
2/6/2013


Using the ISO 31000 Risk Management Guide in Your Risk Control Work

Jim Newberry - ISO 31000 TAG member
Risk Mgt./Ins. Practice Specialty Admin.
AVP & Risk Control Mgr. - Island Ins. Co.

Loss Control Virtual Symposium
February 6, 2013

Risk Assessment Tools

Be Flexible

You can use RM wholesale or à la carte

RA tools – what you need to know

There are many tools – go discover

Use the right one for the job

Create a risk register and go from there


How to begin

Begin by getting more familiar with the standards/guidelines

Dive into the Risk Assessment tools and put as many at your disposal as possible

Find out which ones are good for your needs

Practice using them within your network

Conclusion

Organizations are looking for better ways to make decisions

By using RM and RA with your customers, they will get exposure to ways and means of improving the management of their risks

Participate in our discussion group

Send me your email for more resources

What Questions do you have?


© 2012 ARTHUR J. GALLAGHER & CO.

How Risk Control Professionals Can Use ANSI/ASSE/ISO 31000

Dorothy M Gjerdrum, ARM-P CIRM
Arthur J. Gallagher & Co.

Learning Objectives

• Understand the components of the ISO series on Risk Management – 31000, Guide 73 and 31010

• Review how key components apply to risk control practices

• Consider ways to incorporate ISO 31000 tools, language and concepts into your work

Agenda

• Framing the issue
• The ISO 31000 series
  • The purpose of a standard
  • The evolution of risk management
• Overview of ISO 31000
  • The “architecture”
  • Key definitions
  • Desired outcomes
• A quick look at ISO 31010
• Implementation examples


ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.

Established in 1947, ISO is a network of the national standards institutes of 160+ countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.

ISO 31000:2009

• Australia, New Zealand & Japan initiated its creation – based on AS/NZ 4360
• 30+ countries participated
• 6 meetings over several years
• Adopted in November of 2009, now officially the first International Standard on Risk Management
• Guide 73 & ISO 31010 quickly followed
• Now the official American Standard on RM

The ISO 31000 Series

ANSI/ASSE/ISO 31000 (also known as the Z690 series)

• ANSI/ASSE/ISO 31000 – Risk Management – Principles and Guidelines
• ANSI/ASSE/ISO 31010 – Risk Assessment Techniques
• Guide 73 – Vocabulary for Risk Management

Global Corporate Governance Models

• All EU Countries: Directives on Governance
• Netherlands: Code Tabaksblatt
• UK: Cadbury; Turnbull; Greenbury Report; BS 31100 RM
• France: Vienot Commission; Marini Report; Levy-Long Commission
• Italy: Draghi Commission
• Australia/New Zealand: HB 317 on Risk Communication; Stock Exchange Listing; New Accounting Standards; Best Practice Statement Mgmt
• US: Business Round Table; NYSE listing Requirements; Blue Ribbon Commission; Sarbanes Oxley Act; COSO ERM Framework
• Canada: Toronto Stock Exchange Committee; Canadian Securities Committee; Allen Committee Report; COCO; CAN/CSA-Q850
• South Africa: Code of Best Practice; King Report I, II, III; Stakeholder Communication; Public Finance Mgmt Act
• Japan: Corporate Governance Forum of Japan; J-SOX
• Germany: Bill on the Control and Transparency of Organizations; KonTraG Bill
• INTERNATIONAL (All countries): Basel I & II; ISO 31000 & 31010

Developed by Dorothy Gjerdrum, AJG & Mary Peter of Eide Bailly LLP

What this standard is – and isn’t

What it is:
• Guidance (voluntary)
• A collaborative effort, the best thinking of many
• The result of an evolution in the practice of risk management
• Broadly applicable – any size, type or location

What it isn’t:
• Regulation (mandatory)
• A certification standard
• A compliance tool
• Built on controls & metrics
• A prescribed doctrine
• An implementation guide

Risk Management is Evolving

Traditional Risk Management – risk is bad; focus is on transferring risk
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency mgmt handled separately
• “Silo” approach – risk mgmt is not integrated across the organization
• Risk Manager is the insurance buyer

Advanced Risk Management – risk is an expense; focus is on reducing cost-of-risk
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as depts are willing
• Risk Manager may be the risk owner

Enterprise-wide Risk Management – risk is uncertainty; focus is on optimizing risk to achieve goals
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader

[Figure: risk landscape map. Quadrants: Financial, Strategic, Operational, Hazard & 3rd Party; axes: Internal Threats / External Threats; the shaded area marked “Typical purview of RM” covers only the hazard and third-party risks.]

Risks shown on the map: Bank failures; Stock market performance; Unemployment; Interest rates; Budget cuts; Investment limitations; Tax caps; Bond rating; Retirement funding; Capital availability; Credit markets stability; Currency & foreign exchange rate fluctuations; Unexpected loss of revenue; Health care costs; Revenue & grant $$ management; Counterparty risk; Financial reporting; Mergers & Acquisitions of key partners or vendors; Ethics violations; Reputation; Negative media coverage; Stakeholders’ interests; Strategy & initiatives; Union relations; Long-term planning vs. budget limitations; Public-private partnerships; Health & safety violations; HR & personnel risks; Utilities failure; Workplace violence; Public support; Theft, embezzlement; Gov’t sanctions; Accounting or internal controls failures; Facilities maintenance; Aging infrastructure; IT system failure; Business interruption; Loss of key suppliers; Mandated public services; Code violations; Quality control; Workers’ comp; Building security; Public safety; Lawsuits; Piracy & Counterfeiting; War; Natural events & catastrophes; Terrorism; Fraud; Governance; Compliance; Disease & epidemics; Mold exposure; Asbestos exposure; Student activities; Director & Officer liability; Geopolitical risks; Animal or insect infestation; Pollution; Contractual liability; Building subsidence or collapse; Labor practices; Procurement; Unfunded mandates; Energy costs; Code of Conduct; Meeting Public expectations

The Baltimore Sun, July 16, 2008: An underground fire shut down power to 30 residential and commercial buildings in Baltimore and took nearly 10 hours to control. Baltimore’s utility lines are part of the city’s aging infrastructure – carrying electricity, cable, telephone, street light and fiber-optic service through 3.7 million feet of conduits. The cost to update the >100 year-old system is $900 million.


A Good Intro to ERM

Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be:
• A driver of strategic decisions
• The cause of uncertainty in an organization
• Embedded in the activities of the organization

An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services.

Excerpt from the Executive Summary “A Structured Approach to ERM and the Requirements of ISO 31000” published by airmic, alarm and the irm – all based in the U.K.

ISO 31000 – Quick Overview

• The basis of ISO 31000
• Overview of the “architecture”
• Understanding Principles, Framework and Process
• Select definitions
• Key concepts

It’s a Broad Approach to Risk

1. All organizations exist to achieve their objectives
2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve its objectives
3. The effect this uncertainty has on an organization’s objectives is “risk”

Scope of ISO 31000

This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.

ISO 31000 – Highlights

• Streamlined and easy to understand
• Proactive approach vs compliance
• Emphasizes top-down implementation
• Links risks to strategy & the achievement of objectives
• Addresses both threats and opportunities
• Provides a consistent approach that can be tailored to any type of operation in any location and integrated with other standards and guidelines

The “Architecture”

• The principles provide the foundation and describe the qualities of effective risk management in an organization
• The framework manages the overall process and its full integration into the organization
• The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment
• Monitoring & review, continual improvement and communication occur throughout

[Figure: the three components of ISO 31000 – Principles, Framework and RM Process]

Principles
• Creates value
• Part of org. processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best avail info
• Tailored
• Considers human & cultural factors
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Continual improvement

Framework (a cycle)
• Mandate & Commitment
• Design framework for managing risk
• Implement risk management
• Monitor and review the framework
• Continually improve the framework

RM Process
[Figure: Establish the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment; “Communicate and consult” and “Monitor and review” run alongside every step]

Why ISO Outlines Principles

The principles that govern the process:
• Establish the values and philosophy of the process
• Support a comprehensive and coordinated view of risk that applies to the entire organization
• Link the framework and practice of risk management to the strategic goals of the entity
• Align risk management to corporate activities

Risk Management Principles

Risk Management:
• Creates value
• Is an integral part of all organizational processes
• Is part of decision-making
• Explicitly addresses uncertainty
• Is systematic, structured and timely
• Is based on the best available information
• Is tailored
• Takes human and cultural factors into account
• Is transparent and inclusive
• Is dynamic, iterative and responsive to change
• Facilitates continual improvement & enhancement of the organization

Why ISO Specifies the Framework

• Maps out how the management of risk will be integrated across the organization
• Assures that the corporate-wide process is supported, iterative and effective
• Details how risk management will be an active component in governance, strategy and planning, management, reporting processes, policies, values and culture
• Provides for reporting & accountability

The Framework Includes:
• The organization & its context
• Risk Management Policy
• Accountability
• Integration into organizational processes
• Resources
• Communication & reporting – internal
• Communication & reporting – external

Framework Example: Benefits of RM

• Increase likelihood of achieving objectives
• Encourage proactive management
• Be aware of the need to identify and treat risk throughout the organization
• Improve the identification of opportunities & threats
• Effectively allocate and use resources
• Comply with relevant legal and regulatory requirements and international norms
• Improve mandatory and voluntary reporting
• Improve operational effectiveness & efficiency
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making & planning
• Improve controls
• Improve governance

Source: ISO/ANSI/ASSE 31000:2009, Risk management – Principles and guidelines

The Risk Management Process

• Begins with the context – always tailored to the organizational environment
• Applies to a portfolio of risks and to individual risks
• Emphasizes continual:
  • Communication & consultation
  • Monitoring & review

[Figure: Establish the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment; “Communicate and consult” and “Monitor and review” run alongside every step]

What is “risk”?

• Risk is present in everything we do.
• The definition we use is from ISO 31000, the international standard on risk management.

Risk = the effect of uncertainty on your objectives.

• Risk can be a threat or an opportunity

Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk

Select Definitions

Risk = the effect of uncertainty on objectives

Note 1 An effect may be positive, negative or a deviation from the expected

Note 2 An objective may be financial, related to health and safety or defined in other terms

Note 3 Risk is often described by an event, a change in circumstances, a consequence or a combination of these and how they may affect the achievement of objectives

Note 4 Risk can be expressed in terms of a combination of the consequences of an event or a change in circumstances and their likelihood

Note 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence or likelihood

Key Risks in Higher Ed

Risk 1 – The threat is that we are not prepared for a disruptive event. If people don't know (or aren't trained to follow) the protocol, if facilities are not "disaster ready," we will not be ready to respond or be able to return to normal quickly. If we manage this risk well, the opportunity is that we build resilience. (Likelihood 4, Consequence 3)

Risk 2 – With a large number of impending retirements in the coming years, the threat is that we are not prepared for continuity of operations – maintaining our culture and institutional knowledge. The opportunities of this risk include improving processes and programs through the influx of new ideas & employees. (Likelihood 5, Consequence 4)

Risk 3 – The threat of future financial instability and continued budget pressures. The opportunities include the opportunity to streamline operations & operate more efficiently. (Likelihood 2.5, Consequence 4)

Risk 4 – The threat is that we won't keep up with infrastructure needs and care for our aging facilities and infrastructure. The opportunity is that if we plan ahead, we will be able to justify needs, prioritize projects and implement improvements over time. (Likelihood 4, Consequence 4)
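The slide above rates each risk by likelihood and consequence (Note 4 in the definitions) but does not show what a risk register does with those ratings. The following is an added example, not code from the presentation or from ISO 31000: it walks the four Higher Ed risks through the process steps the deck describes (identify, analyse by scoring, evaluate against a tolerance, treat, then re-score for monitoring and review). The 1-to-5 scales, the likelihood × consequence scoring rule, the banding cut-offs and the tolerance value are all assumptions chosen for the example; ISO 31000 prescribes none of them.

```python
"""Minimal ISO 31000-style risk register (added example; scales and thresholds are assumptions)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    threat: str                 # downside of the risk
    opportunity: str            # upside if the risk is managed well
    likelihood: float           # assumed scale: 1 (rare) .. 5 (almost certain)
    consequence: float          # assumed scale: 1 (minor) .. 5 (severe)
    owner: str = "unassigned"   # ISO 31000 'risk owner' (person accountable)

    def score(self) -> float:
        """Risk analysis: combine consequence and likelihood into one rating."""
        return self.likelihood * self.consequence


def band(score: float, high: float = 15.0, medium: float = 8.0) -> str:
    """Map a score onto a three-level heat-map band; cut-offs are assumptions."""
    if score >= high:
        return "high"
    if score >= medium:
        return "medium"
    return "low"


def rank_register(register: list[Risk]) -> list[Risk]:
    """Order risks highest score first; sort is stable, so ties keep register order."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def needs_treatment(register: list[Risk], tolerance: float) -> list[str]:
    """Risk evaluation: names of risks whose score exceeds the tolerance, worst first."""
    return [r.name for r in rank_register(register) if r.score() > tolerance]


def treat(risk: Risk, likelihood: float, consequence: float) -> Risk:
    """Risk treatment: record the residual rating once controls are in place.
    A 'treatment' that does not lower the rating is rejected rather than recorded."""
    if likelihood * consequence >= risk.score():
        raise ValueError(f"treatment for {risk.name} does not reduce the risk")
    return replace(risk, likelihood=likelihood, consequence=consequence)


def summarise(register: list[Risk]) -> dict[str, tuple[float, str]]:
    """Monitoring & review view: name -> (score, band)."""
    return {r.name: (r.score(), band(r.score())) for r in register}


# Constructed from the four risks and ratings on the 'Key Risks in Higher Ed' slide.
HIGHER_ED_REGISTER = [
    Risk("Risk 1", "Not prepared for a disruptive event", "Build resilience", 4, 3),
    Risk("Risk 2", "Retirements threaten continuity of operations",
         "Influx of new ideas & employees", 5, 4),
    Risk("Risk 3", "Financial instability and budget pressures",
         "Streamline operations", 2.5, 4),
    Risk("Risk 4", "Aging facilities and infrastructure not kept up",
         "Plan ahead, prioritize projects", 4, 4),
]


if __name__ == "__main__":
    for r in rank_register(HIGHER_ED_REGISTER):
        print(f"{r.name}: score={r.score():.1f} band={band(r.score())} threat={r.threat}")
    print("above tolerance 12:", needs_treatment(HIGHER_ED_REGISTER, tolerance=12))
    # Hypothetical treatment: succession planning lowers Risk 2's likelihood from 5 to 3.
    residual = treat(HIGHER_ED_REGISTER[1], likelihood=3, consequence=4)
    print("Risk 2 residual:", residual.score(), band(residual.score()))
```

Ranking the register puts Risk 2 (20) and Risk 4 (16) ahead of Risk 1 (12) and Risk 3 (10); with a tolerance of 12 only the first two require treatment, and after the hypothetical succession-planning treatment Risk 2 re-scores at 12, which is what the monitor-and-review step would then track.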

Select Definitions

Risk management = the coordinated activities to direct and control an organization with regard to risk

Risk owner = the person with the accountability and authority to manage the risk

Stakeholder = any person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity. They are both internal and external. Stakeholders are important to the process and key to activities like communication, consultation and reporting. Stakeholders’ interests and fears should be taken into account

A Vision for Enhanced Risk Management

Key Outcomes
• The organization has a current, correct and comprehensive understanding of its risks.
• The organization's risks are managed to an acceptable level of tolerance.

Attributes
• Continual improvement
• Full accountability for risks
• Application of risk management in all decision making
• Continual communications
• Full integration into the organization’s governance structure

Excerpt from Annex A: ISO/ANSI/ASSE 31000:2009

RM & Decision Making

Accept grant money?
• Traditional RM – review hold harmless, place insurance
• ERM – gather stakeholders, assess risks, make decision in alignment with district goals, then manage risks

Getting to “Yes”

• After full consideration of all risks, the community college supported the trip
• Six students & one faculty member participated.
• Threats were addressed through training, info on cultural context, travel abroad insurance
• Result: Awarded silver medal!

ISO 31010 – Risk Assessment Techniques

• Risk assessment concepts
• Process
• Techniques

[Figure: Establish the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment; “Communicate and consult” and “Monitor and review” run alongside every step]

What’s Next for ISO 31000?

• Publishing an Implementation Guide as a Technical Report – 2013/2014
• ISO 31000 will be open for revision beginning late 2013
• ISO 31010 will also be reconsidered
• Being broadly implemented across the globe: Japan, Europe, Ireland, Canada, Australia & New Zealand

February 6, 2013

Dorothy M Gjerdrum – Executive Director, Public Sector