ISO 31000, 2009: The New International Standard for Risk Management
By Remonde Brangman, Risk Advisory Practice Leader, CBIZ MHM, LLC Mid-Atlantic
Session Objectives
- Why is ISO 31000 relevant?
- Scope
- History and development of ISO standards
- Key definitions
- Principles
- Framework
- Process
Why ISO 31000?
- First recognized international standard
- A roadmap to the future of ERM
- Introduces a new perspective on risk management
- Provides more specific guidance to risk managers
Scope
- Provides principles and generic guidelines
- Can be used by any public, private or community enterprise, association, group or individual; not industry or sector specific
- Can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets
- Can be applied to any type of risk, whatever its nature, whether having positive or negative consequences
- It is not intended to promote uniformity of risk management across organizations
Why implement Risk Management?
- Increase the likelihood of achieving objectives
- Encourage proactive management
- Be aware of the need to identify and treat risk throughout the organization
- Improve the identification of opportunities and threats
- Comply with relevant legal and regulatory requirements and international norms
- Improve mandatory and voluntary reporting
- Improve governance
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making and planning
- Improve controls
- Effectively allocate and use resources for risk treatment
- Improve operational effectiveness and efficiency
- Enhance health and safety performance, as well as environmental protection
- Improve loss prevention and incident management
- Minimize losses
- Improve organizational learning
- Improve organizational resilience
Risk Management Evolution (ISO 31000 methodology: principles, framework, process)

Traditional Risk Management
- Compliance oriented
- Financial focus
- Negative risk events
- Driven from credit and market risk modeling
- Top-down approach
- Complex methodologies
- Lacking front-line involvement and buy-in
- Not seen as a model for small businesses

Modern Risk Management
- Management oriented
- Broad organizational focus
- Positive and negative risk events
- Driven from strategic and organizational objectives
- Both top-down and bottom-up
- Simplified methodologies
- Organizational buy-in
- Accepted model for all businesses
History and Development
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. Established in 1947, ISO is a network of the national standards institutes of 159 countries.
History and Development - continued
- Australia, New Zealand and Japan initiated its creation; over 18 countries participated
- US Technical Advisory Group established in 2008
- Adopted in November 2009; now officially the first International Standard on Risk Management
- ISO 31010 (Risk assessment process) issued
- Guide 73 (terminology guide) issued
Risk: Definitions
Risk: effect of uncertainty on objectives
NOTE 1: An effect is a deviation from the expected, positive and/or negative.
NOTE 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3: Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
NOTE 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.
Definitions
Risk management: coordinated activities to direct and control an organization with regard to risk.
Risk management framework: a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring (2.28), reviewing and continually improving risk management (2.2) throughout the organization.
NOTE 1: The foundations include the policy, objectives, mandate and commitment to manage risk (2.1).
NOTE 2: The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
NOTE 3: The risk management framework is embedded within the organization's overall strategic and operational policies and practices.
ISO 31000 Approach
- Keep it simple and practical: complexity is not an advantage
- Principles, framework and process
- Integrated approach that includes risk and opportunity management
- Incorporates most of the key elements of the COSO framework
- Requires strong and sustained management commitment
Principles: Risk Management must
1. Create and protect value
2. Be an integral part of all organizational processes
3. Be part of decision making
4. Explicitly address uncertainty
5. Be systematic, structured and timely
6. Be based on the best available information
7. Be tailored to the organization
8. Take human and cultural factors into account
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Facilitate the continual improvement of the organization
Risk Management Framework
- Mandate and commitment
- Design of framework for managing risk: understanding the organization and its context; establishing policy; accountability; integration into processes; resources; establishing internal and external communication and reporting mechanisms
- Implementing risk management: framework and process
- Monitoring and review
- Continual improvement
Risk Management Process
- Establishing the context
- Communication and consultation
- Risk assessment: risk identification, risk analysis, risk evaluation
- Risk treatment
- Monitoring and review
Risk Management Heat Map (developed by Jay Mattingly)
Management addresses these key risks and opportunities in its plans and priorities.
Note: Some adjustment to current priorities may be required.
[Figure: two heat maps, Opportunities and Risks, each plotting Likelihood (1-3) against Impact on Objectives (1-3), with individual opportunities (O-n) and risks (R-n) placed in the cells.]
Framework Design: Clarifying Who Does What (Sample Federal Organization) (Based on the Institute of Internal Auditors Position Paper & revised by CSA)