ISO 31000 and Risk Management - drj.com

Date post: 09-Jan-2022
ISO 31000 and Risk Management Copyright 2010 Assura, Inc. All rights reserved. August 19, 2010
Page 1: ISO 31000 and Risk Management - drj.com

ISO 31000 and Risk Management

Copyright 2010 Assura, Inc. All rights reserved.

August 19, 2010

Page 2: ISO 31000 and Risk Management - drj.com

What is risk?

All management is risk management!

Page 3: ISO 31000 and Risk Management - drj.com

Risk Management “Boot camp”

Threat + Vulnerability = Risk

Risk – Controls = Residual Risk

Residual Risk Probability + Residual Risk Impact = Risk Rating

Page 4: ISO 31000 and Risk Management - drj.com

Risk Types

• Strategic Risks – Inherent risks of doing business, going after new markets, regulatory

• Finance Risks – Treasury risks, credit risks, trading risks

• Operations Risks – People, compliance, process

• Information Risks – Operational and technological risks

Page 5: ISO 31000 and Risk Management - drj.com

About controls…

Control Types
• Preventive
• Detective
• Corrective

Control Categories
• Administrative
• Technical
• Personnel
• Physical

Page 6: ISO 31000 and Risk Management - drj.com

How do you manage and track risks?

• Enterprise Risk Management

– What is it? ERM establishes the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment.

– Who is involved? Everyone in the organization and the Board

Page 7: ISO 31000 and Risk Management - drj.com

And you should care because…

Page 8: ISO 31000 and Risk Management - drj.com

Recent History of ERM

• Cadbury Committee (UK) (1992)

• Chief Risk Officer created at GE (1992)

• AS/NZS 4360:1995 (revised 1999, 2004) released – first ever ERM standard

• 9/11 and collapse of Enron resulting in Sarbanes-Oxley Act (2000)

• International Standards Organization (ISO) forms an international working group to write a global guideline of managing risk – released 2009.

Page 9: ISO 31000 and Risk Management - drj.com

Global Corporate Governance Models

INTERNATIONAL – Basel I & II; ISO 31000 & 31010

All EU Countries
• Directives on Governance

Netherlands
• Code Tabaksblatt

UK
• Cadbury
• Turnbull
• Greenbury Rpt
• BS 31100 RM

France
• Vienot Com.
• Mrini Report
• Levy-Long Com.

Italy
• Draghi Commission

Germany
• Bill on The Control and Transparency of organizations
• KonTraG Bill

Canada
• Toronto Stock Exchange Committee
• Canadian Securities Committee
• Allen committee Report
• COCO
• Best Practice Stmt Mgmt

Japan
• Corporate Governance Forum of Japan
• J-SOX
• Stock Exchange Listing
• New Accounting Standards

Australia/New Zealand
• AS/NZS 4360:2004

US
• Business Round Table
• NYSE listing Requirements
• Blue Ribbon Commission
• Sarbanes Oxley Act
• COSO ERM Framework

South Africa
• Code of Best Practice
• King Report I, II and III
• Stakeholder Communication
• Public Finance Mgmt Act

Source: RIMS.org

Page 10: ISO 31000 and Risk Management - drj.com

Risk Management Frameworks

Which one is best for your organization?

• Organizational
– Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Integrated Framework (ERM-IF)
– Risk and Insurance Management Society (RIMS) Risk Maturity Model (RMM) for Enterprise Risk Management
– Australian/New Zealand Standard (AS/NZS 4360:2004)
– ISO 31000:2009 (replaced AS/NZS 4360:2004)

• Information Technology Focused (supports Organizational)
– Control Objectives for Information and related Technology (COBIT from ISACA)
– Guide to Assessment of IT Risk (GAIT from IIA)

• Risk Management Publications
– BS 31100:2008 and ISO 31000:2009
– ISO Guide 73 risk management – vocabulary
– ISO 31010 risk assessment techniques

Page 11: ISO 31000 and Risk Management - drj.com

ISO 31000 Risk Management – Principles and Guidelines

• Provides a very general and flexible framework for best practices in ERM

• Incorporates COSO, PMI (Project Management Institute) and AS/NZS 4360:2004

• Built on the premise that risk management is fully integrated into the organization and part of all decisions

• Allows for management of negative and positive risk

Page 12: ISO 31000 and Risk Management - drj.com

ISO 31000 10 Basic Principles

1. Creates value – not focused on loss

2. Integral part of the organization – in project management, strategic planning, etc.

3. Decision making through analysis and evaluation to understand risk

4. Explicitly addresses uncertainty and how it can be modified

5. Systematic, structured, timely, repeatable

Page 13: ISO 31000 and Risk Management - drj.com

10 Basic Principles (Cont.)

6. Based on available information – historic data, expert opinion.

7. Big or small – tailored to the organization

8. Includes human, cultural as well as technical factors that impact likelihood of consequences

9. Transparent and inclusive – communication and consultation with stakeholders

10. Incorporates continuous improvement and responds to changing environment

Page 14: ISO 31000 and Risk Management - drj.com

ERM Framework

• 31000 focuses on the framework that supports the Risk Management Process(es) or RMP

• Does not specify components, but gives conceptual guidance

• Aggregates information on risks, risk management, and performance of risk controls

• Must be practical and part of existing processes

Page 15: ISO 31000 and Risk Management - drj.com

ERM Framework Components – “The Lucky 7”

1. Mandate and commitment to the ERM framework

2. Risk management policy

3. Integration of ERM in the organization

4. Risk Management Process (RMP)

5. Communications and reporting

6. Accountability

7. Monitoring, review, and continuous improvement (Plan, Do, Check, Act)

Page 16: ISO 31000 and Risk Management - drj.com

[Figure: ERM framework diagram]

Source: RIMS.org

Page 17: ISO 31000 and Risk Management - drj.com

Risk Management Process

Establishing the Context
• Risk Management environment defined
• Risk Appetite/Tolerance should be defined
• Internal and External Context
• Risk Mgmt. Context

Risk Assessment
• Risk Identification
• Risk Analysis
• Risk Evaluation

Treat Risk
• Identify control option
• Select control option
• Implementation of control

Monitor and Review
• Ongoing Tracking and Monitoring

Communicate and Consultation

Page 18: ISO 31000 and Risk Management - drj.com

How To Leverage BC in an ERM Process

[Figure: Enterprise Risk Management; Risk Management Process; Risk Mgmt. Policy; Business Impact Analysis; Risk Assessment]

Tools to leverage for integration:
• BC/COOP/Emerg. Planning
• Financial Controls
• Business Operations
• IT Security/ Disaster Rec.
• Physical Security

Page 19: ISO 31000 and Risk Management - drj.com

Analyze Risk: Risk Mapping (a.k.a. Heat Map)

Vertical axis: Significance (Impact), Low to High. Horizontal axis: Likelihood (Probability), Low to High.

Secondary Risks (low likelihood, high impact)
• Lower likelihood, but could have significant adverse impact on business objectives

Key Risks (high likelihood, high impact)
• Critical risks that potentially threaten the achievement of business objectives

Low Priority Risks (low likelihood, low impact)
• Significant monitoring not necessary unless change in classification
• Periodically reassess

Secondary Risks (high likelihood, low impact)
• Lesser significance, but more likely to occur
• Consider cost/benefit trade-off
• Reassess often to ensure changing conditions (move to high significance)

Source: www.knowledgeleader.com

Page 20: ISO 31000 and Risk Management - drj.com

Risk Ratings – Other types

RISK IMPACT (columns) against FREQUENCY OF OCCURRENCE / PROBABILITY (rows):

                     IV (Catastrophic   III (Critical   II (Marginal   I (Negligible
                     or Emergency)      or High)        or Medium)     or Low)
4 (Frequent)         8                  7               6              5
3 (Probable)         7                  6               5              4
2 (Occasional)       6                  5               4              3
1 (Remote)           5                  4               3              2
0 (Improbable)       4                  3               2              1

Page 21: ISO 31000 and Risk Management - drj.com

Evaluate Risks:Types of Risk Decisions

• Avoidance – a decision not to become involved in, or to withdraw from, a risk situation.

• Acceptance – acceptance of the burden of loss, or benefit of gain, from a particular risk.

• Reduction – actions taken to lessen the likelihood, the negative consequences, or both, associated with a risk.

• Sharing of risk – sharing with another party the burden of loss, or benefit of gain, from a particular risk.

Page 22: ISO 31000 and Risk Management - drj.com

Monitor Risk: Tracking the Risk

• Risk Register (Keep It Simple!)

– Identified Risk with Description

– Risk Category (Type of Risk)

– Risk Score (Residual Risk Probability + Residual Risk Impact)

– Risk Owner

– Risk Decision
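The scoring the deck lays out (page 3's Risk – Controls = Residual Risk and Residual Risk Probability + Residual Risk Impact = Risk Rating, the page 20 rating matrix, the page 19 heat map quadrants and the page 22 register fields) carried through as a small risk register, as an added Python example; this is not the deck's or Assura's code. The way controls are modelled (each control removes a number of steps from one axis), the heat-map threshold (an axis counts as "High" from 3 upward) and the sample entries are assumptions made for the example.

```python
"""Risk register on the deck's scoring: rating = residual probability + residual impact.
Added example; the control-reduction model and the heat-map threshold are assumptions."""
from dataclasses import dataclass, field

# Scales as printed in the deck's rating matrix (page 20).
PROBABILITY = {0: "Improbable", 1: "Remote", 2: "Occasional", 3: "Probable", 4: "Frequent"}
IMPACT = {1: "Negligible or Low", 2: "Marginal or Medium",
          3: "Critical or High", 4: "Catastrophic or Emergency"}
# Vocabularies from the deck (pages 4, 5 and 21); used only to validate register rows.
RISK_TYPES = {"Strategic", "Finance", "Operations", "Information"}
CONTROL_TYPES = {"Preventive", "Detective", "Corrective"}
CONTROL_CATEGORIES = {"Administrative", "Technical", "Personnel", "Physical"}
DECISIONS = {"Avoidance", "Acceptance", "Reduction", "Sharing"}


def risk_rating(probability: int, impact: int) -> int:
    """Residual Risk Probability + Residual Risk Impact = Risk Rating (1..8 on these scales)."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError(f"probability {probability!r} / impact {impact!r} is off the scale")
    return probability + impact


def rating_matrix() -> dict:
    """Every (probability, impact) cell of the page 20 matrix, derived from the formula."""
    return {(p, i): risk_rating(p, i) for p in PROBABILITY for i in IMPACT}


def heat_map_quadrant(probability: int, impact: int, threshold: int = 3) -> str:
    """Quadrant from the page 19 heat map. Assumption: an axis is 'High' at >= threshold."""
    high_likelihood = probability >= threshold
    high_impact = impact >= threshold
    if high_likelihood and high_impact:
        return "Key Risks"
    if high_impact:
        return "Secondary Risks (lower likelihood, significant impact)"
    if high_likelihood:
        return "Secondary Risks (lesser significance, more likely)"
    return "Low Priority Risks"


@dataclass
class Control:
    name: str
    control_type: str               # Preventive / Detective / Corrective
    category: str                   # Administrative / Technical / Personnel / Physical
    probability_reduction: int = 0  # assumption: steps removed from the probability scale
    impact_reduction: int = 0       # assumption: steps removed from the impact scale

    def __post_init__(self):
        if self.control_type not in CONTROL_TYPES or self.category not in CONTROL_CATEGORIES:
            raise ValueError(f"unknown control type/category for {self.name}")


@dataclass
class RiskEntry:
    """One register row (page 22): description, category, score, owner, decision."""
    risk_id: str
    description: str
    category: str
    owner: str
    inherent_probability: int
    inherent_impact: int
    controls: list = field(default_factory=list)
    decision: str = "Reduction"

    def __post_init__(self):
        if self.category not in RISK_TYPES or self.decision not in DECISIONS:
            raise ValueError(f"unknown category/decision for {self.risk_id}")
        risk_rating(self.inherent_probability, self.inherent_impact)  # validates the scales

    def residual(self) -> tuple:
        """Risk - Controls = Residual Risk, clamped to the bottom of each scale."""
        p = self.inherent_probability - sum(c.probability_reduction for c in self.controls)
        i = self.inherent_impact - sum(c.impact_reduction for c in self.controls)
        return max(min(PROBABILITY), p), max(min(IMPACT), i)

    def score(self) -> int:
        return risk_rating(*self.residual())


def build_register(entries: list) -> list:
    """Register rows, highest score first, so the Key Risks rise to the top."""
    rows = []
    for e in entries:
        p, i = e.residual()
        rows.append({"risk_id": e.risk_id, "description": e.description, "category": e.category,
                     "residual": f"{PROBABILITY[p]} / {IMPACT[i]}", "score": e.score(),
                     "quadrant": heat_map_quadrant(p, i), "owner": e.owner, "decision": e.decision})
    return sorted(rows, key=lambda r: (-r["score"], r["risk_id"]))


# Constructed sample entries, not taken from the deck.
SAMPLE_ENTRIES = [
    RiskEntry("R-001", "Loss of primary data centre power", "Operations", "Facilities Mgr", 4, 4,
              [Control("Backup generators", "Preventive", "Physical", probability_reduction=2),
               Control("Tested DR plan", "Corrective", "Administrative", impact_reduction=2)]),
    RiskEntry("R-002", "Unauthorised access to customer records", "Information", "CISO", 3, 4,
              [Control("MFA on remote access", "Preventive", "Technical", probability_reduction=1),
               Control("Daily log review", "Detective", "Technical", impact_reduction=1)]),
    RiskEntry("R-003", "Key supplier insolvency", "Finance", "CFO", 1, 3, decision="Sharing"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(f'{row["risk_id"]} score={row["score"]} {row["quadrant"]:<52} {row["decision"]}')
```

Running it lists R-002 first (residual Occasional / Critical, score 5), then R-001 and R-003 (score 4 each). Because the rating is a plain sum, R-001 and R-003 tie even though one is a low-impact operational risk after controls and the other an accepted high-impact one; the quadrant column is what separates them, which is why the register carries both the score and the heat-map placement.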

Page 23: ISO 31000 and Risk Management - drj.com

Perceived Deficiencies with ISO 31000

Risk management policies, roles and responsibilities
• Insufficient detail of risk architecture, strategy, protocols

Risk management principles
• Confusion between what risk management is and what it delivers

Risk management specialist areas not included
• Project risk management and clinical risk management

Risk governance
• No mention of “risk appetite”
• Lack of detail for risk reporting and auditing controls

Source: RIMS.org

Page 24: ISO 31000 and Risk Management - drj.com

Final Thoughts…

• Start Small – Document and obtain agreement on the Risk Appetite – “Establishing the Context”

• There are no “right” and “wrong” answers to every risk. Make the best decision you can with the most available data!

• Engage all parts of the organization!

Page 25: ISO 31000 and Risk Management - drj.com

Karen L. Cole, CBCP, SBCI
Assura, Inc.

804.672.8714
[email protected]

www.assuraconsulting.com
