
ISO 31000 and Integrated Risk Management

Apr 09, 2018

Transcript
Page 1: ISO 31000 and Integrated Risk Management

8/7/2019 ISO 31000 and Integrated Risk Management

http://slidepdf.com/reader/full/iso-31000-and-integrated-risk-management 1/36

ISO 31000 and Integrated Risk Management

RIMS Breakfast, Thursday October 16th, 8:30
Earl Grey Room, Minto Suites Hotel, 427 Laurier Street, Ottawa
John Lark, Stratos Inc.

Page 2: ISO 31000 and Integrated Risk Management

This Presentation

• A Global Standard
• Integrated Risk Management in Canada
• What is in ISO 31000?
• How ISO 31000 can help
• Bringing it to your clients
• Steps to implementing a sustainable and risk based adaptive management regime

Page 3: ISO 31000 and Integrated Risk Management

Assurance

“a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk.”

IIA Professional Practices Framework
After G. Purdy, 2008

Page 4: ISO 31000 and Integrated Risk Management

Drivers for a Global Standard

• Multinational companies operating in many countries around the globe
• A need to set priorities and address risks based on global importance
• Need a “common look and feel”
• Need to demonstrate that effective and reliable standards have been used.
• Many existing standards are “down in the weeds” and unsuited to broad application

Page 5: ISO 31000 and Integrated Risk Management

The Search for a Standard

• AS/NZS 4360 was originally written to guide the implementation of risk management in Australia and New Zealand, global leaders in the new “enterprise risk management” approach.
• Use of AS/NZS 4360 extended globally over a 13 year period.
• It became apparent that the demand for a global standard was high enough to interest ISO

Page 6: ISO 31000 and Integrated Risk Management

(Slide image; no recoverable text.)

Page 7: ISO 31000 and Integrated Risk Management

(Figure labels: Management Accountability Framework; Framework Performance Indicators)

Page 8: ISO 31000 and Integrated Risk Management

Performance Indicators for IRM

Risk Management

• Key risks identified and managed
• Risk lens in decision making
• Risk smart culture
• Capacity to communicate and manage risk in public context

Page 9: ISO 31000 and Integrated Risk Management

In June of 2007

The “Policy for the Management of Projects” was approved by the Treasury Board Secretariat

5.1 Objective
The objective of this policy is to ensure that the appropriate systems, processes and controls for managing projects are in place, at a departmental, horizontal or government-wide level, and support the achievement of project and program outcomes while limiting the risk to stakeholders and taxpayers.

5.2 Expected results
The expected results of this policy, associated standards and directive are that:
• Projects achieve value for money;
• Sound stewardship of project funds is demonstrated;
• Accountability for project outcomes is transparent; and
• Outcomes are achieved within time and cost constraints.

Page 10: ISO 31000 and Integrated Risk Management

What the Policy requires

• That each Department or Agency assess its capacity to manage risks using a specified assessment tool
• That (by April of 2011) the risk of every “project” is assessed using a standard risk assessment tool, and those projects whose risk level exceeds the departmental capacity must come before Treasury Board Secretariat for assessment

Project – Is an activity or series of activities that has a beginning and an end. A project is required to produce defined outputs and realize specific outcomes in support of a public policy objective, within a clear schedule and resource plan. A project is undertaken within specific time, cost and performance parameters.

Page 11: ISO 31000 and Integrated Risk Management

Principle On Which ISO 31000 is based

Risk: “the effect of uncertainty on objectives” (as defined in Guide 73)

ISO 31000 identifies risk as the uncertainty between an enterprise and its objectives. This approach implies a top-down approach, and risk is neither positive nor negative.

Page 12: ISO 31000 and Integrated Risk Management

ISO 31000 Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles for managing risk
5 Framework for managing risk
6 Process for managing risk

Page 13: ISO 31000 and Integrated Risk Management

Steps to Develop and Sustain a Risk Management Framework

5.2 Mandate and Commitment
5.3 Designing the Framework
5.4 Implementing Risk Management
5.5 Monitoring and Reviewing the Framework
5.6 Continual Improvement of the Framework
6. Risk Mgmt. Process

Page 14: ISO 31000 and Integrated Risk Management

Chapter 4 Principles for Managing Risk

To be most effective, an organization’s risk management should adhere to the following principles.

Risk Management:
a) creates value.
b) is an integral part of organizational processes.
c) is part of decision making.
d) explicitly addresses uncertainty.
e) is systematic, structured and timely.
f) is based on the best available information.
g) is tailored.
h) takes human and cultural factors into account.
i) is transparent and inclusive.
j) is dynamic, iterative and responsive to change.
k) facilitates continual improvement and enhancement of the organization.

Page 15: ISO 31000 and Integrated Risk Management

(Slide image; no recoverable text.)

Page 16: ISO 31000 and Integrated Risk Management

Chapter 6 Process for Managing Risk

6.1 General
6.2 Communication and consultation
6.3 Establishing the context
6.3.1 General
6.3.2 Establishing the external context
6.3.3 Establishing the internal context
6.3.4 Establishing the context of the risk management process
6.3.5 Developing risk criteria
6.4 Risk assessment
6.4.1 General
6.4.2 Risk identification
6.4.3 Risk analysis
6.4.4 Risk evaluation
6.5 Risk treatment
6.5.1 General
6.5.2 Selection of risk treatment options
6.5.3 Preparing and implementing risk treatment plans
6.6 Monitoring and review
6.7 Recording the risk management process

Page 17: ISO 31000 and Integrated Risk Management

How Can ISO 31000 Help?

Risk Practitioners are best placed to make these assessments based on their experience with clients.

A number of interested Canadian risk practitioners are working with the Canadian Standards Association (CSA) to build a bridge between ISO 31000 and the Canadian condition: a “guide” that will provide more detail and clarity, and may include examples.

CSA Q850 will be withdrawn

Page 18: ISO 31000 and Integrated Risk Management

Working With Clients

Adaptive Management

(Figure: the adaptive management cycle Assess → Design → Implement → Monitor/Evaluate → Adjust)

Page 19: ISO 31000 and Integrated Risk Management

Where Integrated Risk Management Fits In

(Figure: the cycle Assess → Design → Implement → Monitor → Evaluate → Adjust, annotated “IRM Occurs Here”)

Page 20: ISO 31000 and Integrated Risk Management

The Assessment Phase

It is at this stage where the overall goal or objective of the enterprise is assessed. Where:

Activities → Outputs → Outcomes

Often an evaluation framework or a “results based management accountability framework” (RMAF) is a good place to start. An RMAF shows how success is measured and who is accountable.

Page 21: ISO 31000 and Integrated Risk Management

Integrated Risk Management in the Assessment Phase

Integrated Risk Management of negative risks:
• Starts with “what can, and does, go wrong?”
• It looks to similar enterprises and experiences
• Seeks specifics for:
  Causes (risk drivers)
  Remedies (treatment)
  Consequences (if/when the risk expresses)

This can be done for an existing, or proposed, activity

Page 22: ISO 31000 and Integrated Risk Management

(Slide image; no recoverable text.)

Page 23: ISO 31000 and Integrated Risk Management

Activities → Outputs → Outcomes: To Meet Legal and Policy Obligations....

Program Components
• Liaison with federal departments and agencies (e.g. Interdepartmental Regional Working Group)
• Ongoing identification and tracking of requirements in each region (tracking territorial requirements)
• Internal communication of requirements, monitoring and compliance by site (e.g. audits, quarterly reporting)
• Consultations (Local communities and self-govt requirements, constitutional requirements, regulatory, …)
• Procurement (e.g. FTA, Aboriginal Content Requirements)
• Transfer resources & responsibilities
• Delivery of DTA obligations
• Applying for permits and licenses
• Compliance with applicable internal and external regulations and licenses
• Activities to support ISO compliance
• Ensuring compliance with applicable H&S regulations

Outputs
• Listing of policy and regulatory requirements
• Work Plans/procedures to reflect requirements
• Reports on conformance/status of violations/corrective actions

Outcomes
• Aware of applicable regulation and policy requirements
• In compliance with all relevant legislations, regulations, policies and procedures
• Reports on conformance/status of violations/corrective actions

Page 24: ISO 31000 and Integrated Risk Management

Sample Risk One: Logistics

There is a risk that logistics failures or limitations of winter roads, and air, land or water transportation firms will prevent a Northern program from achieving its objectives.

Risk Drivers
• length including warmer winters limiting the reliability and capacity of winter roads
• Sending goods by ship in the open water season is unreliable, especially to small coastal sites
• Lack of coordination between sites results in lost opportunities to share or divert transportation resources
• Limited number of fixed and rotary wing aircraft for charter
• High prices for charter because of competition from other development (e.g. diamond mines)
• Access to winter roads
• Limited capacity to store fuel at distribution facilities
• Inability to construct linear infrastructure
• Identification of site pathways for winter travel across open land has risks (crossing private land, thin ice)
• Quality of airstrips
• Storms
• Hazards of flying in fixed and rotary wing aircraft in icy conditions

Current Risk Mitigation
• Increased efforts for coordination between sites
• Scheduling to account for anticipated delays, especially for mobilization
• Communication
• Coordination with other users of winter roads
• Provide opportunity to transportation firms to go on site visits to determine the best way to address logistic constraints

Possible Consequences
• Project delays
• Planning delays
• Increased costs
• Missed milestones
• Injury or death to staff or contractors
• Lapsed funds
• Non-compliance with permits

Page 25: ISO 31000 and Integrated Risk Management

(Figure: four likelihood/impact matrices, each with axes “Increasing Likelihood” and “Increasing Impact”, one per decision level: CEO, Director, Manager, Chief. Panel titles: Large Appetite for Risk; Standard; Plan for All Extreme Risks; Risk Averse.)

Page 26: ISO 31000 and Integrated Risk Management

The Profile of One Risk

(Figure: Impact versus Likelihood grid; the risk, labelled “The Nature Of the Risk”, is plotted at impact “Very High” and likelihood “Likely”.)

Page 27: ISO 31000 and Integrated Risk Management

Risk Assessment by Strategic Objective

(Slide image; no further recoverable text.)

Page 28: ISO 31000 and Integrated Risk Management

The Next Step is Design

(Figure: the cycle Assess → Design → Implement → Monitor → Evaluate → Adjust, annotated “IRM Occurs Here”)

Page 29: ISO 31000 and Integrated Risk Management

Risk Treatment should be “Designed In”

(Figure: decision flowchart. Nodes: Risk Event; Acceptable? (Tolerance); YES → Assume; NO → Can You Act?; YES → Avoid / Treat / Share, with specific actions with owner and date; NO → Escalate for action; Monitor; Escalate for information.)

Page 30: ISO 31000 and Integrated Risk Management

Evaluate the effectiveness of treating risks

The Profile of One Risk

(Figure: Impact versus Likelihood grid showing the level of risk before treatment, at impact “Very High” and likelihood “Likely”, an arrow labelled “Treatment”, and the level of risk after treatment.)
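The three slides above (the appetite matrices by decision level on page 25, the treatment decision flow on page 29, and the before/after profile on page 30) describe one procedure: score a risk on likelihood and impact, compare it with the tolerance of whoever owns the decision, pick a treatment with an owner and a date, then re-score. The following Python is an added worked example, not code from the slides or from Stratos Inc.; the 5-point scales, the numeric tolerances per role and the sample register entry (modelled on page 24's logistics risk) are all assumptions made for illustration.

```python
"""Worked example (added here, not from the slides): score a risk on a
likelihood x impact grid, run the "designed in" treatment decision flow,
and compare the level of risk before and after treatment."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Likelihood(IntEnum):  # assumed 5-point ordinal scale
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):  # assumed 5-point ordinal scale
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    VERY_HIGH = 5


# Assumed tolerance (maximum acceptable likelihood x impact) per decision
# level. The slides only show appetite shrinking from CEO ("Large Appetite")
# to Chief ("Risk Averse"); these numbers are ours.
TOLERANCE = {"CEO": 16, "Director": 12, "Manager": 8, "Chief": 4}

VALID_TREATMENTS = ("avoid", "treat", "share")


@dataclass
class Risk:
    name: str
    likelihood: Likelihood
    impact: Impact
    treatment: Optional[str] = None          # one of VALID_TREATMENTS
    owner: Optional[str] = None
    due: Optional[str] = None                # date the action is due
    residual: Optional[Tuple[Likelihood, Impact]] = None  # after treatment

    def level(self, after_treatment: bool = False) -> int:
        """Level of risk = likelihood x impact, before or after treatment."""
        if after_treatment and self.residual is not None:
            lik, imp = self.residual
            return int(lik) * int(imp)
        return int(self.likelihood) * int(self.impact)


def decide(risk: Risk, level_name: str, can_act: bool) -> Tuple[str, str]:
    """Decision flow of the chart: Acceptable? -> assume and monitor;
    otherwise Can you act? -> avoid/treat/share with an owner and a date;
    otherwise escalate for action. Returns (decision, follow-up)."""
    if risk.level() <= TOLERANCE[level_name]:
        return "assume", "monitor; escalate for information"
    if not can_act:
        return "escalate", "escalate for action"
    if risk.treatment not in VALID_TREATMENTS:
        raise ValueError("treatment must be one of avoid, treat, share")
    if not (risk.owner and risk.due):
        raise ValueError("specific actions need an owner and a date")
    return risk.treatment, f"{risk.owner} by {risk.due}"


def treatment_effective(risk: Risk, level_name: str) -> dict:
    """Compare the level of risk before and after treatment against the
    tolerance of the given decision level."""
    before = risk.level()
    after = risk.level(after_treatment=True)
    return {"before": before, "after": after,
            "within_tolerance": after <= TOLERANCE[level_name]}


def acceptable_to(level: int) -> list:
    """Decision levels whose tolerance accepts a risk of this level."""
    return [role for role, tol in TOLERANCE.items() if level <= tol]


# Constructed register entry, modelled on the slides' "Sample Risk One:
# Logistics"; scores, owner and date are illustrative, not from the slides.
logistics = Risk(
    name="Logistics: winter roads and charter capacity",
    likelihood=Likelihood.LIKELY, impact=Impact.VERY_HIGH,
    treatment="treat", owner="Northern program manager", due="2009-10-01",
    residual=(Likelihood.POSSIBLE, Impact.MAJOR),
)

if __name__ == "__main__":
    print(decide(logistics, "CEO", can_act=True))        # ('treat', ...)
    print(treatment_effective(logistics, "Director"))    # before 20, after 12
    print(acceptable_to(logistics.level(after_treatment=True)))
```

The point the code makes that the slides leave implicit: the same risk (level 20 before treatment, 12 after) is "assumable" at one decision level and must be escalated at another, so a register entry needs the decision level recorded alongside the score, and a treatment whose residual still exceeds the owner's tolerance has not finished the flow.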

Page 31: ISO 31000 and Integrated Risk Management

Then Implement

(Figure: the cycle Assess → Design → Implement → Monitor → Evaluate → Adjust, annotated “IRM Occurs Here”)

Page 32: ISO 31000 and Integrated Risk Management

Then Monitor

(Figure: the cycle Assess → Design → Implement → Monitor → Evaluate → Adjust, annotated “IRM Occurs Here”)

Page 33: ISO 31000 and Integrated Risk Management

And, after one cycle, Evaluate

(Figure: the cycle Assess → Design → Implement → Monitor → Evaluate → Adjust, annotated “IRM Occurs Here”)

Page 34: ISO 31000 and Integrated Risk Management

Adjust after Evaluation

In response to the evaluation step: to account for risk treatment that has worked, and to identify treatment that has been incomplete or ineffective.

Adjust

Page 35: ISO 31000 and Integrated Risk Management

Enterprise Wide Evaluation of Treatment

(Figure: table showing the effect of risk treatment)

Page 36: ISO 31000 and Integrated Risk Management

(Slide image; no recoverable text.)