
ISO 31000 & Risk Management Process

M. Bilal Qureshi

ORMIS April 21, Toronto, ISO 1


The risk management process
Used by every manager for every decision

• Establish the context
• Identify risks
• Analyse risks
• Evaluate risks
• Treat risks

“Communicate and consult” and “Monitor and review” run alongside every one of these steps.



Risk Assessment

• Identify the risks
• Analyze the risks (note: when numerical estimates of likelihood and consequences are not available, subjective risk matrix methods may be used)
• Evaluate the risks against the Risk Criteria
• The result of evaluation is to accept (or not accept) the risk: an ”informed decision to take a particular risk”
• If not acceptable, go to Risk Treatment



Risk Treatment- “process to modify risk”

“NOTE 1 Risk treatment can involve:
— avoiding the risk;
— increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood;
— changing the consequences;
— sharing the risk with another party or parties [including risk financing];
— retaining the risk by informed decision.

NOTE 3 Risk treatment can create new risks or modify existing risks.”

Risk Treatment is often a cycle of: control options, assessment of residual risk, accept?, treat risk?, control options, assessment…



“communication and consultation”
“continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk
• NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability, treatment aspects
• NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
– a process which impacts on a decision through influence rather than power; and
– an input to decision making, not joint decision making.”



Example risk register for a specific Strategic Objective – illustration only
Courtesy of the Food Company

Numbered callouts on the register:
1. Identify initiatives and their associated descriptions with measurable objectives
2. Prioritize order of the key initiatives based on their
3. Document the individual in charge of the given initiative
4. List of risks that could hinder the ability to meet the initiative’s objectives
5. List of planned activities that will modify the risks – match the treatment strategies to risk through the reference numbers
6. Management Team evaluates the probability of success in achieving this initiative’s overall objectives
7. Document the immediate next steps for effective initiative execution

Register contents:
Objective xx “Ready-to-Heat” Risk Profile: Aggressively grow and build the ready-to-heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product.
Priority: • yes • High contribution to achieving the overall financial and strategic objectives within the
Owner: • Joe OP

Risks (uncertainties re Obj):
1 Increase of aggressive competition from Rice Master and Fast Rice
2 Aggressive year for growth target for the segment & brand
3 Achieve new product growth targets

Control Activities (reference numbers point to the risks treated):
1,2,3 Accelerate innovation session
1 Conduct competitor analysis

Action Plan:
Jane to develop 2-3 innovation schemes within 2 months
Joe to do market analysis

© Broadleaf Capital International, 2006

Bow-Tie Risk Treatment Tool
Example of an integrated tool for RM Process (template; the numbered blank entry lines are omitted)

Fields of the template, left to right:
1. (centre of the bow-tie; label not legible in the extract)
2. Causes (entries 1–10)
3. Impacts (entries 1–10)
4. Existing Controls – Preventative
5. Existing Controls – Reactive – Post Event
6. Risk Control Effectiveness rating
7. Consequence rating
8. Likelihood rating
9. RISK RATING
10. Comments
11. Risk Owner

Supporting tables on each side of the bow-tie:
Existing Preventative Controls / Control Owner (entries 1–6)
Existing Reactive Controls / Control Owner (entries 1–6)
Task (future controls) / Task Owner / Due Date (entries 1–3, one table per side)
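The assessment steps (subjective risk matrix when numbers are unavailable, evaluation against risk criteria, accept or go to treatment), the treatment cycle of control options and residual risk, and the bow-tie split into preventative and reactive controls, worked as an added Python example that is not from the slides. The 5x5 scales, the tolerance, the sample risk and its control options are all constructed for illustration.

```python
"""Added example (not from the slides): subjective risk matrix, evaluation
against risk criteria, and the treat / reassess-residual-risk cycle.
Scales, controls and the sample risk are constructed for illustration."""
from dataclasses import dataclass, field

# 5x5 subjective scales (constructed); rating = likelihood x consequence.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    kind: str        # "preventative" lowers likelihood, "reactive" lowers consequence
    reduction: int   # whole steps down the matrix scale
    owner: str


@dataclass
class Risk:
    description: str
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)       # treatments applied so far
    treatment_log: list = field(default_factory=list)  # (control name, residual rating)


def residual(risk, controls):
    """Residual (likelihood, consequence, rating) after applying the given controls."""
    lik, con = LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence]
    for ctl in controls:
        if ctl.kind == "preventative":      # bow-tie left side: changes the likelihood
            lik = max(1, lik - ctl.reduction)
        elif ctl.kind == "reactive":        # bow-tie right side: changes the consequences
            con = max(1, con - ctl.reduction)
        else:
            raise ValueError(f"unknown control kind: {ctl.kind}")
    return lik, con, lik * con


def analyse(risk):
    return residual(risk, risk.controls)


def evaluate(risk, criteria):
    """Risk criteria here: the highest matrix rating the organisation will accept."""
    return analyse(risk)[2] <= criteria


def treat(risk, options, criteria):
    """Cycle: control option -> assess residual risk -> accept? -> next option ..."""
    remaining = list(options)
    while not evaluate(risk, criteria) and remaining:
        # choose the option leaving the lowest residual rating (ties: first listed)
        best = min(remaining, key=lambda c: residual(risk, risk.controls + [c])[2])
        remaining.remove(best)
        risk.controls.append(best)
        risk.treatment_log.append((best.name, analyse(risk)[2]))
    # False means the options are exhausted: retain by informed decision, or escalate
    return evaluate(risk, criteria)


def run_example():
    # Constructed sample risk: initial rating 4 x 4 = 16 against a tolerance of 6.
    risk = Risk("Internet-facing server compromised via unpatched flaw", "likely", "major")
    options = [
        Control("Patch management SLA", "preventative", 2, "IT Ops"),
        Control("Tested offline backups", "reactive", 2, "IT Ops"),
        Control("Network segmentation", "reactive", 1, "Network"),
    ]
    accepted = treat(risk, options, criteria=6)
    return accepted, risk.treatment_log


if __name__ == "__main__":
    print(run_example())
```

The log shows the cycle the slide describes: the first control leaves a residual rating of 8, which is still above the criteria, so a second option is assessed before the risk is accepted.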



How to measure success? – Risk Maturity?
Standard and Poor’s ERM perspective (still too negative)
Companies that are considered "strong" demonstrate an enterprise-wide view
of risks, but are still focused on loss control. These companies have control
processes for major risks, thus giving them advantages due to lower expected
losses in adverse times, as such companies can consistently identify, measure,
and manage risk exposures and losses in predetermined tolerance guidelines.
Strong ERM firms are unlikely to experience unexpected losses outside of
tolerance levels. Risk and risk management are usually important
considerations in such firms' corporate judgment.
Companies that are considered "excellent" possess all of the characteristics of
those scored "strong" and will also demonstrate risk/reward optimization.
Such companies have very well-developed capabilities to consistently
identify, measure, and manage risk exposures and losses in predetermined
tolerance guidelines. Risk and risk management are always important
considerations in such firms' corporate judgment. It is highly unlikely that
these firms will experience losses outside of their risk tolerance.



Risk Maturity Score – Fraser Valley Health
Level of ERM Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

Elements of ERM (each scored against the five levels):
• Organization Philosophy & Culture
• Leadership Commitment
• RM Capabilities
• RM Process
• Monitoring & Review
• Reporting & Control
• Integration with other Management Systems



Organization Philosophy & Culture
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

1. Risk management culture
   1 Initial: The focus is primarily on responding to crises and tends to be reactive rather than proactive.
   2 Repeatable: People tend to be risk averse. Risks are identified primarily at operational and project levels. RM concepts are intuitively understood and practised on ad hoc basis. A cautious approach is taken to RM overall.
   3 Defined: RM is done proactively to anticipate risks and develop mitigation plans. Emerging risks are considered. Focus is on opportunities, not just risk avoidance. Risk implications are considered in all major decisions.
   4 Managed: Risks are consistently managed. Staff are encouraged to be innovative. The organization fosters a culture of continuous learning and participation. Staff are highly committed to organization success.
   5 Optimized: RM is done at every level in the organization, and is strongly integrated with management practices. Individual and organization expectations for RM are synchronized.

2. Roles and responsibilities for managing risk
   1 Initial: Roles and responsibilities are not documented and are unclear. No individual accountability for managing risk. RM is viewed as a department rather than a process.
   2 Repeatable: Responsibilities for managing risk have been established (job descriptions, terms of reference, etc.), but are not understood or consistently followed. Risk is managed intuitively, on an ad hoc basis.
   3 Defined: Roles and responsibilities for RM are clear, well communicated and understood throughout the organization.
   4 Managed: RM is embedded in individual behaviour. Individuals are empowered to manage risks. Responsibility for RM is an integral part of goal setting and performance planning.
   5 Optimized: Individual accountability for RM is firmly embedded in organization culture. Roles and responsibilities for RM are aligned with overall organization accountability framework.



Organization Philosophy & Culture cont’d
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

3. Linkage to ethics and values
   1 Initial: No ethics policy or guidelines in place. Policy statements are issued on ad hoc basis. No clear statements of shared values or principles, or attention to legal or political considerations.
   2 Repeatable: Organization has an ethics and values statement. RM philosophy is reflected in written code of ethics and values. Philosophy is attuned to legal and political considerations. Policies are communicated across the organization but applied inconsistently.
   3 Defined: Ethics and values principles and legal/political considerations are well understood by staff, and applied consistently throughout the organization. RM approach is closely aligned with ethics and values.
   4 Managed: Ethics and values help managers take a balanced approach to RM, and reconcile competing external forces. Ethics and values surveys consider risk, and are carried out regularly. Improvements are made.
   5 Optimized: Ethics, values and sensitivity to legal/political considerations are consistently reflected in organization practices and RM approach. Atmosphere of mutual trust exists at all levels of organization. Few infractions or incidents occur.

4. Valuing risk management behaviour
   1 Initial: High level of scepticism exists within organization. Mixed messages are given to staff. RM is not considered in assessing and rewarding performance. Staff contribution to managing risk is not recognized or valued.
   2 Repeatable: People are consulted and given opportunity to participate in RM. Staff contribution to managing risk is recognized on ad hoc basis. Performance in managing risks is considered in recognition and rewards programs.
   3 Defined: The working environment supports a proactive approach to managing risks. Information on risk is shared openly. Strong sense of teamwork exists across the organization.
   4 Managed: Recognition and rewards programs encourage staff to manage risks and take advantage of opportunities. Management is committed to continuous RM learning. Sanctions in place for knowingly ignoring risks. Staff development is a major organization priority.
   5 Optimized: Staff encouraged and recognized for identifying risks and opportunities, and for identifying risks not being appropriately managed. Staff continuously cited for their exemplary behaviour. Value of human capital in the organization is measured.



Leadership Commitment to Risk Management
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

5. Leadership
   1 Initial: RM is the concern of managers, and is dealt with on an ad hoc basis. RM concepts are ill defined and not well understood. No leadership engagement.
   2 Repeatable: RM initiatives are supported by senior management on ad hoc basis. Risks are managed by operational managers. No Board engagement.
   3 Defined: Senior management regularly engaged in formal RM process. Minimal Board engagement.
   4 Managed: Senior management oversee and champion the organization’s RM framework, and lead by example. Some Board engagement.
   5 Optimized: Board and senior management commitment for RM clearly articulated, and strongly embedded at all levels of the organization.

6. Risk management framework & policy
   1 Initial: The organization has no formal RM framework or policy.
   2 Repeatable: Some RM policies for specific areas have been formally documented to address specific risks.
   3 Defined: Organization RM framework in place.
   4 Managed: Organization RM framework and policy. These are well communicated and followed.
   5 Optimized: Board approved RM framework and policy are well communicated, followed and compliance is monitored.

7. Roles and responsibilities of senior management
   1 Initial: Unclear roles and responsibilities for RM. The audit function is seen as responsible for identifying risks.
   2 Repeatable: Specialists are responsible for managing risks. Managers identify and respond to risks on an ad hoc basis.
   3 Defined: Senior management assume responsibility for RM practices. Collectively, they identify and assess key organization risks, and develop mitigation plans.
   4 Managed: Senior management roles and responsibilities for RM are well documented in accountability agreements or governance documents. They are consistently applied and monitored.
   5 Optimized: Senior management promote and support research into RM best practice to ensure evidence-based approach. They are seen as leaders and innovators for implementing state of the art RM concepts.



Risk Management Capabilities
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

8. Risk management competencies
   1 Initial: RM is not perceived to be a formal competency. RM concepts are not well understood.
   2 Repeatable: RM competencies have been identified, and skills gap established by some managers. Little or no formal training has been done.
   3 Defined: Training in RM is high priority. Skills gap is being addressed. Training is being sourced. There is “cross-fertilization” between specialists and managers.
   4 Managed: RM competency development is integral part of individual learning plans, and organization development programs. Staff at all levels are being trained, and skills gaps addressed.
   5 Optimized: Ongoing commitment to ensure continuous renewal of RM competencies. The organization is well known and respected for its RM training program.

9. Risk management techniques
   1 Initial: Limited RM tools and techniques are available.
   2 Repeatable: Managers tend to use their own individual approach for risk analysis. Available RM techniques have limited focus in specialised areas (e.g., finance, OH&S, IT project management).
   3 Defined: Managers have access to various RM techniques that integrate financial and non-financial information for risk analysis. Tools are used with specialist support.
   4 Managed: Wide range of RM tools/techniques available to all staff who understand how to use them, as well as their benefits and limitations. Knowledge transfer occurs between specialists and managers.
   5 Optimized: RM tools and techniques are integrated with other management decision support tools. Strong interface with IS. Periodic review and update of tools and techniques.

10. Specialist support
   1 Initial: No specialist support for RM.
   2 Repeatable: Specialists are used by management to carry out basic risk analysis on an ad hoc basis.
   3 Defined: Specialists are known throughout the organisation and often called upon by managers to provide RM analysis and advice on specific issues.
   4 Managed: The expert advisory role of specialists is valued by all levels of management. Specialist support viewed as a key enabler in initiating change.
   5 Optimized: Specialists advise on broad range of issues, on an integrated basis, through multi-disciplinary teams. Externally recognized.



Risk Management Process
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

11. Risk identification & assessment
   1 Initial: No formal process to identify and assess risks.
   2 Repeatable: Risks are identified for specific areas, and assessed by managers on an ad hoc basis. No formal process in place. No attempt to aggregate risks across the organization.
   3 Defined: Formal risk assessment process and tools available to managers. Tools are used with specialist support. Risks are identified across the organisation to provide aggregate view.
   4 Managed: Formal process and tools available to managers who understand their benefits/limitations, and know how to apply them. More sophisticated tools available with specialist support. Risk categories provide aggregate view for better understanding.
   5 Optimized: Risk assessment process and tools are integrated with other management decision support tools. Strong interface with organization management information systems.

12. Risk tolerance
   1 Initial: Risk tolerance is not defined.
   2 Repeatable: Risk tolerance is not defined. Specific risk levels are accepted or rejected intuitively.
   3 Defined: Risk tolerance is somewhat defined for the organization and used by management.
   4 Managed: Common understanding and application of specific risk tolerance levels.
   5 Optimized: Risk tolerance levels established at all levels of the organization guide decision making.

13. Risk documentation
   1 Initial: No formal risk documentation is done.
   2 Repeatable: No formal process in place. Risks documentation that does occur is ad hoc and inconsistent.
   3 Defined: Formal documentation of risks in some areas – i.e., risk register, RM plans.
   4 Managed: Formal documentation of risks at all levels of the organisation. Risk registers and RM plans are regularly monitored and updated.
   5 Optimized: Formal documentation of risk (risk register, RM plans) is an integral part of planning and decision making – and a requirement of the Board.



Monitoring & Review
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

14. Performance measurement
   1 Initial: No formal performance measurement system in place.
   2 Repeatable: Performance measurement at departmental level involves monitoring of risks. Some risk indicators have been developed but not consistently applied.
   3 Defined: Organization-wide performance measurement system includes monitoring of risk indicators.
   4 Managed: Risk indicators are interpreted in relation to other corporate performance measures. Regular monitoring and review by Executive.
   5 Optimized: Strategic and operational risk indicators and performance measures are closely linked. Regular monitoring and review by Executive and the Board.

15. Review of the risk management practices
   1 Initial: No measurement framework in place to assess RM practices.
   2 Repeatable: Evaluation of RM practices occurs in specific areas. This is typically done by internal audit.
   3 Defined: Performance indicators to assess progress in implementing organization RM framework, and the effectiveness of RM practices have been developed.
   4 Managed: Information is regularly collected to monitor outcomes achieved as a result of RM framework and practices. Benchmarks established against which to assess progress.
   5 Optimized: Performance against indicators is measured, and results tracked over time. Action taken to improve. RM performance indicators and benchmarks are regularly reviewed and updated.



Reporting & Control
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

16. Risk management plans
   1 Initial: No formal RM plans exist.
   2 Repeatable: Formal RM plans in place to address and report on specific risks. However, RM plans are not developed on a consistent basis throughout the organization.
   3 Defined: RM is discussed as a part of the strategic and business planning processes. Plans include an overview of key risks and mitigation.
   4 Managed: Organization-wide RM plan in place that includes comprehensive analysis of organization risks and mitigation. Plan is regularly reported against, reviewed and updated by senior management.
   5 Optimized: Organization RM plan is viewed as integral to organization success. The plan is regularly reviewed and updated by senior management, and reported to the Board.

17. Controls
   1 Initial: Existing controls are not linked to corporate objectives or risk appetites. No criteria in place to evaluate controls effectiveness.
   2 Repeatable: Controls are used on an ad hoc basis to respond to new risks. Limited cost/benefit analysis of controls. Controls effectiveness is not monitored on a regular basis.
   3 Defined: Controls reflect corporate objectives and risk appetites. Cost/benefit analysis of controls is regularly conducted. Controls compliance and effectiveness is monitored at high level.
   4 Managed: Risk significance, as well as the cost/benefit of mitigation options is considered prior to implementing controls. Compliance with, and effectiveness of, controls is regularly monitored and reported throughout the organization.
   5 Optimized: The organization’s control environment is integrally linked to objectives, risk appetites and RM strategies. Controls compliance and effectiveness is regularly monitored and reported against, and improvements made as required.



Integration with Other Management Systems
Level of Maturity: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized

18. Linkage with strategic and operational planning
   1 Initial: RM is not linked with organization planning processes.
   2 Repeatable: Risks are considered in development of business and operational plans on ad hoc and inconsistent basis.
   3 Defined: Formal consideration of risks is integral part of strategic and operational planning.
   4 Managed: Formal RM process integral to strategic and operational planning. Risks are prioritized, and cost/benefit of mitigation options are assessed.
   5 Optimized: RM process is fully embedded in organization planning at all levels. A variety of modelling techniques used to quantify risks.

19. Linkage to management information system
   1 Initial: Limited management information to support RM.
   2 Repeatable: Management information exists to varying degrees to support RM at departmental level.
   3 Defined: Management information exists for organisation as a whole but with limited “drill-down” capability.
   4 Managed: Organization-wide performance management system in place. Information is used on ongoing basis to support RM.
   5 Optimized: Sophisticated decision support tools available on-line to support RM at all levels of the organization.

20. Linkage to internal communication and feedback on risks
   1 Initial: No formal internal communication channels for risk issues.
   2 Repeatable: Ad hoc communication on risk issues at departmental level. Managers tend to work independently with some interaction.
   3 Defined: Communication on risk issues follows normal reporting channels. Some sharing of information across the organization.
   4 Managed: Risk information is shared across the organization. A pro-active effort made to communicate information on RM best practices and lessons learned.
   5 Optimized: RM best practices and lessons learned are regularly communicated to the organization via newsletter, web page, orientation, etc.

21. Linkage to communication with external stakeholders
   1 Initial: No formal communication with external stakeholders on risk issues.
   2 Repeatable: Communication with stakeholders is ad hoc. Risk information is communicated on a “need to know” basis.
   3 Defined: Formal process to communicate with stakeholders on risk issues.
   4 Managed: Regular reporting to stakeholders on performance and risks. Stakeholder feedback obtained and considered in risk mitigation.
   5 Optimized: Careful consideration of stakeholder interests in risk mitigation. The organization is widely respected by stakeholders.



Roles in ERM – One scheme
CRO or Risk Management Department: central coordinating point for ERM

(Fan diagram; only the labels legible in the extracted text are kept.)
Legible role labels: Giving assurance on risk management processes; Giving assurance that risks are correctly evaluated; Giving assurance that the control systems are effective; Evaluating risk management processes; Championing establishment of ERM; Developing RM strategy for board approval; Setting the risk appetite; Taking decisions on risk responses; Implementing risk responses on Management’s behalf; Accountability for risks and control.

Legend:
• Core Internal Audit roles
• Legitimate Internal Audit roles with safeguards
• Roles Internal Audit should not undertake
• Roles for Management, at all levels of organization
Are we done yet? Agenda Covered? Questions?

• Risk is “effect of uncertainty on objectives”
• Discussion of Adopt 31000 - PHB Bilton and KISS
• Overview of 31000: introduction, scope, principles, framework, process
• How to “sell” ERM to senior management?
• The role of risk appetite, risk tolerance and the ubiquitous risk matrix/map/profile to deal with existing silos
• How will ERM help improve existing risk management?
• Next steps? How to measure success?
• Monitor, communications and consultation, and risk ownership.
• Role of CRO? (Ans- Minimal)
• What did we learn today?



Anatomy of Risk (diagram)
• Threats and Opportunities give Risks: +ve and -ve
• Strategic Risk Management Process, leading to Objectives
• Decision to “Take a Risk” or not
• Detailed Risk Management Process (RMP), leading to Risk Control(s)
• Residual Risk, then Risk Financing, then Actual Risk ???

