Introduction to ISO 31000:2009

Size: px
Start display at page:

Download "Introduction to ISO 31000:2009"

Transcription

1 Introduction to ISO 31000:2009 ISO was published as a standard in November of It provides a standard on how risk should be implemented. The intention of ISO 31000:2009 was to be relevant and flexible for "any public, private or community enterprise, association, group or individual." Hence, the general scope of ISO as a group of risk standards - was not developed with a particular industry sector, structure or technical field in mind. ISO provides a best practice composition and direction to all businesses concerned with risk. ISO 31000:2009 Scope ISO 31000:2009 offers broad general guidelines for the design, implementation and ongoing execution of risk processes throughout an organization. This methodology for risk practices makes possible broader adoption by organizations that necessitate an enterprise risk standard that supports silo-centric systems. The extent of this risk methodology was to facilitate all strategic, and operational tasks of an organization throughout projects, functions, and processes to be linked to a universal set of risk objectives. Consequently, ISO 31000:2009 was developed for a wide-ranging stakeholder group including: executive level stakeholders, appointment holders in the enterprise risk group, risk analysts and officers, line managers and project managers, compliance and internal auditors, and independent practitioners. Definition of Risk One of the key changes from past paradigms is how risk is defined. Under the ISO 31000:2009 a significant amendment of the terminology adds a new dimension to risk. Unlike some risk frameworks, ISO defines risk as the "effect of uncertainty on objectives," recognizing both the positive opportunities and negative consequences associated with it. Two supporting documents include: (1) ISO Guide 73:2009, Risk Vocabulary: Provides the definitions of generic terms related to risk and aims to encourage a consistent understanding of, and a coherent approach to, the description of activities relating to the of risk, as well as uniform risk terminology. And, (2) ISO/IEC 31010, Risk Risk assessment techniques: A supporting standard for ISO offering guidance on the selection and application of systematic techniques for risk assessment. The ISO Framework Whereas the Australian and New Zealand standards approach presented a process by which risk could be carried out, ISO 31000:2009 addresses an organizations system from design, through implementation, maintenance and improvement of risk processes. ISO 31000:2009 is a replacement to the existing standard on risk, AS/NZS 4360:2004. Implementation The goal of ISO is for the framework to be pragmatic within existing systems to provide structure and advance risk processes. Consequently, when implementing ISO 31000, 2013 Quality Management Division of ASQ Page 1

2 organizational leaders must be aware of the new paradigm addressed in this standard. The focal point of many ISO programs have centered on: shifting accountability gaps in enterprise risk, arranging organizational objectives with the ISO framework, establishing mechanisms to facilitate systems reporting, and generating consistent risk identification and assessment metrics Implications Implications for accommodating the new standards embrace improved efficiency and effectiveness of existing processes. Whether through business process re-engineering or enhanced integration of information practices the new standards must comply with the documentation, communication and accountability of the new risk working paradigm. As such, organizational leaders and managers must be aware of the implications for implementing the standards and be capable of developing strategies that reach across supply chains and multi-facility operations. Senior leaders and managers will be required to develop new competencies that deviate from the traditional old siloed and redundant risk methodologies. These new competencies will include accountability, strategic policy implementation and successful organizational policy frameworks. In some industry segments, particularly information systems security and corporate social responsibility, more structured changes will be mandated. These changes will be of specific importance when attempting to articulate new risk policies, formalizing risk ownership of key processes or response plans, and embracing continuous improvement programs. ISO Shortcomings ISO is a process-oriented risk- framework. This is in contrast to the Committee of Sponsoring Organizations (COSO) of the Treadway Commission's Enterprise Risk Management -- Integrated Framework report which is controls-oriented. Organizations cultured in enterprise-wide risk theories and looking for specifics on how to translate theories into practical tools will find little value in ISO Specifically, ISO does not establish how your organization measures risk and creates useful data, or guarantees that all relevant risk areas are identified, or provides risk taxonomies for developing risk documentation. The difference between ISO and COSO ERM is in the focus of assessing and managing risk. ISO concentrates on consequences and provides a framework for considering the consequences of an event occurring. This is depicted through the definition of risk the effect of uncertainty on objectives. COSO ERM is focused more on the events rather the consequences of events. ISO is comprised of three interrelated building blocks, 1) the general principles, 2) the framework, and 3) the process risk to be effectively implemented. The general principles of ISO state that risk should encompass the following principles: Value creation Be an integral part of organizational processes Be a part of decision-making Explicitly addresses uncertainty 2013 Quality Management Division of ASQ Page 2

3 Be systematic, structured and timely Be based on the best available information Be organizational specific Take human and cultural factors into account Be transparent and inclusive Be dynamic, iterative and responsive to change Facilitate continual improvement of the organization The second building block focuses on forming the right risk structure or framework. Once executive support and commitment is established, the organization: 1) designs the framework, 2) implements risk, 3) monitors and reviews the framework periodically, and 4) continually improves the framework. The third building block was adopted from AS/NZS 4360:2004. This building block requires communication and monitoring throughout the risk process. This is achieved by establishing the context for the framework, documenting the risk identification and risk assessment methodologies, and clearly articulating the risk strategies. The Framework for Managing Risk ISO describes a framework for implementing risk, rather than a framework for supporting the risk process. Information on designing the framework that supports the risk process is not set out in detail in ISO An organization will describe its framework for supporting risk by way of the risk architecture, strategy and protocols for the organization. The risk architecture, strategy and protocols should represent the internal arrangements for communicating on risk issues. It should also set out the roles and responsibilities of the individuals and committees that support the risk process. The risk strategy should set out the objectives that risk activities in the organization are seeking to achieve. Finally, the risk protocols describe the procedures by which the strategy will be implemented and risks managed. Risk Assessment Risk identification establishes the exposure of the organization to risk and uncertainty. This necessitates knowledge of the organization s marketplace in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational goals and objectives. This includes knowledge of the business elements critical to success and the threats and opportunities related to the achievement of its goals and objectives. Risk assessment ought to be approached in a systematic manner to ensure that all value-adding tasks and activities within the organization have been assessed and all the risks emerging from these tasks and activities are well defined. The result of risk analysis is used to produce a risk profile that generates a rating of importance for each risk and provides an approach for prioritizing risk efforts. The result is a ranking of the relative importance of each identified risk. This allows the risks to be mapped to the business area or specific business process affected. It also describes the primary control mechanisms in place and indicates where the level of investment in controls might be increased, decreased or reallocated. The risk analysis activity assists the operation of the organization by identifying those risks that require priority consideration by. This facilitates s ability to prioritize risk control actions in terms of their potential benefits to the 2013 Quality Management Division of ASQ Page 3

4 organization. The array of available risk response treatments include accept, eliminate, mitigate or transfer. An organization may decide that there is also a need to improve the control environment. Risk Treatment Risk treatment as defined in ISO is an activity to select and implement appropriate control measures to transform the risk. Risk treatment comprises risk control (or mitigation), risk avoidance, risk transfer and risk financing. Any risk treatment should provide efficient and effective internal controls. The effectiveness of internal control is determined by the level or degree to which the risk is either eliminated or reduced by the control measures. The cost-effectiveness of internal control is directly proportional to the cost of implementing the control when compared to the risk reduction benefits achieved. Compliance with laws and regulations is not an option. Organizations must understand the pertinent laws and be capable of implementing controls mechanisms to achieve compliance. One method of obtaining protection against the impact of risks is through risk financing or buying insurance. However, some losses may be uninsurable, for example, damages to employee morale and the reputation of the organization. ISO recognizes the importance of feedback. Monitoring and reviewing ensures that the organization monitors risk performance and learns from experience. Communication and consultation is a key requirement in ISO as both a part of the risk process, and part of the supporting framework. Reporting and disclosure are only very briefly mentioned in ISO Also, the monitoring and review feedback activities in ISO do not explicitly reference the tasks of monitoring risk performance and reviewing the risk framework. Board Mandate and Commitment Many organizations issue an updated version of their risk policy on a yearly basis. This ensures that the risk approach is in line with existing best practices. It also gives the organization the opportunity to focus on the intended benefits for the coming year. Mandate and commitment from the Board is critically important and it needs to be continuous. Keeping the risk policy up to date validates that risk is a dynamic activity fully supported by the Board. A risk policy should include the following sections: and internal control objectives (governance) Statement of the organizations attitude toward risk (risk strategy) Description of the risk culture or environment Level and nature of risk that is acceptable (risk tolerance) Details of procedures for risk recognition and ranking (risk assessment) List of documentation for analyzing and reporting risk (risk protocols) Risk mitigation requirements and control mechanisms (risk response) Allocation of risk roles and responsibilities Risk activities and risk priorities for the coming year Scope of the Risk Management Initiative In order to be successful, the risk initiative needs to be comprehensive. The scope of the initiative is defined by the range of benefits the organization is seeking to achieve. Benefits are influenced by the 2013 Quality Management Division of ASQ Page 4

5 expectations of the various stakeholders in the organization. Depending on the nature of the organization, the risk function may range from a part-time risk manager to a full-scale risk department. The internal audit function also differs from one organization to the next. In determining the most appropriate role for internal audit, the organization needs to ensure that the independence and objectivity of internal audit are not compromised. The range of risk responsibilities that need to be allocated in the policy will be broad and extensive. Table 1 sets out examples of the risk responsibilities that may be allocated in a typical organization. The Board has responsibility for determining the strategic direction of the organization and creating the context for risk. There need to be activities in place to achieve continuous improvement in performance and this responsibility is likely to be allocated to the risk manager. Table 1: responsibilities the CEO/Board: the business unit manager: individual employees: the risk manager: specialist risk functions: internal audit manager: Determine strategic approach to risk and set risk tolerance Build risk aware culture within the unit Understand, accept and implement RM processes Develop the risk policy and keep it up to date Assist the company in establishing specialist risk policies Develop a riskbased internal audit program Establish the structure for risk Agree risk performance targets Report inefficient, unnecessary or unworkable controls Document the internal risk policies and structures Develop specialist contingency and recovery plans Audit the risk processes across the organization Understand the most significant risks Ensure implementation of risk improvement recommendations Report loss events and near miss incidents Co-ordinate the risk (and internal control) activities Keep up to date with developments in the specialist area Receive and provide assurance on the of risk Manage the organization in a crisis Identify and report changed circumstances / risks Co-operate with on incident investigations Compile risk information and prepare reports for the Board Support investigations of incidents and near misses Report on the efficiency and effectiveness of internal controls Risk Assessment Procedures Risk assessment is a required part of the decision-making process. These decisions are intended to exploit business opportunities. Risk assessment of all proposed projects should be undertaken and further risk assessments sessions should be carried out throughout the project. In addition risk assessments include decisions on how the risk assessments will be documented and reported. It is at this stage that an organization will decide the level of detail that will be recorded about each risk in the risk description Quality Management Division of ASQ Page 5

6 An organization should develop benchmarks to determine the significance (or materiality) of the identified risks. The nature of this benchmark tests will depend on the type of risk. For financial risks, a sum of money can be used as the benchmark test of significance. For risks that can cause disruption to operations, the length of disruption may be a suitable test. Reputational risks can be benchmarked in terms of the profile that the report of the event would receive, the likely impact of the event on share price, or the impact on the political and financial support received from key stakeholders. Risk Tolerance It is important that the Board sets rules for risk- with respect to all types of risk. It is fairly easy for an organization to confirm that it has no tolerance for causing injury and ill health. In practice, however, this may need to be developed into a set of targets for health and safety performance. There is a danger that risk tolerance statements fail to be dynamic, and they can limit behavior and rapid response. At the Board level, risk tolerance is a driver of strategic risk decisions. At the executive level, risk tolerance translates into a set of procedures to ensure that risk receives adequate attention when making tactical decisions. At the operational level, risk tolerance dictates operational constraints for routine activities. Despite its importance, it is surprising that the concept of risk tolerance is not mentioned in ISO 31000, although it is included in most other risk standards and stock exchange listing requirements. Measuring and Monitoring It is frequently the case that risk assessments are recorded in a risk register. There is no standard format for a risk register and the organization should establish a suitable format for this document. The risk register is not a static record of the significant risks faced by the organization. It must be viewed as a risk action plan that includes details of the current controls and details of any further actions that are planned. These further actions should be written as auditable actions that must be completed within a defined timescale by identified risk owners. This enables the internal audit function to monitor the existing controls and the implementation of any essential additional controls. The resources required to implement the risk policy should be defined at each level of and within each business unit. should be embedded within the strategic planning and budget processes. Additionally, monitoring and measuring includes evaluation of the risk culture and the risk framework, and assessment of the extent to which risk tasks are aligned with other corporate activities. Embed a Culture of Risk Awareness Changes within the organization and the external business environment must be identified, so that existing procedures can be modified. Any monitoring and measuring process should also determine whether: the measures adopted achieved the intended result, the procedures adopted were efficient, sufficient information was available for the risk assessments, improved knowledge would have helped to reach better decisions, lessons can be learned for future assessments and controls, involvement of staff at all levels, a culture of learning from experience, appropriate accountability for actions (without developing an automatic blame culture) and good communication on risk issues 2013 Quality Management Division of ASQ Page 6

7 Monitor Risk Performance Learning the lessons from risk requires examination of the opinions of key stakeholders both internally and externally. In particular, the opinion of internal audit and evaluation of risk activities at audit committee will be vitally important. Learning from experience requires more than evaluation of the risk performance indicators. An annual review of the risk framework will be necessary, including evaluation of the risk architecture, strategy and protocols. It is important that the organization has a risk-based audit plan and undertakes appropriate risk reviews. Other features of learning from experience include evaluation of audit reports and an assessment of the sources of risk assurance available to the Board and the audit committee. An evaluation of the level of assurance that has been obtained is also necessary. Often, a major source of risk assurance for the Board will be self-certification, such as a Control Risk Self-Assessment process that provides assurance regarding risk, risk reporting and disclosure, as well as information about learning from incidents. Summary Organizations that have not yet implemented a proactive, organized risk framework or are struggling to implement one, will find ISO a useful guide. While not a comprehensive workbook, ISO still provides adequate guidance. Organizations already using AS/NZS 4360 will be in a good position to adopt the new Standards. In particular, ISO provides an opportunity for managers who lead risk, internal audits, and compliance and governance initiatives in their organization to reassess their current risk framework, introduce the new terms and principles and refresh their risk program. The transition from AS/NZS 4360 to ISO will offer two types of improvements for most organizations: (1) minor improvements such as changes to terms and definitions, and (2) major improvements like those that require changes to processes etc Quality Management Division of ASQ Page 7

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 Contents Executive summary Introduction Acknowledgements Part 1: Risk, risk management and ISO 31000 1 Nature

More information

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices A S I S I N T E R N A T I O N A L Supply Chain Risk Management: Risk Assessment A Compilation of Best Practices ANSI/ASIS/RIMS SCRM.1-2014 RA.1-2015 STANDARD The worldwide leader in security standards

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving

More information

When Recognition Matters WHITEPAPER ISO 31000 RISK MANAGEMENT PRINCIPLES AND GUIDELINES. www.pecb.com

When Recognition Matters WHITEPAPER ISO 31000 RISK MANAGEMENT PRINCIPLES AND GUIDELINES. www.pecb.com When Recognition Matters WHITEPAPER ISO 31000 RISK MANAGEMENT PRINCIPLES AND GUIDELINES www.pecb.com CONTENT 3 4 4 5 7 7 7 7 8 Introduction An overview of ISO 31000:2009 Structure of ISO 31000:2009 Key

More information

APPENDIX 50. Enterprise risk management - Risk management overview

APPENDIX 50. Enterprise risk management - Risk management overview APPENDIX 50 Enterprise risk management - Risk management overview Energex regulatory proposal October 2014 ENTERPRISE RISK MANAGEMENT Risk Management Overview (RMO) 06 11 2013 Table of Contents 1. INTRODUCTION...

More information

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework UNOPS UNITED NATIONS OFFICE FOR PROJECT SERVICES Headquarters, Copenhagen O.D. No. 33 16 April 2010 ORGANIZATIONAL DIRECTIVE No. 33 UNOPS Strategic Risk Management Planning Framework 1. Introduction 1.1.

More information

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report A&CS Assurance Review Accounting Policy Division Rule Making Participation in Standard Setting Report April 2010 Table of Contents Background... 1 Engagement Objectives, Scope and Approach... 1 Overall

More information

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide RISK BASED AUDITING: A VALUE ADD PROPOSITION Participant Guide About This Course About This Course Adding Value for Risk-based Auditing Seminar Description In this seminar, we will focus on: The foundation

More information

V1.0 - Eurojuris ISO 9001:2008 Certified

V1.0 - Eurojuris ISO 9001:2008 Certified Risk Management Manual V1.0 - Eurojuris ISO 9001:2008 Certified Section Page No 1 An Introduction to Risk Management 1-2 2 The Framework of Risk Management 3-6 3 Identification of Risks 7-8 4 Evaluation

More information

ISO 31000:2009 - ISO/IEC 31010 & ISO Guide 73:2009 - New Standards for the Management of Risk

ISO 31000:2009 - ISO/IEC 31010 & ISO Guide 73:2009 - New Standards for the Management of Risk Kevin W Knight AM CPRM; Hon FRMIA; FIRM (UK); LMRMIA: ANZIIF (Mem) ISO 31000:2009 - ISO/IEC 31010 & ISO Guide 73:2009 - New Standards for the Management of Risk History of the ISO and Risk Management Over

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...

More information

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines AS/NZS ISO 31000:2009 Risk management Principles and guidelines AS/NZS ISO 31000:2009 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee OB-007, Risk Management. It was

More information

Risk Management Basics - ISO 31000 Standard. Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company

Risk Management Basics - ISO 31000 Standard. Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company Risk Management Basics - ISO 31000 Standard Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company Risk Management Basics - ISO 31000 Standard 1. Risk Management Basics 2. ISO 31000 Risk Management

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

IFAD Policy on Enterprise Risk Management

IFAD Policy on Enterprise Risk Management Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008

More information

Disclosure to Promote the Right To Information

Disclosure to Promote the Right To Information इ टरन ट म नक Disclosure to Promote the Right To Information Whereas the Parliament of India has set out to provide a practical regime of right to information for citizens to secure access to information

More information

POLICY. Number: 7311-10-005 Title: Enterprise Risk Management. Authorization

POLICY. Number: 7311-10-005 Title: Enterprise Risk Management. Authorization POLICY Number: 7311-10-005 Title: Enterprise Risk Management Authorization [ ] President and CEO [ X] Vice President, Finance and Corporate Services Source: Director, Enterprise Risk Management Cross Index:

More information

Policy 10.105: Enterprise Risk Management Policy

Policy 10.105: Enterprise Risk Management Policy Name: Responsibility: Complements: Enterprise Risk Management Framework Coordinator, Enterprise Risk Management Policy 10.105: Enterprise Risk Management Policy Date: November 2006 Revision Date(s): January

More information

Confident in our Future, Risk Management Policy Statement and Strategy

Confident in our Future, Risk Management Policy Statement and Strategy Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents

More information

PRINCE2:2009 Glossary of Terms (English)

PRINCE2:2009 Glossary of Terms (English) accept (risk response) acceptance acceptance criteria activity agile methods approval approver assumption assurance A risk response to a threat where a conscious and deliberate decision is taken to retain

More information

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract: The term of scenario is used

More information

Responsible Investment Policy

Responsible Investment Policy (ABN 30 006 169 286) (AFSL 246664) October 2011 Version 4.0 (September 2011) Contents 1. Fund Objectives... 1 2. Implications of the Fund s Objectives on its Investments... 2 3. Policy on Responsible Investment...

More information

Fundamentals of Risk Management Understanding, evaluating and implementing effective risk management

Fundamentals of Risk Management Understanding, evaluating and implementing effective risk management SECOND EDITION Fundamentals of Risk Management Understanding, evaluating and implementing effective risk management Paul Hopkin KoganPage LONDON PHILADELPHIA NEW DELHI CONTENTS List of figures xiv List

More information

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS 1 Module 1: Principles of Risk and Risk Management Module aims The aim of this module is to provide an introduction to the principles and concepts of risk and

More information

Risk Management Policy

Risk Management Policy 1 Purpose Risk management relates to the culture, processes and structures directed towards the effective management of potential opportunities and adverse effects within the University s environment.

More information

Corporate Governance and Enterprise Risk Management Derek Jackson, Senior Manager 5 September 2005

Corporate Governance and Enterprise Risk Management Derek Jackson, Senior Manager 5 September 2005 Corporate Governance and Enterprise Risk Management Derek Jackson, Senior Manager 5 September 2005 Corporate Governance Services 0 Overview Hong Kong Code on Corporate Governance Practices Corporate Governance

More information

International Diploma in Risk Management Syllabus

International Diploma in Risk Management Syllabus International Diploma in Risk Management Syllabus Module 1: Principles of Risk and Risk Management The aim of this module is to provide an introduction to the principles and concepts of risk and risk management.

More information

A Risk Management Standard

A Risk Management Standard A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management

More information

An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management

An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management Bridgework: An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management @Copyright Cura Software. All rights reserved. No part of this document may be transmitted or copied without

More information

Internal Auditing Guidelines

Internal Auditing Guidelines Internal Auditing Guidelines Recommendations on Internal Auditing for Lottery Operators Issued by the WLA Security and Risk Management Committee V1.0, March 2007 The WLA Internal Auditing Guidelines may

More information

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework Dorothy Gjerdrum, ARM-P, Chair of the ISO 31000 US TAG and Executive Director,

More information

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg. Introduction CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.com June 2015 Companies which adopt CSR or sustainability 1

More information

Business Continuity Trends, Requirements and Expectations in 2009. Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting

Business Continuity Trends, Requirements and Expectations in 2009. Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting Business Continuity Trends, Requirements and Expectations in 2009 Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting Overview What Is Business Continuity? The Value Proposition What

More information

Integrated Risk Management:

Integrated Risk Management: Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)

More information

How To Transform It Risk Management

How To Transform It Risk Management The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help

More information

Xavier Catholic College Risk Management - Policy & Procedure

Xavier Catholic College Risk Management - Policy & Procedure Xavier Catholic College Risk Management Policy 18 March 2013 Sourced from CSOHS Online. Source CSO Broken Bay 2012 Page 1 Risk Management Policy (Draft) PURPOSE Risk management is the culture, processes

More information

Enterprise Risk Management Framework 2012 2016. Strengthening our commitment to risk management

Enterprise Risk Management Framework 2012 2016. Strengthening our commitment to risk management Enterprise Risk Management Framework 2012 2016 Strengthening our commitment to risk management Contents Director-General s message... 3 Introduction... 4 Purpose... 4 What is risk management?... 4 Benefits

More information

fmswhitepaper Why community-based financial institutions should practice enterprise risk management.

fmswhitepaper Why community-based financial institutions should practice enterprise risk management. fmswhitepaper Why community-based financial institutions should practice enterprise risk management. By Michael D. Cohn, CPA, CISA, CGEIT Director, WolfPAC Solutions Group Unique Insights Implementation

More information

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY AUTHOR/ APPROVAL DETAILS Document Author Written By: Human Resources Authorised Signature Authorised By: Helen Shields Date: 20

More information

Central bank corporate governance, financial management, and transparency

Central bank corporate governance, financial management, and transparency Central bank corporate governance, financial management, and transparency By Richard Perry, 1 Financial Services Group This article discusses the Reserve Bank of New Zealand s corporate governance, financial

More information

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC Annex 1 TITLE VERSION Version 2 Risk Management Strategy and Policy SUMMARY The policy provides the framework for the management and control of risk within the GOC DATE CREATED January 2013 REVIEW DATE

More information

INTERNATIONAL FRAMEWORK FOR ASSURANCE ENGAGEMENTS CONTENTS

INTERNATIONAL FRAMEWORK FOR ASSURANCE ENGAGEMENTS CONTENTS INTERNATIONAL FOR ASSURANCE ENGAGEMENTS (Effective for assurance reports issued on or after January 1, 2005) CONTENTS Paragraph Introduction... 1 6 Definition and Objective of an Assurance Engagement...

More information

Avondale College Limited Enterprise Risk Management Framework 2014 2017

Avondale College Limited Enterprise Risk Management Framework 2014 2017 Avondale College Limited Enterprise Risk Management Framework 2014 2017 President s message Risk management is part of our daily life, something we do regularly; often without realising we are doing it.

More information

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology Inclusive of, framework, procedures and methodology Contents 1 Introduction 1 1.1 Legislative Framework and best practice 1 1.2 Purpose of Enterprise Risk Management 2 1.3 Scope and Applicability 3 1.4

More information

Quick Guide: Meeting ISO 55001 Requirements for Asset Management

Quick Guide: Meeting ISO 55001 Requirements for Asset Management Supplement to the IIMM 2011 Quick Guide: Meeting ISO 55001 Requirements for Asset Management Using the International Infrastructure Management Manual (IIMM) ISO 55001: What is required IIMM: How to get

More information

Enterprise Security Tactical Plan

Enterprise Security Tactical Plan Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise

More information

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT Let me begin by thanking Baruch College for giving me the opportunity to present this year s prestigious Emanuel Saxe Lecture in Accounting.

More information

Risk Management: Coordinated activities to direct and control an organisation with regard to risk.

Risk Management: Coordinated activities to direct and control an organisation with regard to risk. POLICY CG01 RISK MANAGEMENT Document Control Statement This Policy is maintained by the Governance and Organisational Strategy. Any printed copy may not be up to date and you are advised to check the electronic

More information

Enterprise Risk Management

Enterprise Risk Management 2013 Government Accounting and Auditing Update Enterprise Risk Management Understanding and Implementing an ERM Framework Mike Sargent, Director- CliftonLarsonAllen May 2013 cliftonlarsonallen.com Discussion

More information

Strategic Program Management

Strategic Program Management Governance Assessment Organizational Change Management Strategic Program Management Continuous Improvement Framework Processes Strategy Strategic Program Management Bob Prieto Published by Construction

More information

Risk Management The International Standard

Risk Management The International Standard Risk Management The International Standard John Crawley & Emer McAneny June 2014 Who I am Accountant Banker Businessman Trainer Turnaround Expert Risk Expert Agenda Strategy GRC Tolera nce Identifica tion

More information

Strategic Risk Management for School Board Trustees

Strategic Risk Management for School Board Trustees Strategic Management for School Board Trustees A Management Process Framework May, 2012 Table of Contents Introduction Page I. Purpose....................................... 3 II. Applicability and Scope............................

More information

Risk Management Committee (Committee) Terms of Reference

Risk Management Committee (Committee) Terms of Reference Risk Management Committee (Committee) Terms of Reference 1. Objective of Committee 1.1 The Risk Management Committee ( the Committee ) is a formal sub-committee of the Board of the JSE ( the Board ). 1.2

More information

Risk Management & Business Continuity Manual 2011-2014

Risk Management & Business Continuity Manual 2011-2014 ANNEX C Risk Management & Business Continuity Manual 2011-2014 Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Risk Management Policy Record Number D14/79827 Responsible Manager Manager Strategy and Governance Last reviewed 10 March 2015 Adoption reference Council Resolution number 90.5 Previous

More information

Board oversight of risk: Defining risk appetite in plain English

Board oversight of risk: Defining risk appetite in plain English www.pwc.com/us/centerforboardgovernance Board oversight of risk: Defining risk appetite in plain English May 2014 Defining risk appetite in plain English Risk oversight continues to be top-of-mind for

More information

Enterprise Risk Management: Taking the First Steps

Enterprise Risk Management: Taking the First Steps Enterprise Risk Management: Taking the First Steps TN PRIMA, 2012 DOROTHY GJERDRUM, ARM, CIRM NOVEMBER 15, 2012 Agenda Goal: To understand how to begin to implement a broader approach to risk management

More information

RISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY

RISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY RISK MANAGEMENT FRAMEWORK 2013-2014 OKHAHLAMBA LOCAL MUNICIPALITYITY Page 1 CONTENTS 1. Foreword by the Mayor... 3 2. Background... 4 2.1 Introduction... 4 2.2 Overall purpose of the Enterprise Risk Management

More information

NOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Specialist Operations Contingency Planning Business Continuity Manager 17.09.12

NOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Specialist Operations Contingency Planning Business Continuity Manager 17.09.12 POLICY BUSINESS CONTINUITY Policy owners Policy holder Author Head of Services Specialist Operations Contingency Planning Business Continuity Manager Policy No. 132 Approved by Legal Services 17.09.12

More information

Maryland Association of Boards of Education Insurance Programs

Maryland Association of Boards of Education Insurance Programs Insurance Programs ENTERPRISE RISK MANAGEMENT John Magoon, ARM (P, E), CBCP, MBCI Risk Management Officer, MABE jmagoon@mabe.org 443 603 0399 A PERFECT DAY Our Goals 1.2 1 0.8 0.6 0.4 0.2 0 Actual Goal

More information

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Linking Risk Management to Business Strategy, Processes, Operations and Reporting Linking Risk Management to Business Strategy, Processes, Operations and Reporting Financial Management Institute of Canada February 17 th, 2010 KPMG LLP Agenda 1. Leading Practice Risk Management Principles

More information

Specialists in Strategic, Enterprise and Project Risk Management. Enterprise Risk Management. the effect of uncertainty on objectives.

Specialists in Strategic, Enterprise and Project Risk Management. Enterprise Risk Management. the effect of uncertainty on objectives. BROADLEAF CAPITAL INTERNATIONAL PTY LTD ABN 24 054 021 117 23 Bettowynd Road Tel: +61 2 9488 8477 Pymble Mobile: 0419 433 184 NSW 2073 Fax: + 61 2 9488 9685 Australia www.broadleaf.com.au Cooper@Broadleaf.com.au

More information

GAINING CONTROL: Building Your Existing Framework into an ERM Model

GAINING CONTROL: Building Your Existing Framework into an ERM Model GAINING CONTROL: Building Your Existing Framework into an ERM Model RIMS Northeast Ohio Chapter Education Day Carol Fox, ARM RIMS Director of Strategic and Enterprise Risk Practice November 19, 2013 Copyright

More information

Risk management systems of responsible entities

Risk management systems of responsible entities Attachment to CP 263: Draft regulatory guide REGULATORY GUIDE 000 Risk management systems of responsible entities July 2016 About this guide This guide is for Australian financial services (AFS) licensees

More information

Deciding what opportunities to fund, which risks to protect

Deciding what opportunities to fund, which risks to protect Deciding what opportunities to fund, which risks to protect The critical role of enterprise risk management in strategic decision making By Linda Conrad Director of Strategic Business Risk Zurich Global

More information

An Introduction to Risk Management. For Event Holders in Western Australia. May 2014

An Introduction to Risk Management. For Event Holders in Western Australia. May 2014 An Introduction to Risk Management For Event Holders in Western Australia May 2014 Tourism Western Australia Level 9, 2 Mill Street PERTH WA 6000 GPO Box X2261 PERTH WA 6847 Tel: +61 8 9262 1700 Fax: +61

More information

Sound Transit Internal Audit Report - No. 2014-3

Sound Transit Internal Audit Report - No. 2014-3 Sound Transit Internal Audit Report - No. 2014-3 IT Project Management Report Date: Dec. 26, 2014 Table of Contents Page Background 2 Audit Approach and Methodology 2 Summary of Results 4 Findings & Management

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871

More information

IT Security Risk Management: A Lifecycle Approach

IT Security Risk Management: A Lifecycle Approach Information Technology Security Guidance IT Security Risk Management: A Lifecycle Approach ITSG-33 November 2012 Foreword The of is an unclassified publication issued under the authority of the Chief,

More information

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning The world has experienced a great deal of natural and man-made upheaval and destruction in the past few years, including tornadoes,

More information

Challenges in Improving Information Security Practice in Australian General

Challenges in Improving Information Security Practice in Australian General Research Online Australian Information Security Management Conference Security Research Institute Conferences 2009 Challenges in Improving Information Security Practice in Australian General Donald C.

More information

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012 The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why

More information

Audit, Risk Management and Compliance Committee Charter

Audit, Risk Management and Compliance Committee Charter Audit, Risk Management and Compliance Committee Charter Woolworths Limited Adopted by the Board on 27 August 2013 page 1 1 Introduction This Charter sets out the responsibilities, structure and composition

More information

QUALITY ASSURANCE POLICY

QUALITY ASSURANCE POLICY QUALITY ASSURANCE POLICY ACADEMIC DEVELOPMENT & QUALITY ASSURANCE OFFICE ALPHA UNIVERSITY COLLEGE 1. BACKGROUND The Strategic Plan of 2003-2005 E.C of Alpha University s defines the direction Alpha University

More information

Council Meeting Agenda 27/07/15

Council Meeting Agenda 27/07/15 3 Risk Management Framework Abstract Council s Risk Management Framework ( the Framework ) was adopted by Council in 2012. The Framework provides structure and guidance to Council s risk management activities

More information

Title: Rio Tinto management system

Title: Rio Tinto management system Standard Rio Tinto management system December 2014 Group Title: Rio Tinto management system Document No: HSEC-B-01 Standard Function: Health, Safety, Environment and Communities (HSEC) No. of pages: 23

More information

Corporate Risk Management Policy

Corporate Risk Management Policy Corporate Risk Management Policy Managing the Risk and Realising the Opportunity www.reading.gov.uk Risk Management is Good Management Page 1 of 19 Contents 1. Our Risk Management Vision 3 2. Introduction

More information

Successfully identifying, assessing and managing risks for stakeholders

Successfully identifying, assessing and managing risks for stakeholders Introduction Names like Enron, Worldcom, Barings Bank and Menu Foods are household names but unfortunately as examples of what can go wrong. With these recent high profile business failures, people have

More information

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines AS/NZS ISO 31000:2009 Risk management Principles and guidelines AS/NZS ISO 31000:2009 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee OB-007, Risk Management. It was

More information

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: POL ENTERPRISE RISK MANAGEMENT SC51 POLICY CODE: SC51 DIRECTORATE: Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: Executive Support Services RESPONSIBLE OFFICER:

More information

Framework for Leadership

Framework for Leadership Framework for Leadership Date Leader Self-Assessment Evaluator Assessment Domain 1: Strategic/Cultural Leadership Principals/school leaders systemically and collaboratively develop a positive culture to

More information

PORT SAFETY PLAN GUIDELINES

PORT SAFETY PLAN GUIDELINES Schedule PORT SAFETY PLAN GUIDELINES 1 July 2015 Version 1.0 1 PREAMBLE... 3 1.1 Title... 3 1.2 Authority... 3 1.3 Application... 3 1.4 Applicable Legislation... 3 1.5 Applicable Standards... 3 1.6 Relevant

More information

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date

More information

RISK MANAGEMENT STRATEGY

RISK MANAGEMENT STRATEGY RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate

More information

University of New England Compliance Management Framework and Procedures

University of New England Compliance Management Framework and Procedures University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system

More information

Operational Risk Management Program Version 1.0 October 2013

Operational Risk Management Program Version 1.0 October 2013 Introduction This module applies to Fannie Mae and Freddie Mac (collectively, the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance, (which for purposes of this module are

More information

July 2015. New Entrants: Charting the Health Industry s Risk and Regulatory Landscape Where Risk Meets Opportunity

July 2015. New Entrants: Charting the Health Industry s Risk and Regulatory Landscape Where Risk Meets Opportunity July 2015 New Entrants: Charting the Health Industry s Risk and Regulatory Landscape Where Risk Meets Opportunity The new health economy is bringing change and new entrants from diverse industries are

More information

Principled Performance & GRC

Principled Performance & GRC part of GRC Fundamentals Principled Performance & GRC How principled performance is the new normal and the imperative for integrating governance, performance, risk, internal control and compliance management

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...

More information

APES 325 Risk Management for Firms

APES 325 Risk Management for Firms APES 325 Risk Management for Firms Prepared and issued by Accounting Professional & Ethical Standards Board Limited ISSUED: December 2011 Copyright 2011 Accounting Professional & Ethical Standards Board

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis

More information

Introduction to Enterprise Risk Management at UVM DRAFT

Introduction to Enterprise Risk Management at UVM DRAFT Introduction to Enterprise Management at UVM 1 Enterprise What is Enterprise Management? Enterprise risk management is a structured, consistent, and continuous process across the whole organization for

More information

Internal Audit Framework

Internal Audit Framework Internal Audit Framework Internal Audit Framework National Treasury Republic of South Africa March 2009 (2 nd Edition) The Internal Audit Framework is being provided as a service to the Public Service.

More information

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk 2012 The Flynt Group, Inc., All Rights Reserved FlyntGroup.com Enterprise Risk Management and Business

More information

Learning Outcomes Implementation Guidance - Revised Staff Questions & Answers Document

Learning Outcomes Implementation Guidance - Revised Staff Questions & Answers Document Committee: International Accounting Education Standards Board Meeting Location: IFAC Headquarters, New York, USA Meeting Date: November 4 6, 2015 SUBJECT: Learning Outcomes Implementation Guidance - Revised

More information

NSW Government ICT Benefits Realisation and Project Management Guidance

NSW Government ICT Benefits Realisation and Project Management Guidance NSW Government ICT Benefits Realisation and Project Management Guidance November 2014 CONTENTS 1. Introduction 1 2. Document purpose 1 3. Benefits realisation 1 4. Project management 4 5. Document control

More information

Implementing Portfolio Management: Integrating Process, People and Tools

Implementing Portfolio Management: Integrating Process, People and Tools AAPG Annual Meeting March 10-13, 2002 Houston, Texas Implementing Portfolio Management: Integrating Process, People and Howell, John III, Portfolio Decisions, Inc., Houston, TX: Warren, Lillian H., Portfolio

More information

Supporting information technology risk management

Supporting information technology risk management IBM Global Technology Services Thought Leadership White Paper October 2011 Supporting information technology risk management It takes an entire organization 2 Supporting information technology risk management

More information

Quality Assurance. Policy P7

Quality Assurance. Policy P7 Quality Assurance Policy P7 Table of Content Quality assurance... 3 IIA Australia quality assurance and professional standards... 3 Quality assurance and professional qualifications... 4 Quality assurance

More information