Implementing Risk Management under ISO 31000
A guide for community housing providers
June 2015


This report was prepared by:
Shirley Liew, Probus Advisory
On behalf of NSW Federation of Housing Associations
Suite 301, 64-76 Kippax St
Surry Hills 2010, NSW
E: [email protected]
T: 02 9281 7144
W: www.communityhousing.org.au


Contents

Contents ... 1
Introduction ... 2
Guide to ISO 31000 ... 2
Action for CHPs ... 13
Strategic risk management for risk mature CHPs ... 18
Useful references ... 19
Appendix A ... 20
Appendix B ... 21


Introduction

This guide has been written to assist Community Housing Providers (CHPs) that are developing a risk management system consistent with AS/NZS ISO 31000:2009, and provides practical guidance for CHPs that are developing their risk processes in line with the standard.

Guide to ISO 31000

Just about any business activity involves a certain amount of risk. Accepting risks in concert with a structured risk management approach means that effective community housing providers are focused on a risk-based approach to doing things.

This does not mean avoiding risks; rather it means using a process that helps identify and minimise risks, while allowing your organisation to focus on its core competencies at the same time. Successful risk management is an integral part of your organisation's strategy and a critical dimension of good governance. This is where you can begin incorporating risk management activities into operations and strategy. Adherence to ISO 31000 will ensure that your efforts are consistent with good risk management practice.

Support for risk management standards like ISO 31000 demonstrates a commitment to building a risk-focused organisation. Investing time and resources to stay current with risk management developments and improve compliance can not only help CHPs mitigate potential risks, but can also uncover opportunities for performance improvement and growth.


ISO 31000: an overview

This section outlines the main elements of ISO 31000 for CHPs. The standard's process diagram provides an effective summary of the process to be followed (the diagram is not reproduced in this transcript), and the following sections take you through the main steps from a CHP perspective.


Mandate and commitment (4.2) [1]

Corporate governance, risk management and effective control have always been the concern of boards and senior management teams, even if the language has changed over the years. ISO 31000 makes it clear that there must be an organisation-wide commitment to risk management. This commitment must be led by the board and be implemented by all levels of management.

This mandate and commitment will be given fresh emphasis by the requirements of the National Regulatory System for Community Housing (NRSCH). Under performance outcome 4: Governance [2], which is designed to assess whether CHPs have robust and coherent strategic, operational, financial and risk planning, the guide provides for risk management to be consistent with ISO 31000 for Tier 1 and Tier 2 providers. The NRSCH has prompted a change in focus towards finding the most useful and effective means of implementing a comprehensive and dynamic risk management process.

[1] Numbers refer to ISO 31000 clauses.

[2] National Regulatory System for Community Housing Directorate (2013) Evidence guidelines.


Designing a framework for managing risk (4.3)

This section of ISO 31000 is designed to make sure that there is an appropriate, relevant and effective framework for managing risk that is embedded across the organisation. Some of the main elements are:

- Taking the CHP's context into consideration when managing risk. Context means both the external context (for example its political, social, regulatory, legal and financial environment) and the internal context (for example governance, organisational structure, roles and accountabilities), as well as the main drivers and trends that could have an impact on the CHP achieving its objectives.
- Having risk owners with 'accountability, authority and appropriate competence for managing risk'.
- Establishing a risk management policy.
- Embedding and integrating risk management into all of the CHP's practices and processes by establishing an enterprise-wide risk management function. Closely aligned with your culture are the organisation's core values, such as individual ownership and accountability, integrity, teamwork and collaboration, communications, and a commitment to excellence. Culture is key, and business management should be synonymous with risk management. Adopting an enterprise-wide approach to risk management helps to:
  - ensure the right people have the right information at the right time;
  - focus the organisation and spend time and money where it is needed most;
  - optimise risk, return and capital;
  - link strategy to the risk process and controls;
  - improve decision-making.
- Making sure you have the right resources, including the right systems and people with skills, experience and competence in managing risk.


- Establishing internal communication and reporting mechanisms (4.3.6): for example, reporting to your board on risk, on progress with the risk management plan and on how well the risk management policy is being followed; and reviewing the effectiveness of the risk management framework from time to time (4.5).

Once the risk management framework has been in operation for a period, each CHP should consider how the framework, policy and plan can be improved (continual improvement of the framework, 4.6).

Implementing risk management (4.4) and the risk management process (5)

Under ISO 31000, organisations should establish risk criteria and then evaluate risks against those criteria to determine which risks need treatment. The following sections set out the steps of that process.


Establishing context (5.3)

Consider your organisation's context when you define the scope of its risk management program, formulate its risk management policy, and establish its risk criteria. Context includes things such as the size and scale of your CHP, which activities you carry out, your location, your experience, changes in your operating environment, and so on.

Risk Assessment (5.4)

Risk assessment should consider the categories of risk beyond operational. It should scan the external and internal environment and context, and should be enterprise-wide, holistic, integrated and strategic in approach. For a CHP, the categories of risk to be assessed would include Strategic, Financial, Operational (property management, housing management, procurement, WHS), Human Resources, Information Technology, Economic, Policy, Funding, Corporate Governance, Reputation, Regulatory and Business Continuity/Disaster Recovery risks.

Risk Identification (5.4.2)

Identify each risk in line with your procedures and policy, and assess its potential impact on your organisation.

Having the risk management principles, policy, framework and process documented will be critical, as it communicates to people what a risk is for your organisation. It encapsulates your organisation's method and provides a means for capturing risks, exploiting opportunities, establishing the appetite for risk held within the business and the principles against which your organisation operates.

How does your organisation know it is keenly focused on identifying and managing risk? More than simply stating that it has a risk focus, an organisation must actively develop (or update) risk management programs that examine risks at all levels of the business. By doing this, and by leveraging established benchmarks like ISO 31000, your organisation can assess its risk posture, risk appetite and overall risk readiness. Documented efforts to analyse and address risks using recognised benchmarks underscore the organisation's intent to perform at the highest levels.

Undertake a risk assessment and identification of all major risks that might prevent the organisation achieving its objectives.


Very much depending on the organisation, a list of selected major risks could look something like this:

Activity (within risk appetite? YES / NO):
- NRAS schemes
- Housing with support
- Development outside normal geographic area of operation
- Key worker accommodation
- Stock transfer
- Rent arrears of 5%
- Building properties with retail lots
- Private sector agency management agreement loss-making for 7 years
- Establish an alliance to embark on development projects
- Defer the staff development program in customer service for a year
- Outsource responsive maintenance
- Shared ownership
- etc.

Risk Analysis (5.4.3)

Look at the impact the risk may have in ways your organisation can understand. Normally the headings will include money, time, reputation, etc.

Understand your business: make sure you know what you want to achieve by understanding your risks, threats and vulnerabilities. Most likely it will be to minimise interruptions to activities that generate income, to provide better customer service and to reduce response times to customers. Whatever the issues, identify those business activities first, then identify the risks and threats to the continued operation of those activities (these can range from a hurricane to an earthquake, depending on the organisation's location), and finally work out what needs to be done to achieve that aim.

Measure risk in terms of consequences (impact) and likelihood (probability).

Risk comes from both the internal environment within your organisation and the external environment within which it operates. The internal factors tend to be the more controllable, whereas the external factors tend to be the least controllable by the organisation. Nevertheless, there are ways in which both sources of risk can be managed effectively.

You should develop a risk reference table to establish guidance as to how risks are to be evaluated, assessed, measured, accepted and reported.


Controls Rating Table: an assessment of how effective the controls are (the table itself is not reproduced in this transcript).


Consequence Rating Table: describes what the consequences may be (the table itself is not reproduced in this transcript).


Likelihood Rating Table (the table itself is not reproduced in this transcript).

When dealing with risks that result in a "Service Interruption", your organisation may need to formulate a Business Continuity Plan (BCP) to address risks with major and/or catastrophic consequences (irrespective of likelihood rating). If you do identify a risk that will interrupt your services, you should determine what would be a maximum acceptable downtime. That is, how long can you afford to have downtime, e.g. computer outages and lack of access to tenant registers and housing management software, before the consequences become unacceptable? Once implemented, the BCP is a risk control that facilitates the provision of critical services in a less than perfect operating environment until operations can be restored to normal.

Risk Evaluation (5.4.4)

Assess each risk's importance to your organisation so you can prioritise your resource allocation and decide what to do.

The first step in evaluating risk is often the confirmation (or setting) of corporate objectives. Whatever technique or framework is used to evaluate risks, it is essential that they are related directly to the corporate objectives of the organisation.

It is also useful to challenge the coverage of the objectives: are they appropriately set, and do they reflect the requirements of all stakeholders? For example, community housing providers will ignore tenant involvement objectives at their peril.


Risk Treatment (5.5)

Risk treatment is a risk modification process. Select and implement one or more treatment options. You may choose between avoiding the risk, reducing the risk, removing the source of the risk, modifying the consequences, changing the probabilities, sharing the risk with others, simply retaining the risk, or even increasing the risk in order to pursue an opportunity.

Once a treatment has been implemented, it becomes a control or it modifies existing controls.

Risk Appetite or Tolerance?

Risk cannot be completely avoided. However, it can be managed by organisations to ensure their survival and the achievement of their objectives. It has been said that "all entities, regardless of size, structure, nature or industry, encounter risks at all levels within their organisations. Risks affect each entity's ability to survive; successfully compete within its industry; maintain its financial strength and positive public image; and maintain the overall quality of its products, services and people. There is no practical way to reduce risk to zero. Indeed, the decision to be in business creates risk. Management must determine how much risk is to be prudently accepted, and strive to maintain risk within these levels." [3]

The organisation's past experience of risk-taking will also influence its current risk appetite, which may well change year on year.

[3] COSO (Committee of Sponsoring Organisations of the Treadway Commission).


Action for CHPs

Community housing providers must operate a framework that effectively identifies and manages risks. To do so, you must first:

Ensure you have the right risk culture:

- Getting the culture right and keeping that culture alive is key to a successful risk management process.
- A distinct and consistent tone and commitment is needed from the top, led by the board and senior management, in respect of risk taking and avoidance, as well as consideration of tone at all levels.
- Encourage a common acceptance throughout your organisation of the importance of the continuous management of risk, including clear accountability for and ownership of specific risks and risk areas.
- Encourage transparent and timely risk information flowing up and down the organisation, with bad news rapidly communicated without fear of blame.
- Actively seek to learn from mistakes and near misses by encouraging risk event reporting and whistleblowing.
- Reward and encourage appropriate risk-taking behaviours whilst challenging and sanctioning inappropriate behaviours.
- Engage staff in identifying and prioritising risks.
- Ensure performance measures, policies and procedures, job descriptions, board papers and reward systems encompass risk issues.
- Consistently and rigorously challenge the status quo to encourage sufficient diversity of perspectives, values and beliefs.

Risk culture needs to be centre stage. Establish and drive the cultural change needed to support the risk management policy, process and performance in risk management. Understand your external and internal context; these are the clues. Ensure there is alignment between culture and policy. True accountability depends on the right risk culture, and this too is recognised within the standard: risk management takes human and cultural factors into account.


Have a robust risk recording and sharing system:

- Communication and consultation is vital.
- Establish a process to monitor continual assessment of what has been implemented, and periodically assess the effectiveness of your risk management strategy. Risk management is systematic, structured and timely. Risk management is dynamic.
- Regularly update your risk management strategy to take account of changes in your organisation. New risks will emerge and existing risks will disappear. Risks that you have already acknowledged may become more or less frequent, severe or relevant to your organisation.
- Set timelines and deadlines for ensuring risks are managed and treated, starting with the most urgent risks. Write down when things need to be checked, and tick them off your risk register when they have been completed or when that area should be reviewed again. The regularity of your review will depend on the activity in question. For example, smoke detectors may only need to be checked once a year, but the common areas may need to be inspected much more frequently to ensure they are safe.
- Make sure you are able to adequately capture your organisational risks, share the information appropriately and in time, and mine the risk information for subtle changes. Risk management not only creates but also protects value. Risk management is an integral part of decision making. Risk management explicitly addresses uncertainty. Risk management is inclusive and transparent.
- Be clear about addressing uncertainty and have the ability to share the information at an enterprise level.

Manage the strategic balancing act: empowering and defining the limits:

- Risk capacity: the amount and type of risk your organisation is able to support in pursuit of its business objectives.
- Risk appetite: the amount and type of risk your organisation is willing to accept in pursuit of its business objectives.
- Risk tolerance: the specific maximum risk that your organisation is willing to take regarding each relevant risk.
- Risk target: the optimal level of risk that your organisation wants to take in pursuit of a specific business goal.
- Risk limit: thresholds used to monitor that actual risk exposure does not deviate too much from the risk target and stays within the organisation's risk tolerance/risk appetite. Exceeding a risk limit will typically act as a trigger for management action. Communicate your risk appetite.
- Risk language: ensure everyone understands a common risk language. One of the most important ways in which everyone can contribute effectively to a risk-aware culture is to keep the terminology as simple as it really is and not over-complicate it. Risk management is a process that everyone at some level manages by instinct. Understanding meaning and good communication are everything in a process that relies on people coming to a conclusion about the same event.


Integrate risk management with strategy and business management:

- Does risk drive the business strategy?
- Make risk an integral part of business planning and budgeting.
- Establish a clear link between objectives and risks at all levels.
- Review risks regularly as part of the business planning cycle.
- Ensure sufficient attention is given to control identification and evaluation.
- Establish appropriate reporting of actions completed (or not) to the board.

Ensure ownership from top-down and bottom-up:

A risk planning workshop for the board, senior management and other key stakeholders may be a useful way, amongst others, to ensure that risk identification is both a top-down and a bottom-up approach.

Monitoring and learning:

- Review control failures for learning points.
- Share good practice arising from good risk management and from remedies for control failures.
- Keep the board informed of control failures at the appropriate level.

Examples of risk overview

A risk overview based on internal and external contexts helps identify risk sources that have the intrinsic potential to give rise to risks. A risk source is where a risk originates. Potential sources of risk include at least the following: strategic aspects including failure to achieve strategic objectives, inability to recover from disaster, commercial relationships and obligations, legal expectations and liabilities, economic shifts and circumstances, technological innovations and upheavals, political changes and trends, natural events and forces, human factors and tendencies, and management shortcomings and excesses.

Other internal failings around operations, such as poor housing management, poor property maintenance, and lack of proper governance and financial management, could lead to risks for your organisation. All of these elements could potentially generate a risk that must be managed.


Developing a risk register

From the risk overview, the categories of risk to be considered would include: Strategic, Financial, Operational (property management, housing management, procurement, WHS), Human Resources, Information Technology, Economic, Policy, Funding, Corporate Governance, Reputation, Regulatory and Business Continuity/Disaster Recovery.

Under each category, risks are identified which may threaten business objectives. Each risk identified is then rated against the risk criteria (likelihood and impact). A risk management strategy is then derived based on the tolerance levels, and the associated controls and mitigating strategies are developed. This can then be represented on a heat map for a high-level overview and management. (Refer to Appendix A for an example risk register and heat map.)
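To make the rating and heat-map steps concrete, the following is an added Python example; it is not code from the guide or from the Federation. It scores a small constructed register, flags service-interruption risks that need a BCP irrespective of likelihood (the rule given under the Likelihood Rating Table), and applies per-category risk limits as the trigger for management action described under "Manage the strategic balancing act". The 1 to 5 scales, the rating bands and the tolerance values are assumptions, because the guide's own rating tables are not reproduced on this page; the sample risks are taken from the category tables that follow.

```python
"""Risk register scoring, BCP flagging and heat map (added example, not from the guide).
Assumed: likelihood and consequence are scored 1 (lowest) to 5 (highest); the rating
bands and per-category tolerances are invented, since the guide's own rating tables
are not reproduced on this page."""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Assumed risk tolerance per category: the highest score (likelihood x consequence) the
# board will carry without a treatment plan. Exceeding it is the "risk limit" trigger
# for management action. Categories not listed use DEFAULT_TOLERANCE.
TOLERANCE = {"Financial": 6, "Information technology": 6, "Business continuity": 4}
DEFAULT_TOLERANCE = 9


@dataclass
class Risk:
    category: str
    description: str
    likelihood: int                     # 1..5
    consequence: int                    # 1..5
    service_interruption: bool = False  # would the event stop a critical service?

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scales so a typo cannot yield a plausible rating.
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError(f"scores must be 1..5: {self.description!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence


def rating(score: int) -> str:
    """Map a likelihood x consequence score to a rating band (assumed bands)."""
    if score >= 15:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def needs_bcp(risk: Risk) -> bool:
    """Guide's rule: service-interruption risks with Major or Catastrophic consequences
    need a Business Continuity Plan irrespective of their likelihood rating."""
    return risk.service_interruption and risk.consequence >= 4


def exceeds_tolerance(risk: Risk) -> bool:
    """Risk limit check: is the score above what the board tolerates for this category?"""
    return risk.score > TOLERANCE.get(risk.category, DEFAULT_TOLERANCE)


def assess(register: list) -> list:
    """Rate every risk and order the register so the most urgent come first."""
    rows = [{"category": r.category, "description": r.description, "score": r.score,
             "rating": rating(r.score), "needs_bcp": needs_bcp(r),
             "exceeds_tolerance": exceeds_tolerance(r)} for r in register]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def heat_map(register: list) -> list:
    """5x5 grid of risk counts, indexed grid[likelihood - 1][consequence - 1]."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        grid[r.likelihood - 1][r.consequence - 1] += 1
    return grid


def render_heat_map(register: list) -> str:
    """Text heat map: likelihood down the side (highest first), consequence across."""
    grid = heat_map(register)
    lines = ["likelihood \\ consequence".ljust(25) + "  ".join(f"C{c}" for c in range(1, 6))]
    for l in range(5, 0, -1):
        cells = "  ".join(f"{grid[l - 1][c - 1]:>2}" for c in range(1, 6))
        lines.append(f"L{l} {LIKELIHOOD[l]:<22}" + cells)
    return "\n".join(lines)


# Constructed sample register, using risks named in the guide's category tables.
SAMPLE_REGISTER = [
    Risk("Financial", "Rent arrears above benchmark", 4, 3),
    Risk("Operational", "Void and vacancy levels above benchmark", 3, 3),
    Risk("Information technology", "Poor IT controls, no backup/DR process", 2, 5, True),
    Risk("Business continuity", "No disaster recovery plan", 1, 5, True),
    Risk("Human Resources", "Lack of succession planning", 3, 2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        flags = ("BCP " if row["needs_bcp"] else "") + ("ACTION" if row["exceeds_tolerance"] else "")
        print(f"{row['score']:>2} {row['rating']:<7} {row['category']:<23} {row['description']:<40} {flags}")
    print(render_heat_map(SAMPLE_REGISTER))
```

Two points are worth noting in the output. The "No disaster recovery plan" risk scores only 5 (Medium) because it is rated Rare, yet it is still flagged for a BCP and still breaches its category's tolerance; a register that sorted purely on score would bury it. Conversely the Operational void risk scores 9 but sits exactly at its tolerance, so it is monitored rather than escalated, which is the distinction the guide draws between a risk target and a risk limit.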

Example risk categories:

Internal

Risk Category | Risk Sub-Categories | Category Description
Operational: Property Management | Poor asset management | Poor asset management planning results in poor property management, lower levels of tenant satisfaction and increasing costs
Operational: Housing Management | Void and vacancy levels above benchmark | Inability to fill voids and vacancies, leaving long periods of lost revenue, which may result in the CHP dropping below regulatory thresholds
Operational: Procurement | Poor project financing skills/financial modelling expertise | Increased financial risks and funding exposure due to increased leveraging and borrowing costs
Financial Management | Rent arrears above benchmark | Poor debt recovery and control results in reduced surplus and deteriorating cashflows
Information Technology | Poor IT controls and lack of backup and disaster recovery process | Risk of loss of critical data and extended disruption to time-critical operations
Human Resources | Lack of succession planning | High staff turnover leads to lack of continuity
Business Continuity | Lack of disaster recovery plan | Risk that all or part of operations and/or computer services are rendered unusable. Inability to recover from disruption of operations and to achieve organisational stability and orderly recovery after a disaster. Inability to minimise downtime and data loss


External

Risk Category | Risk Sub-Categories | Category Description
Strategic: Environmental | Natural disasters, flood, fire damage | Changes in location, weather, terrain or other physical factors that could materially impact business operations
Government and Political | Changes in government and policy setting | Changes to Government policy that may advantage or disadvantage the industry, the industry sector, or in special cases the funding and property title transfers
Stakeholders and Relationships | Poor stakeholder relationships | Relationship management and development of long-term collaboration / alignment of efforts and direction
Suppliers | Poorly drafted service level agreements | Reputational risk due to third-party reliance for critical processes
Economic Factors | Rising interest rates | Increased inflation leads to inability to pay rent and longer debtor days, and also increased demand on the waiting list
Corporate Governance | Non-compliance with legislative and registration requirements and reporting to external agencies | Poor understanding of legislative compliance requirements leads to fines and other penalties and non-registration
Reputational | Poor community perception | Lack of trust from community and tenants leads to failure to achieve strategic objectives and inability to influence stakeholders


Strategic risk management for risk mature CHPs

Strategic risk management is key to ensuring the organisation will be a leader in the industry, and it links performance and opportunities with risk management. For organisations to evolve to a higher level of risk maturity, they need to implement a process through which the organisation can:

- Integrate risk with strategy setting, and risk management with performance management.
- Understand the critical assumptions underlying the strategy and perform what-if analysis to challenge the norm and the assumptions.
- Proactively identify the uncertainties inherent in the strategy, with a focus on minimising as much as possible what they don't know about the soft spots in the strategy and business plan and what lies ahead in the planning horizon.
- Use the results of strategic risk analysis to drive monitoring of the external environment.
- Keep the risk assessment up to date as the business environment changes.


Useful references

In keeping abreast of best practice from the private and public sector, the NSW Federation of Housing Associations has developed this guide specifically for the housing sector. Key reading recommendations are:

CompliSpace (2010) The Risk Management Challenge for Community Housing Providers. Available at: http://www.complispace.com.au/images/PDF/riskresources/the%20risk%20management%20challege%20for%20community%20housing.pdf

CompliSpace (2011) Risk Management – Emergence, Obligations & what it means for Community Housing Providers. Available at: http://www.complispace.com.au/images/PDF/riskresources/risk%20management%20emergence%20obligations%20%20what%20it%20means%20for%20community%20housing%20providers.pdf

Deloitte (2009) Inside ISO 31000

Standards Australia (2009) AS/NZS ISO 31000:2009 Risk management – Principles and guidelines


Appendix A: Example Risk Register (the example register and heat map are not reproduced in this transcript)


Appendix B

Key Differences between AS/NZ 4360 and ISO 31000

Most CHPs will be familiar with the previous risk management standard AS/NZ 4360. AS/NZ 4360 proposed a clear and effective process for risk management activities that included establishing the risk management context for the organisation and then identifying, analysing, evaluating and treating the risks. For an introductory guide to AS/NZ 4360, please see the Federation's Risk Management Good Practice Guide [4].

[4] NSWFHA (2006) Corporate Governance Series Good Practice Guide 3 Risk Management, written under the previous Australian Standard for risk management AS/NZS 4360:2004.


ISO 31000 builds upon and incorporates this process. However, ISO 31000 goes further and addresses the entire risk management system, including the design, implementation and improvement of risk management processes.

CHPs should have a mandate and commitment to risk management under ISO 31000. ISO 31000 also emphasises the importance of making managers and the organisation as a whole accountable for risks and risk controls.

The standard makes clear that risk management itself should create value. In practice, this means that the resources dedicated to the risk management process should not be in excess of the potential consequences of the risk. Although ISO 31000 is based significantly on the 2004 edition of AS/NZS 4360, there are distinct differences. For example, under AS/NZS 4360 the definition of risk was "the chance of something happening that will have an impact on objectives". Under AS/NZS ISO 31000:2009, the definition of risk is now "the effect of uncertainty on objectives". The change in definition shifts the emphasis from "the event" (something happening) to "the effect", which is the effect of the event on the objectives (be it achieving a CHP's objectives, or individual project objectives).

