
1. ISO 31000:2009 - Risk Management – Principles and Guidelines

The standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner, within any scope and context.
Eleven characteristics of risk management

• Five part framework:
  1. Mandate and commitment,
  2. Design of framework for managing risk,
  3. Implementing risk management,
  4. Monitoring and review of the framework, and
  5. Continual improvement of the framework.

• Six part generic process description:
  1. establishing of context,
  2. risk identification,
  3. risk analysis,
  4. risk evaluation,
  5. risk treatment and
  6. monitoring and review.
The diagram below provides an effective summary of the process to be followed.

Mandate and commitment

ISO 31000 makes it clear that there must be an organisation-wide commitment to risk management. This commitment must be led by the board and be implemented by all levels of management.

Designing a framework for managing risk


This section of ISO 31000 is designed to make sure that there is an appropriate, relevant and effective framework for managing risk that is embedded across the organisation.

Some of the main elements are:

• Take the Organisation's context into consideration when managing risk. Context means both external context (for example its political, social, regulatory, legal and financial environment) and internal context (for example governance, organisational structure, roles and accountabilities), as well as the main drivers and trends that could have an impact on the Organisation achieving its objectives.
• Having risk owners with ‘accountability, authority and appropriate competence for managing risk’.
• Establishing risk management policy.
• Embedding and integrating risk management into all of the Organisation's practices and processes by establishing an enterprise-wide risk management function.

Closely aligned with your culture are the organisation's core values, such as individual ownership and accountability, integrity, teamwork and collaboration, communications, and a commitment to excellence.

• Adopting an enterprise-wide approach to risk management helps:
  - Ensure the right people have the right information at the right time.
  - Culture is key: business management should be synonymous with risk management.
  - Focus the organisation and spend time and money where it’s needed most.
  - Optimize risk, return and capital.
  - Link strategy to risk process and control.
  - Improve decision-making.
• Making sure you have the right resources, including the right systems and people with skills, experience and competence in managing risk.
• Establishing internal communication and reporting mechanisms. For example, reporting to your board on risk, progress with the risk management plan and how well the risk management policy is being followed; and reviewing the effectiveness of the risk management framework from time to time (4.5).

Once the risk management framework has been in operation for a period, each Organisation should consider how the framework, policy and plan can be improved (continual improvement of the framework, 4.6).

Implementing risk management and the risk management process

Under ISO 31000, organisations should establish risk criteria and then evaluate risks against those criteria to determine which risks need treatment.

Establishing context (5.3)

Consider your organisation's context when you define the scope of its risk management program, formulate its risk management policy, and when you establish its risk criteria. Context would include things such as the size and scale of your Organisation, which activities you carry out, your location, experience, changes in your operating environment, etc.
2. COSO 2004: Enterprise Risk Management - Integrated Framework (The Committee of Sponsoring Organizations)

COSO ERM recommends that organisations introduce ERM to achieve a better connection between risk monitoring and the development and protection of the organization's value creation.

COSO’s goal is to improve the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control.

It defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Enterprise risk management requires an entity to take a portfolio view of risk.

ERM “consists of eight interrelated components”:

1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring

Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.

Entity's objectives:
• Strategic
• Operations
• Reporting
• Compliance
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
COSO framework

[Diagram: the COSO "Enterprise Risk Management - Integrated Framework" wheel, with the eight components arranged around it: Internal environment, Objective setting, Event identification, Risk assessment, Risk response, Control activities, Information & communication, Monitoring.]

Source: Accounting Information Systems: Basic Concepts and Current Issues (3rd edition) by R. L. Hurt. McGraw-Hill / Irwin, 2013.

Framework application

• Internal environment

- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
- Establishes the entity’s risk culture.
- Considers all other aspects of how the organization’s actions may affect its risk culture.

e.g.: Readings, seminars, “brown bag” discussions

• Objective setting

- Is applied when management considers risk strategy in the setting of objectives.
- Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept.
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

e.g.: Minimize the number of students on academic probation for multiple terms

• Event identification

- Differentiates risks and opportunities.
- Events that may have a negative impact represent risks.
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

e.g.: Lack of knowledge regarding conditions for academic probation


• Risk assessment

- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives: likelihood and impact.
- Is used to assess risks and is normally also used to measure the related objectives.
- Employs a combination of both qualitative and quantitative risk assessment methodologies.
- Relates time horizons to objective horizons.
- Assesses risk on both an inherent and a residual basis. (Inherent risk: the risk that an activity would pose if no controls or other mitigating factors were in place, i.e. the gross risk or risk before controls. Residual risk: the risk that remains after controls are taken into account, i.e. the net risk or risk after controls.)

e.g.: High

• Risk response

- Identifies and evaluates possible responses to risk.
- Evaluates options in relation to the entity’s risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
- Selects and executes a response based on evaluation of the portfolio of risks and responses.

e.g.: Reduce; Avoid

• Control activities

- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
- Occur throughout the organization, at all levels and in all functions.
- Include application and general information technology controls.

e.g.: Annual advisor workshops; Advising videos

• Information & communication

- Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
- Communication occurs in a broader sense, flowing down, across, and up the organization.

e.g.: ERM plan posted on web site

• Monitoring

Effectiveness of the other ERM components is monitored through:

- Ongoing monitoring activities.
- Separate evaluations.
- A combination of the two.

e.g.: Annual survey; Bi-annual staff retreat


Tasks to complete (with the corresponding COSO component)

• Form the team. (Internal environment)
• Identify and describe inherent risks. (Objective setting & event identification)
• Determine the likelihood and significance of those risks. (Risk assessment)
• Develop a sound response to the risks. (Risk response & control activities)
• Communicate the plan. (Information & communication)
• Monitor the plan. (Monitoring)


Key Implementation Factors

1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management

Organizational Design

• Strategies of the business

• Key business objectives

• Related objectives that cascade down the organization from key business objectives

• Assignment of responsibilities to organizational elements and leaders (linkage)

Example:

• Mission – To provide high-quality, accessible and affordable community-based health care
• Strategic Objective – To be the first or second largest full-service health care provider in mid-size metropolitan markets
• Related Objective – To initiate dialogue with the leadership of the 10 top under-performing hospitals and negotiate agreements with two this year

Establish ERM

• Determine a risk philosophy

• Survey risk culture

• Consider organizational integrity and ethical values

• Decide roles and responsibilities

Assess Risk

• Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Example: Risk Model

Environmental Risks

– Capital Availability

– Regulatory, Political, and Legal

– Financial Markets and Shareholder Relations


Process Risks

– Operations Risk

– Empowerment Risk

– Information Processing / Technology Risk

– Integrity Risk

– Financial Risk

Information for Decision Making

– Operational Risk

– Financial Risk

– Strategic Risk

Risk Analysis

[Diagram: three columns of the risk analysis cycle.]

Risk Assessment:
– Identification
– Measurement
– Prioritization

Risk Management:
– Control It
– Share or Transfer It
– Diversify or Avoid It

Risk Monitoring:
– Process Level
– Activity Level
– Entity Level

Source: www.theiia.org

DETERMINE RISK APPETITE

• Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value.

• Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (the range of acceptable variation).

Key questions:

• What risks will the organization not accept? (e.g. environmental or quality compromises)
• What risks will the organization take on new initiatives? (e.g. new product lines)
• What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share)

IDENTIFY RISK RESPONSES

• Quantification of risk exposure

• Options available:

- Accept = monitor

- Avoid = eliminate (get out of situation)

- Reduce = institute controls

- Share = partner with someone (e.g. insurance)

Residual risk (unmitigated risk, e.g. shrinkage)

Impact vs. Probability

                   Low probability           High probability
High impact        Medium Risk - Share       High Risk - Mitigate & Control
Low impact         Low Risk - Accept         Medium Risk - Control
Example: Call Center Risk Assessment

High impact, low probability (Medium Risk):
• Loss of phones
• Loss of computers
• Customer can’t get through
• Customer can’t get answers

High impact, high probability (High Risk):
• Credit risk
• Customer has a long wait

Low impact, low probability (Low Risk):
• Fraud
• Lost transactions
• Employee morale

Low impact, high probability (Medium Risk):
• Entry errors
• Equipment obsolescence
• Repeat calls for same problem
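To make the matrix above, the inherent/residual distinction from the COSO risk assessment component and the risk tolerance idea concrete, here is an added example (not from the original notes or the IIA slides): a small risk register scored on a 1-5 scale, reduced by controls to a residual score, and mapped onto the four quadrants of the Impact vs. Probability matrix with the response each quadrant prescribes. The scale, the cut-off between "Low" and "High", the control effects and the tolerance threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Quadrants exactly as drawn in the matrix above: (impact, probability) -> (rating, response)
MATRIX = {
    ("High", "Low"):  ("Medium Risk", "Share"),
    ("High", "High"): ("High Risk", "Mitigate & Control"),
    ("Low", "Low"):   ("Low Risk", "Accept"),
    ("Low", "High"):  ("Medium Risk", "Control"),
}

def level(score: int, cut_off: int = 3) -> str:
    """Collapse a 1-5 score onto the matrix's two levels (assumed cut-off at 3)."""
    return "High" if score >= cut_off else "Low"

@dataclass
class Risk:
    name: str
    impact: int         # 1-5, inherent (gross, before controls)
    probability: int    # 1-5, inherent
    # Each control is (name, impact reduction, probability reduction); assumed effects
    controls: list = field(default_factory=list)

    def inherent(self) -> tuple:
        return self.impact, self.probability

    def residual(self) -> tuple:
        """Net risk after controls: subtract each control's effect, never below 1."""
        i, p = self.impact, self.probability
        for _, d_impact, d_prob in self.controls:
            i, p = max(1, i - d_impact), max(1, p - d_prob)
        return i, p

def classify(impact: int, probability: int) -> tuple:
    return MATRIX[(level(impact), level(probability))]

def assess(register: list, tolerance: int = 6) -> list:
    """Rows of (name, inherent rating, residual rating, response, within tolerance).
    Tolerance is an assumed ceiling on residual impact x probability."""
    rows = []
    for r in register:
        inherent_rating = classify(*r.inherent())[0]
        ri, rp = r.residual()
        rating, response = classify(ri, rp)
        rows.append((r.name, inherent_rating, rating, response, ri * rp <= tolerance))
    return rows

# Constructed register using four risks from the call-centre example above
REGISTER = [
    Risk("Loss of phones", 5, 2, controls=[("Backup lines", 2, 0)]),
    Risk("Credit risk", 5, 4, controls=[("Credit checks", 0, 2)]),
    Risk("Entry errors", 2, 5, controls=[("Input validation", 0, 3)]),
    Risk("Fraud", 2, 1),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
```

Rows whose last field is False (here "Credit risk", still 5 x 2 after credit checks) are the ones that exceed the assumed tolerance and need a further response before they sit within appetite.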

Example: Accounts Payable

Process           Control Objective   Risk                                 Control Activity
Accounts payable  Completeness        Material transaction not recorded;   Accrual of open liabilities
                                      invoices accrued after closing

Communicate Results

• Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
• Flowcharts of processes with key controls noted
• Narratives of business objectives linked to operational risks and responses
• List of key risks to be monitored or used
• Management understanding of key business risk responsibility and communication of assignments

Monitor

• Collect and display information

• Perform analysis

- Risks are being properly addressed

- Controls are working to mitigate risks

Management Oversight & Periodic Review

• Accountability for risks

• Ownership

• Updates

- Changes in business objectives

- Changes in systems

- Changes in processes

Internal Control

A strong system of internal control is essential to effective enterprise risk management.

• Control Objective Example: The company only pays bills for goods actually ordered and received.
• Control Activity Example: Accounts payable clerks perform a three-way match of original purchase orders, goods receipt information, and invoices received prior to payment to vendors.

Risk is “the possibility of loss”; risk can be divided into risk (downside) or opportunity (upside); and may be internal, external or both.

• Risk comes from not knowing what you're doing. (Warren Buffett)
• Successful organizations have learned that the higher the risk, the more necessary it is to engage everyone's commitment and intelligence. (Margaret Wheatley)

• Risk Assessment Process:
  1. Estimate the significance of the risk
  2. Assess the likelihood or frequency of the risk occurring
  3. Consider how the risk should be managed and assess what actions must be taken

Control Activities
• The policies and procedures that help ensure that management directives are carried out.
• Help ensure that the necessary actions are taken to address risks during the achievement of company objectives.

ERM Underlying principles

• Every entity, whether for-profit or not, exists to realize value for its stakeholders.
• Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

ERM supports value creation by enabling management to:

• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
