Launching ISO 31000 – The New Risk Management Standard

Uploaded by truongdang, posted 16-Feb-2018


Page 1: Launching ISO 31000 - assevirtualclassroom.org/ASSEGlobalWebFest/Resources/ISO Overvie…

6/1/2011

1

Dorothy M. Gjerdrum, ARM-P, CIRM
Chair of the US ISO 31000 Technical Advisory Group

Wayne Salen, ARM, CHCM, CPSM
Former Vice Chair of the U.S. TAG for Risk Management; current member of the U.S. TAG.

Launching ISO 31000 – The New Risk Management Standard

Agenda

• Framing the issue: the need for a broader view of “risk”
• Why do we need a standard on risk management? The evolution of ISO 31000
• Overview of ISO 31000 and 31010
• Implementation advice and resources

Page 2

[Diagram: the organization's risk universe. Categories shown: Financial Risks, Strategic Risks, Internal Risks, External Risks, Operational Risks, and Hazard & 3rd Party Risks (marked as the typical purview of RM). Risks listed: bank failures; stock market performance; unemployment; budget cuts; tax caps; credit markets stability; currency & foreign exchange rate fluctuations; unexpected loss of revenue; health care costs; mergers & acquisitions of key partners or vendors; ethics violations; reputation; stakeholders’ interests; long-term planning vs. budget limitations; public support; energy costs; meeting public expectations; geopolitical risks; interest rates; investment limitations; bond rating; retirement funding; capital availability; revenue & grant $$ management; counterparty risk; financial reporting; negative media coverage; strategy & initiatives; union relations; public-private partnerships; health & safety violations; HR & personnel risks; gov’t sanctions; accounting or internal controls failures; facilities maintenance; aging infrastructure; code violations; workers’ comp; public safety; lawsuits; piracy & counterfeiting; natural events & catastrophes; terrorism; governance; student activities; contractual liability; building subsidence or collapse; labor practices; procurement; unfunded mandates; code of conduct; utilities failure; workplace violence; theft, embezzlement; IT system failure; business interruption; loss of key suppliers; mandated public services; quality control; building security; war; fraud; compliance; disease & epidemics; mold exposure; asbestos exposure; director & officer liability; animal or insect infestation; pollution.]

The Baltimore Sun, July 16, 2008:

An underground fire shut down power to 30 residential and commercial buildings in Baltimore and took nearly 10 hours to control. Baltimore’s utility lines are part of the city’s aging infrastructure – carrying electricity, cable, telephone, street light and fiber-optic service through 3.7 million feet of conduits. The cost to update the >100 year-old system is $900 million.

Page 3


Risk Management is Evolving

Traditional Risk Management
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency mgmt handled separately
• “Silo” approach – risk mgmt is not integrated across the organization
• Risk Manager is the insurance buyer
• Risk is bad – focus is on transferring risk

Advanced Risk Management
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as depts are willing
• Risk Manager may be the risk owner
• Risk is an expense – focus is on reducing cost-of-risk

Enterprise-wide Risk Management
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader
• Risk is uncertainty – focus is on optimizing risk to achieve goals

Page 4

The Development of RM in the US

[Diagram: professional bodies by discipline. Finance: PRMIA; Audit: IIA; Safety: ASSE; Risk Mgmt: RIMS. Other bodies shown: GRC, COSO, NASP, ASA, PRIMA, STRIMA, URMIA, ASHRM.]

Global Corporate Governance Models

All EU Countries: Directives on Governance
Netherlands: Code Tabaksblatt
UK: Cadbury; Turnbull; Greenbury Rpt; BS 31100 RM
France: Vienot Com.; Mrini Report; Levy-Long Com.
Italy: Draghi Commission
Germany: Bill on The Control and Transparency of organizations; KonTraG Bill
INTERNATIONAL (All countries): Basel I & II; ISO 31000 & 31010
Australia/New Zealand: HB 317 on Risk Communication; Stock Exchange Listing
US: Business Round Table; NYSE listing Requirements; Blue Ribbon Commission; Sarbanes Oxley Act; COSO ERM Framework
Canada: Toronto Stock Exchange Committee; Canadian Securities Committee; Allen committee Report; COCO; CAN/CSA-Q850 (draft)
Japan: Corporate Governance Forum of Japan; J-SOX
South Africa: Code of Best Practice; King Report I, II, III; Stakeholder Communication; Public Finance Mgmt Act
Other items shown: New Accounting Standards; Best Practice Stmt Mgmt

Developed by Dorothy Gjerdrum, AJG & Mary Peter of Eide Bailly LLP

Page 5

A Good Intro to ERM

Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk.

Risk may be:
• A driver of strategic decisions
• The cause of uncertainty in an organization
• Embedded in the activities of the organization

An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services.

Excerpt from the Executive Summary “A Structured Approach to ERM and the Requirements of ISO 31000” published by airmic, alarm and the irm – all based in the U.K.

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.

Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.

Page 6

ISO 31000:2009

• Australia, New Zealand & Japan initiated its creation – based on AS/NZ 4360
• 30+ countries participated
• 6 meetings over several years
• Adopted in November of 2009, now officially the first International Standard on Risk Management
• Guide 73 & ISO 31010 quickly followed
• Now the official American Standard on RM

ISO 31000 – Quick Overview

• The basis of ISO 31000
• Overview of the process
• Understanding Principles, Framework and Process
• Select definitions
• Key concepts

Page 7

It’s a Broad Approach to Risk

1. All organizations exist to achieve their objectives
2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve its objectives
3. The effect this uncertainty has on an organization’s objectives is “risk”

Scope of ISO 31000

This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.

Page 8

ISO 31000 – Highlights

• Streamlined and easy to understand
• Proactive approach vs compliance
• Emphasizes top-down implementation
• Links risks to strategy & the achievement of objectives
• Addresses both upside and downside of risk
• Provides a consistent approach that can be tailored to any type of operation in any location and integrated with other standards and guidelines

Overview of the Process from ISO 31000

The principles provide the foundation and describe the qualities of effective risk management in an organization.

The framework manages the overall process and its full integration into the organization.

The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.

Monitoring & review, continual improvement and communication occur throughout.

Page 9

[Diagram: ISO 31000 Principles, Framework and RM Process.

Principles: Creates value; Part of org. processes; Part of decision making; Explicitly addresses uncertainty; Systematic, structured & timely; Based on best avail info; Tailored; Considers human & cultural factors; Transparent & inclusive; Dynamic, iterative & responsive to change; Continual improvement.

Framework: Mandate & Commitment; Design framework for managing risk; Implement risk management; Monitor and review the framework; Continually improve the framework.

RM Process: Establish the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; with Communicate and consult, and Monitor and review, running alongside every step.]

Why ISO Outlines Principles

The principles that govern the process:
• Establish the values and philosophy of the process
• Support a comprehensive and coordinated view of risk that applies to the entire organization
• Link the framework and practice of risk management to the strategic goals of the entity
• Align risk management to corporate activities

Page 10

Risk Management Principles

Risk Management:
• Creates value
• Is an integral part of all organizational processes
• Is part of decision-making
• Explicitly addresses uncertainty
• Is systematic, structured and timely
• Is based on the best available information

Risk Management Principles (cont’d)

Risk Management:
• Is tailored
• Takes human and cultural factors into account
• Is transparent and inclusive
• Is dynamic, iterative and responsive to change
• Facilitates continual improvement & enhancement of the organization

Page 11

Why ISO Specifies the Framework

• Maps out how the management of risk will be integrated across the organization
• Assures that the corporate-wide process is supported, iterative and effective
• Details how risk management will be an active component in governance, strategy and planning, management, reporting processes, policies, values and culture
• Provides for reporting & accountability

The Framework Includes:
• The organization & its context
• Risk Management Policy
• Accountability
• Integration into organizational processes
• Resources
• Communication & reporting – internal
• Communication & reporting – external

Page 12

The Risk Management Process

• Applies to portfolio of risks and individual risks
• Begins with the context – always tailored to the organizational environment
• Emphasizes continual:
  – Communication & consultation
  – Monitoring & review

[Diagram: the risk management process. Establish the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; with Communicate and consult, and Monitor and review, running alongside every step.]


Page 13

Select Definitions

Risk = the effect of uncertainty on objectives

An effect is a deviation from the expected – positive or negative. Risks may be described as a combination of likelihood and consequences.

Risk management = the coordinated activities to direct and control an organization with regard to risk

Risk owner = the person with the accountability and authority to manage the risk

Risk Mgmt & Other Initiatives

• RM supports strategic initiatives, mission and goals and links to them
• RM can support management processes (e.g. balanced scorecard, performance management measures)
• RM will help build success of key initiatives by identifying barriers and risks and ways to mitigate them

Page 14

Key Concepts of ISO 31000

• Risk Management is about exploiting opportunities as well as preventing problems (upside & downside risks)
• It is tied to business objectives and strategies – and supports them
• It works within the organization’s culture and will become integral to decision making
• It will ensure that Risk Management applies to all levels of the organization and to all activities

ISO 31010 – Risk Assessment Techniques

• Risk assessment concepts
• Process
• Techniques

[Diagram: the risk management process (Establish the context; Risk assessment: Risk identification, Risk analysis, Risk evaluation; Risk treatment; Communicate and consult; Monitor and review), repeated from the earlier slides.]

Page 15

Implementation Advice

• Educate yourself, develop your “elevator speech”, build your network of peers
• Seek opportunities for a broader approach to risk
• Create an inventory of risk management practices across all operations; can you build support for integration?
• Develop tools & resources – and develop your leadership skills
• Be patient – it’s a journey, not a destination

Page 16

Risk Management Standards

• COSO ERM Framework (2004)
• British Standards Assoc: Risk Management – Code of Practice – BSI 31100:2008 (under revision)
• ANSI/ASSE Z690.2-2011 - ISO 31000:2009 – Risk Mgmt Principles and Guidelines
• ANSI/ASSE Z690.3-2011 - ISO 31010:2009 – Risk Assessment Techniques
• HB 327:2010 Communicating and Consulting About Risk – from Australia/New Zealand
• Canadian Standards Association CAN/CSA-Q850 Implementation of ISO 31000

What’s Next for ISO 31000?

• Proposal from the UK to develop an international implementation guide
• ISO 31000 will be open for revision beginning in 2012
• Being broadly implemented across the globe: Japan, Europe, Ireland, Canada, Australia & New Zealand

Page 17

US Perspective

• Adopted as the US Standard by ANSI
• Available from ASSE or ANSI

Canadian Perspective – Risk Management Standards

• Combined ISO 31000 and Implementation Guidance for Canadian organizations: ‘Q31001-11’: one document!
• Canada placed a stronger emphasis on:
  – Senior management support of risk management
  – Linking risk management to organizational performance
• Clarified:
  – Sensitivities in managing risks to the public
  – Maturity model for risk management in organizations
  – Risk management process examples
  – Correct links between risk appetite, risk tolerance and risk rating concepts

Available for purchase at www.csa.ca

Page 18

Resources available

• RIMS Executive Report: An Overview of Widely Used Risk Management Standards and Guidelines
  – ISO 31000:2009
  – OCEG “Red Book”
  – BS 31100:2008
  – COSO ERM Framework 2004
  – FERMA 2002
  – Solvency II: 2012

Thank You!

Dorothy Gjerdrum, ARM-P, Executive Director, PESD, Arthur J. Gallagher Risk Mgmt, [email protected]

Wayne Salen, ARM, CHCM, CPSM, Director of Risk Management, Labor Finders® International, Inc., [email protected]