Launching ISO 31000 – The New Risk Management Standard
STRIMA National Conference, September 13, 2010
Agenda
• Framing the issue: the need for a broader view of “risk”
• Why do we need a standard on risk management? The evolution of ISO 31000
• Overview of ISO 31000 and 31010
• Implementation advice and resources
Sources of risk for a public entity (slide diagram: the map is divided into Financial Risks, Strategic Risks, Operational Risks and Hazard & 3rd Party Risks, split along an Internal Risks / External Risks axis; the “Typical purview of RM” is marked as a small subset of the whole). Risks named on the map:
Bank failures, Stock market performance, Unemployment, Interest rates, Budget cuts, Investment limitations, Tax caps, Bond rating, Retirement funding, Capital availability, Credit markets stability, Currency & foreign exchange rate fluctuations, Unexpected loss of revenue, Health care costs, Revenue & grant $$ management, Counterparty risk, Financial reporting, Mergers & Acquisitions of key partners or vendors, Ethics violations, Reputation, Negative media coverage, Stakeholders’ interests, Strategy & initiatives, Union relations, Long-term planning vs. budget limitations, Public-private partnerships, Health & safety violations, HR & personnel risks, Utilities failure, Workplace violence, Public support, Theft, embezzlement, Gov’t sanctions, Accounting or internal controls failures, Facilities maintenance, Aging infrastructure, IT system failure, Business interruption, Loss of key suppliers, Mandated public services, Code violations, Quality control, Workers’ comp, Building security, Public safety, Lawsuits, Piracy & Counterfeiting, War, Natural events & catastrophes, Terrorism, Fraud, Governance, Compliance, Disease & epidemics, Mold exposure, Asbestos exposure, Student activities, Director & Officer liability, Geopolitical risks, Animal or insect infestation, Pollution, Contractual liability, Building subsidence or collapse, Labor practices, Procurement, Unfunded mandates, Energy costs, Code of Conduct, Meeting Public expectations.
The Baltimore Sun, July 16, 2008: An underground fire shut down power to 30 residential and commercial buildings in Baltimore and took nearly 10 hours to control. Baltimore’s utility lines are part of the city’s aging infrastructure – carrying electricity, cable, telephone, street light and fiber-optic service through 3.7 million feet of conduits. The cost to update the >100 year-old system is $900 million.
The Emerging Risk Environment
Sources of Risk – Factors Influencing Public Entities (Cities, Counties, Schools, States)
Technological
• Breakdown of critical info infrastructure
• Public data protection
• Pressure to keep up
Societal
• Pandemics & infectious diseases
• Increase in need for social services
• Public health demands
• Push to improve education
• Increased crime & violence
Economic
• Investment failures
• Unfunded mandates
• Budgets subject to limited, decreasing revenue streams
• Funding retiree health care and pensions
Environmental
• Climate change
• Natural catastrophes
• Pollution regulations (e.g. GASB 29)
• Global pollution
• Aging infrastructure
Geopolitical
• International terrorism
• Funding disparities – state to state (e.g. stimulus $$)
• Supply chain issues
• How will global standard for RM apply to US?
Risk Management is Evolving
Traditional Risk Management (Transactional) – Risk is bad; focus is on transferring risk
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency mgmt handled separately
• “Silo” approach – risk mgmt is not integrated across the organization
• Risk Manager is the insurance buyer
Advanced Risk Management (Integrated) – Risk is an expense; focus is on reducing cost-of-risk
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as depts are willing
• Risk Manager may be the risk owner
Enterprise-wide Risk Management (Strategic) – Risk is uncertainty; focus is on optimizing risk to achieve goals
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader
The Development of RM in the US
• Finance: PRMIA, GRC
• Audit: IIA, COSO
• Safety: ASSE, NASP, ASA
• Risk Mgmt: RIMS, PRIMA, STRIMA, URMIA, ASHRM
Global Corporate Governance Models
• All EU Countries: Directives on Governance
• Netherlands: Code Tabaksblat
• UK: Cadbury; Turnbull; Greenbury Rpt; BS 31100 RM
• France: Vienot Com.; Marini Report; Levy-Long Com.
• Italy: Draghi Commission
• Australia/New Zealand: HB 317 on Risk Communication; Stock Exchange Listing; New Accounting Standards; Best Practice Stmt Mgmt
• US: Business Round Table; NYSE Listing Requirements; Blue Ribbon Commission; Sarbanes-Oxley Act; COSO ERM Framework
• Canada: Toronto Stock Exchange Committee; Canadian Securities Committee; Allen Committee Report; COCO; CAN/CSA-Q850 (draft)
• South Africa: Code of Best Practice; King Report I, II, III; Stakeholder Communication; Public Finance Mgmt Act
• Japan: Corporate Governance Forum of Japan; J-SOX
• Germany: Bill on The Control and Transparency of organizations; KonTraG Bill
• INTERNATIONAL (All countries): Basel I & II; ISO 31000
Developed by Dorothy Gjerdrum, AJG & Mary Peter of Eide Bailly LLP
A Good Intro to ERM
Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk.
Risk may be:
• A driver of strategic decisions
• The cause of uncertainty in an organization
• Embedded in the activities of the organization
An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services.
Excerpt from the Executive Summary “A Structured Approach to ERM and the Requirements of ISO 31000” published by airmic, alarm and the irm – all based in the U.K.
Evolution of the US TAG
• ANSI sought support early in process – no qualified organization stepped up until 2008
• ASSE Council on Practices & Standards agreed to serve as secretary to US TAG
• ASSE turned to its membership to recruit Technical Advisory Group (TAG) members
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
ISO 31000:2009
• Australia, New Zealand & Japan initiated its creation
• 18+ countries participated
• 6 meetings over several years
• Adopted in November of 2009, now officially the first International Standard on Risk Management
• Guide 73 & ISO 31010 quickly followed
• Now also the American Standard on RM
ASSE Formed the US TAG
Chair: Dorothy Gjerdrum, Arthur J. Gallagher
Vice Chair: Wayne Salen, RIMS
• Consumer/Directly Affected Public (6)
• General Interest (5)
• Government Body/Organization (2)
• Producer/Manufacturer (3)
• User (4)
US ISO TAG Participants
• AH & T Insurance
• AIHA
• AJ Gallagher
• ASSE
• Bayer Materials
• Brazosport College
• Eide Bailly, LLP
• ESIS
• McCulley Eastham
• PMMI
• Pilz Automation
• Project Mgmt Trust
• PRIMA
• RIMS
• Safety Mgmt Consultants
• TC 176 TAG
• Washington Group
• Woods Hole
• Wyeth
What’s Next for the US TAG?
• Proposal from the UK to develop an international implementation guide – if that proposal is accepted by ISO, we’ll participate
• US subcommittee working on a US Implementation Guide
• ISO 31000 will be open for revision beginning in 2012
• The US ISO TAG is still open to new members – contact Tim Fisher at ASSE
ISO 31000 – Quick Overview
• The basis of ISO 31000
• Overview of the process
• Understanding Principles, Framework and Process
• Select definitions
• Key concepts
It’s a Broad Approach to Risk
1. All organizations exist to achieve their objectives
2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve its objectives
3. The effect this uncertainty has on an organization’s objectives is “risk”
Scope of ISO 31000
This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.
ISO 31000 – Highlights
• Streamlined and easy to understand
• Proactive approach vs compliance
• Emphasizes top-down implementation
• Links risks to strategy & the achievement of objectives
• Addresses both upside and downside of risk
• Provides a consistent approach that can be tailored to any type of operation in any location and integrated with other standards and guidelines
Overview of the Process from ISO 31000
The principles provide the foundation and describe the qualities of effective risk management in an organization.
The framework manages the overall process and its full integration into the organization.
The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.
Monitoring & review, continual improvement and communication occur throughout.
(Slide diagram: how the Principles, the Framework and the RM Process relate)
Principles
• Creates value
• Part of org. processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best avail info
• Tailored
• Considers human & cultural factors
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Continual improvement
Framework
• Mandate & Commitment
• Design framework for managing risk
• Implement risk management
• Monitor and review the framework
• Continually improve the framework
RM Process
• Establish the context
• Risk assessment: Risk identification, Risk analysis, Risk evaluation
• Risk treatment
• Communicate and consult, and Monitor and review, run alongside every step
Why ISO Outlines Principles
The principles that govern the process:
• Establish the values and philosophy of the process
• Support a comprehensive and coordinated view of risk that applies to the entire organization
• Link the framework and practice of risk management to the strategic goals of the entity
• Align risk management to corporate activities
Risk Management Principles
Risk Management:
• Creates value
• Is an integral part of all organizational processes
• Is part of decision-making
• Explicitly addresses uncertainty
• Is systematic, structured and timely
• Is based on the best available information
Risk Management Principles (cont’d)
Risk Management:
• Is tailored
• Takes human and cultural factors into account
• Is transparent and inclusive
• Is dynamic, iterative and responsive to change
• Facilitates continual improvement & enhancement of the organization
Why ISO Specifies the Framework
• Maps out how the management of risk will be integrated across the organization
• Assures that the corporate-wide process is supported, iterative and effective
• Details how risk management will be an active component in governance, strategy and planning, management, reporting processes, policies, values and culture
• Provides for reporting & accountability
The Framework Includes:
• The organization & its context
• Risk Management Policy
• Accountability
• Integration into organizational processes
• Resources
• Communication & reporting – internal
• Communication & reporting – external
The Risk Management Process
• Applies to portfolio of risks and individual risks
• Begins with the context – always tailored to the organizational environment
• Emphasizes continual:
– Communication & consultation
– Monitoring & review
Implementation Examples
• Community college district wants to review the risk & opportunity of expanding its journalism department (grant money) and sending students into high-conflict, emerging news areas of the world
• Individual interviews re risk uncover unsafe money transfer procedures
• The “Aha!” moments of realizing crossover risks or cumulative risks
Select Definitions
Risk = the effect of uncertainty on objectives. An effect is a deviation from the expected – positive or negative. Risks may be described as a combination of likelihood and consequences.
Risk management = the coordinated activities to direct and control an organization with regard to risk
Risk owner = the person with the accountability and authority to manage the risk
Risk Mgmt & Other Initiatives
• RM supports strategic initiatives, mission and goals and links to them
• RM can support management processes (e.g. balanced scorecard, performance management measures)
• RM will help build success of key initiatives by identifying barriers and risks and ways to mitigate them
Key Concepts of ISO 31000
• Risk Management is about exploiting opportunities as well as preventing problems (upside & downside risks)
• It is tied to business objectives and strategies – and supports them
• It works within the organization’s culture and will become integral to decision making
• It will ensure that Risk Management applies to all levels of the organization and to all activities
ISO 31010 – Risk Assessment Techniques
• Risk assessment concepts
• Process
• Techniques
Implementation Advice
• Educate yourself, develop your “elevator speech”, build your network of peers
• Seek opportunities for a broader approach to risk
• Develop tools & resources – and develop your leadership skills
• Be patient – it’s a journey, not a destination
• Create an inventory of risk management practices across all operations; can you build support for integration?
Risk Management Standards
• COSO ERM Framework (2004)
• British Standards Assoc: Risk Management – Code of Practice – BSI 31100:2008 (under revision)
• ISO 31000 – Risk Mgmt Principles and Guidelines
• ISO 31010 – Risk Assessment Process
• HB 327:2010 Communicating and Consulting About Risk – from Australia/New Zealand
• Canadian Standards Association CAN/CSA-Q850 Implementation of ISO 31000 – publication pending
• US Implementation Guide – publication pending
RM Standards – My Recommendations
• Buy the standard – ISO 31000 – Risk Mgmt Principles and Guidelines: www.asse.org or www.ansi.org
• Download the alarm/airmic/irm handbook (free)
• Buy either the Canadian Standards Association CAN/CSA-Q850 Implementation of ISO 31000 (expected publication in fall of 2010) or the US Implementation Guide (publication in 2011)
ERM Training – My Recommendations
• Canadian Standards Association – Implementing ISO 31000
• Insurance Institutes of America (IIA) training on ERM – ARM 57
• www.theiia.org – online risk management training that includes ERM and ISO 31000 references
Dorothy Gjerdrum, ARM-P, Executive Director, PESD, Arthur J. Gallagher Risk Mgmt [email protected]
Thank You!