Launching ISO 31000 – The New Risk Management Standard STRIMA National Conference September 13, 2010
Agenda • Framing the issue: the need for a broader view of “risk” • Why do we need a standard on risk management? The evolution of ISO 31000 • Overview of ISO 31000 and 31010 • Implementation advice and resources
Risk map (slide graphic): risks are plotted along an External vs. Internal axis and grouped into Strategic, Financial, Hazard & 3rd Party, Operational and Compliance risks; a box labelled "Typical purview of RM" marks the subset that risk management has traditionally covered. Risks named on the map: Unemployment; Geopolitical risks; Mergers & acquisitions of key partners or vendors; Credit markets stability; Currency & foreign exchange rate fluctuations; Meeting public expectations; Unexpected loss of revenue; Bank failures; Reputation; Public support; Stock market performance; Ethics violations; Health care costs; Tax caps; Budget cuts; Long-term planning vs. budget limitations; Stakeholders' interests; Energy costs; Financial reporting; Capital availability; Strategy & initiatives; Unfunded mandates; Union relations; Interest rates; Retirement funding; Code of Conduct; Public-private partnerships; Counterparty risk; Bond rating; Revenue & grant $$ management; Governance; Investment limitations; Negative media coverage; Building subsidence or collapse; Terrorism; Aging infrastructure; HR & personnel risks; Public safety; Contractual liability; Accounting or internal controls failures; Procurement; Natural events & catastrophes; Workers' comp; Facilities maintenance; Piracy & counterfeiting; Health & safety violations; Code violations; Student activities; Lawsuits; Labor practices; Mandated public services; Gov't sanctions; Asbestos exposure; Pollution; Mold exposure; Theft or embezzlement; Building security; Quality control; IT system failure; Director & Officer liability; Workplace violence; Loss of key suppliers; Disease & epidemics; Business interruption; Animal or insect infestation; Utilities failure; Fraud; War.
The Baltimore Sun, July 16, 2008: An underground fire shut down power to 30 residential and commercial buildings in Baltimore and took nearly 10 hours to control. Baltimore's utility lines are part of the city's aging infrastructure, carrying electricity, cable, telephone, street light and fiber-optic service through 3.7 million feet of conduits. The cost to update the more than 100-year-old system is $900 million.
The Emerging Risk Environment – Factors Influencing Public Entities (Cities, Counties, Schools, States): Sources of Risk
• Economic: Investment failures; Unfunded mandates; Budgets subject to limited, decreasing revenue streams; Funding retiree health care and pensions
• Geopolitical: International terrorism; Funding disparities – state to state (e.g. stimulus $$); Supply chain issues; How will a global standard for RM apply to the US?
• Environmental: Climate change; Natural catastrophes; Pollution regulations (e.g. GASB 29); Global pollution; Aging infrastructure
• Societal: Pandemics & infectious diseases; Increase in need for social services; Public health demands; Push to improve education; Increased crime & violence
• Technological: Breakdown of critical info infrastructure; Public data protection; Pressure to keep up
Risk Management is Evolving – three stages, from Transactional through Integrated to Strategic
• Traditional Risk Management (Transactional) – "Risk is bad – focus is on transferring risk": Purchase insurance to cover risks; Hazard-based risk identification and controls; Compliance issues addressed separately; Safety & emergency mgmt handled separately; "Silo" approach – risk mgmt is not integrated across the organization; Risk Manager is the insurance buyer
• Advanced Risk Management (Integrated) – "Risk is an expense – focus is on reducing cost-of-risk": Greater use of alternative risk financing techniques; More proactive about preventing and reducing risks; Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques; Cost allocation used for education and accountability; More collaboration – as depts are willing; Risk Manager may be the risk owner
• Enterprise-wide Risk Management (Strategic) – "Risk is uncertainty – focus is on optimizing risk to achieve goals": A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational; Aligns RM process with strategy and mission; May include "upside risks" (opportunities); Helps manage growth, allocate capital & resources; Risks are owned by all & mitigated at the department level; Many risk mitigation & analytical tools available; Risk Manager is the risk facilitator and leader
The Development of RM in the US – professional bodies by discipline
• Audit: IIA, COSO
• Safety: ASSE, NASP, ASA
• Risk Mgmt: RIMS, PRIMA, STRIMA, URMIA, ASHRM
• Finance: PRMIA
• GRC
Global Corporate Governance Models (developed by Dorothy Gjerdrum, AJG & Mary Peter of Eide Bailly LLP)
• International (all countries): Basel I & II; ISO 31000
• France: Vienot Committee; Marini Report; Levy-Long Committee
• UK: Cadbury; Turnbull; Greenbury Report; BS 31100 RM
• All EU countries: Directives on governance
• Germany: Bill on the Control and Transparency of Organizations (KonTraG)
• Netherlands: Tabaksblat Code
• Italy: Draghi Commission
• US: Business Round Table; NYSE listing requirements; Blue Ribbon Commission; Sarbanes-Oxley Act; COSO ERM Framework
• Japan: Corporate Governance Forum of Japan; J-SOX
• Australia/New Zealand: HB 327 on risk communication; Stock exchange listing; New accounting standards; Best Practice Stmt Mgmt
• Canada: Toronto Stock Exchange Committee; Canadian Securities Committee; Allen Committee Report; CoCo; CAN/CSA-Q850 (draft)
• South Africa: Code of Best Practice; King Report I, II, III; Stakeholder Communication; Public Finance Mgmt Act
A Good Intro to ERM • Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. • Risk may be: a driver of strategic decisions; the cause of uncertainty in an organization; embedded in the activities of the organization. • An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. • Excerpt from the Executive Summary of "A Structured Approach to ERM and the Requirements of ISO 31000", published by airmic, alarm and the irm – all based in the U.K.
Evolution of the US TAG • ANSI sought support early in process – no qualified organization stepped up until 2008 • ASSE Council on Practices & Standards agreed to serve as secretary to US TAG • ASSE turned to its membership to recruit Technical Advisory Group (TAG) members
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
ISO 31000:2009 • Australia, New Zealand & Japan initiated its creation • 18+ countries participated • 6 meetings over several years • Adopted in November of 2009, now officially the first International Standard on Risk Management • Guide 73 & ISO 31010 quickly followed • Now also the American Standard on RM
ASSE Formed the US TAG – Chair: Dorothy Gjerdrum, Arthur J. Gallagher; Vice Chair: Wayne Salen, RIMS. Membership by interest category: • Consumer/Directly Affected Public (6) • General Interest (5) • Government Body/Organization (2) • Producer/Manufacturer (3) • User (4)
US ISO TAG Participants • AH & T Insurance • AIHA • AJ Gallagher • ASSE • Bayer Materials • Brazosport College • Eide Bailly, LLP • ESIS • McCulley Eastham • PMMI • Pilz Automation • Project Mgmt Trust • PRIMA • RIMS • Safety Mgmt Consultants • TC 176 TAG • Washington Group • Woods Hole • Wyeth
What’s Next for the US TAG? • Proposal from the UK to develop an international implementation guide – if that proposal is accepted by ISO, we’ll participate • US subcommittee working on a US Implementation Guide • ISO 31000 will be open for revision beginning in 2012 • The US ISO TAG is still open to new members – contact Tim Fisher at ASSE
ISO 31000 – Quick Overview • The basis of ISO 31000 • Overview of the process • Understanding Principles, Framework and Process • Select definitions • Key concepts
It's a Broad Approach to Risk • All organizations exist to achieve their objectives • Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve its objectives • The effect this uncertainty has on an organization's objectives is "risk"
Scope of ISO 31000 This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.
ISO 31000 – Highlights • Streamlined and easy to understand • Proactive approach vs compliance • Emphasizes top-down implementation • Links risks to strategy & the achievement of objectives • Addresses both upside and downside of risk • Provides a consistent approach that can be tailored to any type of operation in any location and integrated with other standards and guidelines
Overview of the Process from ISO 31000
• The principles provide the foundation and describe the qualities of effective risk management in an organization
• The framework manages the overall process and its full integration into the organization
• The process for managing risk focuses on individual risks or groups of risks: their identification, analysis, evaluation and treatment
• Monitoring & review, continual improvement and communication occur throughout
Diagram – the three parts of ISO 31000 side by side:
• Principles: Creates value; Part of org. processes; Part of decision making; Explicitly addresses uncertainty; Systematic, structured & timely; Based on best available info; Tailored; Considers human & cultural factors; Transparent & inclusive; Dynamic, iterative & responsive to change; Continual improvement
• Framework (a cycle): Mandate & commitment → Design framework for managing risk → Implement risk management → Monitor and review the framework → Continually improve the framework
• RM Process: Establish the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment; Communicate and consult, and Monitor and review, run alongside every step
Why ISO Outlines Principles The principles that govern the process: • Establish the values and philosophy of the process • Support a comprehensive and coordinated view of risk that applies to the entire organization • Link the framework and practice of risk management to the strategic goals of the entity • Align risk management to corporate activities
Risk Management Principles Risk Management: • Creates value • Is an integral part of all organizational processes • Is part of decision-making • Explicitly addresses uncertainty • Is systematic, structured and timely • Is based on the best available information
Risk Management Principles (cont’d) Risk Management: • Is tailored • Takes human and cultural factors into account • Is transparent and inclusive • Is dynamic, iterative and responsive to change • Facilitates continual improvement & enhancement of the organization
Why ISO Specifies the Framework • Maps out how the management of risk will be integrated across the organization • Assures that the corporate-wide process is supported, iterative and effective • Details how risk management will be an active component in governance, strategy and planning, management, reporting processes, policies, values and culture • Provides for reporting & accountability
The Framework Includes: • The organization & its context • Risk Management Policy • Accountability • Integration into organizational processes • Resources • Communication & reporting – internal • Communication & reporting - external
The Risk Management Process • Applies to a portfolio of risks and to individual risks • Begins with the context – always tailored to the organizational environment • Emphasizes continual: Communication & consultation; Monitoring & review. Process diagram: Establish the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment; Communicate and consult, and Monitor and review, run alongside every step.
Implementation Examples • Community college district wants to review the risk & opportunity of expanding its journalism department (grant money) and sending students into high-conflict, emerging news areas of the world • Individual interviews re risk uncover unsafe money transfer procedures • The “Aha!” moments of realizing crossover risks or cumulative risks
Select Definitions
• Risk = the effect of uncertainty on objectives. An effect is a deviation from the expected – positive or negative. Risks may be described as a combination of likelihood and consequences.
• Risk management = the coordinated activities to direct and control an organization with regard to risk
• Risk owner = the person with the accountability and authority to manage the risk
Risk Mgmt & Other Initiatives • RM supports strategic initiatives, mission and goals and links to them • RM can support management processes (e.g. balanced scorecard, performance management measures) • RM will help build success of key initiatives by identifying barriers and risks and ways to mitigate them
Key Concepts of ISO 31000 • Risk Management is about exploiting opportunities as well as preventing problems (upside & downside risks) • It is tied to business objectives and strategies – and supports them • It works within the organization’s culture and will become integral to decision making • It will ensure that Risk Management applies to all levels of the organization and to all activities
ISO 31010 – Risk Assessment Techniques • Risk assessment concepts • Process • Techniques. Process diagram: Establish the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment; Communicate and consult, and Monitor and review, run alongside every step.
Implementation Advice • Educate yourself, develop your “elevator speech”, build your network of peers • Create an inventory of risk management practices across all operations; can you build support for integration? • Seek opportunities for a broader approach to risk • Develop tools & resources – and develop your leadership skills • Be patient – it’s a journey, not a destination
Risk Management Standards • COSO ERM Framework (2004) • British Standards Institution (BSI): Risk Management – Code of Practice – BS 31100:2008 (under revision) • ISO 31000 – Risk Mgmt Principles and Guidelines • ISO 31010 – Risk Assessment Techniques • HB 327:2010 Communicating and Consulting About Risk – from Australia/New Zealand • Canadian Standards Association CAN/CSA-Q850 Implementation of ISO 31000 – publication pending • US Implementation Guide – publication pending
RM Standards – My Recommendations • Buy the standard – ISO 31000 – Risk Mgmt Principles and Guidelines: www.asse.org or www.ansi.org • Download the alarm/airmic/irm handbook (free) • Buy either the Canadian Standards Association CAN/CSA-Q850 Implementation of ISO 31000 (expected publication in fall of 2010) or the US Implementation Guide (publication in 2011)
ERM Training – My Recommendations • Canadian Standards Association – Implementing ISO 31000 • Insurance Institute of America (IIA) training on ERM – ARM 57 • www.theiia.org – online risk management training that includes ERM and ISO 31000 references
Thank You! Dorothy Gjerdrum, ARM-P Executive Director, PESD Arthur J. Gallagher Risk Mgmt Services Dorothy_Gjerdrum@ajg.com 651.642.2999