ISO whitepaper, January Inspiring Business Confidence.

Transcription

1 Inspiring Business Confidence. ISO whitepaper, January 2015 Author: Graeme Parker

2 ISO is an International Standard for Risk Management published by the International Organisation for Standardisation (ISO). It is designed to provide guidance on the principles of managing the range of risks that many organisations face today. Because ISO is a set of generic risk management principles it can be effectively adopted in many environments. Some of the business benefits of using ISO include: Cost reduction gained through a greater understanding and management of risk; Protection of brand and reputation; Increased confidence of customers and clients; Compliance with legal, regulatory and contractual requirements; The ability to address many different risk types through one well designed risk management framework. There are many other benefits to using ISO in your approach to Risk Management. This paper aims to explain exactly how to apply the standard to gain business benefit. Introduction Risk simply means uncertainty, and all organisations face uncertainties which need to be understood and managed. From an organisational perspective, risk really relates to organisational objectives will a potential event allow or prevent the objectives from being fulfilled? Risk Management then is all about assessing events and identifying the potential consequences, positive and negative, developing and undertaking actions to handle these consequences. Back in 2009 in response to on-going industry debate and discussion about what risk management actually meant in reality, ISO developed ISO to provide the outline of the components which would make up a good organisational risk management framework. The standard does not prescribe a management system like other ISO standards. Instead, elements of the framework can be chosen as required by the user. Furthermore, the standard is not designed for certification and in our opinion this is a positive point as there is no need to tick boxes or implement processes to pass an audit and alternatively an organisation can use the parts of the framework that lend best value. 2

3 What is Risk Management? As already highlighted earlier Risk Management is a business driven process to help ensure organisations fulfil their overall objectives whilst also reducing the chances of suffering negative or undesirable consequences from a wide variety of events. In order to actually manage risks however an organisation needs to establish a framework which should meet some key principles, so before looking into the how, let s first take a look at those principles and associated benefits as described in ISO Risk Management Principles and Benefits 1. Risk management creates and protects value. The whole purpose of managing risk is both to fulfil objectives and increase organisational performance. If an organisation pro-actively addresses risk, it can avert problems, seize opportunities and increase performance in a variety of areas including: human health and safety, security, legal and regulatory compliance, environmental protection, product and service quality, project management, operational efficiency, governance and public reputation and image. Effective risk management allows an organisation to be more resilient and able to withstand many challenges faced by organisations in an ever changing and volatile world. Additionally, proper risk management will make sure budget is only invested in treating risks that actually exist and require action. This will increase the return on investment and prevent overspending or the incorrect allocation of funds and resources. 2. Risk management is an integral part of all organisational processes. Because we describe risk management as a specific activity it is understandable that people see risk management as a separate function. In truth identifying, analysing, and evaluating risks is something that should form part of all organisational processes if it is to be a success. No person or team can manage all risks, therefore responsibility and accountability for risks need 3

4 to be properly assigned, and importantly become part of an organisation s culture. Of course all organisations will have the experts to advise and guide, however risks are never truly managed until risk management becomes a standard part of the activities. Through this culture it is important to assess each risk in their business context and use the available business intelligence to determine if a risk needs to be treated whilst considering the acceptable level of residual risk 3. Risk management is part of decision making. Organisations and management at all levels make decisions of varying magnitudes, whether to invest company funds, make a purchase, recruit staff and many other decisions are usually based on some understanding of the associated risk or uncertainty. Mature risk management processes allow decisions to be taken with more confidence and less uncertainty, and consider the risks against the perceived benefits. It is possible to build a knowledge base on these benefits, supporting the decision making process, thus reusing expertise and experience. 4. Risk management explicitly addresses uncertainty. As you will now be familiar with, the whole purpose of risk management is to address uncertainty. Risk management is not about seeing into the future, but it is about using knowledge and intelligence in making a good prediction about events considering the likelihood of an event occurring and the positive or negative consequence that comes with it. Do not forget that not all risks have a negative impact, some have a positive effect as well (these risks are known as opportunities). An organisation may choose to accept a level of impact to seize an opportunity. 5. Risk management is systematic, structured and timely. Identifying, analysing and evaluating risks should be done in a manner that follows a consistent system or approach, conducted at the right time by the right people whilst also meeting business requirements. This is of course easier said than done, however if an organisation can agree its approach to managing risks, the responsibilities and reporting channels then, a great deal of business benefits can be realised. It is important to align this approach to one that is considered good practice in the business field the organisation operates in, or the field the risks apply to. An example of this is to use ISO as an approach for managing Information Security risk or OHSAS as an approach for managing Health and Safety risk. 6. Risk management is based on the best available information. Risk management should always be based on reality or at least as much as we know about the reality in an organisation. Whilst, risk management may involve making estimates and it should never be based on general opinion, guesswork or assumption. Establishing processes where access can be gained to useful information is a key principle. This may be internal information and intelligence, records of incidents, project lessons learned or industry benchmarks and generally accepted best practices. 4

5 7. Risk management is tailored. ISO provides the framework for risk management, but it is not designed to be a one size fits all solution. Effective risk management is unique to each organisation, the scope; context, organisation type, market, size, values, objectives and strategy are just some of the things that will influence an approach to risk management. It is therefore important that the approach to risk management is tailored to take these points into account and is aligned with the internal and external context of the organisation. 8. Risk management takes human and cultural factors into account. People s view of risks may vary depending on their experience or perceptions. How many times have we heard words such as that will never happen without any real investigation? When designing an effective risk management process, understanding people is the key to the process being a success. Understanding concerns of various people at all levels will allow an approach to be adopted that is flexible without allowing general perceptions to cloud sound risk based judgments. 9. Risk management is transparent and inclusive. Risk management is not just something for senior management or the risk management department. Of course directors, senior managers and executives will make decisions based on risk, but contribution to the process should involve people from across all levels of an organisation. This is particularly true of risks at the operational level. Who is more likely to be aware of a health and safety risk, a person on the ground or an executive manager? The point to be highlighted here is that the process needs to be all-inclusive welcoming and encouraging the contribution of everyone. 10. Risk management is dynamic, iterative and responsive to change. Risks are not just one off potential events. The kind of risks faced by an organisation will constantly change just as the world changes. Whether it is the new legislation or regulations, changes in technologies and people, changes in customer demands, markets or products, or as we have all experienced to some extent recently economic circumstances, risk management should adapt to the ever changing world around us. Whatever happens, a good risk management process should be flexible and should be linked to the organisation s overall change management processes. Even when it is not obvious that changes are occurring regular reviews should be conducted to identify any potential changes or even the opportunity to improve the risk management process. 11. Risk management facilitates continual improvement of the organisation. Most organisations would like to improve something, whether it is increased efficiencies, winning more business, cutting waste or seizing new opportunities. Understanding uncertainty, identifying opportunities and acting upon them all contributes to organisations being able to drive improvements in some if not all the areas of principle 1. This again highlights the point that risk management is not a function on its own but in fact should form part of an overall approach to business performance and excellence and extends far beyond the realm of it. 5

6 What are the steps to establish a good risk management framework? In order to build an effective risk management framework for your organisation there are number of logical steps to take. 1. Gain support from upper management The first step as ever is to gain support from senior management. If senior managers actively support the concept, it is much more likely that the rest of the organisation supports the initiative with it being embedded in the culture. All the benefits and principles already described will help in making upper management aware and gaining their support. Your risk management framework needs to support the business objectives, values and strategies of your organisation. Both internal and external context of the organisation affects the kind of risk management scope and strategy that will be adopted. It is necessary to obtain an overview of the organisation to understand the challenges and the risk inherent in that market segment. General information about the organisation concerned should be collected in order to better appreciate its mission, strategies, main purpose, values and other key success factors. This helps ensure consistency and alignment between the strategic objectives for risk management and the organisation s mission. So, what do these terms mean? Mission: The mission is the reason for the company to exist. This justifies what brings the organisation to do what it does. For example, the mission of an organisation may be to offer customers the best value in terms of furniture, overcome cancer or make affordable and safe motor vehicles. Implications for risk management: Risk management supports the organisation in fulfilling its mission to protect its value. The risk management practices must therefore be aligned with the corporate mission. Corporate Policy Risk Management Policy Mission Values Strategies Strategic Alignment Risk management objectives Objectives 6

7 Values: Values are the fundamental and enduring beliefs that are shared by members of an organisation and influence the behaviour of individuals. Implications for risk management: The values of the organisation influence the choices made by professionals in risk management. For example, values can influence the priorities and policies in terms of evaluating risks. Objectives: An objective is the result that the organisation wants to achieve. These objectives are generally clear, quantified and time bound (e.g. 5% gain in market share in 24 months, sales in France increased to 20,000,000 in 12 months). Implications for risk management: As for strategy, risk management must understand and be aligned with business objectives to achieve its objectives by identifying the risk that must be managed by the organisation, and opportunities that can be seized by the organisation. Strategies: The strategy consists in the definition of actions occurring in a logical sequence to achieve one or more goals. Implications for risk management: The choice of treatment and the resulting actions will also depend on the strategy defined by the organisation 2. Define the scope of the risk management framework So, understanding all of the above will help define the scope and context of the risk management framework. We also need to consider the internal and external factors that influence the risk management context: Establishing the External Context Practical Advice Strengths Opportunities Weaknesses Threats ISO offers no practical approach to analyse the context of an organisation. Several methodologies exist to understand how an organisation functions. The important thing is to identify the characteristics of internal and external environmental factors that will influence risk management: mission, main activities, internal organisation, stakeholders, etc. When starting with the implementation of a risk management framework, it is advisable to start with a manageable scope that relates to key business processes. If possible, select a scope that has as little dependencies on, and interfaces with other business processes. This will allow much more efficient and successful project management. When defining the scope, both the internal and external context of the business process should be taken into account. The internal context describes the contribution of the process to the value chain and relationships with other parts of the organisation. The external context describes the relations 7

8 with and dependencies on external parties (customers, suppliers, business partners). For both internal and external context it is recommended that techniques such as SWOT analysis should be performed to determine what Strengths, Weaknesses, Opportunities and Threats are present and relevant. The reason for this recommendation is that the Opportunities and Threats in particular will greatly influence the activities that follow. 3. Define a Risk Management Policy In order for your risk management framework to be a success, a clear policy should be developed showing management commitment to risk management, its importance and the responsibilities for making sure risk management adds business value in line with the principles described earlier. A good risk management policy will detail: The organisation s reasoning behind risk management, clearly laying out its importance and purpose; A description about how risk management aligns to the business objectives and strategies of the organisation. This is critical as a policy is only valuable if it allows the organisation to achieve objectives, policies should never hinder the organisation; The roles and responsibilities. Who is responsible for identifying, assessing and escalating risk? Who can accept risks on behalf of the organisation? These are all questions which need to be clearly answered; A description of how risk management performance will be measured; Clear direction on how competing issues will be addressed, e.g. does one risk type carry more weight than another, will greater risks be accepted in certain circumstances and similar questions; A documented commitment to drive continual improvement in the risk management process along with regular review of risk management processes. The policy should of course be more than a document, all of the statements made in any policy are of intent and the organisation should be willing and able to implement the policy and all the commitments that go with it, the policy must evolve in concert with the organisation. 4. Integrate with Organisational Processes As we have noted already risk management efforts will only be successful if they are integrated into organisational processes. By this we mean that identifying, assessing, analysing and treating risk is something which should be done as part of an existing process rather than as an exclusive exercise. For example, a change management process should include risk assessment and management as a standard part of the process. This integration is critical as from a cultural perspective everyone in the organisation can see risk management as something standard rather than an additional overhead or burden. The ISO standard makes the following remarks about integration: In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes. There should be an organisation-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organisation s practices and processes. The risk management plan can be integrated into other organisational plans, such as a strategic plan. 8

9 In order to achieve this integration, the organisation needs to review its business processes and activities and identify where risk management activities would logically fit. For example, a business planning process should logically have a risk management element, a procurement process may involve conducting risk assessments on potential suppliers and so on. The key point here is that those leading the effort really need a good understanding of your organisation, its activities and the risks (and opportunities) that those activities present. 5. Allocate Resources So, what kind of resources is needed to implement an effective risk management programme? The amount of resources will depend largely on the size of your organisation and the scope of your risk management programme. These resources will always include: People: We have already established that commitment is required from management and that people from throughout the organisation will be involved, but in addition you need skilled practitioners who can establish the risk management framework, ensure people are trained and aware whilst measuring performance and identifying improvement opportunities. Tools: Depending on the kind of activities being performed the organisation will need a variety of tools for risk management. This would include risk assessment tools and methodologies, risk reporting and monitoring tools and in some cases specialist software and information systems. The standard does not dictate how sophisticated these tools should be or how much they should cost, in some cases simple methods can be more than satisfactory. (To get started take a look at some of the free tools from Parker Solutions Group available on our website) Skills: As we have already discussed risk management will involve many different people from across the organisation. Whilst, those individuals do not need to become risk management specialists they will certainly need to understand the organisation policy, their responsibilities and the fundamentals of the organisation s approach to risk management, therefore the development of a clear set of training requirements is a key component in the risk management framework. As with any continuous improvement process the requirements should be continuously reviewed as the organisation changes over time. 6. Establish a Communication and Reporting programme Effective risk management is all about the right people being able to make informed decisions based on realistic information being presented in a timely manner. This is based on building a good communication infrastructure to guarantee all stakeholders get the right information at the right time. When establishing the risk management framework and policy an important step is to identify and develop the communication channels. Ask yourself these questions: Who should risks be reported to? How often? When should risks be escalated further up the organisational chain? What form of communications fits our organisation? 9

10 The frequency and communication style will vary depending on industry and organisational culture, and having the right communication infrastructure will help ensure that the right risks are known in the right place at the right time. The following is a very simple example of an organisation structure that could be adopted: Board of Directors Risk and Audit Committee Risk Management Finance Human Resources Information Technology Health and Safety Quality Management Security Environmental Business Continuity The above diagram is meant to show some key principles, it is not meant to represent a real organisation and of course most organisational structures will be much more complex than this however there are some clear points. Firstly we have the Risk and Audit Committee. The Risk and Audit Committee should report direct to the Board of Directors (or controlling party in organisations which do not have a board). The committee would consist of senior management from across organisational functions and members of internal audit. The job of the committee is to steer risk management on behalf of the organisation, take decisions on the most serious risks and report to the board on performance and significant events. The committee is not a risk management department, and those involved are not conducting risk assessments. The role of the committee is to ensure that risk management is implemented and effective and ultimately to make business decisions. The existence of the committee should be agreed by the board of directors, their role should be clearly defined and the criteria for handling risk should be agreed (i.e. what level of risks do the committee handle, what can they authorise, what must be escalated, etc.). All of these points should be addressed in the Risk Management Policy. In order to ensure all necessary risk areas are covered, a Risk Management function is shown on the chart. This may be a department or one individual depending on the size and scope of the risk management programme. 10

11 The job of the Risk Management function is to: Ensure appropriate risk assessments are conducted in line with the policy; Assist departments in conducting those assessments; Provide expertise (or access to) in the many different risk disciplines; Provide departments and functions with risk treatment solutions; Escalate risks to the Risk and Audit Committee where the criteria require; Providing training on the organisational risk methods; Review risk performance and drive improvements of the risk framework. Some of the specific risk related functions such as Security, Health and Safety, Quality and Business Continuity are all shown here reporting to the Risk Management Function. So, why develop a Risk Management function this way? Firstly such a structure would allow these areas to be truly independent reducing the chance of departmental risks being overlooked, ignored or in the worst case hidden. Secondly the structure allows the sharing of risk related skills and knowledge to be exchanged by functions that are often segregated and isolated and all too often creating duplication and unnecessary effort. Of course a security risk assessment is very different in terms of technical expertise to an environmental risk assessment or a financial risk assessment, however the principles of risk management are very similar meaning techniques and risk criteria could be more easily aligned. Other risk areas such as financial risk, credit, market risk and so on could also be handled by the structure proposed. We have seen this work well for some of our clients, with the function being handed other titles such as Business Assurance and the Excellence Department. Whatever the title the point is that skills can be consolidated, duplication can be reduced, good practice can be shared and communication can be clear through to the Risk and Audit Committee or Directors. This approach of openness and clarity can allow an organisation that does this well to be truly resilient. 7. Perform Risk Assessments The following describes the steps involved in a typical risk assessment regardless of the nature of the assessment. There are many methods available however before looking at specific tools and methods it is important to understand the key principles: 11

12 Identify business processes under assessment The first step is to select the business process for which the risk assessment needs to be performed. This process should represent value to the organisation, either by creating value in the value chain or by supporting primary processes. Do realise that value may be expressed as a direct monetary value, or as an intangible value (e.g. the reputation of an organisation). This process should have assets (items of value to the organisation) that are potential under threat. Identify legal and regulatory requirements The business process itself and its assets may be required to adhere to legal requirements, industry regulations or meet contractual requirements. These laws and regulations form a natural boundary. Determine maximum damage or gain Determine the maximum negative impact on the business process using a number of worst-case scenarios. Ask yourself the question: What are the worst possible things that can go wrong and how much damage do they incur?, or What are the business opportunities that become available and what benefits do they bring? Determine acceptable risk level and treatment strategy Most risks cannot be completely eliminated, and some risks are impossible to mitigate completely. However, most risks can be reduced and the organisation must first select the level of risk acceptable to the organisation. Once that is done, the default treatment strategy needs to be selected. An organisation can select from a number of strategies: 1. Avoidance (stop the business process and thus remove the risk completely); 2. Acceptance (accept the risk as it stands in line with risk management policy); 3. Transference (transfer the financial damage of a negative impact to another party, like an insurance company. This means the damage may occur, but the organisation is compensated by the insurance at the cost of paying a premium. An alternative may be outsourcing. In this case you should note that an organisation can transfer the work of addressing the risk; however the responsibility and ownership of risk always remains with the organisation plus any associated legal liability); 4. Mitigation (implement controls to reduce the risk). Determine threats Determine the different threats to the business process. Each threat is a potential cause of a risk. For most industries predefined sets of threats are available in risk assessment frameworks. These predefined sets get you started and the set needs to be evaluated for applicability and, if necessary, be extended with threats that are particular to the business process in your organisations. Determine likelihood Determine the likelihood of occurring for each of the threats. Part of determining this likelihood is the availability of threat vectors, threat actors, vulnerabilities and exploits. These all are used to calculate how easy it is for a threat to materialise and exercise a negative impact. Apply risk treatment strategy The organisation needs to implement the risk treatment strategy they selected. In case the organisation opted for the mitigation strategy, the organisation needs to select the controls it needs to implement to reduce the risks to below the acceptable level. 12

13 Methodologies There are many methodologies available which will follow the above principles. Some organisations may develop their own methodologies. There are many factors influencing your decision on selecting risk methodologies such as: Suitability for the risk type being assessed; Language of the method - it is crucial to master the vocabulary used; Existence of software tools facilitating use; Documentation, training, support, qualified labour available; Ease of use and pragmatism of the method; Costs including the total cost of ownership; Existence of means of comparison (metric, case studies, etc.). An important aspect to include in the risk treatment plan is measuring the effectiveness of the risk mitigation controls. Defining key risk and performance indicators will help determine if the mitigation is successful and effective. Continual Improvement As with all ISO standards, ISO encourages the concept of continual improvement. Continual Improvement simply means taking small steps in the right direction. In terms of risk management the idea is to ensure that risks are more easily identified, are treated more efficiently, are responded to quicker and that overall the risk management process becomes more and more integrated into the organisational culture. 13

14 About PARKER Solutions Parker Solutions Group was established by Managing Director Graeme Parker in response to the increasing risks and challenges that organisations across the globe are facing. We are providers of professional training, services and coaching across multiple risk disciplines. Our aim is to enable your organisation to become resilient to threats, to increase your ability to seize opportunities and to ease the effort of meeting compliance requirements. Our international multi-disciplinary team of professionals is on hand to provide solutions across key risk areas including Cyber Security, Business Continuity, IT and Technology Risk, Energy, Safety, Sustainability and Environmental risk. With our strong knowledge and experience of standards in these areas along with our innovative and proportionate approach we are ready to enable your organisation. Our mission is to ensure that Governance and Risk Management efforts are implemented efficiently as possible and become a business enabler. We firmly believe that addressing risk should not be a cost or necessary evil but should be a benefit to your organisation. With a strong team of professionals Parker Solutions Group helps organisations make Risk Management become a business enabler by increasing efficiency and reducing un-necessary cost. All our solutions are linked to the key objectives of your organisation. We are more than just a consultancy, we can make recommendations and we also have the ability to go that one step further and actually implement working solutions covering people, processes and technologies. Our professional coaching and training services are also designed to enable your organisation to become self-sufficient reducing the reliance on external consultants. Whether your organisation is a small business, large multinational or a public sector organisation you can be assured that providing a highly professional and excellent service is the core principal of Parker Solutions Group. We have professionally certified and dedicated people with proven skills in the services we offer. Our people have experience working with and assisting a wide variety of organisations around the globe. We would like to thank PECB for generously providing the graphics for this whitepaper. For further information and free no obligation discussion please contact us on: 6 George Street, Driffield, York, YO25 6RA UK enquiries@parkersolutionsgroup.co.uk +44 (0)