ERM: Risk Maps and Registers. Performing an ISO Risk Assessment

Similar documents
Executive Teams and the Use of ISO in Decision Making. Scott Wightman, ARM-E National Director Gallagher ERM Practice

Texas Tech University System

Fraud Risk Management

Sample Corporate Risk Management Policy

Key Risks and Risk Based Management Update

COSO ERM: Integrating with Strategy and Performance. Michael Parkinson

Risk Management Strategy

I S O T R A N S L A T E D I N T O P L A I N E N G L I S H 5. R I S K M A N A G E M E N T F R A M E W O R K

Sample Strategy and Value Oversight Policy

Board Corporate Governance and Risk Committee

REPORT 2015/077 INTERNAL AUDIT DIVISION

This policy establishes the approach to risk management at Sunshine Coast Council (Council) and outlines the guiding principles and framework.

ERM: Mandate & Commitment in 60 Minutes

The SC Corp. ISO 31000:2018 Risk Management Checklist. conducted for. Conducted on 09 Nov :33 PM. Prepared by Michael de la Torre

Enterprise Risk Management And Beyond. Copyright WHA Insurance

ISO 9001:2015 and Risk Based Thinking

Enhanced Risk Management Policy

From Dictionary.com. Risk: Exposure to the chance of injury or loss; a hazard or dangerous chance

Risk Management and Corporate Governance in Local Government

Aligning and Integrating ERM and Business Process. Federal ERM Summit September 9, :00-12:00

Corporate governance for banks

SAMPLE Marketing Slides for Building a Compliance Program

Deloitte Governance Framework and Maturity Model

LIVING IN THE REAL WORLD THE LEGAL AND INSURANCE ASPECTS OF SMS

IT Audit at Brown. A collaboration between the Information Technology and Internal Audit Teams

INTERNAL AUDIT DIVISION REPORT 2018/105. Audit of strategic support to the global humanitarian inter-agency coordination mechanisms

Enterprise Risk Management: Developing a Model for Organizational Success. White Paper

Emerging Trends in Auditing ERM COSO ERM 2017

Charter for Enterprise Risk Management

Risk Management at Statistics Canada

A Guide to IT Risk Assessment for Financial Institutions. March 2, 2011

Inside of a ring or out, ain t nothing wrong with going down. It s staying down that s wrong. Muhammad Ali

Enterprise Risk Management Montana State Fund

AUDIT REPORT NOVEMBER

Corporate Risk Management Audit

RISK MANAGEMENT POLICY

ISO 31000:2009 IEC/ISO 31010:2009 & ISO Guide 73:2009 International Standards for the Management of Risk

Risk management Principles and guidelines

SOLUTION BRIEF RSA ARCHER REGULATORY & CORPORATE COMPLIANCE MANAGEMENT

Risk Management Policy

Practices in Enterprise Risk Management

Enterprise Risk Management Program Development Update. Finance & Audit Committee Meeting September 25, 2015

IRM s Professional Standards in Risk Management PART 1 Consultation: Functional Standards

December Business and Finance Division Service Assessment Survey. Summary Report To Finance Division December 1, 2006

University System of Georgia Enterprise Risk Management (ERM) Creating A More Educated Georgia

ISO 31000:2009 PRINCIPLESAND GUIDELINESCHECKLIST

4/10/2014. Developing an HR Strategic Plan A Step by Step Approach. Agenda. By a Show of Hands: The HR Strategic Plan. Critical Success Factors

More than 2000 organizations use our ERM solution

Enterprise Risk Management

Risk Management Policy

Strengthening Your Enterprise Risk Management Process

Risk Management Update ISO Overview and Implications for Managers

Successful ERM Program Standards. Definitions of Enterprise Risk Management (ERM)

ISO INTERNATIONAL STANDARD. Risk management Principles and guidelines. Management du risque Principes et lignes directrices

On the road(map) again. Balancing the emerging regulatory requirements in the Middle East public sector

INFORMATION SERVICES FY 2018 FY 2020

Risk Management Guidelines of the CGIAR System

Introduction to ERM (Enterprise Risk Management)

7 Key Trends in Enterprise Risk Management

Enterprise Risk Management

A conversation about the framework for performance excellence PERFORM LIKE A ROCK STAR!

Next-generation enterprise risk management

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Concept of Risk Management in Medical Equipment Application of ISO in IEC rd Edition

CHARTER OF THE BOARD OF DIRECTORS

AASHTO Guide for Enterprise Risk Management: An Overview. Tim Henkel, Assistant Commissioner, Mn DOT NCHRP Project 08-93

Role of Board of Directors in Risk Management. CPA Erick Audi Thursday, 15 th November 2018

Risk Management Policy and Framework

Enterprise Risk Management: Aligning Risk with Strategy & Performance June 26, :45 p.m. 4:45 p.m.

Step 2: Analyze Stakeholders/Drivers and Define the Target Business Strategy

UNIVERSITY OF COLORADO DEPARTMENT OF INTERNAL AUDIT 2018 AUDIT PLAN As of June 1, 2017

RAISING THE STANDARD THE NEW ISO RISK MANAGEMENT STANDARD

ENTERPRISE RISK MANAGEMENT USING DATA ANALYTICS. Dan Julevich and Chris Dawes April 17, 2015

ISO 2018 COPYRIGHT PROTECTED DOCUMENT All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of th

ARCHIVED Audit of Risk Management

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

Critical Success Factor in ERM Implementation

STRATEGIC ASSET MANAGEMENT POLICY

Guidance Note: Corporate Governance - Board of Directors. January Ce document est aussi disponible en français.

Informed Decision Making

Introducing ISO 22301

BOD Minute:. Oversight Committee Mandate: Governance Committee

Active Essex Risk Management Strategy

B U S I N E S S R I S K M A N A G E M E N T L T D

Integrated Clause-byclause Guidance

OPERATIONAL DIRECTIVE REF. OD.FG RISK MANAGEMENT

THE ENTERPRISE AND RISK MANAGEMENT POLICY

The Future of Business Analysis. October 2013

STRATEGIC PLAN

RISK MANAGEMENT FRAMEWORK OF THE CGIAR SYSTEM

Advancing Sustainability for Public Power. July 2017

An Integrated Nine-Step Approach to Managing Clinical Technology Risks

Enterprise Risk Management (ERM) Program Primer

A Risk Practitioners Guide to ISO 31000: 2018

THE PUBLIC SECTOR COMPLIANCE FRAMEWORK A BRIEF OVERVIEW D A R Y L G L A S S

Advisory Services Governance, Risk & Compliance

Portfolio Management Professional (PfMP ) Certification preparatory workshop Course Outline

Follow-up Audit of the CNSC Performance Measurement and Reporting Frameworks, November 2011

These are the primary functions of the Board, and should be the main focus of the Board s attention and activities.

Transcription:

ERM: Risk Maps and Registers Performing an ISO 31000 Risk Assessment

Agenda Following a Standard? Framework First Performing a Risk Assessment Assigning Risk Ownership Data Management Questions?

Following a Standard?

ISO 31000 The International Risk Management Standard ISO 31000 Provides the Architecture

ISO 31000 The International Risk Management Standard Scalable and Tailorable

Principles ISO 31000 Risk Management Model Framework Process Creates value Integral part of organizational processes Part of decision making Explicitly addresses uncertainty Systematic, structured and timely Based on best available information Tailored Takes human and cultural factors into account Transparent and inclusive Dynamic, iterative and responsive to change Facilitates continual improvement and enhancement of the organization Continually improve the framework Mandate & Commitment Design framework for managing risk Monitor and review the framework Implement risk management Communicate and consult Establish the context Risk assessment Risk identification Risk analysis Risk evaluation Risk treatment Monitor and review

Framework First

Written Risk Management Framework Best way to get everyone on board Answers the questions: Why do we manage risk at ABC? How do we manage risk at ABC? Sections can cover: - Framework objective - Mandate & commitment - Risk appetite - Guiding principles - Roles & accountabilities - Applying the framework - Performance monitoring - Reporting - Quality & improvement - Committee charge

Incorporated Into Strategy, Operations & Decisions Three levels of risk to consider Strategic Operational Decision- Making

Risk as Pillar of Governance Governance

Risk as Pillar of Governance Mission Governance Mission The board sets the overall mission and objectives of the organization and insists that its culture and values are aligned with that mission.

Risk as Pillar of Governance Mission Strategy Governance Strategy Senior leadership, in conjunction with the board, develop strategic plans to carry out the organization s mission and objectives.

Risk as Pillar of Governance Mission Strategy Governance Stewardship Stewardship Financial resources are developed and maintained to ensure the mission and strategic plans are adequately funded.

Risk as Pillar of Governance Mission Strategy Governance Stewardship Quality Quality The quality of the organization s programs are planned for and tested in order to maintain demand for the product in the long-term.

Risk as Pillar of Governance Mission Strategy Governance Stewardship Quality Risk Risk Risks to the organization in meeting its organizational objectives, including threats and opportunities, are identified, assessed, and treated.

Risk as Pillar of Governance Mission Strategy Governance Stewardship Quality Risk Compliance Compliance Risks to the organization for failing to comply with its legal, regulatory, industry, and internal standards are identified, assessed, and managed.

Risk as Pillar of Governance Mission Strategy Governance Stewardship Quality Assurance Risk Compliance Assurance A strong management structure and culture is maintained to ensure proper reporting and accountability, and internal and external audits are utilized to bring board assurance.

ISO 31000 RM Process Establish the context Performing a Risk assessment Risk Assessment Communicate and consult Risk identification Risk analysis Risk evaluation Monitor and review Risk treatment

Risk Assessment Considerations What is the context of this risk assessment? Who should be there? - Senior leadership - Risk committee - Ad hoc team - Risk management Identification of internal and external stakeholders How precise to be - ISO 31000 details 31 risk assessment methods - But normally looking for reasonable consensus and gut feel Agree on risk criteria

Risk Assessment Process Risk Identification - Risk register - Developed through: - Brainstorming - Interviews - Surveys - Other institutions - Associations Risk Analysis - Ranking based on likelihood and consequence (impact) - Use of heat maps Risk Evaluation - Prioritization Communicate and consult ISO 31000 RM Process Establish the context Risk assessment Risk identification Risk analysis Risk evaluation Risk treatment Monitor and review

Visual tool to plot likelihood and impact scores - Let s the viewer easily identify top risks - Highlights need for risk treatment and to drive risks from top right to bottom left A risk tolerance line can easily be drawn Excellent for senior leadership and Board presentations Risk (Heat) Maps

Risk Assessments Day Of Use of technology - Survey tools - Spreadsheet Have placemat ready Usually start with subject matter expert - Then rest of group agrees or challenges Can also agree on risk ownership at same time

What Happens After the Risk Assessment? Each risk turned over to owner - To draft risk treatment plan - To determine team needed Risk owners report back to leadership for approval of plan - Through committee - Through management structure Risk owners work their plans with accountability to central oversight Rerank risks as treatment plans are implemented Report to senior leadership, audit committee, and/or full board

Assigning Risk Ownership

Employment of Ownership Model is Critical Pushing work out to subject matter experts is essential to success Risk owners: - Develop risk treatment plans - Assemble work teams - Communicate and report - Monitor and evaluate At what level of the organization should ownership reside?

Central Oversight/Decentralized Implementation Oversight Centralized Decentralized Implementation Centralized Decentralized Where some have developed, but centralized implementation requires significant staff and does not take advantage of current subject matter expertise Oversight is at highest levels, including board, but implementation is pushed out to experienced subject matter experts through risk and compliance ownership Where most institutions have been, although with some limited departmental oversight, but does not incorporate board-level reporting and accountability

Central Oversight/Decentralized Implementation Oversight Centralized Decentralized Implementation Centralized Decentralized Where some have developed, but centralized implementation requires significant staff and does not take advantage of current subject matter expertise Oversight is at highest levels, including board, but implementation is pushed out to experienced subject matter experts through risk and compliance ownership Where most institutions have been, although with some limited departmental oversight, but does not incorporate board-level reporting and accountability

Central Oversight/Decentralized Implementation Oversight Centralized Decentralized Implementation Centralized Decentralized Where some have developed, but centralized implementation requires significant staff and does not take advantage of current subject matter expertise Oversight is at highest levels, including board, but implementation is pushed out to experienced subject matter experts through risk and compliance ownership Where most organizations have been, although with some limited departmental oversight, but does not incorporate board-level reporting and accountability

Central Oversight/Decentralized Implementation Oversight Centralized Decentralized Implementation Centralized Decentralized Where some have developed, but centralized implementation requires significant staff and does not take advantage of current subject matter expertise Oversight is at highest levels, including board, but implementation is pushed out to experienced subject matter experts through risk ownership Where most organizations have been, although with some limited departmental oversight, but does not incorporate board-level reporting and accountability

Reporting & Accountability Clearly Addressed Accountability and Surveillance Pushes Down Reporting Flows Up

Data Management

Administrative Tools Spreadsheets Enterprise software Governance, Risk & Compliance (GRC) software - As part of RMIS - As stand-alone cloud system Functions to look for: Detailed risk and compliance obligation registers with multiple data points Dashboards for each risk and obligation with the ability to rank risks and catalogue treatment plans Risk rankings that flow into interactive, institutional heat maps Ability to manage delegations using email assignments and workflow through calendars Reporting tools for use at all levels of the organization

Questions?

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback