Introduction to ISO 31000:2009

ISO 31000 was published as a standard in November of 2009. It provides a standard on how risk management should be implemented. The intention of ISO 31000:2009 was to be relevant and flexible for "any public, private or community enterprise, association, group or individual." Hence, the general scope of ISO 31000, as a group of risk management standards, was not developed with a particular industry sector, structure or technical field in mind. ISO 31000 provides a best-practice composition and direction to all businesses concerned with risk.

ISO 31000:2009 Scope

ISO 31000:2009 offers broad general guidelines for the design, implementation and ongoing execution of risk management processes throughout an organization. This methodology for risk management practices makes broader adoption possible for organizations that require an enterprise risk standard that supports silo-centric systems. The extent of this risk management methodology was to enable all strategic and operational tasks of an organization, across projects, functions and processes, to be linked to a universal set of risk objectives. Consequently, ISO 31000:2009 was developed for a wide-ranging stakeholder group including: executive-level stakeholders, appointment holders in the enterprise risk group, risk analysts and officers, line managers and project managers, compliance and internal auditors, and independent practitioners.

Definition of Risk

One of the key changes from past paradigms is how risk is defined. Under ISO 31000:2009 a significant amendment of the terminology adds a new dimension to risk. Unlike some risk frameworks, ISO 31000 defines risk as the "effect of uncertainty on objectives," recognizing both the positive opportunities and negative consequences associated with it.

Two supporting documents include:
(1) ISO Guide 73:2009, Risk management - Vocabulary: provides the definitions of generic terms related to risk and aims to encourage a consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, as well as uniform risk terminology.
(2) ISO/IEC 31010, Risk management - Risk assessment techniques: a supporting standard for ISO 31000 offering guidance on the selection and application of systematic techniques for risk assessment.

The ISO 31000 Framework

Whereas the Australian and New Zealand standards approach presented a process by which risk management could be carried out, ISO 31000:2009 addresses an organization's system from design, through implementation, maintenance and improvement of risk management processes. ISO 31000:2009 is a replacement for the existing standard on risk management, AS/NZS 4360:2004.

Implementation

The goal of ISO 31000 is for the framework to be pragmatic within existing systems, to provide structure and advance risk management processes. Consequently, when implementing ISO 31000, organizational leaders must be aware of the new paradigm addressed in this standard. The focal point of many ISO 31000 programs has centered on: closing accountability gaps in enterprise risk, aligning organizational objectives with the ISO 31000 framework, establishing mechanisms to facilitate systems reporting, and generating consistent risk identification and assessment metrics.

2013 Quality Management Division of ASQ Page 1

Implications

Implications for accommodating the new standards include improved efficiency and effectiveness of existing processes. Whether through business process re-engineering or enhanced integration of information practices, the new standards must comply with the documentation, communication and accountability of the new risk management working paradigm. As such, organizational leaders and managers must be aware of the implications of implementing the standards and be capable of developing strategies that reach across supply chains and multi-facility operations. Senior leaders and managers will be required to develop new competencies that depart from the traditional siloed and redundant risk methodologies. These new competencies include accountability, strategic policy implementation and successful organizational policy frameworks. In some industry segments, particularly information systems security and corporate social responsibility, more structured changes will be mandated. These changes will be of specific importance when articulating new risk policies, formalizing risk ownership of key processes or response plans, and embracing continuous improvement programs.

ISO 31000 Shortcomings

ISO 31000 is a process-oriented risk management framework. This is in contrast to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework report, which is controls-oriented. Organizations cultured in enterprise-wide risk theories and looking for specifics on how to translate theories into practical tools will find little value in ISO 31000. Specifically, ISO 31000 does not establish how your organization measures risk and creates useful data, does not guarantee that all relevant risk areas are identified, and does not provide risk taxonomies for developing risk documentation. The difference between ISO 31000 and COSO ERM lies in the focus of assessing and managing risk. ISO 31000 concentrates on consequences and provides a framework for considering the consequences of an event occurring. This is depicted through the definition of risk: the effect of uncertainty on objectives. COSO ERM is focused more on the events rather than the consequences of events.

ISO 31000 comprises three interrelated building blocks: 1) the general principles, 2) the framework, and 3) the process, for risk management to be effectively implemented. The general principles of ISO 31000 state that risk management should encompass the following principles:
- Value creation
- Be an integral part of organizational processes
- Be a part of decision-making
- Explicitly address uncertainty
- Be systematic, structured and timely
- Be based on the best available information
- Be organization-specific
- Take human and cultural factors into account
- Be transparent and inclusive
- Be dynamic, iterative and responsive to change
- Facilitate continual improvement of the organization

The second building block focuses on forming the right risk management structure or framework. Once executive support and commitment are established, the organization: 1) designs the framework, 2) implements risk management, 3) monitors and reviews the framework periodically, and 4) continually improves the framework. The third building block was adopted from AS/NZS 4360:2004. This building block requires communication and monitoring throughout the risk management process. This is achieved by establishing the context for the framework, documenting the risk identification and risk assessment methodologies, and clearly articulating the risk strategies.

The Framework for Managing Risk

ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process. Information on designing the framework that supports the risk management process is not set out in detail in ISO 31000. An organization will describe its framework for supporting risk management by way of the risk architecture, strategy and protocols for the organization. The risk architecture, strategy and protocols should represent the internal arrangements for communicating on risk issues. They should also set out the roles and responsibilities of the individuals and committees that support the risk management process. The risk strategy should set out the objectives that risk management activities in the organization are seeking to achieve. Finally, the risk protocols describe the procedures by which the strategy will be implemented and risks managed.

Risk Assessment

Risk identification establishes the exposure of the organization to risk and uncertainty. This necessitates knowledge of the marketplace in which the organization operates and the legal, social, political and cultural environment in which it exists, as well as an understanding of its strategic and operational goals and objectives. This includes knowledge of the business elements critical to success and the threats and opportunities related to the achievement of its goals and objectives. Risk assessment ought to be approached in a systematic manner to ensure that all value-adding tasks and activities within the organization have been assessed and all the risks emerging from these tasks and activities are well defined.

The result of risk analysis is used to produce a risk profile that assigns a rating of importance to each risk and provides an approach for prioritizing risk management efforts. The result is a ranking of the relative importance of each identified risk. This allows the risks to be mapped to the business area or specific business process affected. It also describes the primary control mechanisms in place and indicates where the level of investment in controls might be increased, decreased or reallocated. The risk analysis activity assists the operation of the organization by identifying those risks that require priority consideration by management. This facilitates management's ability to prioritize risk control actions in terms of their potential benefits to the organization. The array of available risk response treatments includes accept, eliminate, mitigate or transfer. An organization may decide that there is also a need to improve the control environment.

Risk Treatment

Risk treatment as defined in ISO 31000 is an activity to select and implement appropriate control measures to transform the risk. Risk treatment comprises risk control (or mitigation), risk avoidance, risk transfer and risk financing. Any risk treatment should provide efficient and effective internal controls. The effectiveness of internal control is determined by the degree to which the risk is either eliminated or reduced by the control measures. The cost-effectiveness of internal control is directly proportional to the cost of implementing the control when compared to the risk reduction benefits achieved. Compliance with laws and regulations is not an option. Organizations must understand the pertinent laws and be capable of implementing control mechanisms to achieve compliance. One method of obtaining protection against the impact of risks is through risk financing or buying insurance. However, some losses may be uninsurable, for example, damage to employee morale and the reputation of the organization.

ISO 31000 recognizes the importance of feedback. Monitoring and reviewing ensures that the organization monitors risk performance and learns from experience. Communication and consultation is a key requirement in ISO 31000, as both a part of the risk management process and part of the supporting framework. Reporting and disclosure are only very briefly mentioned in ISO 31000. Also, the monitoring and review feedback activities in ISO 31000 do not explicitly reference the tasks of monitoring risk performance and reviewing the risk management framework.

Board Mandate and Commitment

Many organizations issue an updated version of their risk policy on a yearly basis. This ensures that the risk management approach is in line with existing best practices. It also gives the organization the opportunity to focus on the intended benefits for the coming year. Mandate and commitment from the Board are critically important and need to be continuous. Keeping the risk policy up to date validates that risk management is a dynamic activity fully supported by the Board. A risk policy should include the following sections:
- Risk management and internal control objectives (governance)
- Statement of the organization's attitude toward risk (risk strategy)
- Description of the risk culture or environment
- Level and nature of risk that is acceptable (risk tolerance)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analyzing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
- Allocation of risk management roles and responsibilities
- Risk management activities and risk priorities for the coming year

Scope of the Risk Management Initiative

In order to be successful, the risk management initiative needs to be comprehensive. The scope of the initiative is defined by the range of benefits the organization is seeking to achieve. Benefits are influenced by the
expectations of the various stakeholders in the organization. Depending on the nature of the organization, the risk management function may range from a part-time risk manager to a full-scale risk management department. The internal audit function also differs from one organization to the next. In determining the most appropriate role for internal audit, the organization needs to ensure that the independence and objectivity of internal audit are not compromised. The range of risk management responsibilities that need to be allocated in the policy will be broad and extensive. Table 1 sets out examples of the risk management responsibilities that may be allocated in a typical organization. The Board has responsibility for determining the strategic direction of the organization and creating the context for risk management. There need to be activities in place to achieve continuous improvement in performance, and this responsibility is likely to be allocated to the risk manager.

Table 1: Risk management responsibilities

The CEO/Board:
- Determine strategic approach to risk and set risk tolerance
- Establish the structure for risk management
- Understand the most significant risks
- Manage the organization in a crisis

The business unit manager:
- Build a risk-aware culture within the unit
- Agree risk performance targets
- Ensure implementation of risk improvement recommendations
- Identify and report changed circumstances / risks

Individual employees:
- Understand, accept and implement RM processes
- Report inefficient, unnecessary or unworkable controls
- Report loss events and near-miss incidents
- Co-operate with management on incident investigations

The risk manager:
- Develop the risk policy and keep it up to date
- Document the internal risk policies and structures
- Co-ordinate the risk management (and internal control) activities
- Compile risk information and prepare reports for the Board

Specialist risk functions:
- Assist the company in establishing specialist risk policies
- Develop specialist contingency and recovery plans
- Keep up to date with developments in the specialist area
- Support investigations of incidents and near misses

The internal audit manager:
- Develop a risk-based internal audit program
- Audit the risk management processes across the organization
- Receive and provide assurance on the management of risk
- Report on the efficiency and effectiveness of internal controls

Risk Assessment Procedures

Risk assessment is a required part of the decision-making process. These decisions are intended to exploit business opportunities. Risk assessment of all proposed projects should be undertaken, and further risk assessment sessions should be carried out throughout the project. In addition, risk assessment includes decisions on how the risk assessments will be documented and reported. It is at this stage that an organization will decide the level of detail that will be recorded about each risk in the risk description.

An organization should develop benchmarks to determine the significance (or materiality) of the identified risks. The nature of these benchmark tests will depend on the type of risk. For financial risks, a sum of money can be used as the benchmark test of significance. For risks that can cause disruption to operations, the length of disruption may be a suitable test. Reputational risks can be benchmarked in terms of the profile that the report of the event would receive, the likely impact of the event on share price, or the impact on the political and financial support received from key stakeholders.

Risk Tolerance

It is important that the Board sets rules for risk management with respect to all types of risk. It is fairly easy for an organization to confirm that it has no tolerance for causing injury and ill health. In practice, however, this may need to be developed into a set of targets for health and safety performance. There is a danger that risk tolerance statements fail to be dynamic, and they can limit behavior and rapid response. At the Board level, risk tolerance is a driver of strategic risk decisions. At the executive level, risk tolerance translates into a set of procedures to ensure that risk receives adequate attention when making tactical decisions. At the operational level, risk tolerance dictates operational constraints for routine activities. Despite its importance, it is surprising that the concept of risk tolerance is not mentioned in ISO 31000, although it is included in most other risk standards and stock exchange listing requirements.

Measuring and Monitoring

It is frequently the case that risk assessments are recorded in a risk register. There is no standard format for a risk register, and the organization should establish a suitable format for this document. The risk register is not a static record of the significant risks faced by the organization. It must be viewed as a risk action plan that includes details of the current controls and details of any further actions that are planned. These further actions should be written as auditable actions that must be completed within a defined timescale by identified risk owners. This enables the internal audit function to monitor the existing controls and the implementation of any essential additional controls. The resources required to implement the risk policy should be defined at each level of management and within each business unit. Risk management should be embedded within the strategic planning and budget processes. Additionally, monitoring and measuring includes evaluation of the risk culture and the risk management framework, and assessment of the extent to which risk management tasks are aligned with other corporate activities.

Embed a Culture of Risk Awareness

Changes within the organization and the external business environment must be identified, so that existing procedures can be modified. Any monitoring and measuring process should also determine whether:
- the measures adopted achieved the intended result,
- the procedures adopted were efficient,
- sufficient information was available for the risk assessments,
- improved knowledge would have helped to reach better decisions,
- lessons can be learned for future assessments and controls,
and whether there is involvement of staff at all levels, a culture of learning from experience, appropriate accountability for actions (without developing an automatic blame culture) and good communication on risk issues.
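
The benchmark tests described under Risk Assessment Procedures and the risk register as an action plan described under Measuring and Monitoring, worked through as an added Python example (not code from the article or from ISO 31000): each risk's raw magnitude is tiered against a benchmark chosen by its risk type, the register is ranked into a risk profile mapped to business areas, and the planned actions are checked for what internal audit would flag. The benchmark thresholds, the likelihood scale, the review date and the register entries are constructed assumptions.

```python
from __future__ import annotations
import bisect
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

class RiskType(Enum):
    FINANCIAL = "financial"        # benchmarked as a sum of money
    OPERATIONAL = "operational"    # benchmarked as length of disruption
    REPUTATIONAL = "reputational"  # benchmarked as the profile the event would receive

# Constructed benchmark tiers (assumed values, not from the article or ISO 31000):
# upper edges of impact tiers 1..3 for each risk type; anything beyond is tier 4.
BENCHMARKS = {
    RiskType.FINANCIAL: [10_000.0, 100_000.0, 1_000_000.0],  # currency units lost
    RiskType.OPERATIONAL: [1.0, 7.0, 30.0],                  # days of disruption
    RiskType.REPUTATIONAL: [1.0, 2.0, 3.0],                  # profile score 0..4
}

# Constructed date on which internal audit reviews the register.
REVIEW_DATE = date(2024, 5, 1)

def impact_tier(risk_type: RiskType, magnitude: float) -> int:
    """Map a raw magnitude onto a 1..4 tier using the benchmark for its risk type."""
    return bisect.bisect_left(BENCHMARKS[risk_type], magnitude) + 1

@dataclass
class Action:
    """A further action in the register: auditable, owned and time-bound."""
    description: str
    owner: str          # identified risk owner; empty means not yet allocated
    due: date           # defined timescale
    done: bool = False

@dataclass
class Risk:
    name: str
    risk_type: RiskType
    business_area: str  # business area or process the risk maps to
    likelihood: int     # 1 (rare) .. 5 (almost certain), constructed scale
    magnitude: float    # raw size in the units of the risk type's benchmark
    current_controls: list[str] = field(default_factory=list)
    actions: list[Action] = field(default_factory=list)

    @property
    def rating(self) -> int:
        """Rating of importance: likelihood times benchmarked impact tier (1..20)."""
        return self.likelihood * impact_tier(self.risk_type, self.magnitude)

def risk_profile(register: list[Risk]) -> list[tuple[str, str, int]]:
    """Rank the register by rating, highest first: (risk, business area, rating)."""
    ranked = sorted(register, key=lambda r: (-r.rating, r.name))
    return [(r.name, r.business_area, r.rating) for r in ranked]

def audit_findings(register: list[Risk], today: date) -> list[str]:
    """What internal audit would flag when monitoring the register as an action plan."""
    findings = []
    for r in register:
        if not r.current_controls and not r.actions:
            findings.append(f"{r.name}: no current controls and no planned actions")
        for a in r.actions:
            if a.done:
                continue
            if not a.owner:
                findings.append(f"{r.name}: action '{a.description}' has no identified owner")
            if a.due < today:
                findings.append(f"{r.name}: action '{a.description}' overdue since {a.due}")
    return findings

def sample_register() -> list[Risk]:
    """Constructed register entries used to exercise the functions above."""
    return [
        Risk("Payment fraud", RiskType.FINANCIAL, "Finance", 3, 250_000.0,
             ["dual authorisation of payments"],
             [Action("Deploy transaction anomaly monitoring", "Head of Finance", date(2024, 3, 31))]),
        Risk("Data centre outage", RiskType.OPERATIONAL, "IT Operations", 2, 10.0,
             ["UPS and standby generator"],
             [Action("Test failover to secondary site", "", date(2024, 6, 30))]),
        Risk("Customer data breach", RiskType.REPUTATIONAL, "IT Security", 3, 3.5),
    ]

if __name__ == "__main__":
    reg = sample_register()
    for name, area, rating in risk_profile(reg):
        print(f"{rating:>3}  {name} ({area})")
    for finding in audit_findings(reg, REVIEW_DATE):
        print("audit:", finding)
```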

Monitor Risk Performance

Learning the lessons from risk management requires examination of the opinions of key stakeholders, both internal and external. In particular, the opinion of internal audit and the evaluation of risk management activities at the audit committee will be vitally important. Learning from experience requires more than evaluation of the risk performance indicators. An annual review of the risk management framework will be necessary, including evaluation of the risk architecture, strategy and protocols. It is important that the organization has a risk-based audit plan and undertakes appropriate risk reviews. Other features of learning from experience include evaluation of audit reports and an assessment of the sources of risk assurance available to the Board and the audit committee. An evaluation of the level of assurance that has been obtained is also necessary. Often, a major source of risk assurance for the Board will be self-certification, such as a Control Risk Self-Assessment process that provides assurance regarding risk management, risk reporting and disclosure, as well as information about learning from incidents.

Summary

Organizations that have not yet implemented a proactive, organized risk management framework, or are struggling to implement one, will find ISO 31000 a useful guide. While not a comprehensive workbook, ISO 31000 still provides adequate guidance. Organizations already using AS/NZS 4360 will be in a good position to adopt the new standards. In particular, ISO 31000 provides an opportunity for managers who lead risk management, internal audit, and compliance and governance initiatives in their organization to reassess their current risk management framework, introduce the new terms and principles, and refresh their risk management program. The transition from AS/NZS 4360 to ISO 31000 will offer two types of improvement for most organizations: (1) minor improvements, such as changes to terms and definitions, and (2) major improvements, such as those that require changes to processes.