ISO 31000 (Nov. 2009)
What is it? What’s new? How to Implement?
Please interrupt, thank you.
John Shortreed
ORIMS Workshop, Wednesday, April 21, 2010
Arts & Letters Club, 14 Elm Street, Toronto, Ontario
ORMIS April 21, Toronto, ISO
Proposed AGENDA – OK?
• Risk is “effect of uncertainty on objectives”
• Discussion of Adopt 31000 - BHP Billiton and KISS
• Overview of 31000; introduction, scope, principles, framework, process
• How to “sell” ERM to senior management?
• The role of risk appetite, risk tolerance and the ubiquitous risk matrix/map/profile to deal with existing silos
• How will ERM help improve existing risk management?
• Next steps? How to measure success?
• Monitor, communications and consultation, and risk ownership.
• Role of CRO? (Ans- Minimal)
• What did we learn today?
Risk - “effect of uncertainty on objectives” (ISO 31000)
• NOTE 1 An effect is a deviation from the expected — positive and/or negative (wrt achieving objectives).
• NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
• NOTE 3 Risk is often characterized (i.e. named, e.g. credit risk) by reference to potential events (2.17) and consequences (2.18), or a combination of these.
• NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
There are two ways a risk can have an effect on objectives.
• 1. the effect of a risk when and if it should occur, or
• 2. the very existence of a risk whether it happens or not.
• (2.) is the acceptance, or not, of being in risky situations - a friend of mine says he cannot sleep at night if his money is invested in stocks, even knowing they provide better returns. So he invests in government bonds. It is the uncertainty that he cannot stand. Related to risk appetite.
• (1.) is the traditional risk and where risk management seeks to increase the good and decrease the bad consequences (as translated into objectives)
• The "uncertainty", or ambiguity, is the essence of risk, and can be part of:
• a. the risk identification (source, associated event(s) & consequence(s))
• b. the event effect or consequence as estimated by analysis methods
• c. the probability itself (in addition to uncertainty of identification (a), event (b), and effect (d)) [probability of a probability drives mathematicians mad]
• d. the objectives themselves and the link between consequences and objectives (either measurement or how objectives reflect values or how attitudes might bias selection and metrics of objectives)
Discussion from last week
(Aside) ISO Definitions are nested – rigorous substitution rule
(2.18) Consequence - outcome of an event (2.17) affecting objectives
and since Event - occurrence or change of a particular set of circumstances, then
(2.18) Consequence - outcome of an occurrence or change of a particular set of circumstances affecting objectives
(2.26) control - measure that is modifying risk (2.1)
(2.26) control - measure that is modifying effect of uncertainty on objectives
Try residual risk (2.27) – insert risk treatment, control (?) and risk
Discussion of “YES Adopt 31000” - BHP Billiton and KISS
• (survey question – which framework is right?)
• Answer - ISO 31000 should be adopted immediately, and existing COSO, PMI, and other frameworks and processes integrated with 31000 in the short term and in the longer term modified to better reflect, not so much 31000, as the “ERM risk framework” in the organization.
• The rationale is that ISO incorporates these other approaches [with gaps], is principle and performance based, and is simple enough and flexible enough to be used by any organization.
The COSO ERM Framework: only negative risk! (a common problem)
Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
• Compliance
BHP Billiton RISK MANAGEMENT POLICY
Risk is inherent in our business. The identification and management of risk is central to delivering on the Corporate Objective.
• By understanding and managing risk we provide greater certainty and confidence for our shareholders, employees, customers and suppliers, and for the communities in which we operate.
• Successful risk management can be a source of competitive advantage.
• Risks faced by the Group shall be managed on an enterprise-wide basis.
• Risk Management will be embedded into our critical business activities, functions and processes. Risk understanding and our tolerance for risk will be key considerations in our decision making.
• Risk issues will be identified, analysed and ranked in a consistent manner. Common systems and methodologies will be used.
(cont.)
• Risk controls will be designed and implemented to reasonably assure the achievement of our Corporate Objective. The effectiveness of these controls will be systematically reviewed and, where necessary, improved.
• Risk management performance will be monitored, reviewed and reported. Oversight of the effectiveness of our risk management processes will provide assurance to executive management, the Board and shareholders.
• The effective management of risk is vital to the continued growth and success of our Group.
• signed Chip Goodyear, Chief Executive Officer (see web site for all the BHP good stuff)
Done by 3 people (lead Grant Purdy) in 4 years for all 200,000 employees, with 80,000 risk owners identified. Over 12,000 risk assessments on file (open), and then Risk management department eliminated.
IT CAN BE DONE – Keep It Sweet and Simple. Senior Management leads the charge.
Framework diagram (Framework Implementation / Framework Continuous Improvement Cycle)
Commit and Mandate
• Policy Statement
• Standards
• Guidelines
• RM Plan and RM Process
• Assurance Plan
Communicate & Train
• Stakeholder analysis
• Training needs analysis
• Communication strategy
• Training strategy
• Roles and Reporting
Structure & Accountability
• Board RM Committee
• Executive RM Group
• RM Working Group
• Facilitator for Risk Management
• RM Champions
• Risk and Control Owners
Review & Improve
• Control assurance
• RM Plan progress
• RM Maturity Evaluation
• RM KPIs
• Benchmarking
• Governance reporting
Management Information System
- Risk Registers
- Treatment Plans
- Assurance Plan
- Reporting templates
Process for Managing Risk: Establish context; Risk assessment (Identify risks, Analyse risks, Evaluate risks); Treat risks; Communicate and consult; Monitor and review
ISO Overview: 3 main clauses plus terminology from ISO Guide 73
Principles for managing risk (Clause 3)
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization
Framework for managing risk (Clause 4)
4.2 Mandate and commitment
4.3 Design of framework for managing risk
4.4 Implementing risk management
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework
Process for managing risk (Clause 5)
How to “sell” ERM to senior management? Up to Organization, not you.
When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example:
• increase the likelihood of achieving objectives;
• encourage proactive management;
• be aware of the need to identify and treat risk throughout the organization;
• improve the identification of opportunities and threats;
• comply with relevant legal and regulatory requirements and international norms;
• improve mandatory and voluntary reporting;
• improve governance;
• improve stakeholder confidence and trust;
• establish a reliable basis for decision making and planning;
• improve controls;
• effectively allocate and use resources for risk treatment;
• improve operational effectiveness and efficiency;
• enhance health and safety performance, as well as environmental protection;
• improve loss prevention and incident management;
• minimize losses;
• improve organizational learning; and
• improve organizational resilience.
The role of risk appetite & risk attitude
“amount and type of risk that an organization is willing to pursue or retain”
“organization's approach to assess and eventually pursue, retain, take or turn away from risk”
• Vague term that is still evolving, can be bottom up (from typical decisions) or top down from basics of survival and comfort of board and senior management
• In conceptual terms:
• Identify all risks (events and consequences) [high level]
• Estimate plausible worst case and best case scenarios – may be expressed as a risk profile
• Examine the robustness of the organization wrt plausible cases
• Balance opportunities and threats against the organization’s capabilities/resources and select a risk appetite or risk attitude – how risk averse?
Risk Tolerance is the practical step between risk appetite and risk criteria (risk evaluation) (also deals with silos)
• for specific consequence categories (reputation, credit, compliance, country, etc.)
• for predetermined categories of likelihood
• find equivalent effects on objectives
• done by senior management (workshops)
• using risk matrix results as a check and perhaps involving voting, delphi, etc.
Likelihood Scale for Tolerance (Simple Rating Scale)
(Hydro 1 Harvard Business School case study 9-109-001)
• Remote: 5% probability that the event will occur in the next 36 months
• Unlikely: 25% probability that the event will occur in the next 36 months
• Even Odds: 50% probability that the event will occur in the next 36 months
• Very Likely: 75% probability that the event will occur in the next 36 months
• Virtually Certain: 95% probability that the event will occur in the next 36 months
Hydro 1 Risk Tolerances for 3 Silos (Fraser, 2009) (figure)
Standard sort of Risk Matrix
Be careful, extremely careful, with risk matrices: works well at the understanding/communications level, BUT
Risk levels plotted in structured Workshop with Experts, voting, Delphi…
Example of use of Risk Matrix to set priorities. What might be wrong with this?
(Figure: three risk matrices, one per KPI – Dx SAIDI, Dx SAIFI, Tx/Dx Reliability. Likelihood axis: VUL, UL, M, L, VL. Consequences axis: No Impact, Minor (<0.2), Mod (0.2–1), Major (1–5), Severe (5–10), Cata. (>10). Cells rated Low, Medium, High. Plotted items: 1. Refurbish, 2. Vegetation Mgmt, 3. IT Upgrade.)
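One concrete way to see why the caution about risk matrices matters, as an added example that is not from the presentation: it uses the likelihood anchors of the Hydro 1 scale and the consequence bands of the matrix slide, with an assumed product-of-ranks rule for Low/Medium/High, an assumed $M unit (the slide gives none) and constructed sample risks, and shows that a rare catastrophic risk lands in the same cell as a frequent trivial one and below a likely major one, while expected loss orders them the other way.

```python
"""Risk matrix rating vs. expected loss, using the likelihood anchors (Hydro 1
scale) and consequence bands (<0.2 ... >10, unit not given, $M assumed) from the
slides. Rating rule and sample risks are constructed for this example."""
from dataclasses import dataclass
from itertools import permutations

# (label, probability of occurrence within 36 months)
LIKELIHOOD = [("Remote", 0.05), ("Unlikely", 0.25), ("Even Odds", 0.50),
              ("Very Likely", 0.75), ("Virtually Certain", 0.95)]
# (band label, lower bound in assumed $M); the top band is open-ended
CONSEQUENCE_BANDS = [("Minor", 0.0), ("Moderate", 0.2), ("Major", 1.0),
                     ("Severe", 5.0), ("Catastrophic", 10.0)]
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # probability the event occurs within 36 months
    consequence: float   # estimated loss if it occurs (assumed $M)

def likelihood_rank(p):
    """Ordinal rank 1..5 and label of the nearest scale anchor (the slide gives
    points, not bands, so nearest-anchor is an assumed convention)."""
    idx = min(range(len(LIKELIHOOD)), key=lambda i: abs(LIKELIHOOD[i][1] - p))
    return idx + 1, LIKELIHOOD[idx][0]

def consequence_rank(value):
    """Ordinal rank 1..5 and label of the band containing the loss value."""
    rank = 1
    for i, (_, lower) in enumerate(CONSEQUENCE_BANDS):
        if value >= lower:
            rank = i + 1
    return rank, CONSEQUENCE_BANDS[rank - 1][0]

def matrix_level(risk):
    """Assumed matrix rule: product of ordinal ranks; >=12 High, >=5 Medium, else Low."""
    score = likelihood_rank(risk.probability)[0] * consequence_rank(risk.consequence)[0]
    return "High" if score >= 12 else "Medium" if score >= 5 else "Low"

def expected_loss(risk):
    """The quantity the ordinal matrix discards: probability x consequence."""
    return risk.probability * risk.consequence

def rank_reversals(risks):
    """Pairs (a, b) where the matrix rates a strictly above b although b has the
    larger expected loss: each one is a priority the matrix gets backwards."""
    return [(a.name, b.name) for a, b in permutations(risks, 2)
            if LEVEL_ORDER[matrix_level(a)] > LEVEL_ORDER[matrix_level(b)]
            and expected_loss(b) > expected_loss(a)]

# Constructed sample risks, not from the presentation
SAMPLE_RISKS = [Risk("A: frequent small loss", 0.95, 0.15),
                Risk("B: rare catastrophic loss", 0.05, 40.0),
                Risk("C: likely major loss", 0.75, 1.2)]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:27} matrix={matrix_level(r):6} E[loss]={expected_loss(r):.2f}")
    # A and B share a Medium cell with a 14x spread in expected loss; C is rated
    # High but B, rated Medium, carries more than twice C's expected loss.
    print("matrix ranks above, expected loss says below:", rank_reversals(SAMPLE_RISKS))
```

The same cell can hide an order-of-magnitude difference, which is why the slides treat the matrix as a communication aid checked against tolerances rather than as the evaluation itself.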
How will ERM help improve existing risk management?
Basic and overarching in 31000 – Integration
ISO 31000 “recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk (RMP) into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture.”
Overarching in 31000 – Integration (continued)
• 4.3.4 Integration into organizational processes
• Risk management (RM) should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient.
• The risk management process should become part of, and not separate from, those organizational processes.
• When you make any decision/choice then part, and only a part, of the decision process is the Risk Management Process (RMP)
Overarching in 31000 – Integration (continued)
• “2.7 risk owner - person or entity with the accountability and authority to manage a risk”
• Every risk (effect of uncertainty on objectives) is owned
• Risk owners are listed in the risk register
• Ownership has its privileges – get to monitor: risk, risk controls (may be responsibility of others), cost of controls, effectiveness of controls, value of RMP (risk management process); and continuously improve all
• Your annual evaluation includes how well you manage your owned risks (part of the standard!)
Ironically, 48.7% of respondents describe the sophistication of their risk oversight processes as immature to minimally mature. Forty-seven percent do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Almost 70% noted that management does not report the entity’s top risk exposures to the board of directors. These trends are relatively unchanged from those noted in the 2009 report. (NCU ERM center 2010 report)
“risk management framework – set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk
NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities
NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational policies and practices” (ISO 31000)
7 components to the ERM Framework
1. Mandate and commitment to the framework (step 1)
   a. Agreement in principle to proceed
   b. Gap analysis
   c. Context for framework
   d. Design of framework
   e. Implementation plan
2. Risk management policy
   a. Policies for the framework, its processes and procedures
   b. Policies for risk management decisions:
      i. Risk Appetite
      ii. Risk Criteria
      iii. Internal Risk Reporting
3. Integration into the Organization
4. Risk Management Process
5. Communications and Reporting
6. Accountability
   a. Risk ownership and risk register
   b. Managers’ performance evaluation
7. Monitoring, Review and Continuous improvement
   a. Responsibility for maintaining and improving framework
   b. Risk Maturity and continuous improvement of framework
The risk management process (used by every manager for every decision)
• Establish the context
• Identify risks
• Analyse risks
• Evaluate risks
• Treat risks
• Communicate and consult (throughout)
• Monitor and review (throughout)
Risk Assessment
• Identify the risks
• Analyze the risks (Note: when numerical estimates of likelihood, consequences not available then subjective risk matrix methods may be used)
• Evaluate the risks against Risk Criteria
• Result of Evaluation is to (or not to) Accept Risk - “informed decision to take a particular risk”
• Not Acceptable, go to Risk Treatment
Risk Treatment - “process to modify risk”
“NOTE 1 Risk treatment can involve:
— avoiding the risk
— increasing risk in order to pursue an opportunity;
— removing the risk source
— changing the likelihood
— changing the consequences
— sharing the risk with another party or parties [including risk financing]
— retaining the risk by informed decision
NOTE 3 Risk treatment can create new risks or modify existing risks.”
Risk Treatment is often a cycle of: Control options, Assessment of Residual Risk, Accept?, Treat risk?, Control options, Assessment…
“communication and consultation” - “continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk
• NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability, treatment aspects
• NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
• a process which impacts on a decision through influence rather than power; and
• an input to decision making, not joint decision making.”
Example risk register for a specific Strategic Objective – illustration only (Courtesy of the Food Company)
Objective xx “Ready-to-Heat”: Aggressively grow and build the ready-to-heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product.
Risk Profile: High
Priority: yes
Owner: Joe
Risks (uncertainties re Obj):
• Increase of aggressive competition from Rice Master and Fast Rice
• Aggressive year for growth target for the segment & brand
• Achieve new product growth targets
Control Activities (matched to risks by reference number):
• Accelerate innovation
• Conduct competitor analysis session
Action Plan:
• Jane to develop 2-3 innovation schemes within 2 months
• Joe to do market analysis
Annotations on the figure:
1. Identify initiatives and their associated descriptions with measurable objectives
2. Prioritize order of the key initiatives based on their contribution to achieving the overall financial and strategic objectives within the OP
3. Document the individual in charge of the given initiative
4. List of risks that could hinder the ability to meet the initiative’s objectives
5. List of planned activities that will modify the risks – match the treatment strategies to risk through the reference numbers
6. Management Team evaluates the probability of success in achieving this initiative’s overall objectives
7. Document the immediate next steps for effective initiative execution
Example of an integrated tool for RM Process (figure)
How to measure success? – Risk Maturity?
Standard and Poor’s ERM perspective (still too negative)
Companies that are considered "strong" demonstrate an enterprise-wide view of risks, but are still focused on loss control. These companies have control processes for major risks, thus giving them advantages due to lower expected losses in adverse times, as such companies can consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Strong ERM firms are unlikely to experience unexpected losses outside of tolerance levels. Risk and risk management are usually important considerations in such firms' corporate judgment.
Companies that are considered "excellent" possess all of the characteristics of those scored "strong" and will also demonstrate risk/reward optimization. Such companies have very well-developed capabilities to consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Risk and risk management are always important considerations in such firms' corporate judgment. It is highly unlikely that these firms will experience losses outside of their risk tolerance.
Risk Maturity Score – Fraser Valley Health (figure slides, one per dimension)
Organization Philosophy & Culture
Organization Philosophy & Culture cont’d
Leadership Commitment to Risk Management
Risk Management Capabilities
Risk Management Process
Monitoring & Review
Reporting & Control
Integration with Other Management Systems
Roles in ERM – One scheme
• CRO or Risk Management Department
• Roles for Management at all levels of organization
• Internal Audit roles
Are we done yet? Agenda Covered? Questions?
• Risk is “effect of uncertainty on objectives”
• Discussion of Adopt 31000 - BHP Billiton and KISS
• Overview of 31000; introduction, scope, principles, framework, process
• How to “sell” ERM to senior management?
• The role of risk appetite, risk tolerance and the ubiquitous risk matrix/map/profile to deal with existing silos
• How will ERM help improve existing risk management?
• Next steps? How to measure success?
• Monitor, communications and consultation, and risk ownership.
• Role of CRO? (Ans- Minimal)
• What did we learn today?
Anatomy of Risk (diagram)
Elements shown: Opportunities and Threats; Risks: +ve and -ve; Objectives; Strategic Risk Management Process; Decision to “Take a Risk” or not; Detailed Risk Management Process (RMP); Risk Control(s); Residual Risk; Risk Financing; Actual Risk ???