Copyright © 2012 BSI. All rights reserved.
Introductions
• Name
• Course pursuing
• Exposure to standards
• Your aim for attending this course
• Something interesting about yourself
Jawaharlal Nehru
Risk - definition
Source and definition:
• Frank H. Knight (1921), Risk, Uncertainty and Profit: ‘Measurable uncertainty.’
• ISO/IEC Guide 51:1999: ‘Combination of the probability of occurrence of harm and the severity of that harm.’
• ISO/IEC Guide 73:2002: ‘Combination of the probability of an event and its consequence.’
• AS/NZS 4360:2004: ‘Chance of something happening that will have an impact on objectives.’
• COSO (2004) ERM - Integrated Framework: ‘Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities.’
• Lars Oxelheim and Clas Wihlborg (2008), Corporate Decision-Making with Macroeconomic Uncertainty: ‘The concept of risk refers in general to the magnitude and likelihood of unanticipated changes that have an impact on a firm’s cash flows, value or profitability. […] Risk has a negative connotation, but uncertainty can be a source of opportunities as well as costs.’
Risk – definition Cl.2.1
Risk is not uncertainty. Risk is the effect of uncertainty
The impossible always happens somewhere, sometime, to someone....
The greatest risk of all is denial
Much of the risk that affects us is manufactured by us
Control what we can control – don’t try to control what we cannot control
Risk management is impossible without knowledge
The ‘Unthinkable’, the ‘Impossible’ and the ‘Unknowable’ together can create the perfect risk storm which no company can survive
Risk Mismanagement
Risk mismanagement, or the absence of risk management, is at the root of each and every corporate failure that we have seen
Event description 12.03.
• Units 4-6 in shut down status for periodic maintenance and refueling
• Units 1-3 were stopped automatically after the quake
• Reactor buildings and the containment successfully resisted the earthquake
• All reactors were disconnected from the external AC supply
• Backup sources (diesel generators) started
• Approximately one hour after the earthquake the tsunami hit the site
– destroyed the fuel tanks of the diesel generators
– flooded the diesel generator building (the 10 m protection wall was not sufficient)
• Mobile generators were sent to the site in a short time but they ran out of fuel
• Hydrogen explosion in Unit 1
• Evacuation of the population from the area of 20 km around Daiichi NPP and 10 km around Daini NPP (approx. 200 000 persons)
• On-site radioactivity increased
AMRI Fire
Annexe 1, where the fire occurred, is squeezed between Panchanantala slum and Annexe 2, with a wall closely guarding the building all around, violating safety norms.
The basement where the fire started was used for central storage, packed with power units, combustible material and oxygen cylinders, among other things.
Despite a fire in the same building in 2008, the hospital authorities failed to clean up the basement.
Smoke detectors had been switched off.
The fire was detected as early as a little past 2 am by slum-dwellers, who rushed to the hospital to help, only to be turned away rudely by security guards.
1920: British Petroleum Tanker Insurance Company, Ltd., one of the first captive insurance companies, beginning a movement that exploded in the 1970s and 1980s.
1950s-1960s: Traditional Risk Management (“TRM”), typically focused on insurance.
1970s: Risk management gains wider acceptance.
1977: Foreign Corrupt Practices Act (“FCPA”).
1980s: Companies begin Risk departments.
1992: Committee of Sponsoring Organizations (“COSO”) publishes Internal Control - Integrated Framework.
1993: The title “Chief Risk Officer” is first used by James Lam, at GE Capital, to describe a function to manage “all aspects of risk,” including risk management, back-office operations, and business and financial planning.
1995: A multi-disciplinary task force of Standards Australia/Standards New Zealand publishes the first Risk Management Standard, AS/NZS 4360:1995.
2001: The terrorism of September 11 and the collapse of Enron remind the world that nothing is too big for collapse.
2002: Sarbanes-Oxley Act of 2002.
2004: Release of COSO ERM Integrated Framework.
2008: BS 31100 published, which is Principles and Guidelines on Risk Management.
2009: ISO 31000 published - Principles and Guidelines.
Exercise 1
CEO
CRO: Understands the risks but has little influence on decision making
CFO: Has narrow & siloed view of risk, often focusing on compliance
So who owns the risk?
Risk Categories
• Internal risk
• External risk
• strategic risk
• programme risk
• project risk
• financial risk
• operational risk
Exercise 2
Examples of Risk
Exercise 3
Contd.
Background to the standard
Proliferation of Standards
• Standard Organizations
- CAN, UK, AUS/NZ, etc.
• Functions
- Security, Safety, Software, Systems, etc.
• Market/Industry Sectors
- Medicine, Energy, Aviation, etc.
Risk Management Standards
Why ISO 31000
How we look at Risk
ISO 31000 - Common sense approach
• The importance of ISO 31000 is that it helps organisations of any size and in any industry strive towards their business goals by managing risk effectively.
• It provides a common language and model to be used by organizations to implement a risk management model that is consistent, replicable and accurate.
• ISO 31000 pulls together and replaces a number of similar international standards and will also supersede national standards such as AS/NZS 4360:2004.
Family of ISO 31000 Standards
The RiSM Model
PDCA Cycle
Exercise 4
The Flow of Risk Management
Principles
• Creates value
• Integral part of organisational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored
• Takes human and cultural factors into account
• Transparent and inclusive
• Dynamic, iterative and responsive to change
• Facilitates continual improvement and enhancement of the organisation

Integral part of organisational processes
• Not a stand-alone activity
• Part of the responsibility of management
• Integral part of organisational processes
• Including strategic planning
• Project and change management

Systematic, structured and timely
• Systematic, timely and structured
• Contributes to efficiency
• Consistent
• Comparable
• Reliable results

Based on the best available information
• Based on information sources such as
– Historical data
– Experience
– Stakeholder feedback
– Observation
– Forecasts
– Expert judgment
• Should take into account
– Limitations of data or modeling
– Divergence amongst experts

Dynamic, iterative and responsive to change
• Continually senses and responds to change
• Monitoring and review of risks
• Accounts for
– new risks
– changes to risks
– disappearance of risks

Facilitates continual improvement and enhancement of the organisation
• Organisations should develop and implement strategies to improve their risk management maturity
Exercise 5
Identification of Principles
RISK MANAGEMENT SYSTEM CULTURE
Exercise 6
Risk Management Framework: Mandate and Commitment
Mandate and Commitment (4.2)
PLAN: Design of Framework for Managing Risk (4.3)
DO: Implementing Risk Management (4.4)
CHECK: Monitoring and Review of the Framework (4.5)
ACT: Continual Improvement of the Framework (4.6)
7
4.2 Mandate and commitment 3
C
opyright©2012BSI.Alrightsreserved. 73
Mandate and commitment - 2
Exercise 7
4.3 Designing the framework
Framework Considerations
4.3.1 Understanding the organisation and its context
• Evaluate the external context
– Social and cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environment
– Key drivers and trends having an impact on objectives
– Relationships, perceptions and values of stakeholders
Understanding the organisation and its context
• Evaluate the internal context
– Governance, structure, roles and accountabilities
– Policies, objectives and strategies to achieve the above
– Capabilities (in terms of knowledge and resources)
– Information systems, flows and decision making processes
– Relationships, perceptions and values of stakeholders
– Culture
– Standards and guidelines used
– Form and extent of contractual relationships
Exercise 8
Framework Context
Exercise 9
4.3.4 Integration into organisational processes
RM Integration into Organizational Processes
Resources
Roles of individuals
Role of Risk Manager
Role of Auditor
Auditor (contd.)
Exercise 10
4.3.6 Establishing internal communication and reporting
• Components of risk management and modifications communicated
• Internal reporting on the framework, its effectiveness and outcomes
• Relevant information from risk management is available at appropriate levels and times
• Processes for consultation with internal stakeholders
4.3.7 Establishing external communication and reporting
• Effective exchange of information with appropriate stakeholders
• Comply with legal, regulatory and governance reporting
• Providing feedback and reporting on communication and consultation
• Communication to build confidence in the organisation
• Crisis communication with stakeholders
4.4 Implementing Risk Management
Implementation Framework
Implementation Outline
Risk Management Framework: Monitoring and Review of the Framework
4.5 Monitoring and Review of the Framework
Links Between Framework and Process
Design of framework - context (4.3.1)
Implementing RM (4.4)
Monitoring and Review - BS 31100
Exercise 11
Framework Review
4.6 Continual Improvement of the Framework
Learning from Risk events - BS 31100
• Organizations should learn from risk events through a review that covers:
– What happened
– How and why the risk occurrence came about
– What action has been taken
– The likelihood of the risk happening again
– Any additional responses or steps to be taken
– Key learning points and to whom they are to be communicated
Process for Managing Risk
Clause 5
Risk Analysis
Risk Evaluation
Risk Treatment
5 Process
Establishing the context (5.3)
• Tailored to business processes
Risk evaluation (5.4.4)
Risk Treatment (5.5)
5.2 Communication and Consultation
Communication and Consultation: Importance and Benefits
5.2 Communication and Consultation
5.3.1 Establish the context
5.3.2 External Context
5.3.3 Internal Context
Internal context to include
5.3.4 Context of Risk management Process
Framework vs. Process Context
How is establishing the context for the RM Process different from that of the RM Framework?
5.3.5 Risk Criteria
C
opyright©2012BSI.Alrightsreserved. 123
1
Risk Criteria factors 2
4
Exercise 12
Risk Criteria
5.4 Risk Assessment
Process in Detail
Establish the Context
• Internal Context
• External Context
• Risk Management Context
• Develop the Criteria
Identify Risks
• What can happen?
• When and where?
• How and why?
Analyse Risk
• Identify existing controls
• Determine Consequences
• Determine Likelihood
• Determine levels of risk
Evaluate Risks
• Compare against criteria
• Set priorities
• Treat Risks? (YES / NO)
Treat Risks
• Identify options
• Assess options
• Prepare and implement treatment plans
• Analyse and evaluate residual risk
Risk Criteria - BS 31100
• points, and identifying the escalation process for risk outside the acceptance criteria, capability or capacity.
• include qualitative statements outlining specific risks the organization is or is not prepared to accept
• include quantitative statements, described as limits, thresholds or key risk indicators.
5.4 Risk assessment
• Risk Identification
• Risk Analysis
• Risk Evaluation
A first step in this process is to determine the tools that may be needed:
• To help implement risk management in practice
• To ensure the organization’s risk management framework is aligned with the overall management system and the objectives
• To ensure it is in keeping with the organization’s nature, scale, complexity and culture
• To assist in the development of risk management knowledge and expertise within the organization
5.4.2 Risk identification
• Identify
– Sources of risk
– Areas of impact
– Events and their causes, including their potential consequences
• The purpose is to establish risks that impact objectives by
– Creating
– Enhancing
– Preventing
– Degrading
– Accelerating or delaying
Risk Identification
Clause 5.4.2
Risk identification
Risk Categorization
Risk categorization
• Strategic Risk
• Programme Risk
• Project Risk
• Financial Risk
• Operational Risk
Exercise 13
Risk Identification
5.4.3 Risk Analysis
Risk Analysis (cont.)
• Should enable balancing of one risk against another as part of the risk management decision making process
• The aim is to try and understand the source of the risk and the causes
• Where there are existing controls in place, it can be useful to analyze the risk with and without the control in place and to determine whether the control is robust enough
Exercise 14
Risk Analysis
Exercise 14
Risk Evaluation
5.5 Risk Treatment
5.5.2 Risk Treatment Options
4 Tees
• Terminate
• Treat
• Tolerate
• Transfer
Selecting risk treatment options
Exercise 15
Risk Treatment
Example 1
5.6 Monitoring and Review
• Uses information from and provides input to Establishing the Context (5.3), Risk Assessment (5.4), and Risk Treatment (5.5)
• Plan for regular checking or surveillance
• Define responsibilities
• Ensure effective and efficient controls
• Evaluate event results, changes, trends, successes and failures
• Identify changes in context, risk criteria and risk
• Report results and incorporate them for process improvement
Monitoring and Review
Exercise 16
• How long records should be kept will depend on the risk to the organization of not being able to provide evidence of its risk management
• Records are needed to provide evidence of conformity and control
• A procedure is needed for the identification, storage, protection, retrieval, retention and disposition of records
• Records should be legible, readily identifiable and retrievable
5.7 Records
Risk Maturity Model - contd
Risk Maturity Model - contd
Standards Hierarchy
AS/NZS 4360
Obstacles to Effective RM
Risk Management
A survey by
Key Finding 1
• Overall, after the global crisis, there is a consensus that anticipating and managing risks proactively is going to deliver tremendous long-term value to organizations. Establishing a global footprint, cross-border regulations, geo-political events and increased complexity in the value chain are leading to more risks.
Key Finding 2
Key Finding 3
• Boards today are expected to play the watchdog role – that of linking strategy, risks, rewards and executive compensation to ensure that there are no misalignments. Risk oversight challenges faced by independent directors are on account of their limited review of strategy and inadequate inputs into the information architecture to know about the business, industry and external factors.
Key Finding 4
Imperative 1
Imperative 5
Attribute: Continual Improvement
• Input
– Goals
o Performance goals - organization
o Measurements - KPIs - individual
– Review against goals - at least annually
• Output
– Modification of processes, systems, resources, capability and skills
– RM performance assessment - an integral part of the overall organization’s performance assessment and measurement systems for departments and individuals
Attribute: Full Accountability
Attribute: RM in Decision Making
Attribute: Risk Reporting
Attribute: Integration with Governance
• Organisations need to consider risks at both policy and practice levels. This is achieved by explicitly considering risks and the effect of uncertainty on achieving organisational objectives.
• The governance structure and process are based on the management of risk.
• Effective risk management is regarded by managers as essential for the achievement of the organization's objectives.
• Evidence:
– Interviews, statements, actions
Contact Information
BSI India
Address: The Mira Corporate Suites (A-2), Plot 1 & 2, Ishwar Nagar, Mathura Road, New Delhi 110065, India
Thank you