Introduction to ISO 31000:2009
2013 Quality Management Division of ASQ

ISO 31000:2009 was published as a standard in November 2009. It provides a standard on how risk management should be implemented. The intention of ISO 31000:2009 was to be relevant and flexible for "any public, private or community enterprise, association, group or individual." Hence the general scope: ISO 31000, as a group of risk management standards, was not developed with a particular industry sector, structure or technical field in mind. ISO 31000 provides a best-practice composition and direction for all businesses concerned with risk management.

ISO 31000:2009 Scope

ISO 31000:2009 offers broad general guidelines for the design, implementation and ongoing execution of risk management processes throughout an organization. This methodology for risk management practices makes broader adoption possible by organizations that need an enterprise risk management standard that supports silo-centric systems. The extent of this risk management methodology was to enable all strategic and operational tasks of an organization, across projects, functions and processes, to be linked to a universal set of risk management objectives. Consequently, ISO 31000:2009 was developed for a wide-ranging stakeholder group including: executive-level stakeholders, appointment holders in the enterprise risk management group, risk analysts and officers, line managers and project managers, compliance and internal auditors, and independent practitioners.

Definition of Risk

One of the key changes from past paradigms is how risk is defined. Under ISO 31000:2009 a significant amendment of the terminology adds a new dimension to risk. Unlike some risk frameworks, ISO 31000 defines risk as the "effect of uncertainty on objectives," recognizing both the positive opportunities and the negative consequences associated with it.

Two supporting documents include:

(1) ISO Guide 73:2009, Risk management - Vocabulary: provides the definitions of generic terms related to risk management and aims to encourage a consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, as well as uniform risk management terminology.

(2) ISO/IEC 31010, Risk management - Risk assessment techniques: a supporting standard for ISO 31000 offering guidance on the selection and application of systematic techniques for risk assessment.

The ISO 31000 Framework

Whereas the Australian and New Zealand standards approach presented a process by which risk management could be carried out, ISO 31000:2009 addresses an organization's risk management system from design, through implementation, maintenance and improvement of risk management processes. ISO 31000:2009 is a replacement for the existing standard on risk management, AS/NZS 4360:2004.

Implementation

The goal of ISO 31000 is for the framework to be pragmatic within existing management systems, to provide structure and to advance risk management processes. Consequently, when implementing ISO 31000,
organizational leaders must be aware of the new paradigm addressed in this standard. The focal point of many ISO 31000 programs has centered on:
- closing accountability gaps in enterprise risk management,
- aligning organizational objectives with the ISO 31000 framework,
- establishing mechanisms to facilitate management systems reporting, and
- generating consistent risk identification and assessment metrics.

Implications

Implications of accommodating the new standards include improved efficiency and effectiveness of existing processes. Whether through business process re-engineering or enhanced integration of information management practices, the new standards must comply with the documentation, communication and accountability of the new risk management working paradigm. As such, organizational leaders and managers must be aware of the implications of implementing the standards and be capable of developing strategies that reach across supply chains and multi-facility operations. Senior leaders and managers will be required to develop new competencies that deviate from the traditional siloed and redundant risk methodologies. These new competencies will include accountability, strategic policy implementation and successful organizational policy frameworks. In some industry segments, particularly information systems security and corporate social responsibility, more structured changes will be mandated. These changes will be of specific importance when articulating new risk policies, formalizing risk ownership of key processes or response plans, and embracing continuous improvement programs.

ISO 31000 Shortcomings

ISO 31000 is a process-oriented risk management framework. This is in contrast to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework report, which is controls-oriented.

Organizations cultured in enterprise-wide risk management theories and looking for specifics on how to translate theories into practical tools will find little value in ISO 31000. Specifically, ISO 31000 does not establish how your organization measures risk and creates useful data, does not guarantee that all relevant risk areas are identified, and does not provide risk taxonomies for developing risk documentation.

The difference between ISO 31000 and COSO ERM is in the focus of assessing and managing risk. ISO 31000 concentrates on consequences and provides a framework for considering the consequences of an event occurring. This is depicted through the definition of risk: the effect of uncertainty on objectives. COSO ERM is focused more on the events rather than on the consequences of events.

ISO 31000 is comprised of three interrelated building blocks: 1) the general principles, 2) the framework, and 3) the process, for risk management to be effectively implemented. The general principles of ISO 31000 state that risk management should:
- Create value
- Be an integral part of organizational processes
- Be a part of decision-making
- Explicitly address uncertainty
- Be systematic, structured and timely
- Be based on the best available information
- Be organization-specific
- Take human and cultural factors into account
- Be transparent and inclusive
- Be dynamic, iterative and responsive to change
- Facilitate continual improvement of the organization

The second building block focuses on forming the right risk management structure or framework. Once executive support and commitment are established, the organization: 1) designs the framework, 2) implements risk management, 3) monitors and reviews the framework periodically, and 4) continually improves the framework.

The third building block was adopted from AS/NZS 4360:2004. It requires communication and monitoring throughout the risk management process. This is achieved by establishing the context for the framework, documenting the risk identification and risk assessment methodologies, and clearly articulating the risk management strategies.

The Framework for Managing Risk

ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process. Information on designing the framework that supports the risk management process is not set out in detail in ISO 31000. An organization will describe its framework for supporting risk management by way of the risk architecture, strategy and protocols for the organization. The risk architecture, strategy and protocols should represent the internal arrangements for communicating on risk issues. They should also set out the roles and responsibilities of the individuals and committees that support the risk management process. The risk strategy should set out the objectives that risk management activities in the organization are seeking to achieve. Finally, the risk protocols describe the procedures by which the strategy will be implemented and risks managed.

Risk Assessment

Risk identification establishes the exposure of the organization to risk and uncertainty. This necessitates knowledge of the marketplace in which the organization operates, of the legal, social, political and cultural environment in which it exists, and an understanding of its strategic and operational goals and objectives. This includes knowledge of the business elements critical to success and of the threats and opportunities related to the achievement of its goals and objectives. Risk assessment ought to be approached in a systematic manner to ensure that all value-adding tasks and activities within the organization have been assessed and that all the risks emerging from these tasks and activities are well defined.

The result of risk analysis is used to produce a risk profile that gives a rating of importance to each risk and provides an approach for prioritizing risk management efforts. The result is a ranking of the relative importance of each identified risk. This allows the risks to be mapped to the business area or specific business process affected. It also describes the primary control mechanisms in place and indicates where the level of investment in controls might be increased, decreased or reallocated. The risk analysis activity assists the operation of the organization by identifying those risks that require priority consideration by management. This facilitates management's ability to prioritize risk control actions in terms of their potential benefits to the
organization. The array of available risk response treatments includes accept, eliminate, mitigate or transfer. An organization may also decide that there is a need to improve the control environment.

Risk Treatment

Risk treatment as defined in ISO 31000 is an activity to select and implement appropriate control measures to transform the risk. Risk treatment comprises risk control (or mitigation), risk avoidance, risk transfer and risk financing. Any risk treatment should provide efficient and effective internal controls. The effectiveness of an internal control is determined by the degree to which the risk is eliminated or reduced by the control measures. The cost-effectiveness of an internal control is judged by comparing the cost of implementing the control with the risk reduction benefits achieved.

Compliance with laws and regulations is not optional. Organizations must understand the pertinent laws and be capable of implementing control mechanisms to achieve compliance. One method of obtaining protection against the impact of risks is risk financing, or buying insurance. However, some losses may be uninsurable, for example damage to employee morale and to the reputation of the organization.

ISO 31000 recognizes the importance of feedback. Monitoring and reviewing ensures that the organization monitors risk performance and learns from experience. Communication and consultation is a key requirement in ISO 31000, as both a part of the risk management process and a part of the supporting framework. Reporting and disclosure are only very briefly mentioned in ISO 31000. Also, the monitoring and review feedback activities in ISO 31000 do not explicitly reference the tasks of monitoring risk performance and reviewing the risk management framework.

Board Mandate and Commitment

Many organizations issue an updated version of their risk management policy on a yearly basis. This ensures that the risk management approach is in line with existing best practices. It also gives the organization the opportunity to focus on the intended benefits for the coming year. Mandate and commitment from the Board is critically important and needs to be continuous. Keeping the risk management policy up to date validates that risk management is a dynamic activity fully supported by the Board.

A risk management policy should include the following sections:
- Risk management and internal control objectives (governance)
- Statement of the organization's attitude toward risk (risk strategy)
- Description of the risk culture or environment
- Level and nature of risk that is acceptable (risk tolerance)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analyzing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
- Allocation of risk management roles and responsibilities
- Risk management activities and risk management priorities for the coming year

Scope of the Risk Management Initiative

In order to be successful, the risk management initiative needs to be comprehensive. The scope of the initiative is defined by the range of benefits the organization is seeking to achieve. Benefits are influenced by the
expectations of the various stakeholders in the organization. Depending on the nature of the organization, the risk management function may range from a part-time risk manager to a full-scale risk management department. The internal audit function also differs from one organization to the next. In determining the most appropriate role for internal audit, the organization needs to ensure that the independence and objectivity of internal audit are not compromised.

The range of risk management responsibilities that need to be allocated in the policy will be broad and extensive. Table 1 sets out examples of the risk management responsibilities that may be allocated in a typical organization. The Board has responsibility for determining the strategic direction of the organization and creating the context for risk management. There need to be activities in place to achieve continuous improvement in performance, and this responsibility is likely to be allocated to the risk manager.

Table 1: Risk management responsibilities

The CEO/Board:
- Determine the strategic approach to risk and set risk tolerance
- Establish the structure for risk management
- Understand the most significant risks
- Manage the organization in a crisis

The business unit manager:
- Build a risk-aware culture within the unit
- Agree risk management performance targets
- Ensure implementation of risk improvement recommendations
- Identify and report changed circumstances / risks

Individual employees:
- Understand, accept and implement RM processes
- Report inefficient, unnecessary or unworkable controls
- Report loss events and near-miss incidents
- Co-operate with management on incident investigations

The risk manager:
- Develop the risk management policy and keep it up to date
- Document the internal risk policies and structures
- Co-ordinate the risk management (and internal control) activities
- Compile risk information and prepare reports for the Board

Specialist risk functions:
- Assist the company in establishing specialist risk policies
- Develop specialist contingency and recovery plans
- Keep up to date with developments in the specialist area
- Support investigations of incidents and near misses

The internal audit manager:
- Develop a risk-based internal audit program
- Audit the risk processes across the organization
- Receive and provide assurance on the management of risk
- Report on the efficiency and effectiveness of internal controls

Risk Assessment Procedures

Risk assessment is a required part of the decision-making process. These decisions are intended to exploit business opportunities. A risk assessment of all proposed projects should be undertaken, and further risk assessment sessions should be carried out throughout the project. In addition, risk assessment includes decisions on how the risk assessments will be documented and reported. It is at this stage that an organization will decide the level of detail that will be recorded about each risk in the risk description.
An organization should develop benchmarks to determine the significance (or materiality) of the identified risks. The nature of this benchmark test will depend on the type of risk. For financial risks, a sum of money can be used as the benchmark test of significance. For risks that can cause disruption to operations, the length of disruption may be a suitable test. Reputational risks can be benchmarked in terms of the profile that the report of the event would receive, the likely impact of the event on share price, or the impact on the political and financial support received from key stakeholders.

Risk Tolerance

It is important that the Board sets rules for risk management with respect to all types of risk. It is fairly easy for an organization to confirm that it has no tolerance for causing injury and ill health. In practice, however, this may need to be developed into a set of targets for health and safety performance. There is a danger that risk tolerance statements fail to be dynamic, and they can limit behavior and rapid response. At the Board level, risk tolerance is a driver of strategic risk decisions. At the executive level, risk tolerance translates into a set of procedures to ensure that risk receives adequate attention when making tactical decisions. At the operational level, risk tolerance dictates operational constraints for routine activities. Despite its importance, it is surprising that the concept of risk tolerance is not mentioned in ISO 31000, although it is included in most other risk standards and stock exchange listing requirements.

Measuring and Monitoring

It is frequently the case that risk assessments are recorded in a risk register. There is no standard format for a risk register, and the organization should establish a suitable format for this document. The risk register is not a static record of the significant risks faced by the organization. It must be viewed as a risk action plan that includes details of the current controls and of any further actions that are planned. These further actions should be written as auditable actions that must be completed within a defined timescale by identified risk owners. This enables the internal audit function to monitor the existing controls and the implementation of any essential additional controls.

The resources required to implement the risk management policy should be defined at each level of management and within each business unit. Risk management should be embedded within the strategic planning and budget processes. Additionally, monitoring and measuring includes evaluation of the risk culture and the risk management framework, and assessment of the extent to which risk management tasks are aligned with other corporate activities.

Embed a Culture of Risk Awareness

Changes within the organization and in the external business environment must be identified, so that existing procedures can be modified. Any monitoring and measuring process should also determine whether:
- the measures adopted achieved the intended result,
- the procedures adopted were efficient,
- sufficient information was available for the risk assessments,
- improved knowledge would have helped to reach better decisions, and
- lessons can be learned for future assessments and controls.

A culture of risk awareness also calls for the involvement of staff at all levels, a culture of learning from experience, appropriate accountability for actions (without developing an automatic blame culture) and good communication on risk issues.
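The risk register described above, treated as an action plan with type-specific significance benchmarks, a ranking of relative importance, and auditable actions with named owners and timescales, as an added example in Python that is not part of the article or of ASQ's material. The risk types, the 1-to-5 scales, the benchmark values, the register entries, owners and dates are all constructed for illustration.

```python
"""Risk register kept as a living action plan, following the ISO 31000 reading above.
Added example, not code from the article. Risk types, scales, benchmarks and every
register entry are constructed."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List

class RiskType(Enum):
    FINANCIAL = "financial"        # benchmark unit: a sum of money
    OPERATIONAL = "operational"    # benchmark unit: hours of disruption
    REPUTATIONAL = "reputational"  # benchmark unit: constructed profile score, 1 (local) to 5 (national press)

class Treatment(Enum):
    ACCEPT = "accept"
    ELIMINATE = "eliminate"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"

@dataclass
class Action:
    """An auditable further action: what is to be done, the named owner, the timescale."""
    description: str
    owner: str
    due: date
    completed: bool = False

@dataclass
class Risk:
    risk_id: str
    title: str
    risk_type: RiskType
    likelihood: int              # constructed 1 (rare) .. 5 (almost certain) scale
    impact: float                # expressed in the benchmark unit of this risk type
    current_controls: List[str]  # controls already in place
    treatment: Treatment         # accept, eliminate, mitigate or transfer
    actions: List[Action] = field(default_factory=list)

    def exposure(self, benchmarks: Dict[RiskType, float]) -> float:
        """Rating used for ranking: likelihood times impact measured against the benchmark."""
        return self.likelihood * (self.impact / benchmarks[self.risk_type])

# Constructed significance (materiality) benchmarks, one per type of risk.
BENCHMARKS: Dict[RiskType, float] = {
    RiskType.FINANCIAL: 250_000.0,  # loss in currency units
    RiskType.OPERATIONAL: 24.0,     # hours of disruption to operations
    RiskType.REPUTATIONAL: 3.0,     # profile score on the constructed 1..5 scale
}

def is_significant(risk: Risk, benchmarks: Dict[RiskType, float] = BENCHMARKS) -> bool:
    """A risk is material when its impact reaches the benchmark for its type."""
    return risk.impact >= benchmarks[risk.risk_type]

def prioritize(register: List[Risk],
               benchmarks: Dict[RiskType, float] = BENCHMARKS) -> List[str]:
    """Risk ids ranked by relative importance, highest exposure first."""
    ranked = sorted(register, key=lambda r: r.exposure(benchmarks), reverse=True)
    return [r.risk_id for r in ranked]

def overdue_actions(register: List[Risk], today: date) -> Dict[str, List[str]]:
    """What internal audit would check: open actions past their timescale, grouped by owner."""
    overdue: Dict[str, List[str]] = {}
    for risk in register:
        for action in risk.actions:
            if not action.completed and action.due < today:
                overdue.setdefault(action.owner, []).append(
                    f"{risk.risk_id}: {action.description}")
    return overdue

# Constructed sample register; titles, controls, owners, dates and figures are invented.
REGISTER: List[Risk] = [
    Risk("R-01", "Ransomware outage of the order system", RiskType.OPERATIONAL,
         likelihood=3, impact=72.0,
         current_controls=["offline backups", "endpoint detection on servers"],
         treatment=Treatment.MITIGATE,
         actions=[Action("Test restore of the order database from backup",
                         "IT operations lead", date(2024, 3, 31)),
                  Action("Segment the order system from the user network",
                         "Network manager", date(2024, 6, 30))]),
    Risk("R-02", "Regulatory fines after a card data breach", RiskType.FINANCIAL,
         likelihood=2, impact=400_000.0,
         current_controls=["PCI DSS control set"],
         treatment=Treatment.TRANSFER,
         actions=[Action("Renew cyber insurance with breach cover",
                         "Risk manager", date(2024, 1, 15), completed=True)]),
    Risk("R-03", "Press coverage of a staff phishing incident", RiskType.REPUTATIONAL,
         likelihood=4, impact=2.0,
         current_controls=["awareness training"],
         treatment=Treatment.ACCEPT),
]

REVIEW_DATE = date(2024, 5, 1)  # constructed date of the periodic review

if __name__ == "__main__":
    print("ranking:", prioritize(REGISTER))
    print("significant:", [r.risk_id for r in REGISTER if is_significant(r)])
    print("overdue at", REVIEW_DATE, overdue_actions(REGISTER, REVIEW_DATE))
```

Exposure is impact relative to the type's own benchmark, so a 72-hour outage and a 400,000 loss can be ranked against each other without a shared unit; the overdue report is the list an internal auditor would take to the named risk owners.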
Monitor Risk Performance

Learning the lessons from risk management requires examination of the opinions of key stakeholders, both internal and external. In particular, the opinion of internal audit and the evaluation of risk management activities at the audit committee will be vitally important. Learning from experience requires more than evaluation of the risk performance indicators. An annual review of the risk management framework will be necessary, including evaluation of the risk architecture, strategy and protocols. It is important that the organization has a risk-based audit plan and undertakes appropriate risk reviews. Other features of learning from experience include evaluation of audit reports and an assessment of the sources of risk assurance available to the Board and the audit committee. An evaluation of the level of assurance that has been obtained is also necessary. Often, a major source of risk assurance for the Board will be self-certification, such as a Control Risk Self-Assessment process that provides assurance regarding risk management, risk reporting and disclosure, as well as information about learning from incidents.

Summary

Organizations that have not yet implemented a proactive, organized risk management framework, or are struggling to implement one, will find ISO 31000 a useful guide. While not a comprehensive workbook, ISO 31000 still provides adequate guidance. Organizations already using AS/NZS 4360 will be in a good position to adopt the new standard. In particular, ISO 31000 provides an opportunity for managers who lead risk management, internal audit, and compliance and governance initiatives in their organization to reassess their current risk management framework, introduce the new terms and principles, and refresh their risk management program. The transition from AS/NZS 4360 to ISO 31000 will offer two types of improvements for most organizations: (1) minor improvements, such as changes to terms and definitions, and (2) major improvements, such as those that require changes to processes, etc.
More informationTHE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT
THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT Let me begin by thanking Baruch College for giving me the opportunity to present this year s prestigious Emanuel Saxe Lecture in Accounting.
More informationRisk Management: Coordinated activities to direct and control an organisation with regard to risk.
POLICY CG01 RISK MANAGEMENT Document Control Statement This Policy is maintained by the Governance and Organisational Strategy. Any printed copy may not be up to date and you are advised to check the electronic
More informationEnterprise Risk Management
2013 Government Accounting and Auditing Update Enterprise Risk Management Understanding and Implementing an ERM Framework Mike Sargent, Director- CliftonLarsonAllen May 2013 cliftonlarsonallen.com Discussion
More informationStrategic Program Management
Governance Assessment Organizational Change Management Strategic Program Management Continuous Improvement Framework Processes Strategy Strategic Program Management Bob Prieto Published by Construction
More informationRisk Management The International Standard
Risk Management The International Standard John Crawley & Emer McAneny June 2014 Who I am Accountant Banker Businessman Trainer Turnaround Expert Risk Expert Agenda Strategy GRC Tolera nce Identifica tion
More informationStrategic Risk Management for School Board Trustees
Strategic Management for School Board Trustees A Management Process Framework May, 2012 Table of Contents Introduction Page I. Purpose....................................... 3 II. Applicability and Scope............................
More informationRisk Management Committee (Committee) Terms of Reference
Risk Management Committee (Committee) Terms of Reference 1. Objective of Committee 1.1 The Risk Management Committee ( the Committee ) is a formal sub-committee of the Board of the JSE ( the Board ). 1.2
More informationRisk Management & Business Continuity Manual 2011-2014
ANNEX C Risk Management & Business Continuity Manual 2011-2014 Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page
More informationRisk Management Policy
Risk Management Policy Risk Management Policy Record Number D14/79827 Responsible Manager Manager Strategy and Governance Last reviewed 10 March 2015 Adoption reference Council Resolution number 90.5 Previous
More informationBoard oversight of risk: Defining risk appetite in plain English
www.pwc.com/us/centerforboardgovernance Board oversight of risk: Defining risk appetite in plain English May 2014 Defining risk appetite in plain English Risk oversight continues to be top-of-mind for
More informationEnterprise Risk Management: Taking the First Steps
Enterprise Risk Management: Taking the First Steps TN PRIMA, 2012 DOROTHY GJERDRUM, ARM, CIRM NOVEMBER 15, 2012 Agenda Goal: To understand how to begin to implement a broader approach to risk management
More informationRISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY
RISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY Page 1 CONTENTS 1. Foreword by the Mayor... 3 2. Background... 4 2.1 Introduction... 4 2.2 Overall purpose of the Enterprise Risk Management
More informationNOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Specialist Operations Contingency Planning Business Continuity Manager 17.09.12
POLICY BUSINESS CONTINUITY Policy owners Policy holder Author Head of Services Specialist Operations Contingency Planning Business Continuity Manager Policy No. 132 Approved by Legal Services 17.09.12
More informationMaryland Association of Boards of Education Insurance Programs
Insurance Programs ENTERPRISE RISK MANAGEMENT John Magoon, ARM (P, E), CBCP, MBCI Risk Management Officer, MABE jmagoon@mabe.org 443 603 0399 A PERFECT DAY Our Goals 1.2 1 0.8 0.6 0.4 0.2 0 Actual Goal
More informationLinking Risk Management to Business Strategy, Processes, Operations and Reporting
Linking Risk Management to Business Strategy, Processes, Operations and Reporting Financial Management Institute of Canada February 17 th, 2010 KPMG LLP Agenda 1. Leading Practice Risk Management Principles
More informationSpecialists in Strategic, Enterprise and Project Risk Management. Enterprise Risk Management. the effect of uncertainty on objectives.
BROADLEAF CAPITAL INTERNATIONAL PTY LTD ABN 24 054 021 117 23 Bettowynd Road Tel: +61 2 9488 8477 Pymble Mobile: 0419 433 184 NSW 2073 Fax: + 61 2 9488 9685 Australia www.broadleaf.com.au Cooper@Broadleaf.com.au
More informationGAINING CONTROL: Building Your Existing Framework into an ERM Model
GAINING CONTROL: Building Your Existing Framework into an ERM Model RIMS Northeast Ohio Chapter Education Day Carol Fox, ARM RIMS Director of Strategic and Enterprise Risk Practice November 19, 2013 Copyright
More informationRisk management systems of responsible entities
Attachment to CP 263: Draft regulatory guide REGULATORY GUIDE 000 Risk management systems of responsible entities July 2016 About this guide This guide is for Australian financial services (AFS) licensees
More informationDeciding what opportunities to fund, which risks to protect
Deciding what opportunities to fund, which risks to protect The critical role of enterprise risk management in strategic decision making By Linda Conrad Director of Strategic Business Risk Zurich Global
More informationAn Introduction to Risk Management. For Event Holders in Western Australia. May 2014
An Introduction to Risk Management For Event Holders in Western Australia May 2014 Tourism Western Australia Level 9, 2 Mill Street PERTH WA 6000 GPO Box X2261 PERTH WA 6847 Tel: +61 8 9262 1700 Fax: +61
More informationSound Transit Internal Audit Report - No. 2014-3
Sound Transit Internal Audit Report - No. 2014-3 IT Project Management Report Date: Dec. 26, 2014 Table of Contents Page Background 2 Audit Approach and Methodology 2 Summary of Results 4 Findings & Management
More informationRisk Management Policy and Framework
Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871
More informationIT Security Risk Management: A Lifecycle Approach
Information Technology Security Guidance IT Security Risk Management: A Lifecycle Approach ITSG-33 November 2012 Foreword The of is an unclassified publication issued under the authority of the Chief,
More informationWith the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS
How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning The world has experienced a great deal of natural and man-made upheaval and destruction in the past few years, including tornadoes,
More informationChallenges in Improving Information Security Practice in Australian General
Research Online Australian Information Security Management Conference Security Research Institute Conferences 2009 Challenges in Improving Information Security Practice in Australian General Donald C.
More informationThe College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012
The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why
More informationAudit, Risk Management and Compliance Committee Charter
Audit, Risk Management and Compliance Committee Charter Woolworths Limited Adopted by the Board on 27 August 2013 page 1 1 Introduction This Charter sets out the responsibilities, structure and composition
More informationQUALITY ASSURANCE POLICY
QUALITY ASSURANCE POLICY ACADEMIC DEVELOPMENT & QUALITY ASSURANCE OFFICE ALPHA UNIVERSITY COLLEGE 1. BACKGROUND The Strategic Plan of 2003-2005 E.C of Alpha University s defines the direction Alpha University
More informationCouncil Meeting Agenda 27/07/15
3 Risk Management Framework Abstract Council s Risk Management Framework ( the Framework ) was adopted by Council in 2012. The Framework provides structure and guidance to Council s risk management activities
More informationTitle: Rio Tinto management system
Standard Rio Tinto management system December 2014 Group Title: Rio Tinto management system Document No: HSEC-B-01 Standard Function: Health, Safety, Environment and Communities (HSEC) No. of pages: 23
More informationCorporate Risk Management Policy
Corporate Risk Management Policy Managing the Risk and Realising the Opportunity www.reading.gov.uk Risk Management is Good Management Page 1 of 19 Contents 1. Our Risk Management Vision 3 2. Introduction
More informationSuccessfully identifying, assessing and managing risks for stakeholders
Introduction Names like Enron, Worldcom, Barings Bank and Menu Foods are household names but unfortunately as examples of what can go wrong. With these recent high profile business failures, people have
More informationThis is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines
AS/NZS ISO 31000:2009 Risk management Principles and guidelines AS/NZS ISO 31000:2009 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee OB-007, Risk Management. It was
More informationPOL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:
POL ENTERPRISE RISK MANAGEMENT SC51 POLICY CODE: SC51 DIRECTORATE: Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: Executive Support Services RESPONSIBLE OFFICER:
More informationFramework for Leadership
Framework for Leadership Date Leader Self-Assessment Evaluator Assessment Domain 1: Strategic/Cultural Leadership Principals/school leaders systemically and collaboratively develop a positive culture to
More informationPORT SAFETY PLAN GUIDELINES
Schedule PORT SAFETY PLAN GUIDELINES 1 July 2015 Version 1.0 1 PREAMBLE... 3 1.1 Title... 3 1.2 Authority... 3 1.3 Application... 3 1.4 Applicable Legislation... 3 1.5 Applicable Standards... 3 1.6 Relevant
More informationTHE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK
THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date
More informationRISK MANAGEMENT STRATEGY
RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate
More informationUniversity of New England Compliance Management Framework and Procedures
University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system
More informationOperational Risk Management Program Version 1.0 October 2013
Introduction This module applies to Fannie Mae and Freddie Mac (collectively, the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance, (which for purposes of this module are
More informationJuly 2015. New Entrants: Charting the Health Industry s Risk and Regulatory Landscape Where Risk Meets Opportunity
July 2015 New Entrants: Charting the Health Industry s Risk and Regulatory Landscape Where Risk Meets Opportunity The new health economy is bringing change and new entrants from diverse industries are
More informationPrincipled Performance & GRC
part of GRC Fundamentals Principled Performance & GRC How principled performance is the new normal and the imperative for integrating governance, performance, risk, internal control and compliance management
More informationENTERPRISE RISK MANAGEMENT FRAMEWORK
ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...
More informationAPES 325 Risk Management for Firms
APES 325 Risk Management for Firms Prepared and issued by Accounting Professional & Ethical Standards Board Limited ISSUED: December 2011 Copyright 2011 Accounting Professional & Ethical Standards Board
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis
More informationIntroduction to Enterprise Risk Management at UVM DRAFT
Introduction to Enterprise Management at UVM 1 Enterprise What is Enterprise Management? Enterprise risk management is a structured, consistent, and continuous process across the whole organization for
More informationInternal Audit Framework
Internal Audit Framework Internal Audit Framework National Treasury Republic of South Africa March 2009 (2 nd Edition) The Internal Audit Framework is being provided as a service to the Public Service.
More informationFlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk
Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk 2012 The Flynt Group, Inc., All Rights Reserved FlyntGroup.com Enterprise Risk Management and Business
More informationLearning Outcomes Implementation Guidance - Revised Staff Questions & Answers Document
Committee: International Accounting Education Standards Board Meeting Location: IFAC Headquarters, New York, USA Meeting Date: November 4 6, 2015 SUBJECT: Learning Outcomes Implementation Guidance - Revised
More informationNSW Government ICT Benefits Realisation and Project Management Guidance
NSW Government ICT Benefits Realisation and Project Management Guidance November 2014 CONTENTS 1. Introduction 1 2. Document purpose 1 3. Benefits realisation 1 4. Project management 4 5. Document control
More informationImplementing Portfolio Management: Integrating Process, People and Tools
AAPG Annual Meeting March 10-13, 2002 Houston, Texas Implementing Portfolio Management: Integrating Process, People and Howell, John III, Portfolio Decisions, Inc., Houston, TX: Warren, Lillian H., Portfolio
More informationSupporting information technology risk management
IBM Global Technology Services Thought Leadership White Paper October 2011 Supporting information technology risk management It takes an entire organization 2 Supporting information technology risk management
More informationQuality Assurance. Policy P7
Quality Assurance Policy P7 Table of Content Quality assurance... 3 IIA Australia quality assurance and professional standards... 3 Quality assurance and professional qualifications... 4 Quality assurance
More information