
ISO 31000:2009;

ISO/IEC 31010
& ISO Guide 73:2009
International Standards for the
Management of Risk
Kevin W Knight AM;
CPRM; Hon FRMIA; FIRM (UK); LMRMIA.

CHAIRMAN
ISO PROJECT COMMITTEE 262 - RISK MANAGEMENT

MEMBER
STANDARDS AUSTRALIA / STANDARDS NEW ZEALAND
JOINT TECHNICAL COMMITTEE OB/7 - RISK MANAGEMENT

PO BOX 226, NUNDAH Qld 4012, Australia
E-mail: kknight@bigpond.net.au
03/12

Managing Risk
• We all manage risk consciously or unconsciously
- but rarely systematically
• Managing risk means forward thinking
• Managing risk means responsible thinking
• Managing risk means balanced thinking
• Managing risk is all about maximising opportunity
and minimising threats
• The risk management process provides a framework to
facilitate more effective decision making

The Pivotal Definition
risk
effect of uncertainty on objectives

NOTE 1 An effect is a deviation from the expected — positive and/or
negative.
NOTE 2 Objectives can have different aspects (such as financial, health and
safety, and environmental goals) and can apply at different levels (such as
strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events and
consequences, or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the
consequences of an event (including changes in circumstances) and the
associated likelihood of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information
related to, understanding or knowledge of, an event, its consequence, or
likelihood.

[ISO Guide 73:2009]

risk owner
person or entity with the accountability and authority to manage a risk

control
measure that is modifying risk

NOTE 1 Controls include any process, policy, device, practice, or other actions which modify risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.

[ISO Guide 73:2009]

Yet to be defined

Accountable: Liability for the outcomes of actions or decisions OR obligation to answer for an action OR being obligated to answer for a decision.
NOTE: Includes failure to act or make decisions.

Responsible: Obligation to carry out duties or instructions OR having the obligation to act OR obligation to carry out decisions, or control over others as directed.

Corporate Governance
The way in which an organisation is governed and controlled in order to achieve its objectives. The control environment makes an organisation reliable in achieving these objectives within a tolerable degree of risk. It is the glue which holds the organisation together in pursuit of its objectives while risk management provides the resilience.

Queensland Audit Office – Report No. 7 1998-99: http://www.qao.qld.gov.au/publications/document/AGReports/9899/report7.html

AS/NZS ISO 31000:2009 Figure 1 – Relationship between the principles, framework and process

Principles (Clause 3): a) Creates value; b) Integral part of organizational processes; c) Part of decision making; d) Explicitly addresses uncertainty; e) Systematic, structured and timely; f) Based on the best available information; g) Tailored; h) Takes human and cultural factors into account; i) Transparent and inclusive; j) Dynamic, iterative and responsive to change; k) Facilitates continual improvement and enhancement of the organization

Framework (Clause 4): Mandate and Commitment (4.2); Design of framework (4.3); Implementing risk Management (4.4); Monitoring and review (4.5); Continual improvement of the Framework (4.6)

Process (Clause 5): Communication and consultation (5.2); Establishing the context (5.3); Risk assessment (5.4) – Risk identification (5.4.2), Risk analysis (5.4.3), Risk evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6)

Business Principles Approach
AS/NZS ISO 31000:2009 Principles (Clause 3)
Risk management should….
1. Create value
2. Be an integral part of organisational processes
3. Be part of decision making
4. Explicitly address uncertainty
5. Be systematic and structured
6. Be based on the best available information
7. Be tailored
8. Take into account human factors
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Be capable of continual improvement and enhancement

Risk management should create value
• RM contributes to the achievement of objectives, protects people, systems and processes.
• Protects value – minimise downside risk.

Risk management should be an integral part of organizational processes
• RM is not a stand-alone activity from the management system of the organisation.
• RM is part of the process - not an 'additional' compliance task.

Risk management should be part of decision making
• Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
• Helps allocate scarce resources.

Risk management explicitly addresses uncertainty
• Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
• RM addresses uncertainty, no matter the level of uncertainty.

Risk management should be systematic and structured
• A systematic, timely and structured approach to the management of risk contributes to efficiency and to consistent, comparable and reliable results.
• The more aligned – the more effective and efficient.

Risk management should be based on the best available information
• The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement.
• Information costs money. Perfect information is not always possible.
• Start with resources/expertise you have or gain easily.
• Increase information as the level of risk increases.

Risk management should be tailored
• Risk management is aligned with the organization's external and internal context and risk profile.
• Different risk appetites & different measurements.
• Context remains one of the most difficult areas.

Risk management should take into account human factors
• The management of risk recognizes the capabilities, perceptions and intentions of people that make every organisation different.

Risk management should be transparent and inclusive
• Appropriate and timely involvement of stakeholders at all levels of the organization ensures that the management of risk remains relevant and up-to-date.
• The management of risk must be clearly set out in job profiles/employment contracts and annual appraisals.

Risk management should be dynamic, iterative and responsive to change
• External and internal events happen, context and knowledge change, monitoring and review take place, new risks emerge, some change, and others disappear.
• Must keep RM relevant and accurate so as to support decisions and strategies.
• Regular reviews of risk register and framework.
• Internal audit programme informed by corporate risk register.

Risk management should be capable of continual improvement and enhancement
• Organizations should develop and implement strategies to improve the maturity of their management of risk alongside all other aspects of their management system.
• RM maturity and improvement strategies should be included in the RM Plan.

AS/NZS ISO 31000:2009 Risk management framework (Clause 4)
• The framework in Clause 4 of AS/NZS ISO 31000:2009 is not intended to describe a management system, but rather, it is to assist the organization to integrate risk management within its overall management system.
• Therefore, organizations should adapt the components of the framework to their specific needs.

PDCA – the starting point of any management system
Used in ISO Management System Standards

Plan: Define & Analyse a Problem and Identify the Root Cause; Devise a Solution; Develop Detailed Action Plan
Do: Implement It Systematically
Check: Confirm Outcomes
Act: Standardise Solution; Review and Define Next Issues

Risk management elements mapped onto the cycle: Commitment and Mandate; Policy Statement; Risk Management Plan; Communications and reporting plan; Assurance plan; Training strategy; Standards; Procedures/Guidelines; Common Approach; Communicate and Train; Identify the RM Network; Organise and Allocate; Measure and review; Board RM Committee; Exec RM Committee; Control assurance; RM progress against Plan; Identify Deviations and Issues; Benchmarking; Performance criteria; Governance reporting; RM Champions; Risk owners; Manager, Risk, Control, Assurance providers

AS/NZS ISO 31000:2009 Figure 2 — Relationship between the components of the framework for managing risk

4.2 Mandate and commitment
4.3 Design of framework for managing risk
 4.3.1 Understanding the organization and its context
 4.3.2 Establishing risk management policy
 4.3.3 Accountability
 4.3.4 Integration into organizational processes
 4.3.5 Resources
 4.3.6 Establishing internal communication and reporting mechanisms
 4.3.7 Establishing external communication and reporting mechanisms
4.4 Implementing risk management
 4.4.1 Implementing the framework for managing risk
 4.4.2 Implementing the risk management process
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework

Understanding the organisation and its context
• External Context – Consider:
 • Trends
 • Key drivers
 • Perceptions/values of key stakeholders
 • PESTLE: (Political, Economic, Social, Technological, Legal, Environmental factors)

Understanding the organisation and its context
• Internal Context
 – Governance Structures
 – Objectives, strategies and policies
 – Knowledge, skills and resources
 – Organisational culture
 – Contractual relationships

Risk Management Policy
• Must be simple, achievable, understandable and auditable with the clear mandate and commitment of top management
• aligned to the organisation's culture with the risk makers and the risk takers, the risk owners.
• Document components
 – Rationale and policy links
 – Accountability and responsibility
 – Management of conflicts of interest
 – Measurement of RM performance
 – Reporting processes
 – Policy review process/cycle

Accountability
• All accountable risk owners are clearly identified and provided with authority & resources to manage risk
• Board accountability for framework implementation
• Accountability of risk owners at all levels of the organisation clearly identified
• Performance measurement processes in place
• Reporting and escalation processes clearly established

Integration into organisational processes
• The management of risk should be part of routine organisational processes
 – Policy development
 – Business/strategic planning
 – Change management
 – Decision-making processes
• Risk Management Plan
 – Organisation-wide
 – Linked to or integrated into other plans: strategic plans, implementation plans, operational plans etc

Resources
• Expenditure on the management of risk is an investment
 – Good RM will make an organisation more effective, but it requires dedicated resources
• Resources include:
 – People: skills, experience and competence
 – Time and funds: to execute the process
 – Defined processes, methods and tools
 – Information systems
 – Awareness, education and training programs

Establishing internal & external communication and reporting mechanisms
• Internal
 – Ongoing awareness, education and training
 – Framework performance reporting and outcome reviews
 – Information management
 – Stakeholder engagement
• External
 – Stakeholder engagement
 – Regulatory reporting requirements
 – Use reporting to build confidence
 – Business continuity (management of disruption related risk) communication

Implementing risk management
• Implementing the framework
 – Ensure
  • Appropriate timing
  • Alignment with organisational strategy and processes
  • Compliance with regulation
 – Apply to organisational processes
 – Train and educate staff
 – Communicate and consult
• Implementing the risk management process
 – Define the process for the organisation
 – Implement at all levels (appropriate processes)
 – Establish a monitoring process

AS/NZS ISO 31000:2009 Risk management process (Clause 5)
• should be an integral part of management, be embedded in culture and practices and tailored to the business processes of the organization.
• includes five activities: communication and consultation, establishing the context, risk assessment, risk treatment, and monitoring and review.

AS/NZS ISO 31000:2009 Process Overview
Establishing the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment, with Communication & Consultation and Monitoring & Review running alongside every step.

AS/NZS ISO 31000:2009 Risk management process in detail
5.2 Communication & consultation (alongside all steps)
5.3 Establishing the context: 5.3.2 External Context; 5.3.3 Internal Context; 5.3.4 Risk Management Process Context; 5.3.5 Developing Risk Criteria
5.4 Risk assessment
 5.4.2 Risk identification: What can happen, when, where, how & why
 5.4.3 Risk analysis: Determine existing controls; Determine Likelihood; Determine Consequences; Estimate Level of Risk
 5.4.4 Risk evaluation: Compare against criteria; Establish priorities; Identify & assess options; Decide on response
5.5 Risk treatment: 5.5.2 Selection of risk treatment options; 5.5.3 Preparing and implementing risk treatment plans
5.6 Monitoring & review (alongside all steps)

AS/NZS ISO 31000:2009 Risk management process in detail (process diagram: Communication & consultation, 5.2)

Communicate & Consult
Communicating risk successfully is neither a public relations nor a crisis communications exercise. Its aim is not to avoid all conflict or to diffuse all concerns. Risk communication seeks to improve performance based on informed, mutual decisions with respect to … risk.

Jean Mulligan, Elaine McCoy and Angela Griffiths, Principles of Communicating Risks, The Macleod Institute for Environmental Analysis, University of Calgary, Calgary, Alberta 1998

Communication & Consultation in the risk management process

Step 1: Establish the Context
• external context
• internal context
• risk management context
• risk criteria (i.e. threshold levels)
• define the structure

Step 2: Identify Risks
• what can happen, when, where and how
• identify key processes, tasks, activities
• recognise risk areas
• define risks
• categorise risk

Step 3: Analyse Risks
• identify controls
• determine likelihood
• determine consequence/impact
• determine level of risk

Step 4: Evaluate Risks
• identify tolerable/unacceptable risks (referring risk rating against risk criteria)
• prioritise risks for treatment

Step 5: Treat Risks
• Accept/Retain – based on judgement or documented procedures/policy
• Share – insurance; outsourcing
• Avoid – consider discontinuing or avoiding activity; risk treatment preferable to risk aversion
• Reduce likelihood – controls; process improvement; training & education; policies and communication; audit and compliance
• Reduce consequence – consult; Business Continuity Plans; contractual arrangements; public relations

Step 6: Monitor and Review Risks
• process
• environment
• organisation
• strategy
• stakeholders

Communicate and consult - at all steps

AS/NZS ISO 31000:2009 Risk management process in detail (process diagram: Establishing the context, 5.3 – 5.3.2 External Context; 5.3.3 Internal Context; 5.3.4 Risk Management Process Context; 5.3.5 Developing Risk Criteria)

Establish the Context
• Objectives and environment
• Relevant Legislation
• Stakeholder identification & analysis
• Government Policy
• Corporate Policy
• Management Structures
• Community Expectations
• Criteria
• Consequence criteria

An Organisation's Paradigm (cultural web): Stories (business experiences); Symbols; Power Structures; Organisational Structures; Control Systems; Rituals & Routines

Adapted from Johnson & Scholes, 1993, p.61

AS/NZS ISO 31000:2009 Risk management process in detail (process diagram repeated: 5.2 Communication & consultation; 5.3 Establishing the context; 5.4 Risk assessment – 5.4.2 Risk identification, 5.4.3 Risk analysis, 5.4.4 Risk evaluation; 5.5 Risk treatment; 5.6 Monitoring & review)

ISO/IEC 31010:2009
Risk Management - Risk Assessment Techniques

In particular, those carrying out risk assessments should be
clear about
• the context and objectives of the organization,
• the extent and type of risks that are tolerable, and how
unacceptable risks are to be treated,
• how risk assessment integrates into organizational
processes,
• methods and techniques to be used for risk assessment,
and their contribution to the risk management process,
• accountability, responsibility and authority for performing
risk assessment,
• resources available to carry out risk assessment,
• how the risk assessment will be reported and reviewed.

AS/NZS ISO 31000:2009 Risk management process in detail (process diagram: Risk identification, 5.4.2 – What can happen, when, where, how & why)

Identification of sources of risk
• Commercial and legal relationships
• Economic circumstances
• Personnel/human behaviour
• Natural and unnatural events
• Political circumstances
• Technology/technical issues
• Management activities and controls
• The activity itself
• Public/professional/product liability

AS/NZS ISO 31000:2009 Risk management process in detail (process diagram: Risk analysis, 5.4.3 – Determine existing controls; Determine Likelihood; Determine Consequences; Estimate Level of Risk)

Risk Analysis
• Purpose: Separate minor risks from major. Provide data to assist in evaluation.
• Preliminary analysis: Excluded Risks where possible should be listed.
• Where possible confidence limits are placed on estimates and the best available information sources are used.

ISO 31000:2009 Risk management process in detail (process diagram: Risk evaluation, 5.4.4 – Compare against criteria; Establish priorities; Identify & assess options; Decide on response)

Risk Evaluation
• Comparing levels of risk found in analysis with previously established criteria.
• Consider:
 – Objectives of projects and opportunities
 – Tolerability of risks to others
 – Whether a risk needs treatment
 – Priorities for treatment
 – Whether an activity should be undertaken
 – Deciding whether risk can be tolerated

AS/NZS ISO 31000:2009 Risk management process in detail (process diagram: Risk treatment, 5.5 – 5.5.2 Selection of risk treatment options; 5.5.3 Preparing and implementing risk treatment plans)

Risk Treatment
• Reduce
 – Likelihood
 – Consequence
 – Continuity planning
• Sharing in full or part (this creates a new risk)
• Avoid (but not because of aversion)
• Retain residual
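The analysis, evaluation and treatment steps above, worked through as a small risk register. This is an added example, not code from the presentation or from ISO; the 1–5 rating scales, the banding of likelihood × consequence into levels, the tolerability criterion and the four sample risks are all constructed assumptions standing in for an organisation's own risk criteria (5.3.5).

```python
from dataclasses import dataclass, field

# Assumed risk criteria: level of risk = likelihood x consequence (each rated
# 1..5), banded into four levels. Only "high"/"extreme" require treatment.
LEVELS = {"low": range(1, 5), "moderate": range(5, 10),
          "high": range(10, 16), "extreme": range(16, 26)}
TOLERABLE = {"low", "moderate"}
# Treatment options as named on the slide (reduce split into its two targets).
TREATMENTS = {"avoid", "reduce_likelihood", "reduce_consequence", "share", "retain"}


def level_of_risk(likelihood, consequence):
    """Risk analysis (5.4.3): estimate level of risk from likelihood and consequence."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be rated 1..5")
    score = likelihood * consequence
    band = next(name for name, rng in LEVELS.items() if score in rng)
    return score, band


@dataclass
class Risk:
    ident: str
    source: str        # source of risk, e.g. "Technology/technical issues"
    event: str         # what can happen (5.4.2)
    owner: str         # accountable risk owner (ISO Guide 73)
    likelihood: int
    consequence: int
    treatments: list = field(default_factory=list)
    avoided: bool = False

    def level(self):
        return level_of_risk(self.likelihood, self.consequence)

    def treat(self, option, likelihood=None, consequence=None):
        """Risk treatment (5.5): record the option and re-rate the residual risk."""
        if option not in TREATMENTS:
            raise ValueError(f"unknown treatment option: {option}")
        if option == "avoid":
            self.avoided = True            # activity discontinued; risk out of scope
        elif option == "reduce_likelihood":
            if likelihood is None:
                raise ValueError("reduce_likelihood needs the residual likelihood")
            self.likelihood = likelihood
        elif option == "reduce_consequence":
            if consequence is None:
                raise ValueError("reduce_consequence needs the residual consequence")
            self.consequence = consequence
        # "share" and "retain" keep the ratings; the slide notes that sharing
        # creates a new risk, which the caller should add to the register.
        self.treatments.append(option)
        return self.level()


def evaluate(register):
    """Risk evaluation (5.4.4): compare each level against the criteria and
    establish priorities. Returns (ident, score, band) for every risk that
    still needs treatment, highest level first; avoided risks are excluded."""
    needing = [(r.ident, *r.level()) for r in register
               if not r.avoided and r.level()[1] not in TOLERABLE]
    return sorted(needing, key=lambda t: t[1], reverse=True)


def sample_register():
    """Constructed sample risks (assumed data, not from the presentation)."""
    return [
        Risk("R1", "Technology/technical issues", "Loss of customer records", "CIO", 3, 5),
        Risk("R2", "Personnel/human behaviour", "Mis-keyed payment", "CFO", 4, 2),
        Risk("R3", "Natural and unnatural events", "Flooding of data centre", "COO", 1, 5),
        Risk("R4", "Commercial and legal relationships", "Supplier insolvency", "CPO", 4, 4),
    ]
```

Running evaluate() on the sample register prioritises R4 (extreme) then R1 (high); after treating both and re-rating, evaluate() returns an empty list, which is the monitor-and-review check that the treatment plans brought the residual risk inside the criteria.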

AS/NZS ISO 31000:2009 Risk management process in detail (process diagram: Monitoring & review, 5.6)

Monitor and Review
• Review is an integral part of the risk management process.
• What may be of minor significance today may be the disaster of tomorrow.

RISK MANAGEMENT A Journey – Not a Destination .

AS/NZS ISO 31000:2009 Extending The Process
• The role of assurance activity, not just as a risk control, but as part of 'Monitor and Review' should be developed. This should go further than just audit. Other interested stakeholders can also benefit from the risk process, such as quality assurance, security, safety & environment management.
• The process is all about facilitating linkages between different stakeholders across the organisation.

AS/NZS ISO 31000:2009 Annex A (Informative) Attributes of enhanced risk management
1. A pronounced emphasis on continuous improvement in risk management through the setting of organizational performance goals, measurement, review and the subsequent modification of processes, systems, resources and capability/skills.
2. Comprehensive, fully defined and fully accepted accountability for risks, controls and treatment tasks. Named individuals fully accept, are appropriately skilled and have adequate resources to check controls, monitor risks, improve controls and communicate effectively about risks and their management to interested parties.

AS/NZS ISO 31000:2009 Annex A (Informative) Attributes of enhanced risk management
3. All decision making within the organization, whatever the level of importance and significance, involves the explicit consideration of risks and the application of the risk management process to some appropriate degree.
4. Continual communications and highly visible, comprehensive and frequent reporting of risk management performance to all "interested parties" as part of a governance process.

AS/NZS ISO 31000:2009 Annex A (Informative) Attributes of enhanced risk management
5. Risk management is always viewed as a core organizational process where risks are considered in terms of sources of uncertainty that can be treated to maximize the chance of gain while minimizing the chance of loss. Critically, effective risk management is regarded by senior managers as essential for the achievement of the organization's objectives. The organization's governance structure and process are founded on the risk management process.

AS/NZS ISO 31000:2009 – Reducing the Risk in Risk Management
• Avoids organisations re-inventing the wheel
• Allows all to benefit from proven best practice
• Provides a universal benchmark
• Reduces barriers to trade
• Advises exactly what you need to do and how you need to do it – no wasted effort and no false starts
• Scalable – works for all sizes of organisation
• Risk management = making optimal decisions in the face of uncertainty

And Finally!!
• AS/NZS ISO 31000:2009 is the natural successor to AS/NZS 4360:2004
• It will fit 'ERM' requirements, but will also allow silo/project risk management
• Following AS/NZS ISO 31000:2009 will provide a low cost, high chance of success approach to ERM
• AS/NZS ISO 31000:2009 will add value and reduce risk in risk management
• Managing risk is about creating value out of uncertainty

YOU DO NOT HAVE TO MANAGE RISK!!
SURVIVAL IS NOT COMPULSORY

The greatest risk of all is to take no risk at all!

The Journey Continues
A journey ………. A race
In pursuit of performance
Building Value

Manage the Risk (figure): Culture; Communication; Structure; Direction; Processes – 1. Strategic Context; 2. Identify Threats; 3. Assess Opportunities; 4. Analyze & Assess Risks; 5. Assess/Review …; 7. …

AS/NZS ISO 31000, ISO/IEC 31010 and ISO Guide 73 provide generic guidance on how to embrace the management of risk in order to maximise the opportunities and minimise the threats to the achievement of your objectives.