A Global Standard Integrated Risk Management in Canada

This Presentation
• What is in ISO 31000?
• How ISO 31000 can help
• Bringing it to your clients
• Steps to implementing a sustainable and risk based adaptive management regime



“a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk.”
IIA Professional Practices Framework

After G. Purdy, 2008


Drivers for a Global Standard
• Multinational companies operating in many countries around the globe
• A need to set priorities and address risks based on global importance
• Need a “common look and feel”
• Need to demonstrate that effective and reliable standards have been used.
• Many existing standards are “down in the weeds” and unsuited to broad application

The Search for a Standard
• AS/NZS 4360 was originally written to guide the implementation of risk management in Australia and New Zealand, global leaders in the new “enterprise risk management” approach.
• Use of AS/NZS 4360 extended globally over a 13 year period.
• It became apparent that the demand for a global standard was high enough to interest ISO

The Canadian Context
A pivotal point was in 1998, the publication of a report called “Results for Canadians”. It was the beginning of a new focus on results, and eventually things that could impair their delivery. In 2000, the first steps towards the development of a government wide Management Accountability Framework which would be used to assess the performance of departments annually

Management Accountability Framework Performance Indicators Framework

Performance Indicators for IRM
Risk Management
• Key risks identified and managed
• Risk lens in decision making
• Risk smart culture
• Capacity to communicate and manage risk in public context

In June of 2007 the “Policy for the Management of Projects” was approved by the Treasury Board Secretariat

5.1 Objective
The objective of this policy is to ensure that the appropriate systems, processes and controls for managing projects are in place, at a departmental, horizontal or government-wide level, and support the achievement of project and program outcomes while limiting the risk to stakeholders and taxpayers.

5.2 Expected results
The expected results of this policy, associated standards and directive are that:
• Projects achieve value for money;
• Sound stewardship of project funds is demonstrated;
• Accountability for project outcomes is transparent; and
• Outcomes are achieved within time and cost constraints.

What the Policy requires
• That each Department or Agency assess its capacity to manage risks using a specified assessment tool
• That (by April of 2011) the risk of every “project” is assessed using a standard risk assessment tool and those projects whose risk level exceed the departmental capacity must come before Treasury Board Secretariat for assessment

Project – Is an activity or series of activities that has a beginning and an end. A project is required to produce defined outputs and realize specific outcomes in support of a public policy objective, within a clear schedule and resource plan. A project is undertaken within specific time, cost and performance parameters.

Principle On Which ISO 31000 is based
Risk: “the effect of uncertainty on objectives” (as defined in Guide 73)
ISO 31000 identifies risk as the uncertainty between an enterprise and its objectives. This approach implies a top-down approach and risk is neither positive nor negative

ISO 31000 Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles for managing risk
5 Framework for managing risk
6 Process for managing risk

Steps to Develop and Sustain a Risk Management Framework
5.2 Mandate and Commitment
5.3 Designing the Framework
5.4 Implementing Risk Management
6. Risk Mgmt. Process
5.5 Monitoring and Reviewing the Framework
5.6 Continual Improvement of the Framework

Chapter 4 Principles for Managing Risk
To be most effective, an organization’s risk management should adhere to the following principles.
Risk Management:
a) creates value.
b) is an integral part of organizational processes.
c) is part of decision making.
d) explicitly addresses uncertainty.
e) is systematic, structured and timely.
f) is based on the best available information.
g) is tailored.
h) takes human and cultural factors into account.
i) is transparent and inclusive.
j) is dynamic, iterative and responsive to change.
k) facilitates continual improvement and enhancement of the organization.

Chapter 5 Framework for Managing Risk
5.1 General
5.2 Mandate and commitment
5.3 Design of framework for managing risk
5.3.1 Understanding the organization and its context
5.3.2 Risk management policy
5.3.3 Integration into organizational processes
5.3.4 Accountability
5.3.5 Resources
5.3.6 Establishing internal communication and reporting mechanisms
5.3.7 Establishing external communication and reporting mechanisms
5.4 Implementing risk management
5.4.1 Implementing the framework for managing risk
5.4.2 Implementing the risk management process
5.5 Monitoring and review of the framework
5.6 Continual improvement of the framework

Chapter 6 Process for Managing Risk
6.1 General
6.2 Communication and consultation
6.3 Establishing the context
6.3.1 General
6.3.2 Establishing the external context
6.3.3 Establishing the internal context
6.3.4 Establishing the context of the risk management process
6.3.5 Developing risk criteria
6.4 Risk assessment
6.4.1 General
6.4.2 Risk identification
6.4.3 Risk analysis
6.4.4 Risk evaluation
6.5 Risk treatment
6.5.1 General
6.5.2 Selection of risk treatment options
6.5.3 Preparing and implementing risk treatment plans
6.6 Monitoring and review
6.7 Recording the risk management process

How Can ISO 31000 Help?
• Risk Practitioners are best placed to make these assessments based on their experience with clients.
• A number of interested Canadian risk practitioners are working with the Canadian Standards Association (CSA) to build a bridge between ISO 31000 and the Canadian condition.
• A “guide” that will provide more detail and clarity, and may include examples.
• CSA Q850 will be withdrawn

Working With Clients
Adaptive Management
[Figure: adaptive management cycle with the steps Assess, Design, Implement, Monitor, Evaluate, Adjust]

Where Integrated Risk Management Fits In
[Figure: adaptive management cycle (Assess, Design, Implement, Monitor, Evaluate, Adjust) with the marker “IRM Occurs Here”]

The Assessment Phase
• It is at this stage where the overall goal or objective of the enterprise is assessed.
• Where: Activities → Outputs → Outcomes
• Often an evaluation framework or a “results based management accountability framework” (RMAF) is a good place to start.
• An RMAF shows how success is measured and who is accountable

Integrated Risk Management in the Assessment Phase
Integrated Risk Management of negative risks:
• Starts with “what can, and does, go wrong?”
• It looks to similar enterprises and experiences
• Seeks specifics for:
  • Causes (risk drivers)
  • Remedies (treatment)
  • Consequences (if/when the risk expresses)
This can be done for an existing, or proposed, activity

Sample Risk Information Sheet

There is a risk that . . .
Statement of the risk event that, if it materializes, can affect the achievement of enterprise objectives

Risk Drivers
• Identifies possible sources of the risk event, such as environmental factors or management framework weaknesses

Current Risk Treatment
• Identifies examples of current actions, controls, processes, etc. that reduce likelihood of risk occurring, or severity if it were to occur

Possible Consequences
• Describes possible impacts if the risk were to fully express

Activities → Outputs → Outcomes
To Meet Legal and Policy Obligations

Program Components
• Liaison with federal departments and agencies (e.g., Interdepartmental Regional Working Group)
• Ongoing identification and tracking of requirements in each region (tracking territorial requirements)
• Internal communication of requirements, monitoring and compliance by site (e.g., audits, quarterly reporting)
• Consultations (Local communities and self-govt requirements, regulatory, constitutional requirements, …)
• Procurement (e.g., FTA, Aboriginal Content Requirements)
• Transfer resources & responsibilities
• Delivery of DTA obligations
• Applying for permits and licenses
• Compliance with applicable internal and external regulations and licenses
• Activities to support ISO compliance
• Ensuring compliance with applicable H&S regulations

Outputs
• Listing of policy and regulatory requirements
• Work Plans/procedures to reflect requirements
• Reports on conformance/status of violations/corrective actions

Outcomes
• Aware of applicable regulation and policy requirements
• In compliance with all relevant legislations, regulations, policies and procedures
• Reports on conformance/status of violations/corrective actions

Sample Risk One: Logistics
There is a risk that logistics failures or limitations of winter roads, and air, land or water transportation firms will prevent a Northern program from achieving its objectives.

Risk Drivers
• length including warmer winters limiting the reliability and capacity of winter roads
• Sending goods by ship in the open water season is unreliable, especially to small coastal sites
• Lack of coordination between sites results in lost opportunities to share or divert transportation resources
• Limited number of fixed and rotary wing aircraft for charter
• High prices for charter because of competition from other development (e.g., diamond mines)
• Access to winter roads
• Limited capacity to store fuel at distribution facilities
• Inability to construct linear infrastructure
• Identification of site pathways for winter travel across open land has risks (crossing private land, thin ice)
• Quality of airstrips
• Storms
• Hazards of flying in fixed and rotary wing aircraft in icy conditions

Current Risk Mitigation
• Increased efforts for coordination between sites
• Scheduling to account for anticipated delays, especially for mobilization
• Communication
• Coordination with other users of winter roads
• Provide opportunity to transportation firms to go on site visits to determine the best way to address logistic constraints

Possible Consequences
• Project delays
• Planning delays
• Increased costs
• Missed milestones
• Injury or death to staff or contractors
• Lapsed funds
• Non-compliance with permits

[Figure: four risk matrices titled “Large Appetite for Risk”, “Plan for All Extreme Risks”, “Standard” and “Risk Averse”; axes: Increasing Impact and Increasing Likelihood; labels: CEO, Director, Manager, Chief]

The Profile of One Risk
[Figure: The Nature of the Risk. Impact: Very High. Likelihood: Likely]

Risk Assessment by Strategic Objective

The Next Step is Design
[Figure: adaptive management cycle (Assess, Design, Implement, Monitor, Evaluate, Adjust) with the marker “IRM Occurs Here”]

Risk Treatment should be “Designed In”
[Figure: decision flowchart. Labels: Risk Event; Tolerance; Acceptable? (YES / NO); Assume; Escalate for information; Escalate for action; Can You Act? (YES / NO); Monitor; Avoid; Treat; Share; Specific actions with owner and date]

Evaluate the effectiveness of treating risks
[Figure: The Profile of One Risk, on Impact and Likelihood axes (Very High, Likely), showing the level of risk before treatment, the treatment, and the level of risk after treatment]

Then Implement
[Figure: adaptive management cycle (Assess, Design, Implement, Monitor, Evaluate, Adjust) with the marker “IRM Occurs Here”]

Then Monitor
[Figure: adaptive management cycle (Assess, Design, Implement, Monitor, Evaluate, Adjust) with the marker “IRM Occurs Here”]

And, after one cycle, Evaluate
[Figure: adaptive management cycle (Assess, Design, Implement, Monitor, Evaluate, Adjust) with the marker “IRM Occurs Here”]

Adjust after Evaluation
In response to the evaluation step, Adjust:
To account for risk treatment that has worked, and to identify treatment that has been incomplete or ineffective.

Enterprise Wide Evaluation of Treatment
[Table showing the effect of risk treatment]

Questions?

