ISO 31000 AND INTEGRATED RISK MANAGEMENT
RIMS Breakfast, Thursday October 16th, 8:30
Earl Grey Room, Minto Suites Hotel, 427 Laurier Street, Ottawa
John Lark, Stratos Inc.
8/7/2019 ISO 31000 and Integrated Risk Management
http://slidepdf.com/reader/full/iso-31000-and-integrated-risk-management 1/36
This Presentation
• A Global Standard
• Integrated Risk Management in Canada
• What is in ISO 31000?
• How ISO 31000 can help
• Bringing it to your clients
• Steps to implementing a sustainable and risk-based adaptive management regime
Assurance
“a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk.”
IIA Professional Practices Framework
After G. Purdy, 2008
Drivers for a Global Standard
• Multinational companies operating in many countries around the globe
• A need to set priorities and address risks based on global importance
• Need a “common look and feel”
• Need to demonstrate that effective and reliable standards have been used
• Many existing standards are “down in the weeds” and unsuited to broad application
The Search for a Standard
• AS/NZS 4360 was originally written to guide the implementation of risk management in Australia and New Zealand, global leaders in the new “enterprise risk management” approach.
• Use of AS/NZS 4360 extended globally over a 13-year period.
• It became apparent that the demand for a global standard was high enough to interest ISO.
Management Accountability Framework
[Figure: Framework Performance Indicators]
Performance Indicators for IRM
Risk Management
• Key risks identified and managed
• Risk lens in decision making
• Risk-smart culture
• Capacity to communicate and manage risk in public context
In June of 2007
The “Policy for the Management of Projects” was approved by the Treasury Board Secretariat.
5.1 Objective
The objective of this policy is to ensure that the appropriate systems, processes and controls for managing projects are in place, at a departmental, horizontal or government-wide level, and support the achievement of project and program outcomes while limiting the risk to stakeholders and taxpayers.
5.2 Expected results
The expected results of this policy, associated standards and directive are that:
• Projects achieve value for money;
• Sound stewardship of project funds is demonstrated;
• Accountability for project outcomes is transparent; and
• Outcomes are achieved within time and cost constraints.
What the Policy requires
• That each Department or Agency assess its capacity to manage risks using a specified assessment tool
• That (by April of 2011) the risk of every “project” is assessed using a standard risk assessment tool, and those projects whose risk level exceeds the departmental capacity must come before Treasury Board Secretariat for assessment
Project: an activity or series of activities that has a beginning and an end. A project is required to produce defined outputs and realize specific outcomes in support of a public policy objective, within a clear schedule and resource plan. A project is undertaken within specific time, cost and performance parameters.
Principle On Which ISO 31000 is Based
Risk: “the effect of uncertainty on objectives” (as defined in Guide 73)
ISO 31000 identifies risk as the uncertainty between an enterprise and its objectives. This definition implies a top-down approach, and risk is neither positive nor negative.
ISO 31000 Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles for managing risk
5 Framework for managing risk
6 Process for managing risk
Steps to Develop and Sustain a Risk Management Framework
5.2 Mandate and Commitment
5.3 Designing the Framework
5.4 Implementing Risk Management
5.5 Monitoring and Reviewing the Framework
5.6 Continual Improvement of the Framework
6 Risk Management Process
Chapter 4 Principles for Managing Risk
To be most effective, an organization’s risk management should adhere to the following principles. Risk Management:
a) creates value.
b) is an integral part of organizational processes.
c) is part of decision making.
d) explicitly addresses uncertainty.
e) is systematic, structured and timely.
f) is based on the best available information.
g) is tailored.
h) takes human and cultural factors into account.
i) is transparent and inclusive.
j) is dynamic, iterative and responsive to change.
k) facilitates continual improvement and enhancement of the organization.
Chapter 6 Process for Managing Risk
6.1 General
6.2 Communication and consultation
6.3 Establishing the context
6.3.1 General
6.3.2 Establishing the external context
6.3.3 Establishing the internal context
6.3.4 Establishing the context of the risk management process
6.3.5 Developing risk criteria
6.4 Risk assessment
6.4.1 General
6.4.2 Risk identification
6.4.3 Risk analysis
6.4.4 Risk evaluation
6.5 Risk treatment
6.5.1 General
6.5.2 Selection of risk treatment options
6.5.3 Preparing and implementing risk treatment plans
6.6 Monitoring and review
6.7 Recording the risk management process
How Can ISO 31000 Help?
Risk Practitioners are best placed to make these assessments based on their experience with clients.
A number of interested Canadian risk practitioners are working with the Canadian Standards Association (CSA) to build a bridge between ISO 31000 and the Canadian condition: a “guide” that will provide more detail and clarity, and may include examples.
CSA Q850 will be withdrawn.
Working With Clients
Adaptive Management
[Cycle figure: Assess → Design → Implement → Monitor → Evaluate → Adjust]
Where Integrated Risk Management Fits In
[Cycle figure: Assess → Design → Implement → Monitor → Evaluate → Adjust, annotated “IRM Occurs Here”]
The Assessment Phase
It is at this stage where the overall goal or objective of the enterprise is assessed, where:
Activities → Outputs → Outcomes
Often an evaluation framework or a “results-based management accountability framework” (RMAF) is a good place to start.
An RMAF shows how success is measured and who is accountable.
Integrated Risk Management in the Assessment Phase
Integrated Risk Management of negative risks:
• Starts with “what can, and does, go wrong?”
• Looks to similar enterprises and experiences
• Seeks specifics for:
  Causes (risk drivers)
  Remedies (treatment)
  Consequences (if/when the risk expresses)
This can be done for an existing, or proposed, activity.
To Meet Legal and Policy Obligations....
Activities → Outputs → Outcomes

Program Components (Activities)
• Liaison with federal departments and agencies (e.g. Interdepartmental Regional Working Group)
• Ongoing identification and tracking of requirements in each region (tracking territorial requirements)
• Internal communication of requirements, monitoring and compliance by site (e.g. audits, quarterly reporting)
• Consultations (local communities and self-government requirements, constitutional requirements, regulatory, …)
• Procurement (e.g. FTA, Aboriginal Content Requirements)
• Transfer resources & responsibilities
• Delivery of DTA obligations
• Applying for permits and licenses
• Compliance with applicable internal and external regulations and licenses
• Activities to support ISO compliance
• Ensuring compliance with applicable H&S regulations

Outputs
• Listing of policy and regulatory requirements
• Work plans/procedures to reflect requirements
• Reports on conformance/status of violations/corrective actions

Outcomes
• Aware of applicable regulation and policy requirements
• In compliance with all relevant legislation, regulations, policies and procedures
Sample Risk One: Logistics
There is a risk that logistics failures or limitations of winter roads, and air, land or water transportation firms will prevent a Northern program from achieving its objectives.

Risk Drivers
• length including warmer winters limiting the reliability and capacity of winter roads
• Sending goods by ship in the open-water season is unreliable, especially to small coastal sites
• Lack of coordination between sites results in lost opportunities to share or divert transportation resources
• Limited number of fixed- and rotary-wing aircraft for charter
• High prices for charter because of competition from other development (e.g. diamond mines)
• Access to winter roads
• Limited capacity to store fuel at distribution facilities
• Inability to construct linear infrastructure
• Identification of site pathways for winter travel across open land has risks (crossing private land, thin ice)
• Quality of airstrips
• Storms
• Hazards of flying in fixed- and rotary-wing aircraft in icy conditions

Current Risk Mitigation
• Increased efforts for coordination between sites
• Scheduling to account for anticipated delays, especially for mobilization
• Communication
• Coordination with other users of winter roads
• Provide opportunity to transportation firms to go on site visits to determine the best way to address logistic constraints

Possible Consequences
• Project delays
• Planning delays
• Increased costs
• Missed milestones
• Injury or death to staff or contractors
• Lapsed funds
• Non-compliance with permits
[Figure: four likelihood/impact matrices, one per risk-appetite profile: Large Appetite for Risk, Standard, Plan for All Extreme Risks, Risk Averse. Each matrix has the axes “Increasing Likelihood” and “Increasing Impact”; the matrix regions are labelled CEO, Director, Manager, Chief.]
The Profile of One Risk
[Figure: a single risk plotted on a chart with Impact on the vertical axis and Likelihood on the horizontal axis; the point labelled “The Nature Of the Risk” sits at Impact “Very High” and Likelihood “Likely”.]
Risk Assessment by Strategic Objective
The Next Step is Design
[Cycle figure: Assess → Design → Implement → Monitor → Evaluate → Adjust, annotated “IRM Occurs Here”]
Risk Treatment should be “Designed In”
[Figure: decision flow for a Risk Event]
Risk Event → Acceptable? (judged against Tolerance)
  YES → Assume → Monitor
  NO → Can You Act?
    YES → Avoid / Treat / Share → Specific actions with owner and date
    NO → Escalate for action / Escalate for information
Evaluate the effectiveness of treating risks
The Profile of One Risk
[Figure: the same Impact/Likelihood chart. “The level of risk before treatment” is plotted at Impact “Very High”, Likelihood “Likely”; an arrow labelled “Treatment” moves the point to “The level of risk after treatment”, at a lower level.]
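The “designed in” decision flow and the before/after evaluation above are easy to get wrong in a spreadsheet register, so here is an added example (not code from the deck or from Stratos Inc.) that encodes them. It scores a risk as likelihood × impact on two five-point ordinal scales, applies a tolerance taken from one of the four appetite profiles, walks the decision flow (assume and monitor, act, or escalate), checks that an “act” decision actually has an owner and a date, and compares the level before and after treatment. The scale points, the numeric tolerance per appetite profile, the split between escalating for action and for information, and the logistics sample values are all assumptions; the deck only names the labels.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Five-point ordinal scales for the two axes of the deck's risk profile chart.
# The scale points are constructed here; the deck shows only the labels
# "Likely" and "Very High" on its axes.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "high": 4, "very high": 5}

# Tolerance thresholds (likelihood x impact) for the four appetite profiles named
# on the deck's risk-appetite slide. The numeric values are assumptions.
APPETITE = {"large appetite for risk": 12, "standard": 8,
            "plan for all extreme risks": 6, "risk averse": 4}


class Decision(Enum):
    ASSUME_AND_MONITOR = "assume and monitor"
    ACT = "avoid / treat / share (specific actions with owner and date)"
    ESCALATE_FOR_ACTION = "escalate for action"
    ESCALATE_FOR_INFORMATION = "escalate for information"


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    can_act: bool                      # does the owner have the means to avoid, treat or share?
    treatment: Optional[str] = None    # the planned specific action
    owner: Optional[str] = None
    due: Optional[str] = None          # date the action is due (ISO 8601 string)

    def level(self) -> int:
        """Level of risk as the product of the two ordinal scores."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def decide(risk: Risk, tolerance: int, escalation_level: int) -> Decision:
    """Walk the 'designed in' decision flow for one risk event.

    tolerance: highest level the owner may simply assume and monitor.
    escalation_level: above this, a risk the owner cannot act on is escalated
    for action rather than only for information (this split is an assumption).
    """
    level = risk.level()
    if level <= tolerance:
        return Decision.ASSUME_AND_MONITOR      # acceptable: assume it, keep monitoring
    if risk.can_act:
        return Decision.ACT                     # avoid, treat or share it locally
    if level > escalation_level:
        return Decision.ESCALATE_FOR_ACTION
    return Decision.ESCALATE_FOR_INFORMATION


def action_is_complete(risk: Risk) -> bool:
    """An 'act' decision is only complete once the action has an owner and a date."""
    return all([risk.treatment, risk.owner, risk.due])


def evaluate_treatment(before: Risk, after: Risk, tolerance: int) -> dict:
    """Compare the level of risk before and after treatment (the evaluate step)."""
    reduction = before.level() - after.level()
    return {
        "before": before.level(),
        "after": after.level(),
        "reduction": reduction,
        "effective": reduction > 0,                      # treatment moved the profile
        "within_tolerance": after.level() <= tolerance,  # treatment was sufficient
    }


# Constructed register entry modelled on the deck's "Sample Risk One: Logistics";
# the owner and due date are placeholders.
LOGISTICS_BEFORE = Risk("Logistics", "likely", "very high", can_act=True)
LOGISTICS_AFTER = Risk("Logistics", "possible", "high", can_act=True,
                       treatment="coordinate winter-road use between sites",
                       owner="regional logistics lead", due="2025-01-31")

if __name__ == "__main__":
    tol = APPETITE["standard"]
    print(LOGISTICS_BEFORE.name, LOGISTICS_BEFORE.level(), decide(LOGISTICS_BEFORE, tol, 15).value)
    print(evaluate_treatment(LOGISTICS_BEFORE, LOGISTICS_AFTER, tol))
```

Run as a script it prints the logistics risk at level 20 with an “act” decision under the standard appetite, and an evaluation showing the treatment was effective (20 to 12) but still above tolerance, which is exactly the case the Adjust step is meant to catch: treatment that worked but is incomplete.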
Then Implement
[Cycle figure: Assess → Design → Implement → Monitor → Evaluate → Adjust, annotated “IRM Occurs Here”]
Then Monitor
[Cycle figure: Assess → Design → Implement → Monitor → Evaluate → Adjust, annotated “IRM Occurs Here”]
And, after one cycle, Evaluate
[Cycle figure: Assess → Design → Implement → Monitor → Evaluate → Adjust, annotated “IRM Occurs Here”]
Adjust after Evaluation
In response to the evaluation step, to account for risk treatment that has worked, and to identify treatment that has been incomplete or ineffective.
[Cycle figure: Adjust]
Enterprise-Wide Evaluation of Treatment
[Table showing the effect of risk treatment]