260 likes | 473 Views
ISO 31000 – Opportunities & Implications for Turkish Organisations & Projects. Joint IRM Regional Group Turkey & IPYD Meeting Istanbul, 1 October 2009. Nicola Crawford. Disclaimer.
E N D
ISO 31000 – Opportunities & Implications for Turkish Organisations & Projects Joint IRM Regional Group Turkey & IPYD Meeting Istanbul, 1 October 2009 Nicola Crawford
Disclaimer The information contained in this presentation is intended for public use to assist knowledge and discussion on ISO 31000. The information should not be relied upon for the purpose of a particular matter. Specialist and/or appropriate legal advice should be obtained before any action or decision is taken on the basis of any material in this document. The Business Resilience Group and Business Resilience Europe Ltd, the authors or contributors do not assume liability of any kind whatsoever resulting from any person's use or reliance upon the content of this presentation. This paper is made available on the basis that no part of the content may be reproduced or in any way made available to any party without prior consent being granted in writing by Nicola Crawford nicci@businessresilience.com 0534 3994092 Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
What today’s presentation is not… • Technically-focused : ‘soft’ issues rather than the mechanics of risk measurement and risk models….. • Definitive : no-one can offer a set of ‘Answers’ : all I will do today is illustrate some - but by no means all - of the ‘Questions’….. The intent of today’s workshop is to answer the question – “What is ISO 31000, what are its benefits and the implications for Turkish businesses and projects?
Overview • Introduction – why a new standard? • ISO 31000 • Scope • Users • Core Elements • Risk definitions • Benefits • ISO 31000 & Project Risk Management • Links to project risk management framework • How does project risk management link to ERM • Links to project risk management & how to align • ISO 31000 - Opportunities
Why a new standard? Kevin Knight 2008 Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000:2009 - Scope • Provides principles and generic guidelines on principles and implementation of risk management. • Can be applied to any kind of organisation, risk type and is not specific to any industry or sector. • Is NOT intended to be used for the purpose of certification. Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000:2009 - Users ISO 31000:2009 is intended to be used by a wide range of stakeholders including: • those responsible for implementing risk management within their organisation; • those who need to ensure that an organisation manages risk; • those who need to manage risk for the organisation as a whole or within a specific area or activity; • those needing to evaluate an organisation’s practices in managing risk; and • developers of standards, guides, procedures, and codes of practice that in whole or in part set out how risk is to be managed within the specific context of these documents Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000: A Business Principles Approach to Risk Management Kevin Knight 2008 Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000: Key Elements Kevin Knight 2008 Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000: Framework Development & Implementation Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000: RM Process Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000 & Risk Project Management Project Management Tactical & Ops Management Tactical & Ops Management Risk (the new definition) “effect of uncertainty on objectives” ISO 31000:2009, ISO/IEC Guide 73:2009 Strategic Management Strategic Management value protection + value creation Risk Control (the new definition) “measure to modify risk” ISO 31000:2009, ISO/IEC Guide 73:2009 Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000: Benefits • Strategic, operations, processes, projects, products, assets, governance, everything • • Proactively create value by treating uncertainty, while respecting regulations, laws, organization • • Expect better profits, moral, trust, controls, initiatives, reporting, and corporate culture • • Designed to integrate with existing management– Build on existing management systems, add commitment, alignment, IT, stakeholders, ownership of risk, etc. • • Communication and Consultation as appropriate – consider the values and perceptions of stakeholders • • Risk in every decision is set in context, assessed, treated, documented • • Enhance alignment ERM and Project Risk Management Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000 & Project Management • An essential aspect of project management is controlling the inherent risks of a project. • Risks arise from uncertainty surrounding project decisions and outcomes. • Most individuals associate the concept of risk with the potential for loss in value, control, functionality, quality, or timeliness of completion of a project. However, project outcomes may also result in failure to maximize gain in an opportunity and the uncertainties in decision making leading up to this outcome can also be said to involve an element of risk Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000 & Project Risk Management Framework Project Risk Management Framework Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
How does Project RM relate to ERM? Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
How does Project RM relate to ERM? Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
Business Objectives Project Change Deliverables Deliverables Deliverables Deliverables Benefits How does Project RM relate to ERM? Execution Gap = risks Stakeholders Program/ Portfolio Change Program / project objectives Strategy (Why) Methods (What & how) Project schedule etc Benefits Realization Risk Management Adapted from Hillison 2003
Benefits of alignment to business outcomes Full None High Cost of Mitigation Steps Ability to influence the outcomes Low Planning Definition Execution Start Up Closure Early risk management and mitigation builds better valued projects
ISO 31000 & Project Risk Management Process PMBOK vs. ISO 31000 risk process – differences lie in the framework & context Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
How to Align Organisational & Project Risk • Target the business’ ‘desired business outcomes’ — the measurable end states that the business wants/needs to achieve to generate and realize the benefits – focus on value creation and protection • Treat every project as a ‘change project’ from day-1. When you adopt the ‘desired business outcomes’ approach your project becomes an exercise in changing the organization to realize these outcomes and their associated benefits and value. • Treat the budget as a profit and loss statement — any cost increase or value decrease cuts into the ‘profit’ of the project • Differentiate but align risk appetites – risk evaluation criteria should be related to organisational and project drivers • Use risk break down structure that is aligned to expected benefits and project structure Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
ISO 31000: The Opportunities • Better communication - By providing clear, unambiguous and consistent terms and definitions, ISO 31000 can help to establish a common understanding of the relevant topics throughout the entire organization including projects • Provides a blueprint for organizations / projects aiming at designing and implementing an an effective and efficient risk management framework - ISO 31000 outlines the essential principles, components, processes and organizational structures required • Provides a benchmark to which organizations / projects can compare their existing approaches – ISO 3100 can assist in identification of gaps and weaknesses in current approach • Contributes to the confidence and trust of internal and external stakeholders in the risk management abilities of an organization / project - ISO 31000 allows the transparency of its organisation’s/ project’s approach to risk management Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009