ISO 31000, a risk management standard for decision-makers
Alex Dali, MBA, ARM
President at G31000
Alex.Dali@G31000.org
Agenda
• About ISO 31000: history
• Objectives of ISO 31000: scope, structure, users, benefits
• About the first global survey on ISO 31000
• About certification: certification of organisations, certification of individuals
History of ISO 31000
About ISO 31000
Figure: domains in which risk is managed today: quality, OH&S, environment, finance, IT security, food safety, equipment, project, supply chain.
About ISO 31000
Each profession has its own meaning of "risk":

| Role            | Risk means                          |
|-----------------|-------------------------------------|
| Engineer        | hazard                              |
| Scenario        | event                               |
| Manager         | uncertainty on objectives           |
| Health          | threat (purely negative)            |
| Finance         | return                              |
| Public sector   | discontinuity of service            |

The definition used by standards has evolved accordingly:
• "Organisations of all types face a range of risks…"
• "Organisations of all types face a range of combinations of the probability of an event and its consequences…"
• "Organisations of all types face a range of effects of uncertainty on objectives…"
About ISO 31000
Figure: national and sector standards that fed into ISO 31000:
• Australia: AS/NZS 4360 (1995/1999/2004), now AS/NZS ISO 31000:2009
• Austria (DE/CH): ONR 49000:2008
• USA: COSO 2 (ERM):2004
• Europe: FERMA:2004
• Japan: JIS Q 2001, JIS Q 31000
• Canada: CAN/CSA Q850-1997
• UK: AIRMIC, ALARM, IRM:2002; M_o_R:2002/2007/2011; BS ISO 31000; BS 31100 Guide
About ISO 31000
Internationally-recognised reference
• International consensus
• Single global reference for stakeholders
• Wide application
• "Umbrella" for more than 60 standards
• Should not be ignored
About ISO 31000
Figure: map of countries that have adopted ISO 31000 (OECD membership indicated on the original map):
Argentina, Australia, Austria, Belarus, Bulgaria, Brazil, Canada, Chile, China, Czech Republic, Denmark, Estonia, Finland, France, Germany, India, Iran, Israel, Italy, Japan, Malaysia, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Russia, Singapore, Slovak Republic, Slovenia, South Africa, Spain, Sweden, Switzerland, Thailand, Turkey, United Kingdom, Uruguay, United States
ISO 31000 standards in Europe
National adoptions of ISO 31000 shown on the original map:
• SFS ISO 31000 (Finland)
• SS ISO 31000 (Sweden)
• EVS ISO 31000 (Estonia)
• NS ISO 31000 (Norway)
• LVS ISO 31000 (Latvia)
• GOST R ISO 31000 (Russia)
• BS ISO 31000 (United Kingdom)
• DS ISO 31000 (Denmark)
• STB ISO 31000 (Belarus)
• PN ISO 31000 (Poland)
• NEN ISO 31000 (Netherlands)
• CSN ISO 31000 (Czech Republic)
• DIN ISO 31000 (Germany)
• STN ISO 31000 (Slovakia)
• NF ISO 31000 (France)
• ÖNORM ISO 31000 (Austria)
• ISO 31000 (national prefix not shown on the map)
• SIST ISO 31000 (Slovenia)
• NP ISO 31000 (Portugal)
• SR ISO 31000 (Romania)
• xxx ISO 31000
• UNE ISO 31000 (Spain)
• UNI ISO 31000 (Italy)
Based on informal information received on 6th August 2012
Survey population
Based on 1823 responses from 111 countries. Largest shares by country:
• USA: 20%
• UK: 10%
• Australia: 10%
• South Africa: 10%
• India: 4%
• Canada: 4%
• United Arab Emirates: 3%
© G31000. Commercial in Confidence. 2012
Participation by department
(chart; figures not reproduced in the text)
Objectives of ISO 31000
SCOPE
• All organisations: any sector, any activity, any size
• All risks: any type of risk, positive or negative consequences
• Generic guidelines: harmonizes processes, not practices
• Global reference: harmonizes risk management in existing and future standards
• Global application: objectives, context, structure, operations, processes, functions, projects, products, services, or assets
Objectives of ISO 31000
SCOPE
ISO standard or ISO guideline?
• "Risk Management – Principles and Guidelines"
• Voluntary application, not prescriptive, no legal requirement
• Specifically not intended for certification
• ISO certifiable standard? NO!
Objectives of ISO 31000
SCOPE
… not a parallel management system
• Avoid the troubled implementation of the ISO 9000 series
• Promote business performance
• No bureaucratic compliance reporting system
• Simplify further if necessary
Objectives of ISO 31000
STRUCTURE
Three pillars: Principles, Framework, Process
Simple risk management architecture
• 3-pillar structure
• Robust and simple to apply
• Opportunity to review existing RM practices
• Track similarities and differences
Objectives of ISO 31000
STRUCTURE: PRINCIPLES AND FRAMEWORK
Principles (risk management):
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the
Framework (a continual-improvement cycle):
• Mandate and commitment
• Design of framework for managing risk
• Implementing risk management
• Monitoring and review of the framework
• Continual improvement of the framework
Objectives of ISO 31000
STRUCTURE: RISK MANAGEMENT PROCESS
• Communication and consultation (throughout)
• Establish the context
• Risk assessment: risk identification, risk analysis, risk evaluation
• Risk treatment
• Monitoring and review (throughout)
+ ISO Guide 73, Risk management vocabulary
Objectives of ISO 31000
STRUCTURE
Text of the ISO 31000 standard
• The text is short and clear
• Not radically new
• Some statements, like "embedded in all…", seem idealistic goals
Objectives of ISO 31000
STRUCTURE
Vocabulary: ISO Guide 73
• Reviewed by the same committee
• 51 definitions related to risk
• Many improvements
• Use language meaningful to your organisation
Objectives of ISO 31000
USERS
1. Corporate level: policy, program, framework
2. Operational level: project, activity, sectors
3. Audit: audit, evaluation and reporting
4. Writers: guides, procedures, practices
Objectives of ISO 31000
BENEFITS
1. Standard = consensus (compromise)
2. Standard, not regulation: voluntary endorsement
3. Wide range of input, not one point of view
4. Applies to any activity or domain in any organisation
5. Integrated approach for the management of risk
6. Very general, allowing interpretation (guideline)
7. Regular updates through ISO
8. Recognizing best practices
9. Facilitates communication and training
10. Recognition for the profession
Certification
ORGANISATIONS
• ISO certifiable standard? NO!
The last 3 slides could be used for debating…
Certification
SURVEY 2011
Certification
ORGANISATIONS
PROS
• Validation by external independent third parties
• Validation of the decision-making process
• Simple link with mandatory obligations in specific sectors/areas
• Confidence of stakeholders in an internationally recognized standard
CONS
• Rarely objective and different in each country
• Additional burden on resources with no tangible gain
• Certified companies do not enjoy better performance
• False security
• Might become mandatory by law
• In a legal dispute, a source of negligence claims
• Too much focus on audits and not on processes!
Certification
INDIVIDUALS
• Growing understanding of the importance of effectively managing risk
• Increasing recognition of ISO 31000
• Individuals wishing for knowledge and understanding about risk management
• Improved decision making through explicit consideration of uncertainty
ISO 31000 discussion group Link to the LinkedIn group : www.linkedin.com/groups?mostPopular=&gid=1834592
Other groups, by country
ISO 31000 SURVEY 2011
Global ISO 31000 survey 2011: results & analysis
Charts (data not reproduced in the text):
• What is your level of awareness about ISO 31000? (three charts)
• How is risk management mainly used within your organization? (two charts)
www.G31000conference2012.org
QUIZ on the ISO 31000 STANDARD
Quiz on the ISO 31000 risk management standard
Question 1: The ISO 31000 document is a
A. Technical specification for risk management
B. Guidance standard for risk management
C. Certifiable standard for risk management
D. Umbrella standard for existing or future standards
USEFUL LINKS
• ISO 31000 GLOBAL SURVEY 2011: http://www.g31000conference2012.org/ISO31000Survey2011
• ISO 31000 INTERNATIONAL CONFERENCE: http://g31000conference2012.org/
• LINKEDIN GROUP on ISO 31000: http://www.linkedin.com/groups?mostPopular=&gid=1834592
• About ISO 31000, official link: http://www.iso.org/iso/catalogue_detail?csnumber=43170