives will make decisions based on risk, but contribution to the process should involve people from across all levels of an organisation. This is particularly true of risks at the operational level: who is more likely to be aware of a health and safety risk, a person on the ground or an executive manager? The point to be highlighted here is that the process needs to be all-inclusive, welcoming and encouraging the contribution of everyone.

10. Risk management is dynamic, iterative and responsive to change.
Risks are not just one-off potential events. The kinds of risks faced by an organisation will constantly change, just as the world changes. Whether it is new legislation or regulations, changes in technologies and people, changes in customer demands, markets or products, or, as we have all experienced to some extent recently, economic circumstances, risk management should adapt to the ever changing world around us. Whatever happens, a good risk management process should be flexible and should be linked to the organisation's overall change management processes. Even when it is not obvious that changes are occurring, regular reviews should be conducted to identify any potential changes, or even the opportunity to improve the risk management process.

11. Risk management facilitates continual improvement of the organisation.
Most organisations would like to improve something, whether it is increased efficiency, winning more business, cutting waste or seizing new opportunities. Understanding uncertainty, identifying opportunities and acting upon them all contribute to organisations being able to drive improvements in some, if not all, of the areas listed under principle 1. This again highlights the point that risk management is not a function on its own but should form part of an overall approach to business performance and excellence, and extends far beyond the realm of IT.
What are the steps to establish a good risk management framework?

In order to build an effective risk management framework for your organisation there are a number of logical steps to take.

1. Gain support from upper management

The first step, as ever, is to gain support from senior management. If senior managers actively support the concept, it is much more likely that the rest of the organisation will support the initiative and that it will become embedded in the culture. All the benefits and principles already described will help in making upper management aware and gaining their support.

Your risk management framework needs to support the business objectives, values and strategies of your organisation. Both the internal and external context of the organisation affect the kind of risk management scope and strategy that will be adopted. It is necessary to obtain an overview of the organisation to understand the challenges and the risk inherent in its market segment. General information about the organisation should be collected in order to better appreciate its mission, strategies, main purpose, values and other key success factors. This helps ensure consistency and alignment between the strategic objectives for risk management and the organisation's mission. So, what do these terms mean?

Mission: The mission is the reason for the company to exist; it justifies why the organisation does what it does. For example, the mission of an organisation may be to offer customers the best value in furniture, to overcome cancer, or to make affordable and safe motor vehicles.
Implications for risk management: Risk management supports the organisation in fulfilling its mission and protecting its value. Risk management practices must therefore be aligned with the corporate mission.

[Figure: strategic alignment between corporate policy (mission, values, strategies, objectives) and the risk management policy and risk management objectives]
Values: Values are the fundamental and enduring beliefs that are shared by members of an organisation and influence the behaviour of individuals.
Implications for risk management: The values of the organisation influence the choices made by risk management professionals. For example, values can influence priorities and policies in terms of evaluating risks.

Objectives: An objective is the result that the organisation wants to achieve. Objectives are generally clear, quantified and time bound (e.g. a 5% gain in market share in 24 months, or sales in France increased to 20,000,000 in 12 months).
Implications for risk management: As with strategy, risk management must understand and be aligned with business objectives, identifying the risks that must be managed and the opportunities that can be seized by the organisation.

Strategies: The strategy consists of the definition of actions, occurring in a logical sequence, to achieve one or more goals.
Implications for risk management: The choice of treatment and the resulting actions will also depend on the strategy defined by the organisation.

2. Define the scope of the risk management framework

Understanding all of the above will help define the scope and context of the risk management framework. We also need to consider the internal and external factors that influence the risk management context.

Practical advice: ISO 31000 offers no practical approach to analysing the context of an organisation. Several methodologies exist to understand how an organisation functions. The important thing is to identify the characteristics of the internal and external environmental factors that will influence risk management: mission, main activities, internal organisation, stakeholders, etc.

[Figure: Establishing the external context, shown as a SWOT grid of Strengths, Weaknesses, Opportunities and Threats]

When starting the implementation of a risk management framework, it is advisable to begin with a manageable scope that relates to key business processes. If possible, select a scope that has as few dependencies on, and interfaces with, other business processes as possible. This will allow much more efficient and successful project management. When defining the scope, both the internal and external context of the business process should be taken into account. The internal context describes the contribution of the process to the value chain and its relationships with other parts of the organisation. The external context describes the relations with, and dependencies on, external parties (customers, suppliers, business partners). For both internal and external context it is recommended that a technique such as SWOT analysis be performed to determine what Strengths, Weaknesses, Opportunities and Threats are present and relevant. The reason for this recommendation is that the Opportunities and Threats in particular will greatly influence the activities that follow.

3. Define a Risk Management Policy

In order for your risk management framework to be a success, a clear policy should be developed showing management commitment to risk management, its importance, and the responsibilities for making sure risk management adds business value in line with the principles described earlier. A good risk management policy will detail:
- The organisation's reasoning behind risk management, clearly laying out its importance and purpose;
- A description of how risk management aligns with the business objectives and strategies of the organisation. This is critical, as a policy is only valuable if it allows the organisation to achieve its objectives; policies should never hinder the organisation;
- The roles and responsibilities. Who is responsible for identifying, assessing and escalating risk? Who can accept risks on behalf of the organisation? These are all questions which need to be clearly answered;
- A description of how risk management performance will be measured;
- Clear direction on how competing issues will be addressed, e.g. does one risk type carry more weight than another, will greater risks be accepted in certain circumstances, and similar questions;
- A documented commitment to drive continual improvement in the risk management process, along with regular review of risk management processes.
The policy should of course be more than a document. All statements made in any policy are statements of intent, and the organisation should be willing and able to implement the policy and all the commitments that go with it; the policy must evolve in concert with the organisation.

4. Integrate with Organisational Processes

As we have noted already, risk management efforts will only be successful if they are integrated into organisational processes. By this we mean that identifying, assessing, analysing and treating risk is something which should be done as part of an existing process rather than as a separate exercise. For example, a change management process should include risk assessment and management as a standard part of the process. This integration is critical, as from a cultural perspective everyone in the organisation can then see risk management as something standard rather than an additional overhead or burden. ISO 31000 makes the following remarks about integration:

"In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes. There should be an organisation-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organisation's practices and processes. The risk management plan can be integrated into other organisational plans, such as a strategic plan."
In order to achieve this integration, the organisation needs to review its business processes and activities and identify where risk management activities would logically fit. For example, a business planning process should logically have a risk management element, a procurement process may involve conducting risk assessments on potential suppliers, and so on. The key point is that those leading the effort need a good understanding of the organisation, its activities and the risks (and opportunities) that those activities present.

5. Allocate Resources

So, what kind of resources are needed to implement an effective risk management programme? The amount of resources will depend largely on the size of your organisation and the scope of your risk management programme. These resources will always include:

People: We have already established that commitment is required from management and that people from throughout the organisation will be involved, but in addition you need skilled practitioners who can establish the risk management framework, ensure people are trained and aware, measure performance and identify improvement opportunities.

Tools: Depending on the kind of activities being performed, the organisation will need a variety of tools for risk management. This would include risk assessment tools and methodologies, risk reporting and monitoring tools and, in some cases, specialist software and information systems. The standard does not dictate how sophisticated these tools should be or how much they should cost; in some cases simple methods can be more than satisfactory. (To get started, take a look at some of the free tools from Parker Solutions Group available on our website.)

Skills: As we have already discussed, risk management will involve many different people from across the organisation. Whilst those individuals do not need to become risk management specialists, they will certainly need to understand the organisation's policy, their responsibilities and the fundamentals of the organisation's approach to risk management. The development of a clear set of training requirements is therefore a key component of the risk management framework. As with any continual improvement process, the requirements should be reviewed regularly as the organisation changes over time.

6. Establish a Communication and Reporting programme

Effective risk management is all about the right people being able to make informed decisions based on realistic information presented in a timely manner. This depends on building a good communication infrastructure to ensure all stakeholders get the right information at the right time. When establishing the risk management framework and policy, an important step is to identify and develop the communication channels. Ask yourself these questions:
- Who should risks be reported to?
- How often?
- When should risks be escalated further up the organisational chain?
- What form of communication fits our organisation?
The frequency and communication style will vary depending on industry and organisational culture, and having the right communication infrastructure will help ensure that the right risks are known in the right place at the right time. The following is a very simple example of an organisation structure that could be adopted:

[Figure: example organisation chart with the following boxes: Board of Directors; Risk and Audit Committee; Risk Management; Finance; Human Resources; Information Technology; Health and Safety; Quality Management; Security; Environmental; Business Continuity]

The above diagram is meant to show some key principles; it is not meant to represent a real organisation, and of course most organisational structures will be much more complex than this. However, there are some clear points.

Firstly, we have the Risk and Audit Committee. The Risk and Audit Committee should report directly to the Board of Directors (or the controlling party in organisations which do not have a board). The committee would consist of senior management from across organisational functions and members of internal audit. The job of the committee is to steer risk management on behalf of the organisation, take decisions on the most serious risks and report to the board on performance and significant events. The committee is not a risk management department, and those involved are not conducting risk assessments. The role of the committee is to ensure that risk management is implemented and effective, and ultimately to make business decisions. The existence of the committee should be agreed by the board of directors, its role should be clearly defined and the criteria for handling risk should be agreed (i.e. what level of risk the committee handles, what it can authorise, what must be escalated, etc.). All of these points should be addressed in the Risk Management Policy.

In order to ensure all necessary risk areas are covered, a Risk Management function is shown on the chart. This may be a department or one individual, depending on the size and scope of the risk management programme.
The job of the Risk Management function is to:
- Ensure appropriate risk assessments are conducted in line with the policy;
- Assist departments in conducting those assessments;
- Provide expertise (or access to it) in the many different risk disciplines;
- Provide departments and functions with risk treatment solutions;
- Escalate risks to the Risk and Audit Committee where the criteria require;
- Provide training on the organisation's risk methods;
- Review risk performance and drive improvements to the risk framework.

Some of the specific risk related functions, such as Security, Health and Safety, Quality and Business Continuity, are all shown here reporting to the Risk Management function. So, why develop a Risk Management function this way? Firstly, such a structure allows these areas to be truly independent, reducing the chance of departmental risks being overlooked, ignored or, in the worst case, hidden. Secondly, the structure allows risk related skills and knowledge to be shared between functions that are often segregated and isolated, all too often creating duplication and unnecessary effort. Of course a security risk assessment is very different in terms of technical expertise from an environmental risk assessment or a financial risk assessment; however, the principles of risk management are very similar, meaning techniques and risk criteria can be more easily aligned. Other risk areas such as financial risk, credit risk, market risk and so on could also be handled by the structure proposed. We have seen this work well for some of our clients, with the function being given other titles such as Business Assurance or the Excellence Department. Whatever the title, the point is that skills can be consolidated, duplication can be reduced, good practice can be shared and communication can be clear through to the Risk and Audit Committee or Directors. This approach of openness and clarity can allow an organisation that does this well to be truly resilient.

7. Perform Risk Assessments

The following describes the steps involved in a typical risk assessment, regardless of the nature of the assessment. There are many methods available; however, before looking at specific tools and methods it is important to understand the key principles.

Identify business processes under assessment
The first step is to select the business process for which the risk assessment needs to be performed. This process should represent value to the organisation, either by creating value in the value chain or by supporting primary processes. Value may be expressed as a direct monetary value or as an intangible value (e.g. the reputation of an organisation). The process should have assets (items of value to the organisation) that are potentially under threat.

Identify legal and regulatory requirements
The business process itself and its assets may be required to adhere to legal requirements, industry regulations or contractual requirements. These laws and regulations form a natural boundary.

Determine maximum damage or gain
Determine the maximum negative impact on the business process using a number of worst-case scenarios. Ask yourself: What are the worst possible things that can go wrong, and how much damage do they incur? Or: What business opportunities become available, and what benefits do they bring?

Determine acceptable risk level and treatment strategy
Most risks cannot be completely eliminated, and some risks are impossible to mitigate completely. However, most risks can be reduced, and the organisation must first select the level of risk acceptable to it. Once that is done, the default treatment strategy needs to be selected. An organisation can select from a number of strategies:
1. Avoidance (stop the business process and thus remove the risk completely);
2. Acceptance (accept the risk as it stands, in line with the risk management policy);
3. Transference (transfer the financial damage of a negative impact to another party, such as an insurance company. This means the damage may still occur, but the organisation is compensated by the insurer at the cost of paying a premium. An alternative may be outsourcing. In this case note that an organisation can transfer the work of addressing the risk; however, the responsibility for and ownership of the risk, plus any associated legal liability, always remain with the organisation);
4. Mitigation (implement controls to reduce the risk).

Determine threats
Determine the different threats to the business process. Each threat is a potential cause of a risk. For most industries, predefined sets of threats are available in risk assessment frameworks. These predefined sets get you started; the set needs to be evaluated for applicability and, if necessary, extended with threats that are particular to the business process in your organisation.

Determine likelihood
Determine the likelihood of each threat occurring. Part of determining this likelihood is the availability of threat vectors, threat actors, vulnerabilities and exploits; together these determine how easy it is for a threat to materialise and cause a negative impact.

Apply risk treatment strategy
The organisation needs to implement the risk treatment strategy it selected. If the organisation opted for mitigation, it needs to select the controls it must implement to reduce the risk to below the acceptable level, and then compare the residual risk against that level.
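The assessment steps above (acceptable level, default treatment, likelihood and impact, and the residual risk left after mitigation), together with the escalation criteria the policy is asked to set for the Risk and Audit Committee, worked through in an added Python example. This is illustration only, not code from the whitepaper or from ISO 31000: the standard prescribes no scales or thresholds, so the 1 to 5 likelihood and impact scales, the score as likelihood times impact, the RiskPolicy thresholds and the register entries are all constructed assumptions.

```python
"""Qualitative risk scoring, appetite check and escalation.

Added illustration, not code from the whitepaper or from ISO 31000 (which
prescribes no scales): the 1-5 likelihood and impact scales, the score as
likelihood x impact, and the policy thresholds below are all assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    AVOID = "avoid"        # stop the activity, removing the risk completely
    ACCEPT = "accept"      # keep the risk as it stands, within policy
    TRANSFER = "transfer"  # insure or outsource; ownership and liability stay with us
    MITIGATE = "mitigate"  # implement controls to reduce the risk


@dataclass
class Control:
    """A control and how far it moves likelihood and impact on the assumed 1-5 scales."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    process: str       # business process under assessment
    threat: str        # potential cause of the risk
    likelihood: int    # 1 rare .. 5 almost certain
    impact: int        # 1 negligible .. 5 severe (worst-case scenario)
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on the 1-5 scale")

    @property
    def inherent(self) -> int:
        """Score before any controls are applied."""
        return self.likelihood * self.impact

    def residual(self) -> tuple[int, int, int]:
        """(likelihood, impact, score) after controls; neither axis drops below 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik, imp, lik * imp


@dataclass
class RiskPolicy:
    """Thresholds a (hypothetical) risk management policy would set."""
    acceptable: int = 6    # residual score at or below which the risk owner may accept
    escalate_at: int = 12  # residual score above which only the Risk and Audit Committee decides


def evaluate(risk: Risk, policy: RiskPolicy) -> dict:
    """Apply the policy to one risk: appetite check, default treatment, escalation flag."""
    _, _, score = risk.residual()
    within = score <= policy.acceptable
    # Within appetite the owner may accept; otherwise more controls are the default.
    # Transfer or avoidance remain committee decisions and are not chosen here.
    treatment = Treatment.ACCEPT if within else Treatment.MITIGATE
    return {
        "risk": risk.name,
        "inherent": risk.inherent,
        "residual": score,
        "within_appetite": within,
        "treatment": treatment,
        "escalate": score > policy.escalate_at,
    }


def register(risks: list[Risk], policy: RiskPolicy) -> list[dict]:
    """Risk register ordered by residual score, highest first (ties keep input order)."""
    return sorted((evaluate(r, policy) for r in risks), key=lambda e: e["residual"], reverse=True)


# Constructed sample register; the processes, threats and scores are made up.
SAMPLE_RISKS = [
    Risk("Order system outage", "Order processing", "Hardware failure", 3, 4,
         controls=[Control("Warm standby and daily backups", impact_reduction=2)]),
    Risk("Supplier insolvency", "Procurement", "Key supplier fails", 2, 5,
         controls=[Control("Second-sourced components", impact_reduction=2)]),
    Risk("Customer data breach", "Customer records", "External attacker", 4, 5,
         controls=[Control("Patch management", likelihood_reduction=1)]),
]
POLICY = RiskPolicy()

if __name__ == "__main__":
    for entry in register(SAMPLE_RISKS, POLICY):
        print(entry)
```

Running it prints the register with the data breach at the top: its inherent score of 20 only falls to 15 after patching, which is above both the appetite and the escalation threshold, so it stays marked for further mitigation and goes to the committee, while the two risks whose controls bring the residual score down to 6 can be accepted by their owners. The point the code makes is that the treatment question is asked of the residual score, not the inherent one, and that acceptance is only an owner-level decision while the residual sits within the stated appetite.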
Methodologies

There are many methodologies available which follow the above principles, and some organisations may develop their own. There are many factors influencing the selection of a risk methodology, such as:
- Suitability for the risk type being assessed;
- Language of the method: it is crucial to master the vocabulary used;
- Existence of software tools facilitating its use;
- Documentation, training, support and qualified staff available;
- Ease of use and pragmatism of the method;
- Costs, including the total cost of ownership;
- Existence of means of comparison (metrics, case studies, etc.).

An important aspect to include in the risk treatment plan is measuring the effectiveness of the risk mitigation controls. Defining key risk and performance indicators will help determine whether the mitigation is successful and effective.

Continual Improvement

As with all ISO standards, ISO 31000 encourages the concept of continual improvement. Continual improvement simply means taking small steps in the right direction. In terms of risk management, the idea is to ensure that risks are more easily identified, are treated more efficiently, are responded to more quickly, and that overall the risk management process becomes more and more integrated into the organisational culture.
About Parker Solutions Group

Parker Solutions Group was established by Managing Director Graeme Parker in response to the increasing risks and challenges that organisations across the globe are facing. We are providers of professional training, services and coaching across multiple risk disciplines. Our aim is to enable your organisation to become resilient to threats, to increase your ability to seize opportunities and to ease the effort of meeting compliance requirements. Our international multi-disciplinary team of professionals is on hand to provide solutions across key risk areas including Cyber Security, Business Continuity, IT and Technology Risk, Energy, Safety, Sustainability and Environmental risk. With our strong knowledge and experience of standards in these areas, along with our innovative and proportionate approach, we are ready to enable your organisation.

Our mission is to ensure that Governance and Risk Management efforts are implemented as efficiently as possible and become a business enabler. We firmly believe that addressing risk should not be a cost or a necessary evil but should be a benefit to your organisation. With a strong team of professionals, Parker Solutions Group helps organisations make Risk Management a business enabler by increasing efficiency and reducing unnecessary cost. All our solutions are linked to the key objectives of your organisation. We are more than just a consultancy: we can make recommendations, and we also have the ability to go one step further and actually implement working solutions covering people, processes and technologies. Our professional coaching and training services are also designed to enable your organisation to become self-sufficient, reducing the reliance on external consultants. Whether your organisation is a small business, a large multinational or a public sector organisation, you can be assured that providing a highly professional and excellent service is the core principle of Parker Solutions Group.

We have professionally certified and dedicated people with proven skills in the services we offer. Our people have experience working with and assisting a wide variety of organisations around the globe. We would like to thank PECB for generously providing the graphics for this whitepaper.

For further information and a free, no obligation discussion please contact us at: 6 George Street, Driffield, York, YO25 6RA, UK; enquiries@parkersolutionsgroup.co.uk; +44 (0)