Implementing Enterprise Risk Management with ISO 31000:2009
Introduction
Exploring Enterprise Risk Management
What Risk is All About
• Risks have consequences in terms of societal, environmental, technological, safety and security outcomes
• They have commercial, financial and economic results
• They also have social, cultural and political reputation impacts
• ISO 31000:2009 helps organizations of all types and sizes to manage risk effectively
What Is Risk Management?
Risk
The effect of uncertainty on the ability of an organisation to meet its objectives
Risk Management
The range of activities that an organisation intentionally undertakes to
understand and reduce these effects
Effective Risk Management
Executing these activities efficiently and in a way that actually and
demonstrably improves the ability of the organisation to meet its objectives in a
repeatable fashion
10 Dec 2013
Risk Management with ISO
• ISO 31000:2009 – Risk management – Principles and guidelines (20
November 2009)
• ISO/IEC 31010:2009 – Risk Assessment Techniques (1 December
2009)
• ISO Guide 73:2009 – Vocabulary (15 November 2009)
• HB 327:2010 – Communicating and consulting about risk (23 February
2010)
Risk Management with ISO (cont’d)
• AS/NZS 5050:2010 Business continuity – Managing disruption-related
risk (28 June 2010)
• HB 266:2010 – Guide for managing risk in not-for-profit organizations
(12 August 2010)
• HB 246:2010 Guidelines for managing risk in sport and recreation
organizations (18 August 2010)
Understanding ISO 31000
• Provides principles, a framework and a process for managing any
form of risk in a transparent, systematic and credible manner within
any scope or context
• It recommends that organizations develop, implement and
continuously improve a risk management framework as an integral
component of their management system
• In concrete terms, it is a practical document that seeks to assist
organizations in developing their own approach to the management
of risk
Understanding ISO 31000 (cont’d)
• This is NOT a standard that organizations can seek
certification to
• Organizations can compare their risk management practices
with an internationally recognized benchmark
• It provides sound principles for effective management
• ISO Guide 73:2009 provides a collection of terms and
definitions relating to the management of risk
• ISO 31000 is designed to help organizations
What Is ISO 31000?
ISO 31000:2009:
• An international standard that provides principles and guidelines
for effective risk management
• Not specific to any industry or sector
• Able to be applied to any kind of risk
• Able to be applied to any kind of organisation
• Intended to be tailored to meet the needs of the organisation
“The generic approach described in this standard provides the
principles and guidelines for managing any form of risk in a
systematic, transparent and credible manner and within any scope
and context.”
History of ISO 31000
• AS/NZS 4360:1999 was developed by Australia and NZ in 1999
• Revised and reissued as AS/NZS 4360:2004 in 2004
• No agreed de jure or de facto international standard was in place at this
stage
• A small number of competing frameworks existed, which were regarded as
unsatisfactory
• The International Organization for Standardization (ISO) started work on
ISO 31000 in 2005, using AS/NZS 4360:2004 as its first draft
• ISO 31000 was issued worldwide in 2009
What Does ISO 31000 Cover?
ISO 31000:2009 contains:
• A set of risk management terms and their definitions
• A set of principles for guiding and informing effective risk
management for an enterprise
• An outline and process for creating a risk management framework
• An outline and process for creating a risk management process
ISO 31000 is:
• Clear
• Sensible
• Brief (34 pages)
What Does ISO 31000 Cover? (cont’d)
The scope of this approach is to enable all strategic, management and
operational tasks throughout projects, functions and processes to be
aligned to risk management objectives
It is intended for stakeholder groups such as:
• Executive level
• Appointment holders in ERM group
• Risk analysts and management officers
• Line managers and project managers
• Compliance and internal auditors
• Independent practitioners
What Doesn’t ISO 31000 Cover?
• Detailed instructions on how to manage risk
• A complete risk management framework
• A complete risk management process
• Formats or attributes for describing risks
• Templates
• Guidance on how to identify risks
• Advice on how to manage risks for a specific domain
ISO 31000 Will Help Us To…
• Increase the likelihood of achieving objectives
• Encourage proactive management
• Identify and treat risk throughout the organization
• Improve the identification of opportunities and threats
• Comply with relevant legal and regulatory requirements and
international norms
• Improve financial reporting
• Improve governance
ISO 31000 Will Help To… (cont’d)
• Improve stakeholder confidence and trust
• Establish a reliable basis for decision making and planning
• Improve controls
• Effectively allocate and use resources for risk treatment
• Improve operational effectiveness and efficiency
• Enhance health and safety performance, as well as environmental
protection
• Improve loss prevention and incident management
• Minimize losses
• Improve organizational learning and resilience
Why Use ISO 31000?
Save ourselves time and effort:
• Using the terms, principles and guidelines in ISO 31000 means you
don’t have to spend time and effort creating your own.
• You can spend time on the things that really add value – managing
the actual risks.
Facilitate communication:
• Avoid misunderstandings by using concepts and terms that are well
known in the risk management community.
Provide higher quality output:
• Take advantage of the significant expertise in risk management that
the ISO has used in coming up with the standard.
• Ensure you don’t miss out any aspects of risk management by using
the standard as a checklist.
How Do I Apply ISO 31000?
When should I use ISO 31000?
• When you are asked to identify or assess risks
• When you are asked to manage risks
• When you are asked to assess a risk management framework or
process
How should I use ISO 31000?
• Use it to frame the scope of the work
• Use it to guide the engagement
• Use it to create a risk management process
24 Dec 2013
ISO 31000 In Short
• It gives you a structured, credible foundation for discussions
about risk and risk management
• It gives you a starting point for a risk management process if you
don’t have one
• It gives you a standard vocabulary for talking about risks and risk
management
• It gives you a baseline for comparisons and assessments of risk
management processes
ISO 31000 in Diagram
Navigating ISO 31000 Principles
and Guidelines
What’s inside
ISO 31000:2009 consists of three major parts:
• 11 principles for managing risk (Clause 3)
• 5 (five) components of the framework for managing risk (Clause 4)
• 5 (five) activities in the process for managing risk (Clause 5)
ISO 31000 Principles
Creates and Protects Value
Risk management contributes to the demonstrable
achievement of objectives and improvement of performance
in, for example, human health and safety, security, legal and
regulatory compliance, public acceptance, environmental
protection, product quality, project management, efficiency
in operations, governance and reputation.
Integral Part of Organizational Processes
Risk management is not a stand-alone activity that is separate
from the main activities and processes of the organisation.
Risk management is part of the responsibilities of
management and an integral part of all organisational
processes, including strategic planning and all project and
change management processes.
Part of Decision Making
Risk management helps decision makers make informed choices,
prioritise actions and distinguish among alternative courses of action.
Explicitly Addresses Uncertainty
Risk management explicitly takes account of uncertainty, the
nature of that uncertainty, and how it can be addressed.
Systematic, Structured and Timely
A systematic, timely and structured approach to risk
management contributes to efficiency and to
consistent, comparable and reliable results.
Based on the Best Information
The inputs to the process of managing risk are based on
information sources such as historical data, experience,
stakeholder feedback, observation, forecasts and expert
judgement. However, decision makers should inform
themselves of, and should take into account, any limitations of
the data or modelling used or the possibility of divergence
among experts.
Tailored
Risk management is aligned with the organisation's
external and internal context and risk profile.
Takes Human and Cultural Factors into Account
Risk management recognises the capabilities, perceptions
and intentions of external and internal people that can
facilitate or hinder achievement of the organisation's
objectives.
Transparent and Inclusive
Appropriate and timely involvement of stakeholders and, in particular,
decision makers at all levels of the organisation, ensures that risk
management remains relevant and up-to-date. Involvement also allows
stakeholders to be properly represented and to have their views taken
into account in determining risk criteria.
Dynamic, Iterative and Responsive to
Change
Risk management continually senses and responds to change.
As external and internal events occur, context and knowledge
change, monitoring and review of risks take place, new risks
emerge, some change, and others disappear.
Facilitates Continual Improvement of the Organisation
Organisations should develop and implement strategies to
improve their risk management maturity alongside all other
aspects of their organisation.
Risk Management Framework
Set of components that provide the foundations and organizational
arrangements for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the organization
• The foundations include the policy, objectives, mandate and
commitment to manage risk
• The organizational arrangements include plans, relationships,
accountabilities, resources, processes and activities
• RMF is embedded within the organization's overall strategic and
operational policies and practices
ISO 31000 Framework
Mandate and Commitment
• Introducing risk management and ensuring its ongoing
effectiveness require strong and sustained commitment by
management, as well as strategic and rigorous planning to
achieve commitment at all levels
• Management should:
⎯ Define and endorse the risk management policy
⎯ Ensure that the organization's culture and risk management policy
are aligned
⎯ Determine risk management performance indicators that align with
performance indicators of the organization
Mandate and Commitment (cont’d)
⎯ Align risk management objectives with the objectives and strategies
of the organization
⎯ Ensure legal and regulatory compliance
⎯ Assign accountabilities and responsibilities at appropriate levels
within the organization
⎯ Ensure that the necessary resources are allocated to risk
management
⎯ Communicate the benefits of risk management to all stakeholders
⎯ Ensure that the framework for managing risk continues to remain
appropriate
Understanding the Organization and Its
Context
Evaluating organization's external context may include, but is not
limited to:
• Social and cultural, political, legal, regulatory, financial, technological,
economic, natural and competitive environment, whether
international, national, regional or local
• Key drivers and trends having impact on the objectives of the
organization
• Relationships with, and perceptions and values of, external
stakeholders
Understanding the Organization and Its
Context (cont’d)
Evaluating the organization's internal context may include, but is not
limited to:
⎯ Governance, organizational structure, roles and accountabilities
⎯ Policies, objectives, and the strategies that are in place to achieve
them
⎯ Capabilities, understood in terms of resources and knowledge (e.g.
capital, time, people, processes, systems and technologies)
Understanding the Organization and Its
Context (cont’d)
⎯ Information systems, information flows and decision making
processes (both formal and informal)
⎯ Relationships with, and perceptions and values of, internal
stakeholders
⎯ Organization's culture
⎯ Standards, guidelines and models adopted by the organization
⎯ The form and extent of contractual relationships
Establishing Risk Management Policy
It should clearly state the organization's objectives for, and commitment to,
risk management, and typically addresses:
⎯ the organization's rationale for managing risk
⎯ links between the organization's objectives and policies and the risk
management policy
⎯ accountabilities and responsibilities for managing risk
⎯ the way in which conflicting interests are dealt with
Establishing Risk Management Policy
(cont’d)
⎯ commitment to make the necessary resources available to assist
those accountable and responsible for managing risk
⎯ the way in which risk management performance will be measured
and reported
⎯ commitment to review and improve the risk management policy and
framework periodically and in response to an event or change in
circumstances
Accountability
The organization should ensure that there is accountability, authority and
appropriate competence for managing risk. This is facilitated by:
• Identifying risk owners that have the accountability and authority to
manage risks
• Identifying who is accountable for development, implementation and
maintenance of framework for managing risk
• Identifying other responsibilities of people at all levels for risk management
process
• Establishing performance measurement and external and/or internal
reporting and escalation processes
• Ensuring appropriate levels of recognition
Resources
The organization should allocate appropriate resources for risk
management such as:
⎯ people, skills, experience and competence
⎯ resources needed for each step of the risk management
process
⎯ the organization's processes, methods and tools to be used
for managing risk
⎯ documented processes and procedures
⎯ information and knowledge management systems
⎯ training program
Establishing Internal Communications and
Reporting Mechanisms
These mechanisms support and encourage accountability and ownership of
risk, and ensure that:
• Key components of risk management framework, and any
subsequent modifications, are communicated appropriately
• There is adequate internal reporting on framework, its
effectiveness and outcomes
• Relevant information derived from the application of risk
management is available at appropriate levels and times
• There are processes for consultation with internal stakeholders
Establishing External Communication and Reporting Mechanisms
The organization should develop and implement a plan for how it will
communicate with external stakeholders. This should involve:
• Engaging appropriate external stakeholders and ensuring an
effective exchange of information
• External reporting to comply with legal, regulatory, and
governance requirements
• Providing feedback and reporting on communication and
consultation
• Using communication to build confidence
• Communicating with stakeholders in the event of a crisis or
contingency
Implementing Framework for Managing Risk
In implementing framework for managing risk, the
organization should:
• Define appropriate timing and strategy for implementing the
framework
• Apply risk management policy and process to the
organizational processes
• Comply with legal and regulatory requirements
Implementing Framework for Managing Risk
(cont’d)
• Ensure that decision making, including the development and
setting of objectives, is aligned with risk management
processes outcomes
• Hold information and training sessions
• Communicate and consult with stakeholders to ensure that
its risk management framework remains appropriate
Risk Management Process
Systematic application of management policies, procedures
and practices to the activities of communicating, consulting,
establishing the context, and identifying, analyzing,
evaluating, treating, monitoring and reviewing risk
Monitoring and Reviewing Framework
In order to ensure that risk management is effective and
continues to support organizational performance, the
organization should:
⎯ Measure risk management performance against indicators,
which are periodically reviewed for appropriateness
⎯ Periodically measure progress against, and deviation from,
the risk management plan
Monitoring and Reviewing Framework
(cont’d)
- Periodically review whether risk management framework,
policy and plan are still appropriate, given the organizations'
external and internal context
- Report on risk, progress with risk management plan and how
well risk management policy is being followed
- Review risk management framework effectiveness
ISO 31000 Process
Risk Management: Establishing the Context
Defining the external and internal parameters to be taken into
account when managing risk, and setting the scope and risk
criteria for the risk management policy.
Risk Management: Establishing the Context (cont’d)
External context
• Legal, Regulatory, Financial
• International, National, Regional or Local
• Relationships with, perceptions and values of external
stakeholders
Internal context
• Organizational objectives
• Project, process, or activity objectives
• Policy, standards, guidelines and models adopted by the
organization
• Contractual relationships
Risk Management: Establishing the Context (cont’d)
Process context
• Objectives, scope, responsibilities, methods
• Defining risk criteria
- Measures
- Tolerance levels
- Views of stakeholders
Monitoring and Review
• Ensuring that controls are effective and efficient in both
design and operation
• Obtaining further information to improve the risk assessment
• Analyzing and learning lessons from events (including near-misses),
changes, trends, successes and failures
• Detecting changes in the external and internal context,
including changes to risk criteria and the risk itself which
can require revision of risk treatments and priorities
• Identifying emerging risks
Recording Risk Management Process
Decisions about the creation and retention of records should take into account:
• Organization's needs for continuous learning
• Benefits of re-using information for management purposes
• Costs and efforts in creating and maintaining records
• Legal, regulatory and operational needs for records
• Method of access, ease of retrievability and storage media
• Retention period
• Sensitivity of information
ISO 31000 Key Success Factors
• Risk Management (RM) should function within a Risk
Management Framework (RMF)
• The framework provides necessary foundations and
organizational arrangements to embed RM throughout all levels
within the organization
• This foundation can assist organizations in managing risk
effectively through application of RM process at varying levels
and within specific contexts
• The RMF ensures that risk information is adequately reported and used as
a basis for decision making and accountability at all relevant
organizational levels
Valuing ISO31010: Risk
Assessment and its Techniques
Rehearsing ISO/IEC 31010: 2009
• A supporting standard for AS/NZS ISO 31000:2009
• It provides guidance on selection and application of systematic
techniques for risk assessment
• The application of a range of techniques is introduced, with specific
references to other international standards
• Concept and application of techniques are described in greater detail
• This standard does not provide specific criteria for identifying need
for risk analysis
• It also doesn’t specify type of risk analysis method required for a
particular application
Rehearsing ISO Guide 73:2009
• It provides the definitions of generic terms related to risk
management
• Aimed to encourage a mutual and consistent understanding of, and a
coherent approach to, the description of activities relating to the
management of risk
• Aimed to encourage the use of uniform risk management terminology
in processes and frameworks dealing with the management of risk
Risk Assessment
• ISO/IEC 31010:2009, Risk assessment techniques, jointly
developed by ISO and IEC (International Electrotechnical
Commission)
• A structured process for organizations to identify how
objectives may be affected
• Analyze risks in terms of consequences and their probabilities
before deciding whether further action is needed
• Provides better understanding on risks affecting achievement
of objectives, as well as adequacy and effectiveness of
controls already in place
Risk Assessment (cont’d)
• In short, Risk Assessment is overall process of risk
identification, risk analysis and risk evaluation
• Risk Identification
o Process of finding, recognizing and describing risks, involving
identification of risk sources, events, causes and potential
consequences
o It draws on historical data, theoretical analysis, informed and
expert opinions, and stakeholders' needs
Risk Source and Event
• Risk source: element which alone or in combination has the
intrinsic potential to give rise to risk (tangible or intangible)
• Event: occurrence or change of a particular set of circumstances
⎯ It can be one or more occurrences, and can have several causes
⎯ It can consist of something not happening
⎯ It is sometimes referred to as an “incident” or “accident”
Consequences
Outcome of an event affecting objectives
• An event can lead to a range of consequences
• A consequence can be certain or uncertain and can have positive or
negative effects on objectives
• Consequences can be expressed qualitatively or quantitatively
• Initial consequences can escalate through knock-on effects
Risk Analysis
• Process to comprehend the nature of risk and to determine
the level of risk
• It involves consideration of the causes and sources of risk,
their positive and negative consequences, and the likelihood
that those consequences can occur
• Provides the basis for risk evaluation and decisions about risk
treatment
• It includes risk estimation as well
Risk Analysis (cont’d)
Risk Criteria and Level of Risk
• Risk criteria: terms of reference against which the significance
of a risk is evaluated
⎯ Based on organizational objectives, and external and internal
context
⎯ Can be derived from standards, laws, policies and other
requirements
• Level of risk: magnitude of a risk or combination of risks,
expressed in terms of the combination of consequences and
their likelihood
Risk Evaluation
Process of comparing the results of risk analysis with risk
criteria to determine whether the risk and/or its magnitude is
acceptable or tolerable. Risk evaluation assists in the decision
about risk treatment.
Risk Treatment
• Process to modify risk, which can involve:
⎯ avoiding the risk by deciding not to start or continue with the
activity that gives rise to the risk
⎯ taking or increasing risk in order to pursue an opportunity
⎯ removing the risk source
⎯ changing the likelihood
⎯ changing the consequences
Risk Treatment (cont’d)
⎯ sharing the risk with another party or parties (including
contracts and risk financing)
⎯ retaining the risk by informed decision
• Risk treatments that deal with negative consequences are
sometimes referred to as “risk mitigation”, “risk elimination”,
“risk prevention” and “risk reduction”
• Risk treatment can create new risks or modify existing risks
Residual Risk
• Risk remaining after risk treatment
• It can contain unidentified risk
• It can also be known as “retained risk”
Risk Assessment Three Bands
Utilizing Risk Assessment
Techniques
Risk Assessment Techniques
• Risk identification
• Risk analysis – consequence analysis
• Risk analysis – qualitative, semi-quantitative or quantitative
probability estimation
• Risk analysis – assessing the effectiveness of any existing
controls
• Risk analysis – estimating the level of risk
• Risk evaluation
Factors Influencing the Selection of a Technique
• Complexity of the problem and the methods needed to
analyze it
• The nature and degree of uncertainty of the risk assessment,
based on the amount of information available and what is
required to satisfy objectives
• The extent of resources required in terms of time and level
of expertise, data needs or cost
• Whether the method can provide a quantitative output
Tools used For Risk Assessment
• Refer to Table A.1 in ISO/IEC 31010 for the applicability of tools used
for risk assessment
• Refer to Table A.2 in ISO/IEC 31010 for the attributes of risk assessment
tools
• Details are in Annex B (informative) of ISO/IEC 31010
Analyzing and Evaluating
Risk Assessment Result
Risk Identification
• Process of finding, recognizing and describing risks
• Comprehensive list of risks based on events that might
create, enhance, prevent, degrade, accelerate or delay
achievement of objectives
• Identify risks associated with not pursuing an opportunity
• A risk that is not identified at this stage will not be included
in further analysis
• Identification should include risks whether or not their
source is under the control of the organization
Risk Evaluation
• The purpose of risk evaluation is to assist in making
decisions, based on the outcomes of risk analysis, about
which risks need treatment and the priority for treatment
implementation
• Decisions should take account of the wider context of the
risk and include consideration of the tolerance of the risks
borne by parties other than the organization that benefits
from the risk
Risk Evaluation (cont’d)
• Decisions should be made in accordance with legal,
regulatory and other requirements
• In some circumstances, the risk evaluation can lead to a
decision to undertake further analysis
• The risk evaluation can also lead to a decision not to treat
the risk in any way other than maintaining existing controls
Managing Risk
Options for dealing with risk (the standard lists these but does not rank them):
• Avoiding the risk by deciding not to start or continue the activity that
gives rise to it
• Taking or increasing risk in order to pursue an opportunity
• Removing the risk source
• Changing the likelihood or the consequences
• Sharing the risk with another party or parties, for example through
contracts or risk financing
• Retaining the risk by informed decision
Risk Treatment
• Risk treatment involves selecting one or more options for
modifying risks, and implementing those options
• Risk treatment options are not necessarily mutually exclusive
• The options can be grouped as follows:
• TRANSFER: sharing the risk with another party or parties (including
contracts and risk financing)
Risk Treatment (cont’d)
• AVOID: avoiding the risk by deciding not to start or continue
with the activity that gives rise to the risk; removing the risk
source
• MITIGATE: changing the likelihood; changing the consequences
(impact)
• ACCEPT: retaining the risk by informed decision; taking or
increasing the risk in order to pursue an opportunity
Risk Treatment (cont’d)
• Selecting the most appropriate risk treatment option
involves balancing the costs and efforts of implementation
against the benefits derived, with regard to legal, regulatory,
and other requirements such as social responsibility and the
protection of the natural environment
• A number of treatment options can be considered and
applied either individually or in combination
Risk Treatment (cont’d)
• Risk treatment itself can introduce risks
• A significant risk can be the failure or ineffectiveness of the
risk treatment measures
• Monitoring needs to be an integral part of the risk
treatment plan to give assurance that the measures remain
effective
Understanding Risk Register
Entry
What Is Risk Register?
A record of information about identified risks. For each risk it captures:
1. Risk owner: “person or entity with the accountability and
authority to manage a risk”
2. Risk evaluation: the result of comparing the analysed level of risk
against the risk criteria – is it acceptable?
3. Risk treatment: “process of developing, selecting and
implementing measures to modify risk” (a control is a “measure
that is modifying risk”)
4. Risk trend and performance measures for the risk controls
5. One record for every risk in the organization
Risk Register Should Contain
• A unique code for each risk
• A description of each risk and its potential consequences
(operational and strategic)
• Actions and controls that currently exist to mitigate risks
• Factors that may impact upon the likelihood and
consequence of the residual risk
• Risk grade (priority)
• Whether the risk grade is acceptable
• Early warning factors and upward reporting thresholds
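A worked example of the register described above, as added code that is not part of the original slides or of ISO 31000: a Python risk register entry with a likelihood × consequence level of risk, three-band risk criteria (acceptable / tolerable / unacceptable, the bands of the “Risk Assessment Three Bands” slide), residual risk after treatment, a treatment priority list from risk evaluation, and an upward-reporting threshold. The 5×5 ordinal scales, the product formula, the thresholds 4 and 12 and the three sample risks are all constructed assumptions; the standard leaves scales and criteria to the organization.

```python
"""Risk register with a likelihood x consequence level of risk, three-band risk
criteria and residual-risk evaluation after treatment. Added example, not code
from ISO 31000 or the original slides; the 5x5 scales, band thresholds and
sample risks are constructed assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

# Ordinal scales (assumed); the IntEnum functional API numbers members from 1.
Likelihood = IntEnum("Likelihood", "RARE UNLIKELY POSSIBLE LIKELY ALMOST_CERTAIN")
Consequence = IntEnum("Consequence", "INSIGNIFICANT MINOR MODERATE MAJOR SEVERE")

# Bands ordered least to most significant; the index is used for escalation.
BANDS = ("acceptable", "tolerable", "unacceptable")
# Assumed risk criteria: level <= 4 acceptable, 5..11 tolerable, >= 12 unacceptable.
RISK_CRITERIA = {"acceptable_max": 4, "unacceptable_min": 12}


def level_of_risk(likelihood: Likelihood, consequence: Consequence) -> int:
    """Level of risk: combination of consequence and likelihood (here, the product)."""
    return int(likelihood) * int(consequence)


def evaluate_level(level: int, criteria: dict = RISK_CRITERIA) -> str:
    """Risk evaluation: compare a level of risk with the risk criteria."""
    if level <= criteria["acceptable_max"]:
        return "acceptable"
    if level >= criteria["unacceptable_min"]:
        return "unacceptable"
    return "tolerable"


@dataclass
class Treatment:
    """A treatment option and the likelihood/consequence it is expected to leave."""
    option: str  # avoid, remove source, change likelihood/consequence, share, retain
    description: str
    likelihood: Optional[Likelihood] = None
    consequence: Optional[Consequence] = None


@dataclass
class Risk:
    code: str
    description: str
    owner: str
    likelihood: Likelihood
    consequence: Consequence
    existing_controls: list = field(default_factory=list)
    treatments: list = field(default_factory=list)
    escalate_at: str = "tolerable"  # upward-reporting threshold (band name)

    def inherent_level(self) -> int:
        return level_of_risk(self.likelihood, self.consequence)

    def residual_level(self) -> int:
        """Apply treatments in order; each may change likelihood and/or consequence."""
        lik, con = self.likelihood, self.consequence
        for t in self.treatments:
            lik = t.likelihood if t.likelihood is not None else lik
            con = t.consequence if t.consequence is not None else con
        return level_of_risk(lik, con)

    def evaluate(self) -> dict:
        inherent, residual = self.inherent_level(), self.residual_level()
        band = evaluate_level(residual)
        return {"code": self.code, "inherent": (inherent, evaluate_level(inherent)),
                "residual": (residual, band), "acceptable": band == "acceptable",
                "escalate": BANDS.index(band) >= BANDS.index(self.escalate_at)}


class RiskRegister:
    def __init__(self):
        self.risks = {}

    def add(self, risk: Risk) -> None:
        if risk.code in self.risks:  # the register needs a unique code per risk
            raise ValueError(f"duplicate risk code {risk.code}")
        self.risks[risk.code] = risk

    def treatment_priority(self) -> list:
        """Codes of risks whose residual level is not acceptable, highest level first."""
        pending = [e for e in (r.evaluate() for r in self.risks.values()) if not e["acceptable"]]
        return [e["code"] for e in sorted(pending, key=lambda e: (-e["residual"][0], e["code"]))]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries, not real data."""
    reg = RiskRegister()
    reg.add(Risk("R-001", "Ransomware encrypts the file servers", "Head of IT Operations",
                 Likelihood.POSSIBLE, Consequence.SEVERE, ["endpoint antivirus", "online backups"],
                 [Treatment("change consequence", "offline, tested backups", consequence=Consequence.MAJOR),
                  Treatment("change likelihood", "MFA on remote access plus EDR", likelihood=Likelihood.UNLIKELY)]))
    reg.add(Risk("R-002", "Public TLS certificate expires unnoticed", "Platform Lead",
                 Likelihood.LIKELY, Consequence.MODERATE, ["calendar reminder"],
                 [Treatment("change likelihood", "automated renewal and expiry monitoring", likelihood=Likelihood.RARE)]))
    reg.add(Risk("R-003", "Insider exfiltrates customer data", "CISO",
                 Likelihood.UNLIKELY, Consequence.MAJOR, ["DLP on email", "access reviews"],
                 [Treatment("retain", "retained by informed decision; monitor DLP alerts")]))
    return reg
```

With these assumed criteria, `build_sample_register().treatment_priority()` returns `["R-001", "R-003"]`: both remain in the tolerable band after treatment, so they stay on the list and meet the default reporting threshold, while R-002 drops to the acceptable band once renewal is automated. Changing the thresholds in `RISK_CRITERIA` is how a different risk appetite is expressed; the treatments and scores do not change, only the evaluation.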
Risk Treatment Actions Shall Include
• Planned actions to reduce the likelihood that a negative risk will occur
and/or reduce its seriousness should it occur (what should you do
now?)
• Contingency actions – planned actions to reduce the immediate
seriousness of a negative risk when it does occur (what should you
do when it happens?)
• Recovery actions – planned actions taken once a negative risk has
occurred to allow you to move on (what should you do afterwards?)
• Risk transfer (e.g. through assignment of contractual responsibilities
or insurance)
• Actions necessary to ensure the realisation of opportunities (positive
risks)
Sample of Risk Registers
Utilizing Risk Register Entry
Discussing and
Implementing Risk Register
Monitoring and Managing Risk
Management
Monitoring and Reviewing Risk
Monitoring
• Continual checking, supervising, critically observing or determining the
status in order to identify change from the performance level required or
expected
• Can be applied to a risk management framework, risk management
process, risk or control
Reviewing
• Activity undertaken to determine suitability, adequacy and effectiveness of
subject matter to achieve established objectives
• Can be applied to a risk management framework, risk management
process, risk or control
Monitoring and Reviewing Risk (cont’d)
• An integral part of the risk management process involving regular
checking or surveillance
• Ensure controls are effective and efficient
• Detect change in external or internal context
• Analysis, lessons learned, continuous improvement
• Identify emerging risks
