ISO 31000: the international guideline for risk management
Dick Hortensius, NEN-Managementsystemen

Agenda
- Background and development
- ISO Guide 73 and ISO 31000
- The significance for risk managers
NEN (figure: the standards body and its members from government, industry, consultancy and science; 160 members / 30 members)
Mission: developing standards, promoting the application of standards, and acting as knowledge and information centre on standards.

For all types of risk: IT systems, clients, health, safety & environment, solvency, finance, natural events (external), safety, reputation, legal compliance.
Are there already standards? (figure: existing management-system standards per risk area)
- Quality: ISO 9000 / INK / EFQM
- Environment: ISO 14000 / EMAS
- Safety: NTA 8620 VMS / BRZO; safety of machinery
- Occupational health & safety (OH&S): OHSAS 18001 / VCA
- Information security: ISO 27001
- Finance: COSO
- Food safety: HACCP / ISO 22000
- SA 8000 / ISO 26000
- Supply chain security: ISO 28000
Need for a general framework: ISO 31000?
Terms of Reference
- Principles of and practical guidance on the risk management process
- Applicable to all types and sizes of organizations and to all types of risk
- A guideline document, not to be used for certification
- Revision of ISO Guide 73, Risk management - Vocabulary

(Figure: the standardization process. Members of the national mirror committee create support; the national standards committee sends a delegation with a vote to the ISO Technical Committee, which also receives delegations and votes from other countries; committee documents flow back to the members.)
ISO/IEC Guide 73, Risk management - Vocabulary
49 terms and definitions; the most important:
- Risk
- External / internal context
- Risk management
- Risk management framework
- Risk management process
- Risk control

Definition of risk: effect of uncertainty on objectives.
- Uncertainty: deficiency of information related to, understanding or knowledge of an event, its consequences or likelihood.
- Event: occurrence or change of a particular set of circumstances.
- Consequence: outcome of an event affecting objectives.
Concept of risk (figure: uncertainties surrounding an event, its consequences and the objectives; the effect can be positive (+) or negative (-))
Notes
1) An effect is a deviation from the expected, positive and/or negative.
2) Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
3) Risk is often characterized by reference to potential events and consequences, or a combination of these.
4) Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
ISO 31000 scope
- Principles and generic guidelines on the implementation of risk management
- Applicable to any organization and to a wide range of subjects
- Acknowledges the varying needs of specific situations
- Common approach to risk management for other standards
- Not intended for certification purposes
ISO 31000 contents
- Terms and definitions
- Principles (for managing risk), Clause 3
- Framework (for managing risk), Clause 4
- Process (for managing risk), Clause 5
- Annex: Attributes of enhanced risk management

(Figure: relationship between the principles, the framework and the process.)
Principles for managing risk (Clause 3): risk management a) creates value; b) is an integral part of organizational processes; c) is part of decision making; d) explicitly addresses uncertainty; e) is systematic, structured and timely; f) is based on the best available information; g) is tailored; h) takes human and cultural factors into account; i) is transparent and inclusive; j) is dynamic, iterative and responsive to change; k) facilitates continual improvement and enhancement of the organization.
Framework for managing risk (Clause 4): 4.2 Mandate and commitment; 4.3 Design of framework for managing risk; 4.4 Implementing risk management; 4.5 Monitoring and review of the framework; 4.6 Continual improvement of the framework.
Process for managing risk (Clause 5).
Principles of risk management (I)
Risk management:
- creates value
- is an integral part of organizational processes
- is part of decision making
- explicitly addresses uncertainty
- is systematic, structured and timely
- is based on the best available information

Principles of risk management (II)
Risk management:
- is tailored
- takes human and cultural factors into account
- is transparent and inclusive
- is dynamic, iterative and responsive to change
- facilitates continual improvement and enhancement
Figure 2: Elements of the framework for managing risk
4.2 Mandate and commitment
4.3 Framework design for managing risk
  4.3.1 Understanding the organization and its context
  4.3.2 Risk management policy
  4.3.3 Integration into organizational processes
  4.3.4 Accountability
  4.3.5 Resources
  4.3.6 Establishing internal communication and reporting mechanisms
  4.3.7 Establishing external communication and reporting mechanisms
4.4 Implementing risk management
  4.4.1 Implementing the framework for managing risk
  4.4.2 Implementing the risk management process
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework

Figure 3: Risk management process
5.2 Communication and consultation (runs alongside all steps)
5.3 Establishing the context
5.4 Risk assessment
  5.4.2 Risk identification
  5.4.3 Risk analysis
  5.4.4 Risk evaluation
5.5 Risk treatment
5.6 Monitoring and review (runs alongside all steps)
Development of ISO 31000
- New Work Item Proposal: March 2005
- Establishment of TMB/WG/RM: June 2005
- First WG meeting: September 2005
- First Working Draft: December 2005
- Draft International Standard: April 2008
- Last WG meeting: November 2008
- Final Draft International Standard: May 2009
- ISO 31000 + Guide 73: November 2009?

Google test (number of hits per search term)
Search term                  June 2008     May 2009
Risk                       378,000,000  291,000,000
Risk management             36,200,000   23,400,000
Risk management standard        21,200       28,000
ISO 31000                        2,840       21,400

For comparison (row shown alongside the May 2009 figures):
Quality                    868,000,000
Quality management           9,710,000
Quality MS                      77,500
ISO 9001                    24,000,000
Advantages / characteristics of ISO 31000
- Generic: all types of risk
- Neutral concept of risk: threats and opportunities in the light of objectives
- Coherence between principles, management framework and process
- A guideline, not a restrictive straitjacket
- Compatible with ISO management systems
For whom and for what?
- Executive: framework for integrated management
- Risk manager: raising the profile of the discipline
- QHSE manager (KAM: quality, occupational health & safety, environment): framework for integrating the separate subsystems
- Stakeholders: benchmark for being in control

More information? www.nen.nl, dick.hortensius@nen.nl