ISO 31000 and Risk Management

Similar documents
ERM Standards of Practice and Shared Risk Principles

Analyzing Risks in Healthcare. February 12, 2014

Maryland Association of Boards of Education Insurance Programs

ISO 31000: ISO/IEC & ISO Guide 73: New Standards for the Management of Risk

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

Understanding Enterprise Risk Management. Presented by Dorothy Gjerdrum Arthur J Gallagher

14 October 2015 ISACA Curaçao Conference By: Paul Helmich

Fraud Risk Management

The Role of Internal Audit In Business Continuity Planning

Risk Assessment & Enterprise Risk Management

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Strategic Risk Management for School Board Trustees

Policy : Enterprise Risk Management Policy

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

Conceptual Basis of Internal Audit

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT AN OVERVIEW. November 2011

Improving Financial Performance, Governance and Compliance

ENTERPRISE RISK MANAGEMENT POLICY

Risk Management Policy Adopted by:

Fundamentals of Information Governance:

Fundamentals of Risk Management Understanding, evaluating and implementing effective risk management

Enterprise Risk Management Framework Strengthening our commitment to risk management

Risk Management The International Standard

COCA-COLA HELLENIC BOTTLING COMPANY RISK MANAGEMENT POLICY

Integrated Risk Management:

Enterprise Risk Management for International Schools

Enterprise Risk Management: Concepts & Issues

The Changing Landscape for Trade Compliance Enterprise Risk (and Opportunity) Management

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Using COSO Small Business Guidance for Assessing Internal Financial Controls

Risk, Risk Assessments and Risk Management. Christopher Bowler CPA, CISA August 10, 2015

The Lowitja Institute Risk Management Plan

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

Assessing & Managing IT Risk

Risk Management - Board & Management Responsibilities Murray Short, MBA, CPA CA Not-for-Profit Partner RLB LLP

Internal Auditing Guidelines

Enterprise Risk Management: Taking the First Steps

Enterprise Risk Management

COBIT 5 for Risk. CS 3-7: Monday, July 6 4:00-5:00. Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.

Moving Forward with IT Governance and COBIT

Enterprise Risk Management

COMMUNIQUE. Information Technology (IT) Governance Guidance

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies

A Sarbanes-Oxley Roadmap to Business Continuity

IT Security Governance for e-business

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

Security Controls What Works. Southside Virginia Community College: Security Awareness

Avondale College Limited Enterprise Risk Management Framework

SAI GLOBAL LIMITED Risk Management Policy

Achieving Business Imperatives through IT Governance and Risk

Risk Management Policy

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

What Should IS Majors Know About Regulatory Compliance?

Enterprise Risk Management: COSO, New COSO, ISO Review of ERM

Operational Risk Management in a Debt Management Office

Governance structures and leading. central banks

Governance, Risk and Compliance Assessment

RIMS Executive Report The Risk Perspective

and Risk Tolerance in an Effective ERM Program

Pocket Guide to Clinical Risk Management

How To Use Risk It

The Role of Internal Audit in Risk Governance

Enhancing IT Governance, Risk and Compliance Management (IT GRC)

CFE 2. Enterprise Risk Management. Study Guide - Supplemental Background Material

Victorian Government Risk Management Framework. March 2015

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Risk Management Strategy and Guidelines

Information Technology Governance. Steve Crutchley CEO - Consult2Comply

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

III. CORPORATE GOVERNANCE IN BANKING ORGANIZATIONS

ERM Program. Enterprise Risk Management Guideline

Preparing for the Convergence of Risk Management & Business Continuity

International Institute of Management

International Diploma in Risk Management Syllabus

GLOBAL STANDARD FOR INFORMATION MANAGEMENT

Risk Management Basics - ISO Standard. Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company

Benchmark of controls over IT activities Report. ABC Ltd

Enterprise Risk Management

Risk Management Policy and Framework

APPENDIX 50. Enterprise risk management - Risk management overview

Measuring Operational Risk Management Systems under Basel II

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors

OAC Presentation to UNESCO Member States

A COMPARATIVE FRAMEW ORK FOR EVALUATING INFORMATION SECURITY RISK MANAGEMENT METHODS

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

Information Security and Risk Management

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management

ENTERPRISE RISK MANAGEMENT POLICY

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework

Trends in Information Technology (IT) Auditing

Subject ST9 Enterprise Risk Management Syllabus

Audit of the Policy on Internal Control Implementation

A Flexible and Comprehensive Approach to a Cloud Compliance Program

Implementing an Integrated City-wide Risk Management Framework

Transcription:

ISO 31000 and Risk Management August 19, 2010

What is risk? All management is risk management!

Risk Management Boot camp Threat + Vulnerability = Risk Risk Controls = Residual Risk Residual Risk Probability + Residual Risk Impact = Risk Rating

Risk Types Strategic Risks Inherent risks of doing business, going after new markets, regulatory Finance Risks Treasury risks, credit risks, trading risks Operations Risks People, compliance, process Information Risks Operational and Technological risks

About controls Control Types Preventive Detective Corrective Control Categories Administrative Technical Personnel Physical

How do you manage and track risks? Enterprise Risk Management What is it? ERM is establishes the oversight, control and discipline to drive continuous improvement of an entity s risk management capabilities in a changing operating environment. Who is involved? Everyone in the organization and the Board

And you should care because

Recent History of ERM Cadbury Committee (UK) (1992) Chief Risk Officer created at GE (1992) AS/NZS 4360:1995 (revised 1999, 2004) released first ever ERM standard 9/11 and collapse of Enron resulting in Sarbanes-Oxley Act (2000) International Standards Organization (ISO) forms an international working group to write a global guideline of managing risk released 2009.

Global Corporate Governance Models INTERNATIONAL - Basel I & II; ISO 31000 & 31010 France Vienot Com. Mrini Report Levy-Long Com. UK Cadbury Turnbull Greenbury Rpt BS 31100 RM All EU Countries Directives on Governance Germany Bill on The Control and Transparency of organizations Kon TraG Bill Netherlands Code Tabaksblatt Italy Draghi Commission Canada Toronto Stock Exchange Committee Canadian Securities Committee Allen committee Report COCO US Business Round Table NYSE listing Requirements Blue Ribbon Commission Sarbanes Oxley Act COSO ERM Framework South Africa Code of Best Practice King Report I, II and III Stakeholder Communication Public Finance Mgmt Act Japan Corporate Governance Forum of Japan J-SOX Australia/New Zeal AS/NZS 4360:2004 Stock Exchange Listing New Accounting Standards Best Practice Stmt Mgmt Source: RIMS.org

Risk Management Frameworks Which one is best for your organization? Organizational Information Technology Focused (supports Committee of Sponsoring Organizational) Organizations of the Treadway Control Objectives for Information and Commission (COSO) Enterprise Risk related Technology (COBIT from Management Internal Framework ISACA) (ERM-IF) Guide to Assessment of IT Risk (GAIT Risk and Insurance Management from IIA) Society (RIMS) Risk Maturity Model (RMM) for Enterprise Risk Management Australian/New Zealand Standard (AZ/NZA 4360:2004) ISO 31000:2009 (Replaced AZ/NZA 4360:2004) Risk Management Publications BS 31100:2008 and ISO 31000:2009 ISO guide 73 risk management vocabulary ISO 31010 risk assessment techniques

ISO 31000 Risk Management Principles and Guidelines Provides a very general and flexible framework for best practices in ERM Incorporates COSO, PMI (Project Management Institute, and AS/NZS4360:2004 Built on the premise that risk management is fully integrated into the organization and part of all decisions Allows for management of negative and positive risk

ISO 31000 10 Basic Principles 1. Creates value not focused on loss 2. Integral part of the organization in project management, strategic planning, etc. 3. Decision making through analysis and evaluation to understand risk 4. Explicitly addresses uncertainty and how it can be modified 5. Systematic, structured, timely, repeatable

10 Basic Principles (Cont.) 6. Based on available information historic data, expert opinion. 7. Big or small tailored to the organization 8. Includes human, cultural as well as technical factors that impact likelihood of consequences 9. Transparent and inclusive communication and consultation with stakeholders 10. Incorporates continuous improvement and responds to changing environment

ERM Framework 31000 focuses on the framework that supports the Risk Management Process(es) orrmp Does not specify components, but gives conceptual guidance Aggregates information on risks, risk management, and performance of risk controls Must be practical and part of existing processes

ERM Framework Components The Lucky 7 1. Mandate and commitment to the ERM framework 2. Risk management policy 3. Integration of ERM in the organization 4. Risk Management Process (RMP) 5. Communications and reporting 6. Accountability 7. Monitoring, review, and continuous improvement (Plan, Do, Check, Act)

Source: RIMS.org

Risk Management Process Risk Management environment defined Establishing the Context t Risk Appetite/Tolerance Internal and External Should Be Defined Context Risk Mgmt. Context Risk Identification Risk Assessment Risk Analysis Risk Evaluation Treat Risk Identify control option Select control option Implementation of control Monitor and Review Communicate and Consultation Ongoing Tracking and Monitoring

How To Leverage BC in an ERM Process Enterprise Risk Management Risk Management Process Risk Mgmt. Policy Too ls to levera age for inte egration Physical Security IT Security/ Disaster Rec. Business Operations Financial Controls rg. Planning Business Impact Analysis Risk Assessment BC/COOP/Eme

Analyze Risk: Risk Mapping (aka (a.k.a. HeatMap) High Significa ance (Im pact) Secondary Risks Lower likelihood, but could have significant adverse impact on business objectives Low Priority Risks Significant monitoring not necessary unless change in classification Periodically reassess Key Risks Critical risks that potentially threaten the achievement of business objectives Secondary Risks Lesser significance, but more likely to occur Consider cost/benefit trade-off Reassess often to ensure changing conditions (move to high h significance) ifi Low Likelihood (Probability) High Source: www.knowledgeleader.com

Risk Ratings Other types FREQUENCY OF OCCURANCE/ PROBABILITY IV III RISK IMPACT (Catastrophic or (Critical or High) (Marginal or (Negligible or Emergency) Medium) Low) II I 4 (Frequent) 8 7 6 5 3 (Probable) 7 6 5 4 2 (Occasional) 6 5 4 3 1 (Remote) 5 4 3 2 0 (Improbable) 4 3 2 1

Evaluate Risks: Types of Risk Decisions Avoidance - a decision not to become involved in, or to withdraw from, a risk situation. Acceptance: acceptance of the burden of loss, or benefit of gain, from a particular risk. Reduction: actions taken to lessen the likelihood, negative, or both, associated with a risk. Sharing of risk: sharing with another party the burden of loss, or benefit of gain from a particular risk.

Monitor Risk: Tracking the Risk Risk Register (Keep It Simple!) Identified d Risk with Description Risk Category (Type of Risk) Risk Score (Residual Risk Probability + Residual Risk Impact) Risk Owner Risk Decision i

Perceived Deficiencies with ISO 31000 Risk management policies, roles and responsibilities Insufficient i detail of risk architecture, t strategy, t protocols Risk management principles Confusion between what risk management is and what it delivers Risk management specialist areas no included Project risk management and clinical risk management Risk governance No mention of risk appetite Lack of detail for risk reporting and auditing controls Source: RIMS.org

Final Thoughts Start Small Document and obtain agreement on the Risk Appetite Establishing the Context There are no right and wrong answers to every risk. Make the best decision you can with the most available data! Engage all parts of the organization!

Karen L. Cole, CBCP, SBCI Assura, Inc. 804.672.8714 Karen.cole@assuraconsulting.com lti www.assuraconsulting.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information