
ISO 31000 Risk Management Standard
Ottawa, February 27, 2008

John Shortreed, Director, Institute for Risk Research


University of Waterloo (shortree@uwaterloo.ca)

1. What is ISO 31000?
2. What are the key components of 31000?
3. Questions

Workshop format: to understand ISO 31000 by examining key components

jhs Ottawa 27/02/08

What is ISO 31000?

Guide for principles and implementation of risk management.
More or less final; will be issued in 2009 along with Guide 73 (terms) and 31010 (revised IEC risk analysis standard, originally Canadian eh!).

Can review 31000 and have input by asking after April 1 for the latest draft (free, but must read; shortree@uwaterloo.ca).
Will replace CSA Q850, Treasury Board, RIMS, etc. etc. and become the recognized international framework for risk management everywhere. Good stuff, no fooling.

First, a few things about risk and 31000

risk: effect of uncertainty on objectives. Positive and negative consequences; safety, compliance, strategy, anything under the sun.

risk management: coordinated activities to direct and control an organization with regard to risk.

risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization.

risk management process: systematic application of management policies, procedures and practices to the tasks of communication, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Is this your organization?

Name brand has been tarnished.
Continually in crisis management mode due to the absence of Quality Assurance mechanisms.
Repeated cases of: overspending, delays, noncompliance with policies and regulations.

Self-assessment by a Canadian Government department (good start!!). Quality assurance must follow & be coordinated with risk management.

Your Organization and 31000

Every organization is unique; yours might be a regulator, a deliverer of services, a policy analysis shop, an enforcer of laws, a facilitator of industry and commerce, support for education or literacy or rights, etc.
So implementation of risk management in every organization is different, but instantaneously recognized as the 31000 risk management framework, process, terminology, and other best practices.
So your organization's risk management could be reviewed and evaluated by any other risk-management-literate person from any organization, to mutual advantage.

Workshop will rate your organization against key components in ISO 31000. In the process you will learn what is in 31000.

Scorecard

1. Risk Register      ____/10
2. Accountability     ____/6
3. RM Process         ____/14
4. RM Framework       ____/14
5. Integration        ____/6
6. Terminology        ____/5 (bonus)
   Total              ____/50

Key components Workshop: Risk Register (RR)

risk register: record of information about identified risks

1. risk owner: person or entity with the accountability and authority
2. risk evaluation: use risk analysis to compare risk against risk criteria and find level of risk. Is it acceptable?
3. risk treatment: process of developing, selecting, and implementing measures to modify risk (control is measures to modify risk)
4. risk trends, performance measures for risk and risk controls
5. record for every risk in the organization

The following three slides provide illustrations of risk registers that have been found to be useful in organizations with successful ERM:
1. A bow tie diagram used by Broadleaf Capital, used for design of risk treatment but also a risk register
2. An illustrative example of the approach used by ___, and
3. An illustrative example of how ___ use their risk register for monitoring and review

Example risk register for a specific Objective (illustration only). Courtesy of Larry Warner of the Food Company.


Callouts on the example register:
1. Identify initiatives and their associated descriptions with measurable objectives
2. Prioritize order of the key initiatives based on their contribution to achieving the overall financial and strategic objectives within the OP
3. Document the individual in charge of the given initiative
4. List of risks that could hinder the ability to meet the initiative's objectives
5. List of planned activities that will mitigate the risks; match the mitigation strategies to risks through the reference numbers
6. Management Team evaluates the probability of success in achieving this initiative's overall objectives
7. Document the immediate next steps for effective initiative execution

Initiative: Ready to Heat
Objective: Aggressively grow and build the ready to heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product.
Priority: ___
Owner: ___
Risk Profile: ___

Risks:
1. Increase of aggressive competition from Rice Master and Fast Rice
2. Aggressive year for growth target for the segment & brand
3. Achieve new product growth targets

Mitigation Activities (risk reference numbers):
Accelerate innovation (1, 2, 3)
Conduct competitor analysis session (1)

Action Plan: ___

Business units are required to review and update a dashboard on a quarterly basis, which allows tracking of performance over time.

Dashboard columns: Initiative | Risk Profile (Q3 05, Q4 05, Q1 06, Q2 06; colour-coded Red / Yellow / Green / Blue on the original slide) | Trend | Comments

Relaunch of Pedigree: Effectively execute the relaunch of Pedigree to achieve the growth targets (10%).
  Trend: Improving
  Comments: Shipments started in P2 to meet advertising schedule. Advertising on air (P2W3). Massive presentation to all customers was executed during P1 with excellent customer participation.

Direct to store (DTS): Increase DTS operations by 10% and add 500 points of sale per cell.
  Trend: Stable
  Comments: DTS operation is improving, however there are still some areas that need to improve further. We will expand when we have a holistic strategy.

Associate engagement: Increase associate engagement score from 85% to 90% within the factory.
  Trend: Improving
  Comments: Shift managers have been provided associate engagement training. All managers have held meetings with their team members.

Bring Pet Dry plant online: Make the Dry plant fully operational by P13.
  Trend: Stable
  Comments: On track, construction permit granted. Plant will be ready by P13.

Launch of Dove: Successfully launch Dove into the mass market and achieve 65% distribution.
  Trend: Stable
  Comments: Increased risk due to current demand exceeding supply. We have rephased the rollout for the mass market to ensure current supply is adequate.

Key components Workshop: Risk Register (RR)
Discuss at table, then rate your organization out of 10 (rate each item out of 2).

risk register: record of information about identified risks

1. risk owner: person or entity with the accountability and authority
2. risk evaluation: use risk analysis to compare risk against risk criteria and find level of risk. Is it acceptable?
3. risk treatment: process of developing, selecting, and implementing measures to modify risk (control is measures to modify risk)
4. risk trends, performance measures for risk and risk controls
5. record for every risk in the organization


Key components Workshop: Accountability
Discuss, rate organization out of 6.

Policy that states each risk owner is accountable for that risk, the associated controls and monitoring of risk.
Accountability is assessed at managers' annual performance review, where evidence is expected.
Culture of accountability is such that everyone knows what risks they own and who owns risks that impact them.

Key components Workshop: Risk Management Process
Discuss, rate organization out of 14.

Notes:
Risk assessment is the white boxes.
Process is for every manager, for every project, program, decision.
2 points: have box; 1: being done.
We will not spend much time here since this should be well known.

Process diagram (ISO 31000 Clause 6):
Establish the Context -> Identify Risks -> Analyse Risks -> Evaluate Risks -> Treat Risks
(Identify, Analyse and Evaluate Risks together form Risk Assessment.)
Communicate and Consult, and Monitor and Review, run alongside every step.

Key components Workshop: Risk Management Framework
Discuss, rate organization out of 14.

Framework: set of components that provide the foundations and organizational arrangement for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization (wow, a mouthful).

Framework is new to 31000, follows the Plan-Do-Check-Act quality model and must follow principles outlined in 31000.
Next two slides show: 1) relationship of framework, process and principles; 2) details of framework implementation.

Principles for managing risk (Clause 4):
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization

Framework for managing risk (Clause 5):
5.2 Mandate and commitment
5.3 Design of framework for managing risk
5.4 Implementing risk management framework
5.5 Monitoring and review of the framework
5.6 Continual improvement of the framework

Processes for managing risk (Clause 6)

5.2 Mandate and commitment

Plan: 5.3 Design of framework for managing risk
  5.3.1 Understanding the organization and its context
  5.3.2 Risk management policy
  5.3.3 Integration into organizational processes
  5.3.4 Accountability
  5.3.5 Resources
  5.3.6 Establishing internal communication and reporting mechanisms
  5.3.7 Establishing external communication and reporting mechanisms

Do: 5.4 Implementing risk management
  5.4.1 Implementing the framework for managing risk
  5.4.2 Implementing the risk management process

Check: 5.5 Monitoring and review of the framework

Act: 5.6 Continual improvement of the framework

Continuous Improvement of the ISO 31000 Framework for risk management

Key components Workshop: Risk Management Framework
Discuss, rate organization out of 14 as follows:

Proclaimed commitment & policy (2)
Framework well known & communicated (2)
Continuous improvement of framework (2)
Principles, 1 point each to a max of (4)
Champion and implementation plan (2)
Framework facilitated by a small risk group of 2-4 people, with processes and application the responsibility of managers in every unit in the organization's hierarchy (2)

Key components Workshop: Integrated Risk Management
Discuss, rate organization out of 6.

Integrated approach to all risk silos, from strategic to new projects to workplace safety (2)
Integrated risk management by individual managers with other aspects of decision making, oversight of activities, etc. Not a separate task (2)
Risk management considered a core activity, referred to in annual reports, major topic in strategic and all decisions, etc. Opportunity focus as well as prevention of negative risks (2)

Key components Workshop: Terminology/concepts
Discuss, have a term for _______: 5 (bonus points)

May currently use other than ISO 31000 terms.

risk: is impact of uncertainty on objectives, must be either positive or negative (1)
risk management framework: for whole organization (1)
risk management process: for individual manager everywhere in organization (1)
risk control: as result of risk treatment, it is basis for risk owner's actions to modify risk (1)
context, internal and external: as the source of objectives; and risk criteria: used in risk evaluation (1)

Please see next slide for full list of 31000 terms.

Terms in ISO 31000 & Guide 73

risk: effect of uncertainty on objectives
  Related terms: event, consequence, likelihood, uncertainty, probability, frequency, level of risk, risk source, hazard, vulnerability

risk management: coordinated activities to direct and control an organization with regard to risk
  Related terms: external context, internal context, risk management policy, risk management framework, risk management plan, risk appetite, risk owner, risk management audit, exposure, risk profile, risk attitude, resilience

risk evaluation: process of comparing the results of risk analysis against risk criteria to determine whether the level of risk is acceptable or tolerable (part of risk management process)
  Related terms: risk criteria, risk tolerance, risk matrix, risk aggregation, risk aversion

stakeholder: those people and organizations who can affect, be affected by, or perceive themselves to be affected by a decision or activity
  Related terms: communication and consultation, risk perception, risk reporting

risk management process: systematic application of management policies, procedures and practices to the tasks of communicating, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk
  Related terms: risk assessment, risk register, risk identification, risk analysis, monitoring, review

risk treatment: process of developing, selecting, and implementing measures to modify risk (part of risk management process)
  Related terms: risk sharing, risk avoidance, risk financing, residual risk, risk retention, risk mitigation, control, risk acceptance

Broadleaf Capital's 10 point approach to Implementation of Risk Management (if time topic; continued on next slide with 10 steps for implementation)

Approach rationale:
Rather than use a design-build contractor with a pre-packaged approach to ERM, it is preferred to have a consultant who partners with the organization in developing a customized framework, tools and methods that reflect the organization's needs, risk profile and organization structure. Risk management champions are found within the organization and trained to implement and roll out the framework in a top-down engagement process. This seems to achieve the most rapid take-up and long term ownership of risk management in the organization; by working with the organisation's line managers and risk management specialists, and building on their skills and experience, risk management processes are more relevant to business needs and this also creates early and visible risk management benefits.
(Purdy@broadleaf.com.au) for more information

Broadleaf's 10 point approach to implementation of RM
1. Achieve an unequivocal Executive and Board mandate with a full appreciation of the changes required at all levels of the organisation.
2. Undertake a gap analysis and maturity evaluation.
3. Develop a carefully tailored framework, based on the ISO 31000 risk management framework, principles, and process as well as the organisation's context and structure necessary for ERM to be implemented and sustained.
4. Workshop and develop a strategic risk management plan to implement the framework utilizing practical tools and best practice methods.
5. Develop and gain senior management agreement on a set of performance-based standards to codify the framework and its implementation plan.
6. Create a tailored risk management information system that enforces accountability for risks, controls and tasks, supports control assurance and enables risk management performance management and reporting.
7. Cause Champions to be appointed within the organisation and trained to create the confidence, skills and local management support needed for roll-out.
8. Help Champions engage local management and implement the framework and risk management plan, generating risk registers, etc.
9. Establish a process and structure for RM performance management and reporting, including committees and review groups, and performance measures.
10. Periodically review, benchmark, and revise the framework.

Questions please
20 sec questions, 30 sec answers. Also ask shortree@uwaterloo.ca
