covid-19 and risk management · principles should enable effective integration of processes into a...

COVID-19 and Risk Management

Julia Graham, Airmic; Deborah Higgins, EPC (Serco); Russell Price, Continuity Forum


Post on 23-Jun-2020


Copyright © 2020 BSI. All rights reserved

COVID-19 and Risk Management

Julia Graham, Airmic
Deborah Higgins, EPC (Serco)
Russell Price, Continuity Forum


COVID-19 and Risk Management

Russell Price, Continuity Forum


ISO Definition of Risk

“The effect of uncertainty on objectives”¹

Uncertainty / Effect / Objectives

¹ BS ISO 31000:2018

If there is no OBJECTIVE set then there is no RISK in Risk Management terms.

Objectives can be hard or soft


Risk Life Cycle

[Figure: risk life cycle curve. Vertical axis: Pressure / Cost / Impact. Horizontal axis: Time / Development. Labels on the chart: Origin, Development, Impact, Resolution; Potential, Emerging, Current, Crisis, Dormant; Early Issue Identification; Issue Management; Increasing Awareness; Opportunity to Influence; Increasingly difficult to influence.]


ISO 31000 – Framework Approach

• It is the global standard for structuring the management of risk

• The content of ISO 31000 has been developed and agreed by the member organisations’ expert committees* from around the world

• ISO 31000 is part of the ISO family of standards and shares a common framework & terminology

• Principles based

• Clear and concise

*Committees consist of expert members nominated by National Standards Bodies organisations (such as the BSI, ANSI and DIN) and have responsibility for the technical content of standards.

International collaboration


Setting the context for Risk Management

Business Management

• Governance
• Compliance & Regulation
• Health & Safety
• Environmental Management
• Quality Management
• Information Technology & Security
• Security
• Business Continuity
• Organizational Resilience
• Disaster Recovery
• Emergency Management
• Crisis Management

and much more…


Management of Risk & Resilience

Building better performance …

• Clear understanding of management and organizational objectives
• Improved communications & integration across the organization and with stakeholders & wider society.
• Better monitoring and horizon scanning across Risk, Resilience, Continuity and Security operations
• Evidence based Compliance - Maturity assessment


ISO 31000:2018

Principles provide an anchor for the organization's decision making and provide guidance that helps people apply their experience in the most effective way.

Principles should enable effective integration of Processes into a Framework that delivers value for the organization

Structure

Principles and Guidelines


Standards work together

ISO Directives


Types of Standards

Type A: Specification Standard
• Sets out Requirements
• Can be assessed with Certification provided

Type B: Guidance Standard
• Provides recommendations
• Can be assessed or audited, but not certified

Handbooks & Technical Reports too

Annex SP


Connecting capabilities

Sector Standards

Specific Guidelines


At the heart of the BS ISO 31000 Standard?


Principles

Ensuring Risk Management is directly focused on contributing to improved performance.


Introduction – Clauses 1-3 – Scope, references and terms & definitions

Clause 4 – Principles – the foundations of the risk management framework

Clause 5 – Framework – integration of risk management into activities and functions

Clause 6 – Process – the systematic application of policies, procedures and practices, establishing the context, assessing, treating, monitoring and reporting risk


ISO 31000 Structure

Principles

Process

Framework


Principles

At the heart of ISO 31000:2018


Framework

The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions.

The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making.

This requires support from stakeholders, particularly top management.


Process

The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.


Not just for big business

SMEs can benefit big time too!

• Improve quality of products and services
• Increased credibility and trust
• Benefit from global best practice and expertise
• Reduce costs, improve performance
• Access to new markets and compete better
• Comply with regulations


Integrating performance

Building resilience


Managing Risk Performance

Culture
• Risk Ownership
• Responsibility & Accountability
• Knowledge, Skills, Attitudes & Behaviour (KSAB)

Capability

ACTIVE MONITORING, TESTING, HORIZON SCANNING, REVIEW & UPDATE

Activities should be aligned with the organisation's interests & proportionate to Threats & Opportunities.

Board engagement & responsibility

Risk Management
• Understanding Context
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Risk Treatment
• Scanning & Review

Governance
• Evaluate
• Direct
• Monitor
• Communicate
• Assure

Operational management & accountability


Protecting the future

Standards are evolving

Risk Management
• ISO 31000:2018
• ISO 31010:2019 Risk Assessment Techniques
• ISO Guide 73:2009 ¹ (ISO 31073)
• ISO 31022 Legal Risk Mgmt ²
• IWA 31 - Guidance on risk management in management systems ²

Governance
• ISO 19600 – Compliance ¹

OTHER ISO TC 262
• ISO 31030 - Workforce Travel Risk ²
• ISO 31050 – Emerging Risk ²
• ISO 31070 – Guidelines on core concepts ²

¹ under revision
² in development


A balanced approach…

• Assess the organisation's wider risk and resilience issues, identify the critical priorities – protect them!

• Engage with an ‘informed’ management focus on risk and resilience issues

• Connect with ‘business drivers’ to develop management support, drive improvement and deliver improved value & performance


Changing Habits

• Re-thinking Risk management with better focus on ‘business’ opportunities & addressing real threats to organizations and society

• Improve value and return for the organization & wider society

• Evolving challenges and growing complexity

• Share, connect and amplify expertise

• Change the future … ?


COVID-19 and Risk Management

Julia Graham, Airmic


COVID-19

Exploring the “Known unknown”


“A CRISIS LIKE NO OTHER”

Kristalina Georgieva, Managing Director, IMF, 2nd April 2020


2020 is a different computer generation

• 1 million daily users at the end of 2004
• 1.7 billion daily users at the start of 2020

Growth of UK Internet users ” risk


Then and now

• COVID-19 appears less deadly than other coronaviruses
• But by 31 March 2020 the disease had infected and killed more people than SARS (2003) and MERS (2012) combined
• COVID-19 has spread faster than SARS and MERS
• But has lower fatality rates …. based on what we know so far
• Response has demanded agility: travel and on-line access levels have played a key role
• Longevity of the crisis depends on how case numbers decline
• But what do we bounce back to and where?
• Recovery to the New Next will vary by sector and location
• With challenges to sustainable global connectivity


Now and next

Now
• People
• Critical business drivers of value
• What creates this value
• Multiple lenses of risk across the enterprise
• Communicate then communicate some more

Then survival
• Financial impact
• Cash flow
• Leverage
• Engaging innovations


Key considerations

• Business purpose, activities, key cash flow, people and suppliers
• Geographical locations of facilities, customers and suppliers
• Cultures that affect how people respond and behave
• People who may be at higher risk from COVID-19
• Expected peak absenteeism rates and potential patterns
• Government actions, such as travel, quarantine, restrictions on mass gatherings and guidelines on social distancing

Continuously keeping context front of mind


Edelman’s COVID-19 observations

• An uncertain context trust in institutions becomes even more critical

• Strong leadership and decision making will be required to shape and earn trust post-crisis

• Many organisations were caught off-guard by the crisis and living up to the established purpose may seem daunting - but at some point organisations will need to regroup. This will require an enterprise approach.

• Purpose is not immune to shifts in context, with millennials having a profound influence – purpose must adapt in harmony with culture

• Now is the time to start thinking – the clarity that comes with crisis provides a unique opportunity

• Trust remains a key metric at this time

• “Proof of purpose” if an organization wants to build lasting trust


Responses to COVID-19 research from Imperial College

Priority
• Improve the way the current outbreak response is planned and implemented;
• Improve the way information and guidance is provided to and understood by the public;
• Optimise the support provided to communities and vulnerable groups; and
• Improve future outbreak preparedness

Secondary
• Understanding the role of the media in influencing how people react and respond;
• Furthering our basic understanding of the virus – how it spreads, who it affects the most and why, and whether people achieve and maintain immunity after being infected;
• Critiquing the UK’s response to the pandemic against that of other countries; and
• Ensuring lessons can be learnt from this outbreak to better equip us for future outbreaks, and public health emergencies in general

https://www.imperial.ac.uk/mrc-global-infectious-disease-analysis/covid-19/


COVID-19 and Risk Management

Deborah Higgins, EPC (Serco)
Julia Graham, Airmic
Russell Price, Continuity Forum

Questions?