ISO 31000

Dorothy Gjerdrum, ARM-P, CIRM Chair, US ISO Technical Adv Group

Why We Need to Manage Risk

The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.
National Guidance on Implementing ISO 31000:2009 From NSAI in Ireland

Global Corporate Governance Models

INTERNATIONAL - Basel I & II; ISO 31000
France Vienot Com. Mrini Report Levy-Long Com. UK
Cadbury Turnbull Greenbury Rpt BS 31100 RM

All EU Countries Directives on Governance

Germany Bill on The Control and Transparency of organizations Kon TraG Bill

Netherlands Code Tabaksblatt

Italy Draghi Commission

US Business Round Table NYSE listing Requirements Blue Ribbon Commission Sarbanes Oxley Act COSO ERM Framework Canada Toronto Stock Exchange Committee Canadian Securities Committee Allen committee Report COCO South Africa Code of Best Practice King Report I, II, III Stakeholder Communication Public Finance Mgmt Act

Japan Corporate Governance Forum of Japan J-SOX Australia/New Zeal AS/NZS 4360:2004 Stock Exchange Listing New Accounting Standards Best Practice Stmt Mgmt

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.

ISO 31000:2009 --> ANSI/ASSE/ISO 31000

Australia, New Zealand & Japan initiated its creation based on AS/NZ 4360 30+ countries participated 6 meetings over several years Adopted in November of 2009, now officially the first International Standard on Risk Management Guide 73 & ISO 31010 quickly followed The American Standard on RM ANSI/ASSE/ISO 31000

Combined ISO 31000 and Implementation Guidance for Canadian organizations: Q31001-11 Canada
Placed a stronger emphasis on
senior management support of risk management Linking risk management to organizational performance

Clarified
Sensitivities in managing risks to the public Maturity model for risk management in organizations Risk management process examples Correct links between risk appetite, risk tolerance and risk rating concepts

Available for purchase at www.csa.ca

After Adoption
BSI 31100 updated Code of Practice CSA Canadian implementation guide NSAI Irelands implementation guide Austria three guidelines: embedding risk management, risk assessment & linking to business continuity processes Australia & New Zealand issued handbooks Japan created guidance (in Japanese)

2011: PC 262 formed to Create ISO 31004

International work group re-engaged to create an implementation guide to ISO 31000 Two meetings so far expect two more each year until finalized Publication date of 2015? May coincide with the next update of ISO 31000

Primary Audience
Those accountable for the governance of organizations Those accountable for managing organizations Practitioners providing advice and services to assist decision-makers Those who provide assurance regarding the effectiveness of risk management

Scope of ISO 31000

This international standard provides principles and generic guidelines on risk management it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.

What is risk??
Risk is present in everything we do. ISO 31000, the international standard on risk management, defines it this way: Risk = the affect of uncertainty on your objectives. Risk can be a threat or an opportunity Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

Critical Components of ISO 31000

The principles provide the foundation and describe the qualities of effective risk management in an organization The framework manages the overall process and its full integration into the organization The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment

From ANSI/ASSE/ISO 31000

Monitoring & review, continual improvement and communication occur throughout

Principles
Creates value Integral part of organizational processes Part of decision making Explicitly addresses uncertainty Systematic, structured & timely Based on best available info Tailored Takes human & cultural factors into account Transparent & inclusive Dynamic, iterative & responsive to change Facilitates continual improvement & enhancement of the org

Framework
Mandate & Commitment

RM Process

Establish the context

Design framework for managing risk Communicate and consult

Risk assessment Risk identification Monitor and review

Continually improve the framework

Implement risk management

Risk analysis

Risk evaluation

Monitor and review the framework

Risk treatment

Components of the Framework

Understanding the organization & its context Establishing RM policy Accountability & Authority Integration into organizational processes Determining appropriate resources Establishing internal communication & reporting mechanisms Establishing external communication & reporting mechanisms
ISO 31000:2009 Risk management Principles and guidelines

Framework Example: Context

External Context Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment Key drivers and trends that will have an impact on your organization Relationships with and perceptions & values of external stakeholders
ISO 31000:2009 Risk management Principles and guidelines

Internal Context Governance, organizational structure, roles & accountabilities Policies, objectives & strategy Capabilities & resources Info systems Organizational culture Contractual relationships Relationships with, perceptions & values of internal stakeholders

Framework Example: Benefits

Increase likelihood of achieving objectives Encourage proactive management Be aware of the need to identify and treat risk throughout the organization Improve the identification of opportunities & threats Effectively allocate and use resources
ISO 31000:2009 Risk management Principles and guidelines

Comply with relevant legal and regulatory requirements and international norms Improve mandatory and voluntary reporting Improve operational effectivness & efficiency Improve stakeholder confidence and trust Establish a reliable basis for decision making & planning Improve controls Improve governance

What is Different about ISO 31000?

Without risk, there is no reward or progress. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize threats. Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. This is where ISO 31000 is clearly different from existing guidelines in that the emphasis is shifted from something happening the event to the effect on objectives.
Kevin W. Knight, AM Chair of the ISO 31000 working group & Chair of ISO 31004 project committee ISO Focus, June 2009

Global Survey on ISO 31000

Conducted mid-October to mid-December, 2011 LinkedIn website on ISO 31000, with >6,500 members since March of 2009
Reached out to 100+ associations, members from 74 associations participated 1,823 responses from 111 countries Largest # of participants from US (20%), UK (10%) and Australia (10%) Primary professions: risk management & IT

Survey Participants

Select Results
65% - familiar with or knowledgeable about ISO 31000
93% of Australian respondents 67% of UK respondents 47% of US respondents

35% - no knowledge
7% of Australian respondents 33% of UK respondents 53% of US respondents

Countries with Highest Level of Awareness of ISO 31000

Australia (65%) New Zealand (47%) Canada (42%) United Arab Emirates (37%) Brazil (28%) South Africa (26%) Spain (21%) Netherlands (21%) United Kingdom (21%) Finland (18%) Italy (14%) France (13%) USA (11%)

Fully understand ISO 31000

How is Risk Management Used Within Your Organization?

All decisions (40%) Auditing/compliance (21%) Safety/security (18%) Report performance (9%) Insurance (7%) Not used in our organization (5%)

Which Standard Does Your Organization Utilize?

Our own version (40%) ISO 31000 (36%) ISO 27005 (20%) COSO (18%) PMBOK (17%) Guide 73 (16%) AUS/NZ 4360 (13%) ISO 31010 (13%)