Launching ISO 31000 – The New Risk Management Standard

Date post: 22-Feb-2016

Description: Launching ISO 31000 – The New Risk Management Standard. STRIMA National Conference, September 13, 2010. PowerPoint PPT presentation.
Page 1: Launching ISO 31000 – The New Risk Management Standard

Launching ISO 31000 – The New Risk Management Standard

STRIMA National Conference, September 13, 2010

Page 2

Agenda

• Framing the issue: the need for a broader view of “risk”
• Why do we need a standard on risk management? The evolution of ISO 31000
• Overview of ISO 31000 and 31010
• Implementation advice and resources

Page 3

[Figure: a map of the risks facing public entities, grouped into four areas (Financial Risks, Strategic Risks, Operational Risks, Hazard & 3rd Party Risks) and split between Internal Risks and External Risks; one area of the map is marked as the typical purview of RM. Risks named on the map: bank failures, stock market performance, unemployment, interest rates, budget cuts, investment limitations, tax caps, bond rating, retirement funding, capital availability, credit markets stability, currency & foreign exchange rate fluctuations, unexpected loss of revenue, health care costs, revenue & grant $$ management, counterparty risk, financial reporting, mergers & acquisitions of key partners or vendors, ethics violations, reputation, negative media coverage, stakeholders’ interests, strategy & initiatives, union relations, long-term planning vs. budget limitations, public-private partnerships, health & safety violations, HR & personnel risks, utilities failure, workplace violence, public support, theft, embezzlement, gov’t sanctions, accounting or internal controls failures, facilities maintenance, aging infrastructure, IT system failure, business interruption, loss of key suppliers, mandated public services, code violations, quality control, workers’ comp, building security, public safety, lawsuits, piracy & counterfeiting, war, natural events & catastrophes, terrorism, fraud, governance, compliance, disease & epidemics, mold exposure, asbestos exposure, student activities, director & officer liability, geopolitical risks, animal or insect infestation, pollution, contractual liability, building subsidence or collapse, labor practices, procurement, unfunded mandates, energy costs, code of conduct, meeting public expectations.]

Page 4

The Baltimore Sun, July 16, 2008: An underground fire shut down power to 30 residential and commercial buildings in Baltimore and took nearly 10 hours to control. Baltimore’s utility lines are part of the city’s aging infrastructure – carrying electricity, cable, telephone, street light and fiber-optic service through 3.7 million feet of conduits. The cost to update the >100 year-old system is $900 million.

Page 6

The Emerging Risk Environment

Sources of Risk: Factors Influencing Public Entities (Cities, Counties, Schools, States)

Technological
• Breakdown of critical info infrastructure
• Public data protection
• Pressure to keep up

Societal
• Pandemics & infectious diseases
• Increase in need for social services
• Public health demands
• Push to improve education
• Increased crime & violence

Economic
• Investment failures
• Unfunded mandates
• Budgets subject to limited, decreasing revenue streams
• Funding retiree health care and pensions

Environmental
• Climate change
• Natural catastrophes
• Pollution regulations (e.g. GASB 29)
• Global pollution
• Aging infrastructure

Geopolitical
• International terrorism
• Funding disparities – state to state (e.g. stimulus $$)
• Supply chain issues
• How will global standard for RM apply to US?

Page 7

Risk Management is Evolving

Transactional → Integrated → Strategic

Traditional Risk Management (risk is bad – focus is on transferring risk)
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency mgmt handled separately
• “Silo” approach – risk mgmt is not integrated across the organization
• Risk Manager is the insurance buyer

Advanced Risk Management (risk is an expense – focus is on reducing cost-of-risk)
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as depts are willing
• Risk Manager may be the risk owner

Enterprise-wide Risk Management (risk is uncertainty – focus is on optimizing risk to achieve goals)
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader

Page 8

The Development of RM in the US

• Finance: PRMIA, GRC
• Audit: IIA, COSO
• Safety: ASSE, NASP, ASA
• Risk Mgmt: RIMS, PRIMA, STRIMA, URMIA, ASHRM

Page 9

Global Corporate Governance Models

All EU Countries
• Directives on Governance

Netherlands
• Code Tabaksblatt

UK
• Cadbury
• Turnbull
• Greenbury Rpt
• BS 31100 RM

France
• Vienot Com.
• Mrini Report
• Levy-Long Com.

Italy
• Draghi Commission

Australia/New Zealand
• HB 317 on Risk Communication
• Stock Exchange Listing
• New Accounting Standards
• Best Practice Stmt Mgmt

US
• Business Round Table
• NYSE listing Requirements
• Blue Ribbon Commission
• Sarbanes Oxley Act
• COSO ERM Framework

Canada
• Toronto Stock Exchange Committee
• Canadian Securities Committee
• Allen committee Report
• COCO
• CAN/CSA-Q850 (draft)

South Africa
• Code of Best Practice
• King Report I, II, III
• Stakeholder Communication
• Public Finance Mgmt Act

Japan
• Corporate Governance Forum of Japan
• J-SOX

Germany
• Bill on The Control and Transparency of organizations
• KonTraG Bill

INTERNATIONAL (All countries) – Basel I & II; ISO 31000

Developed by Dorothy Gjerdrum, AJG & Mary Peter of Eide Bailly LLP

Page 10

A Good Intro to ERM

Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk.

Risk may be:
• A driver of strategic decisions
• The cause of uncertainty in an organization
• Embedded in the activities of the organization

An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services.

Excerpt from the Executive Summary “A Structured Approach to ERM and the Requirements of ISO 31000” published by airmic, alarm and the irm – all based in the U.K.

Page 11

Evolution of the US TAG

• ANSI sought support early in process – no qualified organization stepped up until 2008

• ASSE Council on Practices & Standards agreed to serve as secretary to US TAG

• ASSE turned to its membership to recruit Technical Advisory Group (TAG) members

Page 12

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.

Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.

Page 13

ISO 31000:2009

• Australia, New Zealand & Japan initiated its creation
• 18+ countries participated
• 6 meetings over several years
• Adopted in November of 2009, now officially the first International Standard on Risk Management
• Guide 73 & ISO 31010 quickly followed
• Now also the American Standard on RM

Page 14

ASSE Formed the US TAG

Chair: Dorothy Gjerdrum, Arthur J. Gallagher
Vice Chair: Wayne Salen, RIMS

• Consumer/Directly Affected Public (6)
• General Interest (5)
• Government Body/Organization (2)
• Producer/Manufacturer (3)
• User (4)

Page 15

US ISO TAG Participants

• AH & T Insurance
• AIHA
• AJ Gallagher
• ASSE
• Bayer Materials
• Brazosport College
• Eide Bailly, LLP
• ESIS
• McCulley Eastham
• PMMI
• Pilz Automation
• Project Mgmt Trust
• PRIMA
• RIMS
• Safety Mgmt Consultants
• TC 176 TAG
• Washington Group
• Woods Hole
• Wyeth

Page 16

What’s Next for the US TAG?

• Proposal from the UK to develop an international implementation guide – if that proposal is accepted by ISO, we’ll participate
• US subcommittee working on a US Implementation Guide
• ISO 31000 will be open for revision beginning in 2012
• The US ISO TAG is still open to new members – contact Tim Fisher at ASSE

Page 17

ISO 31000 – Quick Overview

• The basis of ISO 31000
• Overview of the process
• Understanding Principles, Framework and Process
• Select definitions
• Key concepts

Page 18

It’s a Broad Approach to Risk

1. All organizations exist to achieve their objectives
2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve its objectives
3. The effect this uncertainty has on an organization’s objectives is “risk”

Page 19

Scope of ISO 31000

This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.

Page 20

ISO 31000 – Highlights

• Streamlined and easy to understand
• Proactive approach vs compliance
• Emphasizes top-down implementation
• Links risks to strategy & the achievement of objectives
• Addresses both upside and downside of risk
• Provides a consistent approach that can be tailored to any type of operation in any location and integrated with other standards and guidelines

Page 21

Overview of the Process from ISO 31000

The principles provide the foundation and describe the qualities of effective risk management in an organization.

The framework manages the overall process and its full integration into the organization.

The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.

Monitoring & review, continual improvement and communication occur throughout.

Page 22

[Figure: how the ISO 31000 principles, framework and RM process relate to each other.]

Principles: creates value; part of org. processes; part of decision making; explicitly addresses uncertainty; systematic, structured & timely; based on best avail info; tailored; considers human & cultural factors; transparent & inclusive; dynamic, iterative & responsive to change; continual improvement.

Framework: mandate & commitment → design framework for managing risk → implement risk management → monitor and review the framework → continually improve the framework.

RM Process: establish the context → risk assessment (risk identification, risk analysis, risk evaluation) → risk treatment, with “communicate and consult” and “monitor and review” running alongside every step.

Page 23

Why ISO Outlines Principles

The principles that govern the process:
• Establish the values and philosophy of the process
• Support a comprehensive and coordinated view of risk that applies to the entire organization
• Link the framework and practice of risk management to the strategic goals of the entity
• Align risk management to corporate activities

Page 24

Risk Management Principles

Risk Management:
• Creates value
• Is an integral part of all organizational processes
• Is part of decision-making
• Explicitly addresses uncertainty
• Is systematic, structured and timely
• Is based on the best available information

Page 25

Risk Management Principles (cont’d)

Risk Management:
• Is tailored
• Takes human and cultural factors into account
• Is transparent and inclusive
• Is dynamic, iterative and responsive to change
• Facilitates continual improvement & enhancement of the organization

Page 26

Why ISO Specifies the Framework

• Maps out how the management of risk will be integrated across the organization
• Assures that the corporate-wide process is supported, iterative and effective
• Details how risk management will be an active component in governance, strategy and planning, management, reporting processes, policies, values and culture
• Provides for reporting & accountability

Page 27

The Framework Includes:

• The organization & its context
• Risk Management Policy
• Accountability
• Integration into organizational processes
• Resources
• Communication & reporting – internal
• Communication & reporting – external

Page 28

The Risk Management Process

• Applies to portfolio of risks and individual risks
• Begins with the context – always tailored to the organizational environment
• Emphasizes continual:
  – Communication & consultation
  – Monitoring & review

[Figure: the RM process diagram: establish the context → risk assessment (risk identification, risk analysis, risk evaluation) → risk treatment, with “communicate and consult” and “monitor and review” alongside every step.]

Page 30

Implementation Examples

• Community college district wants to review the risk & opportunity of expanding its journalism department (grant money) and sending students into high-conflict, emerging news areas of the world
• Individual interviews re risk uncover unsafe money transfer procedures
• The “Aha!” moments of realizing crossover risks or cumulative risks

Page 31

Select Definitions

Risk = the effect of uncertainty on objectives. An effect is a deviation from the expected – positive or negative. Risks may be described as a combination of likelihood and consequences.

Risk management = the coordinated activities to direct and control an organization with regard to risk.

Risk owner = the person with the accountability and authority to manage the risk.
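As an added illustration that is not part of the presentation, the process steps of page 28 and the definitions above carried into a small risk register: risk scored as likelihood combined with consequence, positive deviations kept as opportunities, evaluation against criteria set when establishing the context, and a review step that checks each treated risk has an accountable risk owner. The scales, the tolerance threshold, the owner table and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not from the presentation: a minimal risk register that walks the
# ISO 31000 process steps named on the slides (establish the context, identify,
# analyse, evaluate, treat, then monitor and review). Scales, criteria, owners and
# the sample risks are constructed assumptions for illustration.

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}

@dataclass
class Context:
    # Establish the context: the objective at stake and the risk criteria.
    objective: str
    tolerance: int          # a score at or above this must be treated (or pursued)
    owner_by_area: dict     # who has the accountability and authority per area

@dataclass
class Risk:
    # Risk = effect of uncertainty on objectives, described by likelihood and consequence.
    description: str
    area: str
    likelihood: str
    consequence: str
    upside: bool = False    # True marks an opportunity (a positive deviation)
    score: int = 0
    owner: str = "unassigned"
    decision: str = ""

def analyse(risk: Risk) -> Risk:
    # Risk analysis: combine likelihood and consequence into one score.
    risk.score = LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]
    return risk

def evaluate(risk: Risk, ctx: Context) -> Risk:
    # Risk evaluation: compare the score with the criteria set in the context,
    # then record the treatment decision and the accountable risk owner.
    risk.owner = ctx.owner_by_area.get(risk.area, "unassigned")
    above = risk.score >= ctx.tolerance
    if risk.upside:
        risk.decision = "pursue" if above else "monitor"
    else:
        risk.decision = "treat" if above else "retain"
    return risk

def run_process(ctx: Context, identified: list) -> list:
    # Identification -> analysis -> evaluation for every risk in the register.
    return [evaluate(analyse(r), ctx) for r in identified]

def review(register: list) -> list:
    # Monitor and review: a risk that must be treated or pursued but has no
    # accountable owner cannot be managed, so flag it for the next cycle.
    return [r.description for r in register
            if r.decision in ("treat", "pursue") and r.owner == "unassigned"]

CTX = Context("Deliver public services without interruption", tolerance=8,
              owner_by_area={"IT": "CIO", "Facilities": "Public Works Director"})

REGISTER = run_process(CTX, [
    Risk("IT system failure", "IT", "likely", "major"),
    Risk("Aging infrastructure (>100-year-old conduits)", "Facilities", "almost certain", "moderate"),
    Risk("Mold exposure in a storage annex", "Facilities", "rare", "moderate"),
    Risk("Expand journalism department with grant money", "Academics", "possible", "major", upside=True),
])
```

Running review(REGISTER) after each cycle returns the risks that must be treated or pursued but still lack an accountable owner; here the journalism opportunity is flagged because no owner is defined for its area.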

Page 32

Risk Mgmt & Other Initiatives

• RM supports strategic initiatives, mission and goals and links to them
• RM can support management processes (e.g. balanced scorecard, performance management measures)
• RM will help build success of key initiatives by identifying barriers and risks and ways to mitigate them

Page 33

Key Concepts of ISO 31000

• Risk Management is about exploiting opportunities as well as preventing problems (upside & downside risks)
• It is tied to business objectives and strategies – and supports them
• It works within the organization’s culture and will become integral to decision making
• It will ensure that Risk Management applies to all levels of the organization and to all activities

Page 34

ISO 31010 – Risk Assessment Techniques

• Risk assessment concepts
• Process
• Techniques

[Figure: the RM process diagram again, with the risk assessment stage (risk identification, risk analysis, risk evaluation) highlighted between establishing the context and risk treatment; “communicate and consult” and “monitor and review” run alongside.]

Page 36

Implementation Advice

• Educate yourself, develop your “elevator speech”, build your network of peers
• Seek opportunities for a broader approach to risk
• Develop tools & resources – and develop your leadership skills
• Be patient – it’s a journey, not a destination
• Create an inventory of risk management practices across all operations; can you build support for integration?

Page 37

Risk Management Standards

• COSO ERM Framework (2004)
• British Standards Assoc: Risk Management – Code of Practice – BSI 31100:2008 (under revision)
• ISO 31000 – Risk Mgmt Principles and Guidelines
• ISO 31010 – Risk Assessment Process
• HB 327:2010 Communicating and Consulting About Risk – from Australia/New Zealand
• Canadian Standards Association CAN/CSA-Q850 Implementation of ISO 31000 – publication pending
• US Implementation Guide – publication pending

Page 38

RM Standards – My Recommendations

• Buy the standard – ISO 31000 – Risk Mgmt Principles and Guidelines: www.asse.org or www.ansi.org
• Download the alarm/airmic/irm handbook (free)
• Buy either the Canadian Standards Association CAN/CSA-Q850 Implementation of ISO 31000 (expected publication in fall of 2010) or the US Implementation Guide (publication in 2011)

Page 39

ERM Training – My Recommendations

• Canadian Standards Association – Implementing ISO 31000
• Insurance Institutes of America (IIA) training on ERM – ARM 57
• www.theiia.org – online risk management training that includes ERM and ISO 31000 references

Page 40

Dorothy Gjerdrum, ARM-P
Executive Director, PESD
Arthur J. Gallagher Risk Mgmt
[email protected]

Thank You!
