ISO 31000, a risk management standard for decision-makers


ISO 31000, a risk management standard for decision-makers
Alex Dali, MBA, ARM, CT31000
President, Global Institute for Risk Management Standards - G31000
Alex.Dali@G31000.org

Risk management foundations in the airline industry

Major risks faced by airlines
Strategic risk: business design choices
Financial risk: variability of revenue and costs
Operational risk: tactical aspects of running the business
Hazard risk: safety of physical assets


Specialized risk in ISO standards (domain: risk addressed; standard)
Quality: nonconformities; ISO 9001
Environment: pollution; ISO 14001
Health & Safety: accident, disease; ISO 45001
Energy: interruption; ISO 50001
IT security: data breach, cyber crime; ISO 27001
Project: non-quality, cost overrun, delays; ISO 21500
Supply chain: disruption; ISO 28000
Continuity: incident; ISO 22301
Law & regulations: non-compliance; ISO 19600
Business ethics: bribery; ISO 37001

Why aren't ERM programs more successful?
Most ERM programs are built on governance or compliance models (value: "Did we do it? Good.")
Measures are rarely in meaningful terms
Not a key role in performance management, planning, budgeting and strategy formation
Limited in scope and focus
Not a day-to-day part of decision making
Not based on or tied to a standard or tight framework
Copyright 2012 rpm3 Solutions, LLC and ERM, LLC

A compliance & control risk management standard (diagram): compliance, controls, regulations, risk, insurance, reporting, audit

ISO 31000, a global risk management standard
Philosophy of the ISO 31000 risk management standard (diagram): uncertainty, controls, insurance, decision-making, compliance, objectives, regulations, performance, risk, audit, reporting, best allocation of resources

Risk: effect of uncertainty on objectives

Risk management & ISO 31000
The combination of governance, performance, decision-making and risk management has become the driving force for a global approach and a structured methodology, leading to risk management standardization.

5 recommendations
1. Adopt an internationally-recognized reference
2. Use a simple risk management architecture
3. Promote business performance
4. Link risk management and decision-making
5. Encourage adequate education with benefits

5 recommendations
1. Adopt an internationally-recognized reference

About ISO 31000: an internationally-recognised reference
International acceptance: a single global reference for stakeholders
Guideline that can be tailored
All types of risk, in any sector or industry
Umbrella for all existing standards (multiple frameworks create confusion)

Value-added / benefits of ERM

ISO 31000 adopted as national risk management standard: 76 countries, 23 languages
International Organization for Standardization, ISO Central Secretariat, BIBC II, Chemin de Blandonnet 8, CP 401, 1214 Vernier, Geneva, Switzerland, www.iso.org
Link: https://goo.gl/vttfqy

Chart: number of members by country, world top ten, 2011 to 2016 (extract from G31000 database, 15 June 2016)


5 recommendations
2. Use a simple risk management architecture

Objectives of ISO 31000: structure
Simple risk management architecture: a 3-pillar structure, robust and simple to apply
Opportunity to review existing RM practices
ISO 31000 is free to download in India
Do not restrict risk management to the risk management process

Objectives of ISO 31000: structure
Principles:
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the
Framework (Plan-Do-Check-Act cycle): mandate and commitment; design of framework for managing risk; implementing risk management; monitoring and review; continual improvement

Objectives of ISO 31000: structure
Risk management process: establish the context; risk identification; risk analysis; risk evaluation; risk treatment; with communication and consultation, and monitoring and review, throughout
+ ISO Guide 73, risk management vocabulary

5 recommendations
3. Promote business performance

ISO 31000 survey 2012: How is risk management mainly used within your organization?

Objectives of ISO 31000: scope
Not a parallel management system: integrate risk in all practices and processes at all levels
Risk management must create value: link risk management to business performance
No bureaucratic compliance reporting system

5 recommendations
4. Link risk management and decision-making


5 recommendations
5. Encourage adequate education with benefits

Certification of individuals
Growing understanding of the importance of effectively managing risk
Increasing recognition of ISO 31000 by individuals wishing for knowledge and understanding of risk management
Improved decision making through explicit consideration of uncertainty and potential consequences

Global Institute for Risk Management Standards
Training sessions conducted worldwide: 78 sessions in 25 countries
Cities covered: New York, Chicago, Los Angeles, Denver, Washington, West Palm Beach, Toronto, Brussels, Paris, London, Nice, Lagos, Johannesburg, Cape Town, Madrid, Barcelona, Milano, Geneve, Amsterdam, Dubai, Riyadh, Macau, Shanghai, Singapore, Sydney, Lima, Bogota, Cairo
Plan your training survey: http://www.g31000.org/survey

Global Institute for Risk Management Standards
Worldwide network of 1232 certified risk professionals via G31000 training and certification
Network of 123 approved/certified trainers


5 recommendations
1. Adopt an internationally-recognized reference
2. Use a simple risk management architecture
3. Promote business performance
4. Link risk management and decision-making
5. Encourage adequate education with benefits


Thank you for your attention
Alex Dali, MBA, ARM, CT31000
President, Global Institute for Risk Management Standards - G31000
Alex.Dali@G31000.org

Annexes for discussions or additional information

Thesis in risk management

Risk: combination of the probability of an event and its consequences

About ISO 31000: what "risk" means to different professions
Engineer: risk = hazard
Scenario: risk = event
Manager: risk = uncertainty on objectives
Health: risk = threat (purely negative)
Finance: risk = return
Public sector: risk = discontinuity of service
Organisations of all types face a range of risks, that is, a range of combinations of the probability of an event and its consequences.

About risk management standards (by country)
Australia: AS/NZS 4360 (1995/1999/2004); AS/NZS ISO 31000:2009
Austria (DE/CH): ONR 49000:2008
Japan (?): JIS Q 31000; 2001
Europe: FERMA:2004
Canada: CAN/CSA-Q850-1997; ISO 31000
USA: COSO 2 (ERM):2004
UK: AIRMIC, ALARM, IRM:2002; M_o_R:2002/2007/2011; BS 31100 Guide; BS ISO 31000

About ISO 31000: domains covered include quality, OH&S, environment, finance, IT security, food safety, equipment, project and supply chain

ISO TMB Joint Technical Coordination Group: how to align all ISO management systems, introducing the concept of risk
Susan LK Briggs, TC207/SC1 Representative on JTCG TF1; Chair, US Technical Advisory Group to TC207; Convenor, WG5 ISO 14001 Revision
Presented at the 2nd international ISO 31000 Conference, 2013, Toronto, Canada

ISO TC 176 SC1 - Concepts and terminology: risk-based thinking introduced in the revision of ISO 9001:2015, with direct references to ISO 31000
Paul C Palmes, Chairman, International Technical Committee TC 176, SC1 (revision of ISO 9001:2015); US Technical Advisory Group to TC 176, SC1/HOD
Presented at the 3rd international ISO 31000 Conference, 2014, New York, USA

Objectives of ISO 31000: structure (principles, framework, process)

Objectives of ISO 31000: scope
ISO standard vs ISO guideline? "Risk management - Principles and guidelines": voluntary application, not prescriptive, no legal requirement, specifically not intended for certification
ISO certifiable standard? No!

Objectives of ISO 31000: scope
All organisations: any sector, any activity, any size
All risk: any type of risk, with + or - consequences
Generic guidelines: harmonizes processes, not practices
Global reference: harmonizes RM in existing and future standards
Global application: objectives, context, structure, operations, processes, functions, projects, products, services, or assets

Objectives of ISO 31000: benefits
1. Standard = consensus (vs compromise)
2. Standards vs regulation: voluntary endorsement
3. Wide range of input vs one point of view
4. Applies to any activity or domain in any organisation
5. Integrated approach for the management of risk
6. Very general, allowing interpretation (guideline)
7. Regular updates through ISO
8. Recognizes best practices
9. Facilitates communication and training
10. Recognition for the profession

ISO 31000 survey 2011: global ISO 31000 survey 2011, results & analysis

Quiz on the ISO 31000 risk management standard

Quiz on the ISO 31000 standard
Question 1: The ISO 31000 document is a
A. Technical specification for risk management
B. Guidance standard for risk management
C. Certifiable standard for risk management
D. Umbrella standard for existing or future standards

Useful links
ISO 31000 global survey 2012: English version: http://goo.gl/cckzv ; Spanish version: http://goo.gl/skf4j ; French version: http://goo.gl/xs8hy
ISO 31000 international conference: http://g31000.org/conferences/
LinkedIn group on ISO 31000: http://www.linkedin.com/groups?mostpopular=&gid=1834592
About ISO 31000, official link: http://www.iso.org/iso/catalogue_detail?csnumber=43170
About ISO 31000, presentation: http://www.crasp.gov.br/crasp/conteudo/apresenta%c3%87%c3%83O%20-%20ISO%2031000.pdf