Ferma Risk Management Forum 2009
Prague, 4-7 October
Considerations elaborated by Alex Dali & Christopher Lajtha
The Global Village
Future of Risk Management
“ISO 31000:2009, an incentive or a constraint for implementing Risk Management in an organization?”
Things to watch out for…
Alex Dali, Managing Partner ATLASCOPE
ARM, EFARM, Master in Risk Management & Insurance
Member of the AFNOR French Commission on RISKS
Co-author of the article “ISO 31000: the Gold Standard”
published by StrategicRISK, September 2009
Internationally-recognised reference
• International consensus
• single global reference for stakeholders
• wide application
• “umbrella” for more than 60 standards
• should not be ignored
ISO Standard vs ISO Guideline?
• Risk Management – Principles and Guidelines
• Voluntary application, not prescriptive, no legal requirement
• Specifically not intended for certification
• ISO 31000 a certifiable standard? NO!
Simple risk management architecture
• 3-pillar structure
• robust and simple to apply
• Opportunity to review existing RM practices
• Track similarities and differences
ISO 31000:2009 Figure 1 – Relationship between the principles, framework and process
Principles (Clause 3)
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization
Framework (Clause 4)
• Mandate and commitment (4.2)
• Design of framework (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the framework (4.5)
• Continual improvement of the framework (4.6)
Process (Clause 5)
• Communication & consultation (5.2)
• Establishing the context (5.3)
• Risk assessment (5.4): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring & review (5.6)
… not a parallel management system
• Avoid the troubled implementation of the ISO 9000 series
• Promote business performance
• No bureaucratic compliance reporting system
Text of the ISO 31000 standard
• The text is short and clear
• Not radically new
• Exaggeration and self-serving statements
Vocabulary ISO Guide 73
Engineer → risk = danger
Modeller → risk = event
Manager → risk = uncertainty towards objectives
Health → risk = threat (purely negative)
Finance → risk = return
Public sector → risk = disruption of service or job losses
• All activities of an organization involve risks
• All activities of an organization involve combinations of probabilities of events and their consequences!!!
• All activities of an organization involve effects of uncertainty on its objectives
Vocabulary ISO Guide 73
• Review by the same committee
• 51 definitions related to RISK
• Many improvements
• Use language meaningful to your organisation
• Remove terms and definitions invented locally
Credit Rating Agency enquiries…
• S&P – Development of ERM analysis in response…
• Points of interest: strategy, management vision, diagnostic, communications
• Exclusions: treatment (risk-control measures)
• Existing ERM processes not very formalized
• A decentralized ERM organization
• Underfunded and underintegrated ERM
• Weak ERM culture and strategic risk management
(extracts)
Standard & Poor's
Rating and cost of capital
Figure: management system domains – Quality, Environment, OH&S, Information security, Finance, Equipment safety, Food safety, Supply chain
COSO - ERM
« ERM is effective if management has reasonable assurance that they understand the following:
• Strategic objectives are being achieved
• Operational objectives are being achieved
• Reporting is reliable
• Laws and regulations are being complied with »
Is it risk management or compliance?
Figure: national and regional risk management standards
• FERMA:2004 – Europe
• AS/NZS 4360:2004 – Australia/NZ
• COSO ERM – USA
• Japan
• CAN/CSA-Q850-1997 – Canada
• BSI 31100; AIRMIC, ALARM, IRM:2002 – Great Britain
• ONR 49000:2008 – Austria (Germany/Switzerland)
Figure labels: Certification of RM – Certification remain – Reference by law
Successor documents: AS/NZS 4360:2009, ONR 49000, BSI 31100, JIS Q 200x, CAN/CSA-Q850-20xx ? ?