7/29/2019 Risk Management and ISO 31000 - An Overview
Risk Management and ISO 31000
Doug Newdick
What Is Risk Management?
Risk is:
The effect of uncertainty on the ability of an organisation to meet its objectives.
Risk management is:
The range of activities that an organisation intentionally undertakes to understand and reduce these effects.
Effective risk management is:
Executing these activities efficiently and in a way that actually and demonstrably improves the ability of the organisation to meet its objectives in a repeatable fashion.
What Is ISO 31000?
ISO 31000:2009 is:
An international standard that provides principles and guidelines for effective risk management
Not specific to any industry or sector
Able to be applied to any kind of risk
Able to be applied to any kind of organisation
Intended to be tailored to meet the needs of the organisation
The generic approach described in this Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.
What Does ISO 31000 Cover?
ISO 31000:2009 contains:
A set of risk management terms and their definitions
A set of principles for guiding and informing effective risk management for an enterprise
An outline and process for creating a risk management framework
An outline and process for creating a risk management process
ISO 31000 is:
Clear
Sensible
Brief (24 pages)
What Does ISO 31000 Not Cover?
Detailed instructions on how to manage risk
A complete risk management framework
A complete risk management process
Formats or attributes for describing risks
Templates
Guidance on how to identify risks
Advice on how to manage risks for a specific domain
Background to ISO 31000
Australia and NZ developed AS/NZS 4360:1999 in 1999. This was revised and reissued as AS/NZS 4360:2004 in 2004. Australia and New Zealand led the world in enterprise risk management at this point!
There was no agreed de jure or de facto international standard in place at this stage. There were a small number of competing frameworks which were regarded as unsatisfactory.
In 2005 the International Standards Organisation started work on ISO 31000 using AS/NZS 4360:2004 as its first draft.
ISO 31000 was issued to widespread acclaim in 2009.
ISO 31000 An Overview
Principles guide the creation of the framework
The framework defines the process
The performance of the process feeds back into the framework
[Diagram: Principles -> Framework -> Process]
ISO 31000 An Overview: Principles
Risk Management Principles
Creates and protects value
Integral part of organisational processes
Explicitly addresses uncertainty
Part of decision making
Systematic, structured, and timely
Based on the best information
Tailored
Takes human and cultural factors into account
Transparent and inclusive
Dynamic, iterative and responsive to change
Facilitates continual improvement of the organisation
ISO 31000 An Overview: Framework
[Diagram of the framework cycle]
Mandate and commitment
Design of framework for managing risk
  Understanding the organisation and its context
  Establishing risk management policy
  Accountability
  Integration into organisational processes
  Resources
  Establishing internal communication and reporting mechanisms
  Establishing external communication and reporting mechanisms
Implementing risk management
  Implementing the framework for managing risk
  Implementing the risk management process
Monitoring and review of the framework
Continual improvement of the framework
ISO 31000 An Overview: Process
[Diagram of the process]
Establishing the context
Risk assessment
  Risk identification
  Risk analysis
  Risk evaluation
Risk treatment
Running alongside every step:
  Communication and consultation
  Monitoring and review
Why Use ISO 31000?
Save yourself time and effort:
Using the terms, principles and guidelines in ISO 31000 means you don't have to spend time and effort creating your own. You can spend time on the things that really add value: managing the actual risks.
Facilitate communication:
Avoid misunderstandings by using concepts and terms that are well known in the risk management community.
Provide higher quality output:
Take advantage of the significant expertise in risk management that the ISO has used in coming up with the standard. Ensure you don't miss out any aspects of risk management by using the standard as a checklist.
How Do I Apply ISO 31000?
When should I use ISO 31000?
When you are asked to identify or assess risks
When you are asked to manage risks
When you are asked to assess a risk management framework or process
How should I use ISO 31000?
Use it to frame the scope of the work
Use it to guide the engagement
Use it to create a risk management process
ISO 31000 In Summary
ISO 31000 gives you a structured, credible foundation for discussions about risk and risk management.
ISO 31000 gives you a starting point for a risk management process if you don't have one.
ISO 31000 gives you a standard vocabulary for talking about risks and risk management.
ISO 31000 gives you a baseline for comparisons and assessments of risk management processes.
For Further Resources
Visit my blog:
http://dougnewdick.wordpress.com
Follow me on Twitter: @dougnewdick