ISO 31000 Risk Management Standard
Ottawa, February 27, 2008
John Shortreed, Director, Institute for Risk Research
University of Waterloo
([email protected])

1. What is ISO 31000?
2. What are the key components of 31000?
3. Questions
Workshop format to understand ISO 31000 by examining key components
jhs Ottawa 27/02/08

What is ISO 31000?
Guide for principles and implementation of risk management
More or less final, will be issued in 2009 along with Guide 73 (terms), and 31010 (revised IEC risk analysis standard, originally Canadian eh!)
Can review 31000 and have input by asking after April 1 for the latest draft (free but must read, [email protected])
Will replace CSA Q850, Treasury Board, RIMS, etc. etc. and become the recognized international framework for risk management everywhere: good stuff, no fooling

First a few things about risk and 31000
risk; effect of uncertainty on objectives
  positive and negative consequences
  safety, compliance, strategy, anything under the sun
risk management; coordinated activities to direct and control an organization with regard to risk
risk management framework; set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization
risk management process; systematic application of management policies, procedures and practices to the tasks of communication, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk

Your Organization and 31000
Every organization is unique, yours might be a regulator, a deliverer of services, a policy analysis shop, an enforcer of laws, a facilitator of industry and commerce, support for education or literacy or rights, etc.
So implementation of risk management in every organization is different but instantaneously recognized as 31000 risk management framework, process, terminology, and other best practices.
So your organization's risk management could be reviewed and evaluated by any other risk management literate person from any organization to mutual advantage.
Workshop will rate your organization against key components in ISO 31000
In the process you will learn what is in 31000

Scorecard
1. Risk Register     ____/10
2. Accountability    ____/6
3. RM Process        ____/14
4. RM Framework      ____/14
5. Integration       ____/6
6. Terminology       ____/5 (bonus)
Total                ____/50

Key components Workshop: Risk Register (RR)
risk register; record of information about identified risks
1. risk owner; person or entity with the accountability and authority
2. risk evaluation; use risk analysis to compare risk against risk criteria and find level of risk: is it acceptable?
3. risk treatment; process of developing, selecting, and implementing measures to modify risk (control is measures to modify risk)
4. risk trends, performance measures for risk and risk controls
5. record for every risk in the organization

The following three slides provide illustrations of risk registers that have been found to be useful in organizations with successful ERM
1. A bow tie diagram used by Broadleaf Capital, used for design of risk treatment but also a risk register
2. An illustrative example of the approach used by , and
3. An illustrative example of how use their risk register for monitoring and review

Example risk register for a specific Objective, illustration only
Courtesy of Larry Warner of the Food Company

Callouts on the figure:
1. Identify initiatives and their associated descriptions with measurable objectives
2. Prioritize order of the key initiatives based on their contribution to achieving the overall financial and strategic objectives within the OP
3. Document the individual in charge of the given initiative
4. List of risks that could hinder the ability to meet the initiative's objectives
6. Management Team evaluates the probability of success in achieving this initiative's overall objectives
7. Document the immediate next steps for effective initiative execution

Register fields: Risk Profile, Priority, Owner, Risks, Mitigation Activities, Action Plan
Initiative: Ready to Heat
  Aggressively grow and build the ready to heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product.
Risks
  1  Increase of aggressive competition from Rice Master and Fast Rice
  2  Aggressive year for growth target for the segment & brand
  3  Achieve new product growth targets
Mitigation Activities
  1,2,3  Accelerate innovation
  1      Conduct competitor analysis session
Action Plan

Columns: Initiative; Risk Profile; Trend; Q305 Q405 Q106 Q206; Comments

Relaunch of Pedigree
  Effectively execute the relaunch of Pedigree to achieve the growth targets (10%)
  Risk profile: Yellow, Green
  Trend: Improving
  Comments: Shipments started in P2 to meet advertising schedule. Advertising on air (P2W3). Massive presentation to all customers was executed during P1 with excellent customer participation.

Direct to store (DTS)
  Increase DTS operations by 10% and add 500 points of sale per cell
  Risk profile: Green, Green
  Trend: Stable
  Comments: DTS operation is improving however there are still some areas that need to improve further. We will expand when we have a holistic strategy.

Associate engagement
  Increase associate engagement score from 85% to 90% within the factory
  Risk profile: Blue, Green
  Trend: Improving
  Comments: Shift managers have been provided associate engagement training. All managers have held meetings with their team members.

Bring Pet Dry plant online
  Make the Dry plant fully operational by P13
  Risk profile: Red
  Trend: Stable
  Comments: On track, construction permit granted. Plant will be ready by P13

Launch of Dove
  Successfully launch Dove into the mass market and achieve 65% distribution
  Risk profile: Blue, Yellow, Blue
  Trend: Stable
  Comments: Increased risk due to current demand exceeding supply. We have rephased the rollout for the mass market to ensure current supply is adequate.

Key components Workshop: Risk Register (RR)
discuss at table, then rate your organization out of 10
risk register; record of information about identified risks
Rate each item out of 2
1. risk owner; person or entity with the accountability and authority
2. risk evaluation; use risk analysis to compare risk against risk criteria and find level of risk: is it acceptable?
3. risk treatment; process of developing, selecting, and implementing measures to modify risk (control is measures to modify risk)
4. risk trends, performance measures for risk and risk controls
5. record for every risk in the organization

Key components Workshop: Accountability
discuss, rate organization out of 6
Policy that states each risk owner is accountable for that risk, the associated controls and monitoring of risk
Accountability is assessed at manager's annual performance review where evidence is expected
Culture of accountability is such that everyone knows what risks they own and who owns risks that impact them

Key components Workshop: Risk Management Process
discuss, rate organization out of 14
Process diagram boxes: Establish the Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Communicate and consult; Monitor and Review
Notes
Risk assessment is the white boxes
Process is for every manager for every project, program, decision
2 points have box, 1 being done
We will not spend much time here since this should be well known

Key components Workshop: Risk Management Framework
discuss, rate organization out of 14
Framework; set of components that provide the foundations and organizational arrangement for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization (wow, a mouthful)
Framework is new to 31000, follows Plan Do Check Act quality model and must follow principles outlined in 31000
Next two slides show
1) relationship of framework, process and principles
2) details of framework implementation

Principles for managing risk (Clause 4)
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization

Framework for managing risk (Clause 5)
5.2 Mandate and commitment
5.3 Design of framework for managing risk
5.4 Implementing risk management framework
5.5 Monitoring and review of the framework
5.6 Continual improvement of the framework

Processes for managing risk (Clause 6)

plan: 5.3 Design of framework for managing risk
  5.3.1 Understanding the organization and its context
  5.3.2 Risk management policy
  5.3.3 Integration into organizational processes
  5.3.4 Accountability
  5.3.5 Resources
  5.3.6 Establishing internal communication and reporting mechanisms
  5.3.7 Establishing external communication and reporting mechanisms
do: 5.4 Implementing risk management
  5.4.1 Implementing the framework for managing risk
  5.4.2 Implementing the risk management process
check: 5.5 Monitoring and review of the framework
act: 5.6 Continual improvement of the framework

Key components Workshop: Risk Management Framework
discuss, rate organization out of 14 as follows
Proclaimed commitment & policy (2)
Framework well known & communicated (2)
Continuous improvement of framework (2)
Principles: point each to max of (4)
Champion and implementation plan (2)
Framework facilitated by a small risk group of 2-4 people, with processes and application the responsibility of managers in every unit in the organization's hierarchy (2)

Key components Workshop: Integrated Risk Management
discuss, rate organization out of 6
Integrated approach to all risk silos from strategic to new projects to workplace safety (2)
Integrated risk management by individual managers with other aspects of decision making, oversight of activities, etc. Not a separate task (2)
Risk management considered a core activity, referred to in annual reports, major topic in strategic and all decisions, etc. Opportunity focus as well as prevention of negative risks (2)

Key components Workshop: Terminology/concepts
discuss, have a term for _______ 5 (bonus points)
may currently use other than ISO 31000 terms
risk: is impact of uncertainty on objectives, must be either positive or negative (1)
risk management framework: for whole organization (1)
risk management process: for individual manager everywhere in organization (1)
risk control: as result of risk treatment, it is basis for risk owner's actions to modify risk (1)
context, internal and external, as the source of objectives, and risk criteria used in risk evaluation (1)
please see next slide for full list of 31000 terms

Terms in ISO 31000 & Guide 73
risk profile
risk attitude
resilience
risk: effect of uncertainty on objectives
event
consequence
likelihood
uncertainty
probability
frequency
and practices to the tasks of communicating, consultation, establishing the context, identifying,
analysing, evaluating, treating, monitoring and reviewing risk
level of risk
risk source
hazard
risk assessment
risk register
risk identification
risk analysis
monitoring
review
vulnerability
control
risk acceptance
risk sharing
risk avoidance
risk financing
residual risk
risk retention
risk mitigation

Broadleaf's 10 point approach to implementation of RM

Questions please
20 sec questions
30 sec answers
Also ask [email protected]