
Risk management best practice is ISO 31000
John Shortreed
Director, Institute for Risk Research
University of Waterloo
IMPLEMENTING RISK MANAGEMENT IN 2008
Toronto May 9, 2008

ISO 31000 is a must have for Organizations
International standards allow for easy interchange of ideas, contractual arrangements, and innovation
Standards can also be checklists, meaningless exercises in futility and a boon to consultants
31000 is non certifiable which makes it a good standard
Now 10 years since ISO Guide 73 and 20 years since AUS/NZ 4360 and CSA Q850: well discussed, tested, and validated
Why did the Canadian cross the road?

31000 is high level but comprehensive
30 countries have met for some 40+ days
NO significant GAPS and COVERS almost ALL POSSIBILITIES
Translation may be needed, for example, Canada will have a supplementary standard
Implementation is not trivial, large companies will have 100+ existing risk management activities with different terminology, processes, etc. JUNGLE OUT THERE

Short History of Risk Management
3000 BC: right or wrong Captain is right and goes down with the ship
Darwin: survival of the fit, get fit
If you have an enemy, kill them (The Prince)
Safety in numbers (insurance): Lloyd's coffee house
Britannia rules the seas: good set of controls for internal (Billy Budd) and external risks (North America)
1960 Zurich Re Bluebook (heat map, teams, risk criteria, identification, the works), or Boeing first?
1965 Drucker: risk in every decision
Against the Gods, Peter Bernstein: foundation
Risk Management Books: 1 per week
2009 ISO 31000: positive risk and best practice

One view of an Organization
Directed, non equilibrium, SYSTEM of AGENTS
No optimal system configuration (Mike Batty)
Norm is constant change at the top, think Loblaw, Stern
Agents independent within corporate context
Management games like scenarios, what if?, to understand the chaotic, teeming, caldron of risks
Rules/accountability to protect society, public, employees, and to guide management
31000 is needed particularly with globalization

What is ISO 31000?
Principles and Guidelines on Implementing Risk Management
11 principles and 5 attributes of excellence
OBJECTIVES driven within Context by Risk Criteria
ACCOUNTABILITY
Organization wide FRAMEWORK
Individual decision maker Risk Management PROCESS
Design, implementation, monitor and review, KPI, documentation, CONTINUOUS IMPROVEMENT

a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization

ISO Overview
3 main clauses plus terminology

Principles for managing risk (Clause 4)

Framework for managing risk (Clause 5)
5.2 Mandate and commitment
5.3 Design of framework for managing risk
5.4 Implementing risk management
5.5 Monitoring and review of the framework
5.6 Continual improvement of the framework

Process for managing risk (Clause 6)

ISO 31000 Framework for Risk Management

5.2 Mandate and commitment

5.3 Design of framework for managing risk
5.3.1 Understanding the organization and its context
5.3.2 Risk management policy
5.3.3 Integration into organizational processes
5.3.4 Accountability
5.3.5 Resources
5.3.6 Establishing internal communication and reporting mechanisms
5.3.7 Establishing external communication and reporting mechanisms

5.4 Implementing risk management
5.4.1 Implementing the framework for managing risk
5.4.2 Implementing the risk management process

5.5 Monitoring and review of the framework

5.6 Continual improvement of the framework

Terminology (Guide 73)

risk management: coordinated activities to direct and control an organization with regard to risk

risk: effect of uncertainty on objectives

risk evaluation: process of comparing the results of risk analysis against risk criteria to determine whether the level of risk is acceptable or tolerable (part of risk management process)

stakeholder: those people and organizations who can affect, be affected by, or perceive themselves to be affected by a decision or activity

risk management process: systematic application of management policies, procedures and practices to the tasks of communicating, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk

risk treatment: process of developing, selecting, and implementing measures to modify risk (part of risk management process)

Other terms shown:
external context, internal context, risk management policy, risk management framework, risk management plan, risk appetite, risk owner, risk management audit, exposure
risk profile, risk attitude, resilience
event, consequence, risk criteria, risk tolerance, risk matrix, risk aggregation, likelihood, risk aversion, uncertainty
communication and consultation, risk perception, risk reporting
probability, frequency, level of risk
risk assessment, risk register, risk source, hazard, risk identification, risk analysis, monitoring, review, vulnerability
control, risk acceptance, risk sharing, risk avoidance, risk financing, residual risk, risk retention, risk mitigation

The risk management process

Establish the context
Identify risks
Analyse risks
Evaluate risks
Treat risks
Communicate and consult
Monitor and review

RM Information System
Risk Registers
Treatment Plan
Assurance Plan
Reporting templates

Advantages of 31000
Strategic, operations, processes, projects, products, assets, governance, everything
Proactively create value by treating uncertainty, while respecting regulations, laws, organization
Expect better profits, morale, trust, controls, initiatives, reporting, and corporate culture
Designed to integrate with existing management
Build on existing management systems, add commitment, alignment, IT, stakeholders, ownership of risk, etc.
Communication and Consultation as appropriate: consider the values and perceptions of stakeholders
Risk in every decision is set in context, assessed, treated, documented
Review, review, and review, then act, act, act

Example risk register for a specific Objective, illustration only
Courtesy of Larry Warner of the Food Company

Steps annotated on the register:
1. Identify initiatives and their associated descriptions with measurable objectives
2. Prioritize order of the key initiatives based on their contribution to achieving the overall financial and strategic objectives within the OP
3. Document the individual in charge of the given initiative
4. List of risks that could hinder the ability to meet the initiative's objectives
5. List of planned activities that will treat the risks; match the treatment strategies to risk through the reference numbers
6. Management Team evaluates the probability of success in achieving this initiative's overall objectives
7. Document the immediate next steps for effective initiative execution

Register fields: Risk Profile, Priority, Owner, Risks, Treatment Activities, Action Plan

Initiative: Ready to Heat
Aggressively grow and build the ready to heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product.

Risks
1 Increase of aggressive competition from Rice Master and Fast Rice
2 Aggressive year for growth target for the segment & brand
3 Achieve new product growth targets

Treatment Activities
1,2,3 Accelerate innovation
1 Conduct competitor analysis session

Business units are required to review and update a dashboard on a quarterly basis which allows tracking of performance over time.

Dashboard columns: Initiative, Risk Profile (Q305, Q405, Q106, Q206), Trend, Comments

Initiative: Relaunch of Pedigree
Effectively execute the relaunch of Pedigree to achieve the growth targets (10%)
Risk Profile: Yellow, Green
Trend: Improving
Comments: Shipments started in P2 to meet advertising schedule. Advertising on air (P2W3). Massive presentation to all customers was executed during P1 with excellent customer participation.

Initiative: Direct to store (DTS)
Increase DTS operations by 10% and add 500 points of sale per cell
Risk Profile: Green, Green
Trend: Stable
Comments: DTS operation is improving however there are still some areas that need to improve further. We will expand when we have a holistic strategy.

Initiative: Associate engagement
Increase associate engagement score from 85% to 90% within the factory
Risk Profile: Blue, Green
Trend: Improving
Comments: Shift managers have been provided associate engagement training. All managers have held meetings with their team members.

Initiative: Bring Pet Dry plant online
Make the Dry plant fully operational by P13
Risk Profile: Red
Trend: Stable
Comments: On track, construction permit granted. Plant will be ready by P13

Initiative: Launch of Dove
Successfully launch Dove into the mass market and achieve 65% distribution
Risk Profile: Blue, Yellow, Blue
Trend: Stable
Comments: Increased risk due to current demand exceeding supply. We have rephased the rollout for the mass market to ensure current supply is adequate.

Let's check
what ISO 31000 is, and
what it expects of an organization
then
Discussion, Comments, Questions and useful arguments
