Kevin W Knight AM
CPRM; Hon FRMIA; FIRM (UK); LMRMIA.
CHAIRMAN
ISO WORKING GROUP - RISK MANAGEMENT STANDARD
MEMBER
STANDARDS AUSTRALIA / STANDARDS NEW ZEALAND
JOINT TECHNICAL COMMITTEE OB/7 - RISK MANAGEMENT
08/2009
Why a new standard?
AS/NZS 4360:2004
ISO Guide 73
• Type of deliverable
The standard to be developed is a Guideline document, and is NOT to be used for the purpose of certification.
ISO Guide 73 - Scope
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organisation-wide, project, product and process).
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
[Figure: matrix of knowledge about likelihoods against knowledge about outcomes, ranging from well-defined outcomes to poorly defined outcomes; axis labels: KNOWLEDGE ABOUT LIKELIHOODS, “INCERTITUDE”.]
Note 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.
Note 2: Accepted risks are subject to monitoring and review.
1. Create value
2. An integral part of organisational processes
3. Part of decision making
4. Explicitly address uncertainty
5. Be systematic and structured
6. Be based on the best available information
7. Be tailored
8. Take into account human factors
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Be capable of continual improvement and enhancement
Attributes of enhanced risk management
AS/NZS/ISO 31000:2009 Annex A (Informative)
[Figure: organisational levels (SUPERVISION, GOVERNANCE, STRATEGIC MANAGEMENT, EXECUTIVE MANAGEMENT, DECISION & CONTROL, OPERATIONAL MANAGEMENT) contrasting the traditional and current risk management application at the lower levels with the potential greater future role of risk management at the upper levels.]
[Figure: Plan-Do-Check-Act cycle for risk management governance. Do: Organise and Allocate. Check: Measure and review; Control assurance; RM Plan progress; Governance reporting; Benchmarking; Performance criteria. Act. Roles shown: Board RM Committee; Exec RM Committee; Manager, RM; RM Champions; Risk, Control, Risk owners; Assurance providers.]
[Figure 1 residue. Principles: a) Creates value; b) Integral part of organisational processes; c) Part of decision making; d) Explicitly addresses uncertainty; e) Systematic, structured and timely; f) Based on the best available information; g) Tailored; h) Takes human and cultural factors into account; i) Transparent and inclusive; j) Dynamic, iterative and responsive to change; k) Facilitates continual improvement and enhancement of the organisation. Framework: Mandate and Commitment (4.2); Design of framework (4.3); Implementing risk management (4.4); Monitoring and review of the Framework (4.5); Continual improvement of the Framework (4.6). Process: Communication and consultation (5.2); Establishing the context (5.3); Risk assessment (5.4): Risk identification (5.4.2), Risk analysis (5.4.3), Risk evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6).]
AS/NZS/ISO 31000:2009 Figure 1 – Relationship between the principles, framework and process
[Figure 2 residue: Mandate and commitment (4.2).]
AS/NZS/ISO 31000:2009 Figure 2 — Relationship between the components of the framework for managing risk
[Figure: strategic planning cycle with stages Planning, Execution/Processes, and Review & Change / Integration. Labels: Future State/End Vision; SWOT, Opportunities and Risks; Strategy & Tactics; Performance; Capability; External Environment.]
Hierarchical Objectives
• Strategic: designed to provide the direction required to achieve strategic goals. These are usually long-term plans with a minimum timeframe of three to five years.
[Figure: spectrum of risk attitude shaping the strategic management decision, from Risk Aversion (Denial, Dislike, Disinclination, Indecision) through the risk appetite / tolerance range to Excessive (Impulsive, Irresponsible); underpinned by Corporate culture.]
Operational Risk Management Cycle
[Figure: annual cycle (markers May, Sep): Conduct risk profiling; Determine risk treatment actions; Implement and monitor treatment actions; Budget and business planning.]
DISCUSSION
[Figure: risk management process, bounded by Communication and Consultation (6.2) and Monitoring and Review (6.6 / 5.7), with Risk assessment (5.4) spanning: 5.4.2 RISK IDENTIFICATION – What can happen, when, where, how & why; 5.4.3 RISK ANALYSIS (6.4.3) – Determine existing controls; Determine Likelihood; Determine Consequences; Estimate Level of Risk; 5.4.4 RISK EVALUATION – Compare against criteria. Identify & assess options. Decide on response. Establish priorities. 5.5 RISK TREATMENT – 5.5.2 Selection of risk treatment options; 5.5.3 Preparing and implementing risk treatment plans.]
Step 6 : Monitor and Review Risks
• process
• environment
• organisation
• strategy
• stakeholders
Communicate and consult - at all steps
Step 4 : Evaluate Risks
• identify tolerable/unacceptable risks (referring risk rating against risk criteria)
• prioritise risks for treatment
[Figure: factors in Decision Making – Observation; Interest; Attention; Competing Information; Time Availability; Org/Env Factors.]
[Figure: risk management process (repeated) – Communication & Consultation; Monitoring & Review (5.7); Risk assessment (5.4): 5.4.2 RISK IDENTIFICATION, 5.4.3 RISK ANALYSIS, 5.4.4 RISK EVALUATION; 5.5 RISK TREATMENT.]
[Figure: the cultural web – Rituals & Routines; Organisation’s Paradigm; Power Structures; Control Systems; Organisational Structures. Adapted from Johnson & Scholes, 1993, p.61.]
DISCUSSION
• Personnel/human behaviour.
• Management activities and controls.
• Economic circumstances.
• Natural and unnatural events.
• Political circumstances.
• Technology/technical issues.
• Commercial and legal relationships.
• Public/professional/product liability.
• The activity itself.
Components of a risk
A risk is associated with:
[Figure: level of risk plotted against COST OF REDUCING RISK ($), with bands ACCEPTED PRACTICE, BEST ACHIEVABLE, ABSOLUTE MINIMUM and a SATISFACTORY region.]
THE TRADE-OFF BETWEEN LEVEL OF RISK AND COST OF REDUCING RISK – B.F. Hough 1985
Cost of risk reduction measures
[Figure: RISK plotted against COST OF RISK REDUCTION MEASURES; regions labelled VALUE, IMPLEMENT, USE JUDGEMENT, UNECONOMICAL.]
[Figure: risk management process – 5.3 ESTABLISHING THE CONTEXT; Communication & Consultation (5.2); Monitoring & Review (5.7); Risk assessment (5.4): 5.4.2 RISK IDENTIFICATION, 5.4.3 RISK ANALYSIS, 5.4.4 RISK EVALUATION; 5.5 RISK TREATMENT – 5.5.2 Selection of risk treatment options; 5.5.3 Preparing and implementing risk treatment plans.]
• Contingency planning
• Retain residual
Step 1 - Commencement
Risk Assessment
Step 5 – Developing Resource & Interdependency Requirements
[Figure: fan diagram of Internal Audit roles in risk management; most labels garbled in extraction. Legible labels: Core Internal Audit roles; Giving assurance on the Risk Management processes; Giving assurance that risks are correctly evaluated; Evaluating Risk Management processes; Giving assurance that the control systems are effective; Championing establishment of ERM; Developing RM strategy for Board approval; Maintaining and developing the ERM framework; Internal Audit should not undertake: Setting the risk appetite; Taking decisions on risk responses; Implementing risk responses on management’s behalf; Accountability for risks and control.]
[Figure: risk management cycle within a frame of Communicate & Consult and Monitor & Review – 1. Strategic Context; 2. Identify Threats; 3. Analyze & 4. Assess Risks; 5. Assess Opportunities; 7. Manage the Risk; underpinned by Culture and Communication.]