2/6/2013
1
Using the ISO 31000 Risk Management Guide in Your Risk Control Work
Jim Newberry - ISO 31000 TAG member
Risk Mgt./Ins. Practice Specialty Admin.
AVP & Risk Control Mgr. - Island Ins. Co.
Loss Control Virtual Symposium, February 6, 2013
Be Flexible
• You can use RM wholesale or à la carte
Risk Assessment Tools
• RA tools – what you need to know
• There are many tools – go discover
• Use the right one for the job
• Create a risk register and go from there
How to begin
• Begin by getting more familiar with the standards/guidelines
• Dive into the Risk Assessment tools and put as many at your disposal as possible
• Find out which ones are good for your needs
• Practice using them within your network
Conclusion
• Organizations are looking for better ways to make decisions
• By using RM and RA with your customers, they will get exposure to ways and means of improving the management of their risks
• Participate in our discussion group
• Send me your email for more resources
What questions do you have?
© 2012 ARTHUR J. GALLAGHER & CO.
How Risk Control Professionals Can Use ANSI/ASSE/ISO 31000
Dorothy M. Gjerdrum, ARM-P, CIRM
Arthur J. Gallagher & Co.
Learning Objectives
• Understand the components of the ISO series on Risk Management – 31000, Guide 73 and 31010
• Review how key components apply to risk control practices
• Consider ways to incorporate ISO 31000 tools, language and concepts into your work
Agenda
• Framing the issue
• The ISO 31000 series
  • The purpose of a standard
  • The evolution of risk management
• Overview of ISO 31000
  • The “architecture”
  • Key definitions
  • Desired outcomes
• A quick look at ISO 31010
• Implementation examples
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
Established in 1947, ISO is a network of the national standards institutes of 160+ countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
ISO 31000:2009
• Australia, New Zealand & Japan initiated its creation – based on AS/NZ 4360
• 30+ countries participated
• 6 meetings over several years
• Adopted in November of 2009, now officially the first International Standard on Risk Management
• Guide 73 & ISO 31010 quickly followed
• Now the official American Standard on RM
The ISO 31000 Series
ANSI/ASSE/ISO 31000 (also known as the Z690 series)
• ANSI/ASSE/ISO 31000 – Risk Management – Principles and Guidelines
• ANSI/ASSE/ISO 31010 – Risk Assessment Techniques
• Guide 73 – Vocabulary for Risk Management
Global Corporate Governance Models
All EU Countries: Directives on Governance
Netherlands: Code Tabaksblat
UK: Cadbury; Turnbull; Greenbury Report; BS 31100 RM
France: Viénot Committee; Marini Report; Lévy-Lang Committee
Italy: Draghi Commission
Australia/New Zealand: HB 317 on Risk Communication; Stock Exchange Listing; New Accounting Standards; Best Practice Stmt Mgmt
US: Business Round Table; NYSE Listing Requirements; Blue Ribbon Commission; Sarbanes-Oxley Act; COSO ERM Framework
Canada: Toronto Stock Exchange Committee; Canadian Securities Committee; Allen Committee Report; COCO; CAN/CSA-Q850
South Africa: Code of Best Practice; King Report I, II, III; Stakeholder Communication; Public Finance Mgmt Act
Japan: Corporate Governance Forum of Japan; J-SOX
Germany: Bill on the Control and Transparency of Organizations (KonTraG)
INTERNATIONAL (All countries): Basel I & II; ISO 31000 & 31010
Developed by Dorothy Gjerdrum, AJG & Mary Peter of Eide Bailly LLP
What this standard is – and isn’t
It is:
• Guidance (voluntary)
• A collaborative effort, the best thinking of many
• The result of an evolution in the practice of risk management
• Broadly applicable – any size, type or location
It isn’t:
• Regulation (mandatory)
• A certification standard
• A compliance tool
• Built on controls & metrics
• A prescribed doctrine
• An implementation guide
Risk Management is Evolving
Traditional Risk Management (Risk is bad – focus is on transferring risk)
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency mgmt handled separately
• “Silo” approach – risk mgmt is not integrated across the organization
• Risk Manager is the insurance buyer
Advanced Risk Management (Risk is an expense – focus is on reducing cost-of-risk)
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as depts are willing
• Risk Manager may be the risk owner
Enterprise-wide Risk Management (Risk is uncertainty – focus is on optimizing risk to achieve goals)
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader
[Slide diagram: the risk universe. Quadrant labels: Financial, Strategic, Operational, Hazard & 3rd Party. Other labels on the diagram: Internal Threats, External Threats, Governance, Compliance, and a region marked “Typical purview of RM”. Risks plotted across the diagram: Bank failures; Stock market performance; Unemployment; Interest rates; Budget cuts; Investment limitations; Tax caps; Bond rating; Retirement funding; Capital availability; Credit markets stability; Currency & foreign exchange rate fluctuations; Unexpected loss of revenue; Health care costs; Revenue & grant $$ management; Counterparty risk; Financial reporting; Mergers & Acquisitions of key partners or vendors; Ethics violations; Reputation; Negative media coverage; Stakeholders’ interests; Strategy & initiatives; Union relations; Long-term planning vs. budget limitations; Public-private partnerships; Health & safety violations; HR & personnel risks; Utilities failure; Workplace violence; Public support; Theft, embezzlement; Gov’t sanctions; Accounting or internal controls failures; Facilities maintenance; Aging infrastructure; IT system failure; Business interruption; Loss of key suppliers; Mandated public services; Code violations; Quality control; Workers’ comp; Building security; Public safety; Lawsuits; Piracy & Counterfeiting; War; Natural events & catastrophes; Terrorism; Fraud; Disease & epidemics; Mold exposure; Asbestos exposure; Student activities; Director & Officer liability; Geopolitical risks; Animal or insect infestation; Pollution; Contractual liability; Building subsidence or collapse; Labor practices; Procurement; Unfunded mandates; Energy costs; Code of Conduct; Meeting public expectations.]
The Baltimore Sun, July 16, 2008
An underground fire shut down power to 30 residential and commercial buildings in Baltimore and took nearly 10 hours to control. Baltimore’s utility lines are part of the city’s aging infrastructure – carrying electricity, cable, telephone, street light and fiber-optic service through 3.7 million feet of conduits. The cost to update the >100 year-old system is $900 million.
A Good Intro to ERM
Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk.
Risk may be:
• A driver of strategic decisions
• The cause of uncertainty in an organization
• Embedded in the activities of the organization
An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services.
Excerpt from the Executive Summary of “A Structured Approach to ERM and the Requirements of ISO 31000”, published by Airmic, Alarm and the IRM – all based in the U.K.
ISO 31000 – Quick Overview
• The basis of ISO 31000
• Overview of the “architecture”
• Understanding Principles, Framework and Process
• Select definitions
• Key concepts
It’s a Broad Approach to Risk
1. All organizations exist to achieve their objectives
2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve its objectives
3. The effect this uncertainty has on an organization’s objectives is “risk”
Scope of ISO 31000
This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.
ISO 31000 – Highlights
• Streamlined and easy to understand
• Proactive approach vs compliance
• Emphasizes top-down implementation
• Links risks to strategy & the achievement of objectives
• Addresses both threats and opportunities
• Provides a consistent approach that can be tailored to any type of operation in any location and integrated with other standards and guidelines
The “Architecture”
The principles provide the foundation and describe the qualities of effective risk management in an organization.
The framework manages the overall process and its full integration into the organization.
The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.
Monitoring & review, continual improvement and communication occur throughout.
Principles
• Creates value
• Part of org. processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best avail info
• Tailored
• Considers human & cultural factors
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Continual improvement
Framework
• Mandate & Commitment
• Design framework for managing risk
• Implement risk management
• Monitor and review the framework
• Continually improve the framework
RM Process
• Establish the context
• Risk assessment: Risk identification, Risk analysis, Risk evaluation
• Risk treatment
• Communicate and consult (throughout)
• Monitor and review (throughout)
Why ISO Outlines Principles
The principles that govern the process:
• Establish the values and philosophy of the process
• Support a comprehensive and coordinated view of risk that applies to the entire organization
• Link the framework and practice of risk management to the strategic goals of the entity
• Align risk management to corporate activities
Risk Management Principles
Risk Management:
• Creates value
• Is an integral part of all organizational processes
• Is part of decision-making
• Explicitly addresses uncertainty
• Is systematic, structured and timely
• Is based on the best available information
Risk Management Principles (cont’d)
Risk Management:
• Is tailored
• Takes human and cultural factors into account
• Is transparent and inclusive
• Is dynamic, iterative and responsive to change
• Facilitates continual improvement & enhancement of the organization
Why ISO Specifies the Framework
• Maps out how the management of risk will be integrated across the organization
• Assures that the corporate-wide process is supported, iterative and effective
• Details how risk management will be an active component in governance, strategy and planning, management, reporting processes, policies, values and culture
• Provides for reporting & accountability
The Framework Includes:
• The organization & its context
• Risk Management Policy
• Accountability
• Integration into organizational processes
• Resources
• Communication & reporting – internal
• Communication & reporting – external
Framework Example: Benefits of RM
• Increase likelihood of achieving objectives
• Encourage proactive management
• Be aware of the need to identify and treat risk throughout the organization
• Improve the identification of opportunities & threats
• Effectively allocate and use resources
• Comply with relevant legal and regulatory requirements and international norms
• Improve mandatory and voluntary reporting
• Improve operational effectiveness & efficiency
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making & planning
• Improve controls
• Improve governance
Source: ISO/ANSI/ASSE 31000:2009, Risk management – Principles and guidelines
The Risk Management Process
• Begins with the context – always tailored to the organizational environment
• Applies to portfolio of risks and individual risks
• Emphasizes continual:
  • Communication & consultation
  • Monitoring & review
[Process diagram: Establish the context → Risk assessment (Risk identification, Risk analysis, Risk evaluation) → Risk treatment, with Communicate and consult and Monitor and review running alongside every step]
What is “risk”?
• Risk is present in everything we do.
• The definition we use is from ISO 31000, the international standard on risk management.
Risk = the effect of uncertainty on your objectives.
• Risk can be a threat or an opportunity
Anything that could harm, prevent, delay or enhance your ability to achieve your objectives = risk
Select Definitions
Risk = the effect of uncertainty on objectives
Note 1 An effect may be positive, negative or a deviation from the expected
Note 2 An objective may be financial, related to health and safety or defined in other terms
Note 3 Risk is often described by an event, a change in circumstances, a consequence or a combination of these and how they may affect the achievement of objectives
Note 4 Risk can be expressed in terms of a combination of the consequences of an event or a change in circumstances and their likelihood
Note 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence or likelihood
Key Risks in Higher Ed
Risk 1 – The threat is that we are not prepared for a disruptive event. If people don't know (or aren't trained to follow) the protocol, if facilities are not "disaster ready," we will not be ready to respond or be able to return to normal quickly. If we manage this risk well, the opportunity is that we build resilience. (Likelihood 4, Consequence 3)
Risk 2 – With a large number of impending retirements in the coming years, the threat is that we are not prepared for continuity of operations – maintaining our culture and institutional knowledge. The opportunities of this risk include improving processes and programs through the influx of new ideas & employees. (Likelihood 5, Consequence 4)
Risk 3 – The threat of future financial instability and continued budget pressures. The opportunities include the opportunity to streamline operations & operate more efficiently. (Likelihood 2.5, Consequence 4)
Risk 4 – The threat is that we won't keep up with infrastructure needs and care for our aging facilities and infrastructure. The opportunity is that if we plan ahead, we will be able to justify needs, prioritize projects and implement improvements over time. (Likelihood 4, Consequence 4)
Select Definitions
Risk management = the coordinated activities to direct and control an organization with regard to risk
Risk owner = the person with the accountability and authority to manage the risk
Stakeholder = any person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity. They are both internal and external. Stakeholders are important to the process and key to activities like communication, consultation and reporting. Stakeholders’ interests and fears should be taken into account
A Vision for Enhanced Risk Management
Key Outcomes
• The organization has a current, correct and comprehensive understanding of its risks.
• The organization's risks are managed to an acceptable level of tolerance.
Attributes
• Continual improvement
• Full accountability for risks
• Application of risk management in all decision making
• Continual communications
• Full integration into the organization’s governance structure
Excerpt from Annex A: ISO/ANSI/ASSE 31000:2009
RM & Decision Making
Accept grant money?
• Traditional RM – review hold harmless, place insurance
• ERM – gather stakeholders, assess risks, make decision in alignment with district goals, then manage risks
Getting to “Yes”
• After full consideration of all risks, the community college supported the trip
• Six students & one faculty member participated.
• Threats were addressed through training, info on cultural context, travel abroad insurance
• Result: Awarded silver medal!
ISO 31010 – Risk Assessment Techniques
• Risk assessment concepts
• Process
• Techniques
[Process diagram: Establish the context → Risk assessment (Risk identification, Risk analysis, Risk evaluation) → Risk treatment, with Communicate and consult and Monitor and review running alongside every step]
What’s Next for ISO 31000?
• Publishing an Implementation Guide as a Technical Report – 2013/2014
• ISO 31000 will be open for revision beginning late 2013
• ISO 31010 will also be reconsidered
• Being broadly implemented across the globe: Japan, Europe, Ireland, Canada, Australia & New Zealand
February 6, 2013
Dorothy M. Gjerdrum, Executive Director, Public Sector