ISO 31000 – Opportunities & Implications for Turkish Organisations & Projects Joint IRM Regional Group Turkey & IPYD Meeting Istanbul, 1 October 2009 Nicola Crawford


Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009

Disclaimer

The information contained in this presentation is intended for public use to assist knowledge and discussion on ISO 31000. The information should not be relied upon for the purpose of a particular matter. Specialist and/or appropriate legal advice should be obtained before any action or decision is taken on the basis of any material in this document. The Business Resilience Group and Business Resilience Europe Ltd, the authors or contributors do not assume liability of any kind whatsoever resulting from any person's use or reliance upon the content of this presentation.

This paper is made available on the basis that no part of the content may be reproduced or in any way made available to any party without prior consent being granted in writing by Nicola [email protected]

0534 3994092


What today’s presentation is not…

• Technically-focused: ‘soft’ issues rather than the mechanics of risk measurement and risk models.

• Definitive: no-one can offer a set of ‘Answers’; all I will do today is illustrate some, but by no means all, of the ‘Questions’.

The intent of today’s workshop is to answer the question: “What is ISO 31000, what are its benefits and the implications for Turkish businesses and projects?”

Overview

• Introduction – why a new standard?
• ISO 31000
  – Scope
  – Users
  – Core Elements
  – Risk definitions
  – Benefits
• ISO 31000 & Project Risk Management
  – Links to project risk management framework
  – How does project risk management link to ERM
  – Links to project risk management & how to align
• ISO 31000 - Opportunities


Why a new standard?


Kevin Knight 2008


ISO 31000:2009 - Scope

• Provides principles and generic guidelines on risk management and its implementation.

• Can be applied to any kind of organisation and any type of risk, and is not specific to any industry or sector.

• Is NOT intended to be used for the purpose of certification.


ISO 31000:2009 - Users

ISO 31000:2009 is intended to be used by a wide range of stakeholders including:

• those responsible for implementing risk management within their organisation;
• those who need to ensure that an organisation manages risk;
• those who need to manage risk for the organisation as a whole or within a specific area or activity;
• those needing to evaluate an organisation’s practices in managing risk; and
• developers of standards, guides, procedures, and codes of practice that in whole or in part set out how risk is to be managed within the specific context of these documents.


ISO 31000: A Business Principles Approach to Risk Management


Kevin Knight 2008


ISO 31000: Key Elements


Kevin Knight 2008


ISO 31000: Framework Development & Implementation


ISO 31000: RM Process

ISO 31000 & Risk

Risk (the new definition): “effect of uncertainty on objectives” (ISO 31000:2009, ISO/IEC Guide 73:2009)

Control (the new definition): “measure to modify risk” (ISO 31000:2009, ISO/IEC Guide 73:2009)

[Diagram labels: value protection + value creation; Risk; Project Management; Tactical & Ops Management; Strategic Management]

ISO 31000: Benefits

• Strategic, operations, processes, projects, products, assets, governance, everything

• Proactively create value by treating uncertainty, while respecting regulations, laws, organization

• Expect better profits, morale, trust, controls, initiatives, reporting, and corporate culture

• Designed to integrate with existing management
  – Build on existing management systems, add commitment, alignment, IT, stakeholders, ownership of risk, etc.

• Communication and Consultation as appropriate – consider the values and perceptions of stakeholders

• Risk in every decision is set in context, assessed, treated, documented

• Enhance alignment of ERM and Project Risk Management

ISO 31000 & Project Management

• An essential aspect of project management is controlling the inherent risks of a project.

• Risks arise from uncertainty surrounding project decisions and outcomes.

• Most individuals associate the concept of risk with the potential for loss in value, control, functionality, quality, or timeliness of completion of a project. However, project outcomes may also result in failure to maximize gain in an opportunity, and the uncertainties in decision making leading up to this outcome can also be said to involve an element of risk.


ISO 31000 & Project Risk Management Framework

Project Risk Management Framework


How does Project RM relate to ERM?


[Diagram, adapted from Hillison 2003. Labels: Strategy (Why); Methods (What & how); Business Objectives; Benefits; Change; Program/Portfolio; Program/project objectives; Project; Deliverables; Stakeholders; Benefits Realization; Project schedule etc; Risk Management; Execution Gap = risks]

Benefits of alignment to business outcomes

[Chart: "Ability to influence the outcomes" (Full / None) and "Cost of Mitigation Steps" (High / Low); phase labels: Start Up, Planning, Definition, Execution, Closure]

Early risk management and mitigation builds better valued projects

ISO 31000 & Project Risk Management Process

PMBOK vs. ISO 31000 risk process – differences lie in the framework & context


How to Align Organisational & Project Risk

• Target the business’ ‘desired business outcomes’ — the measurable end states that the business wants/needs to achieve to generate and realize the benefits – focus on value creation and protection

• Treat every project as a ‘change project’ from day-1. When you adopt the ‘desired business outcomes’ approach your project becomes an exercise in changing the organization to realize these outcomes and their associated benefits and value.

• Treat the budget as a profit and loss statement — any cost increase or value decrease cuts into the ‘profit’ of the project

• Differentiate but align risk appetites – risk evaluation criteria should be related to organisational and project drivers

• Use a risk breakdown structure that is aligned to expected benefits and project structure

ISO 31000: The Opportunities

• Better communication - By providing clear, unambiguous and consistent terms and definitions, ISO 31000 can help to establish a common understanding of the relevant topics throughout the entire organization, including projects

• Provides a blueprint for organizations / projects aiming at designing and implementing an effective and efficient risk management framework - ISO 31000 outlines the essential principles, components, processes and organizational structures required

• Provides a benchmark to which organizations / projects can compare their existing approaches – ISO 31000 can assist in identification of gaps and weaknesses in the current approach

• Contributes to the confidence and trust of internal and external stakeholders in the risk management abilities of an organization / project - ISO 31000 allows transparency of the organisation’s / project’s approach to risk management