ISO 31 000: The Future of Risk?
Finnish Risk Management Association, Future of Risk Seminar, September 21st 2010

Agenda
1. The Changing Landscape of Risk Management
2. A Brief Introduction to the New International Standard for Risk Management, ISO 31 000
3. Lessons Learned
THE CHANGING LANDSCAPE OF RISK MANAGEMENT

Increased Importance of Effective Risk Management in an Ever-Changing World
- Increasing pace of change, conflicting priorities and performance pressure are driving exposure to a broader set of risks
- Demand from stakeholders to demonstrate robust approaches to managing risks
- Management demanding that Risk Management functions bring true value to the business
- Increasing demand for effective and efficient Risk Management and Internal Control work
ISO 31 000 - A BRIEF INTRODUCTION

ISO 31 000:2009, The New International Standard for Risk Management
- Published in 2009
- Four years of consultation between risk and standards experts in 30 countries
- Provides principles and generic guidelines on risk management
- Not specific to any industry or sector
- Can be applied to any type of risk
- Is intended to harmonize risk management processes in existing and future standards
- Is not intended for certification
Substandards to ISO 31 000:2009
ISO 31000 is complemented by:
- ISO Guide 73:2009, Risk Management Vocabulary: a more detailed vocabulary that clarifies the taxonomy of ISO 31000
- ISO/IEC 31010, Risk Management Risk Assessment Techniques: describes tools in detail, such as Monte Carlo Simulation and Event Tree Analysis
[Figure: ISO 31 000 flanked by ISO Guide 73:2009 and ISO/IEC 31 010]

Risk Definition in ISO 31 000:2009
Risk is the effect of uncertainty on objectives.
[Figure: ISO 31 000: RISK, spanning Danger and Opportunity; COSO ERM: EVENTS, split into Risk and Opportunity]
The Anatomy of ISO 31 000:2009: Principles, Framework and Process

Principles (clause 1):
a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural values into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation

Framework (clause 4):
- Mandate and commitment (4.2)
- Design of framework for managing risk (4.3)
- Implementing risk management (4.4)
- Monitoring and review of the framework (4.5)
- Continual improvement of the framework (4.6)

Process (clause 5):
- Communication and consultation (5.2)
- Establishing the context (5.3)
- Risk assessment (5.4): risk identification (5.4), risk analysis (5.4.3), risk evaluation (5.4.4)
- Risk treatment (5.5)
- Monitoring and review (5.6)

Framework, clause 4
- Mandate and commitment (4.2)
- Design of framework for managing risk (4.3)
- Implementing risk management (4.4)
- Monitoring and review of the framework (4.5)
- Continual improvement of the framework (4.6)
Key activities around the framework:
- Mandate and commitment
- Monitor usage of the framework
- Review framework appropriateness and effectiveness
- Continual improvement
- Support and coach implementation and execution
Process, clause 5
- Communication and consultation (5.2)
- Establishing the context (5.3)
- Risk assessment (5.4): risk identification (5.4), risk analysis (5.4.3), risk evaluation (5.4.4)
- Risk treatment (5.5)
- Monitoring and review (5.6)
Key points:
- Begin with context and objectives: a top-down approach
- Include monitoring and review in every stage
- Include communication and consultation in every stage
- Classical risk assessment, supported by ISO/IEC 31010
- Keep Black Swans in mind

ISO 31 000:2009 vs COSO ERM: Pros and Cons
[Table: ISO 31 000:2009 and COSO ERM compared on the criteria below; the individual ratings per standard did not survive extraction]
- Distinguishes and clarifies ERM and ICM
- Broadly applicable
- Hands-on advice
- Process-oriented
- Strategic risk communication
- High-level system harmonisation
- Certification
Risk Management Standards: Will They Make It Happen?
- Scenario A: ISO 31 000 takes over the risk management standards market step by step. Most likely for the relationship with e.g. JIS Q 2001, CAN/CSA Q850 and the IRMSA Code of Practice.
- Scenario B: ISO 31 000 becomes a meta-standard to which other standards and frameworks are harmonised. Most likely for the relationship with e.g. AS/NZS 4360 and ONR 49000.
- Scenario C: ISO 31 000 is one alternative among many other standards. Most likely for the relationship to e.g. COSO ERM and the British RM Standards.
Source: Dr Erben 2008

LESSONS LEARNED
Success Factors and Pitfalls from Real Life
- Set clear principles and guidelines: ensure you have a well-defined and thoroughly anchored purpose and goal. What parts of the standard do we want to use, and to what end?
- Be clear about your ambition: see the requirements in ISO 31 000 as long-term objectives.
- Clarify your scope: adapt the use of the standard to your organisation; ask experts for alternative approaches if you need to.
- Taxonomy, the glue of risk management: make an inventory of your current taxonomy and use it as the basis for a consistency analysis; adapt the risk language to your organisation's culture.
- Make sure your framework is effective: allocate the majority of the effort to putting a solid framework in place: >30% during planning and >80% during implementation.

Thank you!