Post on 25-Jan-2016
ISO 31000 – Opportunities & Implications for Turkish Organisations & Projects
Joint IRM Regional Group Turkey & IPYD Meeting, Istanbul, 1 October 2009
Nicola Crawford
Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009
Disclaimer
The information contained in this presentation is intended for public use to assist knowledge and discussion on ISO 31000. The information should
not be relied upon for the purpose of a particular matter. Specialist and/or appropriate legal advice should be obtained before any action or decision
is taken on the basis of any material in this document. The Business Resilience Group and Business Resilience Europe Ltd, the authors or
contributors do not assume liability of any kind whatsoever resulting from any person's use or reliance upon the content of this presentation.
This paper is made available on the basis that no part of the content may be reproduced or in any way made available to any party without prior
consent being granted in writing by Nicola Crawford (nicci@businessresilience.com, 0534 3994092).
What today’s presentation is not…
• Technically focused: today is about the ‘soft’ issues rather than the mechanics of risk measurement and risk models.
• Definitive: no-one can offer a set of ‘Answers’; all I will do today is illustrate some, but by no means all, of the ‘Questions’.
The intent of today’s workshop is to answer the question: “What is ISO 31000, what are its benefits and the implications for Turkish businesses and projects?”
Overview
• Introduction – why a new standard?
• ISO 31000
– Scope
– Users
– Core Elements
– Risk definitions
– Benefits
• ISO 31000 & Project Risk Management
– Links to project risk management framework
– How does project risk management link to ERM
– Links to project risk management & how to align
• ISO 31000 – Opportunities
Why a new standard?
Kevin Knight 2008
ISO 31000:2009 - Scope
• Provides principles and generic guidelines on the implementation of risk management.
• Can be applied to any kind of organisation and any type of risk; it is not specific to any industry or sector.
• Is NOT intended to be used for the purpose of certification.
ISO 31000:2009 - Users
ISO 31000:2009 is intended to be used by a wide range of stakeholders including:
• those responsible for implementing risk management within their organisation;
• those who need to ensure that an organisation manages risk;
• those who need to manage risk for the organisation as a whole or within a specific area or activity;
• those needing to evaluate an organisation’s practices in managing risk; and
• developers of standards, guides, procedures, and codes of practice that in whole or in part set out how risk is to be managed within the specific context of these documents.
ISO 31000: A Business Principles Approach to Risk Management
Kevin Knight 2008
ISO 31000: Key Elements
Kevin Knight 2008
ISO 31000: Framework Development & Implementation
ISO 31000: RM Process
value protection + value creation
Risk
Risk (the new definition): “effect of uncertainty on objectives” – ISO 31000:2009, ISO/IEC Guide 73:2009
Control (the new definition): “measure to modify risk” – ISO 31000:2009, ISO/IEC Guide 73:2009
ISO 31000 & Risk
(Diagram: the three management levels at which ISO 31000 applies – Strategic Management, Tactical & Ops Management, Project Management.)
ISO 31000: Benefits
• Applies to strategy, operations, processes, projects, products, assets, governance – everything
• Proactively create value by treating uncertainty, while respecting regulations, laws and the organisation
• Expect better profits, morale, trust, controls, initiatives, reporting, and corporate culture
• Designed to integrate with existing management
– Build on existing management systems; add commitment, alignment, IT, stakeholders, ownership of risk, etc.
• Communication and consultation as appropriate – consider the values and perceptions of stakeholders
• Risk in every decision is set in context, assessed, treated and documented
• Enhances alignment between ERM and project risk management
ISO 31000 & Project Management
• An essential aspect of project management is controlling the inherent risks of a project.
• Risks arise from uncertainty surrounding project decisions and outcomes.
• Most individuals associate the concept of risk with the potential for loss in value, control, functionality, quality, or timeliness of completion of a project. However, project outcomes may also fail to maximise the gain from an opportunity, and the uncertainties in the decision making leading up to that outcome can also be said to involve an element of risk.
ISO 31000 & Project Risk Management Framework
How does Project RM relate to ERM?
How does Project RM relate to ERM?
(Diagram, adapted from Hillison 2003. Labels: Strategy (why); Methods (what & how); Program/Portfolio; Program/project objectives; Project; Deliverables; Change; Benefits; Business Objectives; Stakeholders; Benefits Realization; Project schedule etc.; Risk Management; Execution Gap = risks.)
How does Project RM relate to ERM?
(Chart: project phases Start Up, Planning, Definition, Execution and Closure on the horizontal axis; ‘Ability to influence the outcomes’ falls from Full to None and ‘Cost of Mitigation Steps’ rises from Low to High over the life of the project.)
Early risk management and mitigation builds better valued projects.
Benefits of alignment to business outcomes.
ISO 31000 & Project Risk Management Process
PMBOK vs. ISO 31000 risk process – the differences lie in the framework & context
How to Align Organisational & Project Risk
• Target the business’ ‘desired business outcomes’ — the measurable end states that the business wants/needs to achieve to generate and realize the benefits – focus on value creation and protection
• Treat every project as a ‘change project’ from day-1. When you adopt the ‘desired business outcomes’ approach your project becomes an exercise in changing the organization to realize these outcomes and their associated benefits and value.
• Treat the budget as a profit and loss statement — any cost increase or value decrease cuts into the ‘profit’ of the project
• Differentiate but align risk appetites – risk evaluation criteria should be related to organisational and project drivers
• Use a risk breakdown structure that is aligned to expected benefits and the project structure
ISO 31000: The Opportunities
• Better communication – by providing clear, unambiguous and consistent terms and definitions, ISO 31000 can help to establish a common understanding of the relevant topics throughout the entire organisation, including projects
• Provides a blueprint for organisations/projects aiming to design and implement an effective and efficient risk management framework – ISO 31000 outlines the essential principles, components, processes and organisational structures required
• Provides a benchmark against which organisations/projects can compare their existing approaches – ISO 31000 can assist in identifying gaps and weaknesses in the current approach
• Contributes to the confidence and trust of internal and external stakeholders in the risk management abilities of an organisation/project – ISO 31000 makes the organisation’s/project’s approach to risk management transparent