ISO 31000, a risk management standard for decision-makers
Alex Dali, MBA, ARM
President at G31000
Alex.Dali@G31000.org

About ISO 31000: History, Scope, Structure, Users, Benefits
About the first global survey on ISO 31000
About certification: Certification of organisations; Certification of individuals
History of ISO 31000

About ISO 31000
Domains covered by risk management: Quality, OH&S, Environment, Finance, IT security, Project, Food safety, Equipment, Supply chain
About ISO 31000
Different views of what "risk" means:
Engineer: risk = hazard
Scenario: risk = event
Manager: risk = uncertainty on objectives
Health: risk = threat (purely negative)
Finance: risk = return
Public sector: risk = discontinuity of service

Organisations of all types face a range of risks.
Organisations of all types face a range of combinations of the probability of an event and its consequences.
Organisations of all types face a range of effects of uncertainty on objectives.

About ISO 31000
National and sector risk management standards converging on ISO 31000:
Australia: AS/NZS 4360 (1995/1999/2004), now AS/NZS ISO 31000:2009
Austria (DE/CH): ONR 49000:2008
Japan: JIS Q 31000 2001 (?)
Europe: FERMA:2004
Canada: CAN/CSA-Q850-1997
USA: COSO 2 (ERM):2004
UK: AIRMIC, ALARM, IRM:2002; M_o_R:2002/2007/2011; BS 31100 Guide; BS ISO 31000
About ISO 31000
An internationally recognised reference:
International consensus
Single global reference for stakeholders
Wide application
Umbrella for more than 60 standards
Should not be ignored

About ISO 31000
Adoption of ISO 31000 around the world (OECD and other countries): Argentina, Australia, Austria, Belarus, Bulgaria, Brazil, Canada, Chile, China, Czech Republic, Denmark, Estonia, Finland, France, Germany, India, Iran, Israel, Italy, Japan, Malaysia, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Russia, Singapore, Slovak Republic, Slovenia, South Africa, Spain, Sweden, Switzerland, Thailand, Turkey, United Kingdom, Uruguay, United States
ISO 31000 standards in Europe (national adoptions): SS ISO 31000, SFS ISO 31000, EVS ISO 31000, NS ISO 31000, LVS ISO 31000, GOST R ISO 31000, BS ISO 31000, NEN ISO 31000, DIN ISO 31000, NF ISO 31000, ISO 31000, NP ISO 31000, DS ISO 31000, STB ISO 31000, PN ISO 31000, CSN ISO 31000, STN ISO 31000, ÖNORM ISO 31000, SIST ISO 31000, SR ISO 31000, xxx ISO 31000, UNE ISO 31000, UNI ISO 31000
Based on informal information received on 6th August 2012.

Survey population (based on 1823 responses from 111 countries):
USA 20%
UK 10%
Australia 10%
South Africa 10%
India 4%
Canada 4%
United Arab Emirates 3%
G31000. Commercial in Confidence. 2012
Participation by department (chart; data not reproduced)

SCOPE
All organisations: any sector, any activity, any size
All risks: any type of risk, positive or negative consequences
Generic guidelines: harmonizes processes, not practices
Global reference: harmonizes RM in existing and future standards
Global application: objectives, context, structure, operations, processes, functions, projects, products, services, or assets
SCOPE
ISO standard vs ISO guideline?
Risk Management: Principles and Guidelines
Voluntary application, not prescriptive, no legal requirement
Specifically not intended for certification
ISO certifiable standard? NO!

SCOPE
Not a parallel management system
Avoid the troubled implementation of the ISO 9000 series
Promote business performance
No bureaucratic compliance reporting system
Simplify further if necessary
STRUCTURE
Three pillars: Principles, Framework, Process

STRUCTURE
Simple risk management architecture
3-pillar structure
Robust and simple to apply
Opportunity to review existing RM practices
Track similarities and differences
STRUCTURE: PRINCIPLES (14.12.2012)
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization

STRUCTURE: FRAMEWORK
Mandate and commitment
Design of framework for managing risk
Implementing risk management
Monitoring and review
Continual improvement

STRUCTURE: RISK MANAGEMENT PROCESS
Communication and consultation
Establish the context
Risk identification
Risk analysis
Risk evaluation
Risk treatment
Monitoring and review
+ ISO Guide 73: Risk management vocabulary
STRUCTURE
Text of the ISO 31000 standard
The text is short and clear
Not radically new
Some statements, like "embedded in all ...", seem idealistic goals

STRUCTURE
Vocabulary: ISO Guide 73
Reviewed by the same committee
51 definitions related to risk
Many improvements
Use language meaningful to your organisation
USERS
1. CORPORATE LEVEL: policy, program, framework
2. OPERATIONAL LEVEL: project, activity, sectors
3. AUDIT: audit, evaluation and reporting
4. WRITERS: guides, procedures, practices

BENEFITS
1. Standard = consensus (compromise)
2. Standards, not regulation: voluntary endorsement
3. Wide range of input, not one point of view
4. Applies to any activity or domain in any organisation
5. Integrated approach for the management of risk
6. Very general, allowing interpretation (guideline)
7. Regular updates through ISO
8. Recognizing best practices
9. Facilitates communication and training
10. Recognition for the profession
Certification: ORGANISATIONS
ISO certifiable standard? NO!
The 3 last slides could be used for debating

Certification: SURVEY 2011 (chart; data not reproduced)
Certification: SURVEY 2011 (chart; data not reproduced)

Certification: ORGANISATIONS
PROS
Validation by external, independent third parties
Validation of the decision-making process
Simple link with mandatory obligations in specific sectors/areas
Confidence of stakeholders in an internationally recognized standard
CONS
Rarely objective and different in each country
Additional burden on resources with little or no tangible gain
Certified companies do not enjoy better performance
False security
Might become mandatory by law
In a legal dispute, a source of negligence
Too much focus on audits and not on processes!
Certification: INDIVIDUALS
Growing understanding of the importance of effectively managing risk
Increasing recognition of ISO 31000
Individuals wishing for knowledge and understanding about risk management
Improved decision making through explicit consideration of uncertainty

LINKEDIN: ISO 31000 discussion group
Link to the LinkedIn group: www.linkedin.com/groups?mostpopular=&gid=1834592
LINKEDIN: OTHER GROUPS

LINKEDIN: COUNTRIES
ISO 31000 SURVEY 2011
Global ISO 31000 survey 2011: results & analysis

ISO 31000 SURVEY 2011
What is your level of awareness about ISO 31000? (chart; data not reproduced)
ISO 31000 SURVEY 2011
How is risk management mainly used within your organization? (chart; data not reproduced)
www.g31000conference2012.org
QUIZ on the ISO 31000 STANDARD
Quiz on the ISO 31000 risk management standard

Question 1: The ISO 31000 document is a
A. Technical specification for Risk Management
B. Guidance standard for Risk Management
C. Certifiable standard for Risk Management
D. Umbrella standard for existing or future standards

USEFUL LINKS
ISO 31000 GLOBAL SURVEY 2011: http://www.g31000conference2012.org/iso31000survey2011
ISO 31000 INTERNATIONAL CONFERENCE: http://g31000conference2012.org/
LINKEDIN GROUP on ISO 31000: http://www.linkedin.com/groups?mostpopular=&gid=1834592
About ISO 31000, official link: http://www.iso.org/iso/catalogue_detail?csnumber=43170