
Risk Management

ISO 31000 Course

Copyright © 2012 BSI. All rights reserved.
Welcome

• Safety - be aware of emergency exits
• Restroom and Telephones - nearest locations
• Contact Number - for urgent messages
• Personal Property - keep possessions secure
• Phones - please avoid interruptions
• Recording Devices - not allowed in class
• Lunch and Breaks - please return on time
• Smoking - not permitted in the classroom
• Special Needs - please inform the instructor

Introductions

• Name
• Course pursuing
• Exposure to standards
• Your aim for attending this course
• Something interesting about yourself

Learning Objectives

Upon completion, participants will be able to:

• Describe the fundamentals of Risk Management (RM)
• Understand the evolution of Risk Management
• Describe the relevance and context of ISO 31000
• Elaborate on the key principles of ISO 31000
• Identify key aspects and interrelationships of a Risk Management framework with the organization’s management system
• Specify the components and process of building a Risk Management framework
• Outline a process for implementation of a RM framework
• Understand the Risk Maturity Model


Offer closes on 3rd March 2012

This BMW car is available for Rs. 10 Lakhs only…


Here is the Catch

The position of the brake and the accelerator are interchanged.

Brake is on the right and accelerator on the left.

“The policy of being too cautious is the biggest risk of all”

Jawaharlal Nehru

Risk - definition

Source and definition:

• Frank H. Knight (1921), Risk, Uncertainty and Profit: ‘Measurable uncertainty.’
• ISO/IEC Guide 51:1999: ‘Combination of the probability of occurrence of harm and the severity of that harm.’
• ISO/IEC Guide 73:2002: ‘Combination of the probability of an event and its consequence.’
• AS/NZS 4360:2004: ‘Chance of something happening that will have an impact on objectives.’
• COSO (2004) ERM - Integrated Framework: ‘Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities.’
• Lars Oxelheim and Clas Wihlborg (2008), Corporate Decision-Making with Macroeconomic Uncertainty: ‘The concept of risk refers in general to the magnitude and likelihood of unanticipated changes that have an impact on a firm’s cash flows, value or profitability. […] Risk has a negative connotation, but uncertainty can be a source of opportunities as well as costs.’

Risk – definition Cl.2.1

• Effect of uncertainty on objectives

• Effect: a deviation from the expected, positive and/or negative
• Objectives can have different angles (such as financial, health and safety and environmental goals) and can apply at different levels (such as strategic, organisation-wide, project, product and process)
• Risk is a function of potential events, their consequences (including changes in circumstances) and the associated likelihood of occurrence
• Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence or likelihood

Risk Management Cl. 2.2

• Coordinated activities to direct and control an organization with regard to risk


The Seven Golden Truths of Risk Management

• Risk is not uncertainty. Risk is the effect of uncertainty
• The impossible always happens somewhere, sometime, to someone....
• The greatest risk of all is denial
• Much of the risk that affects us is manufactured by us
• Control what we can control – don’t try to control what we cannot control
• Risk management is impossible without knowledge
• The ‘Unthinkable’, the ‘Impossible’ and the ‘Unknowable’ together can create the perfect risk storm which no company can survive

Risk Mismanagement

Risk mismanagement or the absence of risk management is at the root of each and every corporate failure that we have seen.

Fukushima Daiichi Plant

Event description 12.03.
• Units 4-6 in shut down status for periodic maintenance and refueling
• Units 1-3 were stopped automatically after the quake
• Reactor buildings and the containment successfully resisted the earthquake
• All reactors were disconnected from the external AC supply
• Backup sources (diesel generators) started
• Approximately one hour after the earthquake, the tsunami hit the site
– destroyed fuel tanks of the diesel generators
– flooded the diesel generator building (10 m protection wall was not sufficient)
• Mobile generators were sent to the site in a short time but they ran out of fuel
• Hydrogen explosion in Unit 1
• Evacuation of the population from the 20 km zone around Daiichi NPP and the 10 km zone around Daini NPP (approx. 200 000 persons)
• On-site radioactivity increased

AMRI Fire

• Kolkata, 9th Dec. 2011
Annexe 1, where the fire occurred, is squeezed between Panchanantala slum and Annexe 2, with a wall closely guarding the building all around, violating safety norms.

The basement where the fire started was used for central storage, packed with power units, combustible material and oxygen cylinders, among other things.

Despite a fire in the same building in 2008, the hospital authorities failed to clean up the basement.

Smoke detectors had been switched off.

The fire was detected as early as a little past 2 am by slum-dwellers, who rushed to the hospital to help, only to be turned away rudely by security guards.

Today's risk management

Historically Speaking

• 1920: British Petroleum Tanker Insurance Company, Ltd., one of the first captive insurance companies, beginning a movement that exploded in the 1970s and 1980s.
• 1950s-1960s: Traditional Risk Management (“TRM”), typically focused on insurance.
• 1970s: Risk management gains wider acceptance.
• 1977: Foreign Corrupt Practices Act (“FCPA”).
• 1980s: Companies begin Risk departments.
• 1992: Committee of Sponsoring Organizations (“COSO”) publishes Internal Control - Integrated Framework.
• 1993: The title “Chief Risk Officer” is first used by James Lam, at GE Capital, to describe a function to manage “all aspects of risk,” including risk management, back-office operations, and business and financial planning.
• 1995: A multi-disciplinary task force of Standards Australia/Standards New Zealand publishes the first Risk Management Standard, AS/NZS 4360:1995.
• 2001: The terrorism of September 11 and the collapse of Enron remind the world that nothing is too big for collapse.
• 2002: Sarbanes-Oxley Act of 2002.
• 2004: Release of COSO ERM Integrated Framework.
• 2008: BS 31100 published, which is Principles and Guidelines on Risk Management.
• 2009: ISO 31000 published - Principles and Guidelines.


Exercise 1

Who should own Risk Management in a Company?

Sample Organizational Risk Culture

Source: HBR Sept 08

• Board: Lacks the knowledge & risk vocabulary to engage in dialogue with management
• CEO: Seeks strategic dialogue about risk but must rely on intuition
• CRO: Understands the risks but has little influence on decision making
• CFO: Has narrow & siloed view of risk, often focusing on compliance
• Treasurer's office: Uses sophisticated risk management tools, but only for short term risk
• Business Units: Lack the sophistication to understand, much less measure, their own risks

So who owns the risk?

• Risk lives here
• If you own the business unit, you own the risk.
• Risk owners have the responsibility to identify, measure,
monitor, control, and report on risks to executive
management; promote risk awareness; and reprioritize
activities as dictated by effective risk analyses

Nature and Impact of Risk

• Risks are related to:
• Strategy - the long-term aims of the organisation; the strategic planning horizon for an organisation will typically be 3, 5 or more years.
• Tactics - how an organisation intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments.
• Operations - the routine activities of the organisation.

Risk Categories

• Internal risk
• External risk

• strategic risk
• programme risk
• project risk
• financial risk
• operational risk

Exercise 2

Examples of Risk

Exercise 3

Benefits of Risk Management

Benefits of Risk Management

• increase the likelihood of achieving objectives;
• encourage proactive management;
• be aware of the need to identify and treat risk throughout the organization;
• improve the identification of opportunities and threats;
• comply with relevant legal and regulatory requirements and international norms;
• improve mandatory and voluntary reporting;
• improve governance;
• improve stakeholder confidence and trust;

Contd.

• establish a reliable basis for decision making and planning;
• improve controls;
• effectively allocate and use resources for risk treatment;
• improve operational effectiveness and efficiency;
• enhance health and safety performance, as well as environmental protection;
• improve loss prevention and incident management;
• minimize losses;
• improve organizational learning; and
• improve organizational resilience.

Background to the standard

Global Corporate Governance Model

Proliferation of Standards

• Standard Organizations
- CAN, UK, AUS/NZ, etc.
• Functions
- Security, Safety, Software, Systems, etc.
• Market/Industry Sectors
- Medicine, Energy, Aviation, etc.

• ISO/IEC/IEEE Std 16085 lists over 40 standards involving risk management relevant to it

Risk Management Standards

• COSO - Enterprise Risk Management
• Internal Control – Integrated Framework (1992); and
• Enterprise Risk Management – Integrated Framework (2004).
• AS/NZS 4360 Risk Management Standard – revised to become ISO 31000
• OCEG “Red Book” 2.0: 2009 - GRC Capability Model
• FERMA: 2002 A Risk Management Standard
• Solvency II: 2012 Risk Management for the Insurance Industry

Why ISO 31000

• Describes the generic processes of an 'enterprise-wide' risk management framework that operates at organisational level
• Sets the principles by which the framework seeks to integrate into all critical organisational processes where decisions are made
• Aims to assist an organization to manage its risks effectively through the application of the risk management process at varying levels
• Addresses the risks within specific contexts of the organization
• Actively identifies risks that reflect external factors and circumstances
• Identifies "attributes of enhanced risk management" which may be used to identify the maturity of risk management practices and culture in an organization

How we look at Risk

How should we look at Risk?

Myths

• It will never happen to me
• Things have been fine so far
• We are covered by insurance
• The risk is negligible
• Our customers will understand
• These things are OK in India
• We will manage


ISO 31000 Value Proposition

ISO 31000 - Common sense approach

• The importance of the standard is that it helps organisations of any size and in any industry strive towards their business goals by managing risk effectively.
• It provides a common language and model to be used by organizations to implement a risk management model that is consistent, replicable and accurate.
• ISO 31000 pulls together and replaces a number of similar international standards and will also supersede national standards such as AS/NZS 4360:2004.

Family of ISO 31000 Standards

The RiSM Model

Some Other RM Standards

• ISO 14971 Medical devices - Application of risk management to medical devices
• ISO/IEC 16085 Systems and software engineering - Life cycle processes - Risk management
• ISO 17666 Space systems - Risk management
• ISO/IEC 27005 Information technology - Security techniques - Information security risk management
• AS/NZS 4360 Risk Management
• COSO Enterprise Risk Management - Integrated Framework
• NIST 800-30 Risk Management Guide for Information Technology Systems

PDCA Cycle

Exercise 4

• A presentation to senior management
• Make a persuasive case for putting in place a comprehensive Risk Management framework in your organization
• 10 minutes long

What goes in it?


Understanding the ISO 31000

Scope of ISO 31000 Risk Management

• provides principles and generic guidelines on risk management;
• can be used by any public, private or community enterprise, association, group or individual (not specific to any industry or sector);
• can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets;
• can be applied to any type of risk, whatever its nature, whether having positive or negative consequences;
• design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization;
• can be utilized to harmonize risk management processes in existing and future standards;
• is not intended for the purpose of certification.

The Flow of Risk Management

Principles

• Creates Value
• Integral part of organisational process
• Part of Decision making
• Explicitly address uncertainty
• Systematic, Structured and timely
• Based on the best available information
• Tailored
• Takes human and cultural factors into account
• Transparent and inclusive
• Dynamic, iterative and responsive to change
• Facilitates continual improvement and enhancement of the organisation

Principle 1 - Creates Value

• Achievement of objectives and improvement in performance
• Examples:
• Human health
• Security
• Legal and regulatory compliance
• Public acceptance
• Environmental protection
• Product quality
• Project management
• Efficiency of operations
• Governance and reputation

Principle 2 – Integral part of all organisational processes
• Not a stand alone activity
• Part of responsibility of management
• Integral part of organisational processes
• Including strategic planning
• Project and change management

Principle 3 – Part of decision making

• Helps decision makers make informed choices
• Prioritize actions
• Distinguish amongst alternative courses of action

Principle 4 – Explicitly addresses uncertainty

• Explicitly takes account of uncertainty
• Nature of uncertainty
• How it can be addressed

Principle 5 – Systematic, structured and timely
• Systematic, timely and structured
• Contributes to efficiency
• Consistent
• Comparable
• Reliable results

Principle 6 – Based on best available information
• Based on information sources such as
• Historical data
• Experience
• Stakeholder feedback
• Observation
• Forecasts
• Expert judgment
• Should take into account
• Limitations of data or modeling
• Divergence amongst experts

Principle 7 - Tailored

• Management is aligned with the organisation’s
• External context and risk profile
• Internal context and risk profile

Principle 8 – Human and cultural factors

• Recognizes factors that can facilitate or hinder achievement of the organisation’s objectives (for internal and external people)
• Capabilities
• Perceptions
• Intentions

Principle 9 – Transparent and inclusive

• Timely involvement of stakeholders, in particular decision makers at all levels
• Remains relevant and current
• Stakeholders properly represented
• Stakeholders’ views taken into account

Principle 10 – Dynamic, iterative and responsive to change
• Continually senses and responds to change
• Monitoring and review of risks
• Accounts for
• new risks
• changes to risks
• disappearance of risks

Principle 11 – Continual improvement of the organisation
• Organisations should develop and implement strategies to improve their risk
management maturity


Exercise 5

Identification of Principles

Three Essential Elements for Effective Risk Management

Risks need to be identified and managed and the treatments embedded into the culture of the organization.

Diagram labels: RISK, MANAGEMENT SYSTEM, CULTURE


ISO 31000 Framework


Exercise 6

Understanding the components of a framework

PDCA

4.1 Framework - General

• Effective management framework that provides
• a foundation
• Embedding throughout organisation
• Apply at all levels
• Assists in managing through Risk Management Process
• Information about Risk is adequately reported
• Used for decision making
• Used for accountability at all relevant levels

Risk Management Framework: Mandate and Commitment

Principles (3) → Mandate and Commitment (4.2)

PLAN: Design of Framework for Managing Risk (4.3)
DO: Implementing Risk Management (4.4)
CHECK: Monitoring and Review of the Framework (4.5)
ACT: Continual Improvement of the Framework (4.6)

4.2 Mandate and commitment

• Strong sustained commitment from management
• Strategic and rigorous planning
• To achieve commitment at all levels, management should:
• Define the Risk Management Policy and endorse it
• Ensure alignment of culture to policy
• Determine performance indicators for risk management in line with the organisation’s performance indicators
• Align risk management objectives with organisational objectives and strategies
• Ensure legal and regulatory compliance

Mandate and commitment - 2

• Assign accountability and responsibility
• Allot resources to risk management
• Communicate benefits of risk management to stakeholders
• Ensure framework is appropriate over time.


Exercise 7

Leadership and Commitment

Risk Governance - BS 31100

• Board discharges its responsibility towards RISM
• Risk recognized as a Board matter with ultimate accountability
• Risk management objectives designed to support risk appetite
• Ownership and accountability for managing and reporting on risk
• Roles, responsibilities and accountabilities for RISM are communicated and understood in the organisation
• Define and effectively communicate the RISM Policy
• Flow of risk information within the organisation

4.3 Designing the framework

• Understanding the organisation and its context
• Establishing the risk management policy
• Accountability
• Integration into organisational processes
• Resources
• Establishing internal communication and reporting mechanisms
• Establishing external communication and reporting mechanisms

Framework Considerations

Example framework relationships between corporate, national, business, etc.: there may be many nested or related frameworks within a given organization.

Corporate Framework for Risk Management
• International framework for product line
• National framework
• Business Unit framework

4.3.1 Understanding the organisation and its context
• Evaluate the external context
• Social and cultural, political, legal, regulatory, financial, technological, economic, natural, and
competitive environment.
• Key drivers and trends having impact on objectives
• Relationship, perceptions and values of stakeholders

Understanding the organisation and its context
• Evaluate the internal context
• Governance, structure, roles and accountabilities
• Policies, objectives and strategies to achieve the above
• Capabilities (in terms of knowledge and resources)
• Information systems, flows and decision making process
• Relationship, perceptions and values of stakeholders
• Culture
• Standards, guidelines used
• Form and extent of contractual relationships


Exercise 8

Framework Context

4.3.2 Establishing risk management policy
• Policy should state
• Objectives for risk management
• Commitment
• Rationale for managing risk
• Links between business objectives and risk management policy
• Accountabilities and responsibilities
• Addressing conflicting interests
• Commitment for provision of resources
• Reporting risk management performance
• Commitment to review and improve policy and framework


Exercise 9

Risk Management Policy

4.3.3 Accountability

• For managing risk, there is to be:
• Accountability
• Authority
• Appropriate competence
• Ensure adequacy, effectiveness and efficiency of controls through:
• Identifying risk owners with accountability and authority
• Identifying accountability for developing, implementing and maintaining the framework
• Establishing performance measurements, reporting and escalation

4.3.4 Integration into organisational processes

• Risk management must be embedded so that it is
• Relevant
• Effective
• Efficient
• Should be part of other processes, including Strategic planning,
organisational planning.
• Should be part of
• Policy
• Development
• Business and strategy planning and review
• Change management

RM Integration into Organizational Processes

Bear in mind that common requirements of multiple management system standards or specifications can be integrated into one common system.

PAS 99, Figure 1 (diagram): Specific Requirements for Environment MSS (E), OH&S MSS (O), Quality MSS (Q) and Other MSS (OM), each built on Common Requirements; the shared layer is the PAS 99 Common Requirements.

Resources

Allocate resources appropriate to your RM implementation, such as:

• Personnel with competence
• Training
• IT/tools/software
• Physical plant/resources
• Documentation
Clause 4.3.5

Senior Management responsibilities

• ensuring that there is a fit-for-purpose and up-to-date risk management framework and process in place and that risk management is adequately resourced and funded;
• providing strategic direction on the appropriate recognition of risk in decisions
and setting risk appetite and associated authority;
• culture for managing risk and embedding risk management;
• ensuring the key risks facing the organization are properly assessed and
managed;

Roles of individuals

• the risks that relate to their roles and their activities;
• how the management of risk relates to the success of the organization
and how the management of risk helps them to achieve their own
goals and objectives;
• their accountability for particular risks and how they can manage them
and contribute to continuous improvement of risk management;
• that risk management is a key part of the organization’s culture and
report to senior management any perceived new or emerging risks,
near misses or failures of existing control measures within the
parameters

Risk Management Oversight Body

• supporting senior management in establishing the risk appetite, monitoring compliance with the organization’s risk policy
• monitoring the adequacy of controls
• monitoring changes to the organization’s risk profile
• assisting the organization to understand its key risks;
• periodically reviewing the effectiveness and appropriateness and adequacy of
the risk management and reporting process;

Role of Risk Manager

• promoting the consistent use of risk management and ownership of risk at all levels within the organization
• building a risk aware culture within the organization, including
appropriate education and training
• developing, implementing and reviewing the risk management
framework and risk management processes
• coordinating the other functions that advise on specific aspects of risk
management;
• coordinating responses where risks impact more than one area;

Role of Auditor

• The audit committee reports to the board of directors on the effectiveness of internal control and risk management systems based on information it acquires directly or with the assistance of the audit functions.
• Monitoring risk management, internal control and internal audit requires
considerable time commitment from the audit committee.
• The audit committee needs to know how much effort, resources and budget are
needed to perform as expected.

Auditor (contd.)

• To fulfil its responsibilities, the audit committee spends time assessing information provided by senior management, reviews major risks and critical processes each year, challenges senior management objectives about these items and benchmarks company practices.
• The work of the audit committee can only be valuable if sufficient time is allotted on the board agenda for the audit committee to present the results of its work. The audit committee should also feel that the board is taking appropriate action on its report.
• Leading audit committees therefore have their own performance and effectiveness assessed on an annual basis.


Exercise 10

Role of Internal Auditors

4.3.6 Establishing internal communication and reporting
• Components of risk management and modifications communicated
• Internal reporting on framework, its effectiveness and outcomes
• Relevant information from risk management is available at appropriate levels
and times
• Processes for consultation with internal stakeholders

4.3.7 Establishing external communication and reporting
• Effective exchange of information with appropriate stakeholders
• Comply with legal, regulatory and governance reporting
• Providing feedback and reporting on communication and consultation
• Communication to build confidence in organisation
• Crisis communication with stakeholders

4.4 Implementing Risk Management

• Implement the RM framework
• Define the appropriate timing and strategy
• Apply the RM policy and process to organizational processes
• Ensure decisions align with objectives
• Ensure compliance with legal and regulatory requirements
• Provide training and awareness sessions
• Communicate and consult with stakeholders
• Implement the RM process
• Implement the RM process as outlined in Clause 5
• Applied through an RM Plan
• At all relevant levels and functions of the organization
• Integral to the organization's practices and processes

Implementation Framework

• A generic template that applies to all management systems
• Intended for guidance only
• An organization's approach will depend upon their scale, style, culture and
complexity
• Assumes the decision to implement has already been made (subject to
refinement and approval of the plan)
• Matches well with an ISO 31000 implementation - can be used as a high-level
roadmap to your implementation effort

Implementation Outline

1. Gain Top Management Commitment
2. Appoint Implementation Team
3. Promote Awareness
4. Perform Gap Analysis
5. Develop the Implementation Plan
6. Approve the Implementation Plan
7. Implement the Plan
8. Operate & Assess the System
9. Continually Improve the System

See the References document for further details.

Risk Management Framework: Monitoring and Review of the Framework

Mandate and Commitment (4.2)
• PLAN: Design of Framework for Managing Risk (4.3)
• DO: Implementing Risk Management (4.4)
• CHECK: Monitoring and Review of the Framework (4.5)
• ACT: Continual Improvement of the Framework (4.6)

4.5 Monitoring and Review of the Framework

• Measure RM performance against criteria
• Measure progress against plan
• Review for continued appropriateness of framework, policy and plan
• Report on status, changes, trends
• Review effectiveness of framework

Links Between Framework and Process

• Design of framework - context (4.3.1)
• Implementing RM (4.4)
• Determine the external and internal contexts for the risk management process (5.3.4), and the instances of the risk management process (5.5) identified for treatment, e.g.:
  • Supply chain risk management process
  • Safety risk management process
  • Quality risk management process
  • Information security risk management process, etc.

Monitoring and Review - BS 31100

• Review at least yearly to confirm that:
  • The framework and processes are fit for purpose
  • The framework and processes adopted are delivering results
  • Relevant stakeholders receive adequate reports
  • People in the organisation have sufficient risk management skills, knowledge and competence
  • Risk management resources are adequate
  • Lessons have been learned
  • Risk management maturity and capability are sufficient to achieve the objectives set out

Exercise 11

Framework Review

Risk Management Framework: Continual Improvement of the Framework

4.6 Continual Improvement of the Framework

Use the outputs of the review(s) as inputs to decisions on improving the:
• Framework
• Policy
• Plan

Other MS Models for Continual Improvement

The processes used in management systems standards can be used as a model for:
• Evaluating effectiveness
• Opportunities for improvement
• Review of the framework, e.g.:
• Evaluation of compliance
• Internal audit
• Management review

Learning from Risk Events - BS 31100

• The organization should learn from risk events through a review that covers:
  • What happened
  • How and why the risk occurrence came about
  • What action has been taken
  • The likelihood of the risk happening again
  • Any additional responses or steps to be taken
  • Key learning points and to whom they should be communicated

Risk Management Process

Fig 1 Relationship between the Risk Management Principles, Framework and Process

Principles (Clause 3)
A. Creates value
B. Integral part of organisational processes
C. Part of decision making
D. Explicitly addresses uncertainty
E. Systematic, structured and timely
F. Based on the best available information
G. Tailored
H. Takes human and cultural factors into account
I. Transparent and inclusive
J. Dynamic, iterative and responsive to change
K. Facilitates continual improvement and enhancement of the organisation

Framework (Clause 4)
• Mandate and commitment (4.2)
• Design of framework for managing risk (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the framework (4.5)
• Continual improvement of the framework (4.6)

Process (Clause 5)
• Communication and consultation (5.2)
• Establishing the context (5.3)
• Risk assessment (5.4): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6)

Process for Managing Risk - Clause 5

• Communication and Consultation (5.2)
• Establishing the Context (5.3)
• Risk Assessment (5.4)
  • Risk Identification (5.4.2)
  • Risk Analysis (5.4.3)
  • Risk Evaluation (5.4.4)
• Risk Treatment (5.5)
• Monitoring and Review (5.6)

5 Process

The risk management process should be:
• An integral part of management
• Embedded in culture and practices
• Tailored to business processes

5.2 Communication and Consultation

• Communicate and consult with external and internal stakeholders at every step of the RM process
• Develop plans and processes at an early stage to address:
• The risk itself
• Its causes
• Its consequences
• Risk treatment measures
• Clear dialogue between all parties concerned provides useful information, opinion and fact to all parties
• Document the results

Communication and Consultation: Importance and Benefits

What are some of the benefits of a consultative team approach?

5.2 Communication and Consultation (cont.)

• A consultative team approach may:
  • Help establish the context
  • Ensure the interests of stakeholders are understood
  • Ensure risks are identified
  • Bring different areas of expertise together for risk analysis
  • Consider different views when defining risk criteria and evaluating risks
  • Secure support and endorsement for the risk treatment plan
  • Enhance change management
• Develop an internal and external communication plan
  • Plans for effective communication and consultation should be made with external and internal stakeholders
  • To ensure that those responsible and accountable understand the basis for decisions and the reasons for particular actions

5.3.1 Establish the context

• By establishing the context, the organization articulates its objectives, defines
the external and internal parameters to be taken into account when managing
risk, and sets the scope and risk criteria for the remaining process. While many
of these parameters are similar to those considered in the design of the risk
management framework (see 4.3.1), when establishing the context for the risk
management process, they need to be considered in greater detail and
particularly how they relate to the scope of the particular risk management
process.

5.3.2 External Context

• Refers to the environment in which the organisation seeks to achieve its objectives
• Includes:
  • The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
  • Drivers and trends that have an impact on objectives
  • Relationships with, and perceptions and values of, external stakeholders

5.3.3 Internal Context

• Aligned to culture, processes, structure and strategy
• The internal context needs to be understood because:
  • Risk management takes place in the context of the organization's objectives
  • The objectives of a particular project, process or activity should be considered in the light of the organization's objectives
  • Opportunities to achieve strategic, project or business objectives may otherwise be missed

Internal context to include

• Governance, structure, roles and accountabilities
• Policies, objectives and the strategies in place to achieve them
• Capabilities (in terms of knowledge and resources)
• Information systems, information flows and decision making processes
• Relationships with, and perceptions and values of, internal stakeholders
• Culture
• Standards and guidelines used
• Form and extent of contractual relationships

5.3.4 Context of the Risk Management Process

• Define goals and objectives
• Define responsibilities
• Define the scope, including its depth and breadth
• Define the activity, process, function, project, service or asset in terms of time and location
• Define the relationships between the particular project, process or activity and other parts of the organization
• Define the risk assessment methodologies
• Define how performance and effectiveness will be evaluated
• Identify the decisions that have to be made
• Identify scoping and framing studies

Framework vs. Process Context

How is establishing the context for the RM Process different from that of the RM
Framework?

5.3.5 Risk Criteria

• To be defined for evaluating the significance of risk
• Criteria should reflect the organization's objectives and resources
• Include legal and regulatory requirements
• Consistent with the risk management policy
• Defined at the beginning of the risk management process
• Continually reviewed

Risk Criteria factors

• Nature and types of causes and consequences
• How likelihood will be defined
• Timeframes of likelihood and/or consequences
• How the level of risk is determined
• Views of stakeholders
• The level at which risk becomes acceptable or tolerable
• Whether combinations of multiple risks should be taken into account

Exercise 12

Risk Criteria

Risk Criteria - BS 31100

• The organization should prepare a risk appetite statement, which may:
  • provide direction and boundaries on the risk that can be accepted
  • consider the context and the organization's understanding of value, cost-effectiveness of management, rigour of controls and assurance process
  • recognize that the organization might be prepared to accept a higher than usual proportion of risk in one area if the overall balance of risk is acceptable
  • define the control, permissions and sanctions environment,

5.4 Risk Assessment

• Establishing the Context (5.3)
• Risk Assessment (5.4)
  • Risk Identification (5.4.2)
  • Risk Analysis (5.4.3)
  • Risk Evaluation (5.4.4)
• Risk Treatment (5.5)

Process in Detail

Communicate and Consult (throughout the process)

• Establish the Context
  • Internal context
  • External context
  • Risk management context
  • Develop the criteria
  • Define the structure
• Identify Risks
  • What can happen?
  • When and where?
  • How and why?
• Analyse Risks
  • Identify existing controls
  • Determine consequences
  • Determine likelihood
  • Determine levels of risk
• Evaluate Risks
  • Compare against criteria
  • Set priorities
  • Treat risks? (yes / no)
• Treat Risks
  • Identify options
  • Assess options
  • Prepare and implement treatment plans
  • Analyse and evaluate residual risk

Monitor and Review (throughout the process)

Risk Criteria - BS 31100 (cont.)

• points, and identifying the escalation process for risk outside the acceptance criteria, capability or capacity.
• include qualitative statements outlining specific risks the organization is or is not prepared to accept
• include quantitative statements, described as limits, thresholds or key risk indicators.

5.4 Risk assessment

• Risk Identification
• Risk Analysis
• Risk Evaluation

Risk Assessment

A first step in this process is to determine the tools that may be needed:
• To help implement risk management in practice
• To ensure the organization's risk management framework is aligned with the overall management system and its objectives
• To ensure it is in keeping with the organization's nature, scale, complexity and culture
• To assist in developing risk management knowledge and expertise within the organization

5.4.2 Risk identification

• Identify:
  • Sources of risk
  • Areas of impact
  • Events and their causes, including their potential consequences
• The purpose is to establish the risks that may create, enhance, prevent, degrade, accelerate or delay the achievement of objectives

Risk Identification

• The aim should be to produce a set of well-defined risks
• It should include all risks
• Including those not necessarily under the control of the organization
• But not necessarily consider every possible sequence of cause and effect
• It should be approached methodically and thoroughly

Clause 5.4.2

Risk identification (cont.)

• Risks not under the organization's control need to be covered
• Cover knock-on effects, including cascade and cumulative effects
• Use a risk identification tool suited to the objectives
• People with appropriate knowledge should be involved in identifying risks

Risk Categorization

• Grouping similar risks together into appropriate categories helps to:
• Define scope of risk management
• Provide a structure and framework for risk identification
• Aggregate and map similar kinds of risks across units or the
organization as a whole
• Allocate management responsibilities for the response and
management of risk
• Identify and obtain internal and external skills, knowledge and
expertise to manage risks
• Provide a platform to build more advanced measurement
methodologies as risk tools
• Overcome organizational silos
• Allocate accountability

Risk categorization (cont.)

• Generally, risk categories will include:
• Strategic Risk
• Programme Risk
• Project Risk
• Financial Risk
• Operational Risk

Exercise 13

Risk Identification

5.4.3 Risk Analysis

• To develop an understanding of the risk
• Provides input to risk evaluation and to decisions on the appropriate treatment
• Risk analysis involves:
  • Consideration of the causes and sources of risk
  • Positive and negative consequences
  • Likelihood
  • Identifying the factors that affect consequence and likelihood

5.4.3 Risk Analysis (cont.)

• Consider existing controls and their efficiency and effectiveness
• The level of risk is determined as a combination of consequence and likelihood
• Consider the interdependence of risks
• State the confidence in the determination of the level of risk
• Identify divergence of opinion, uncertainty, and the availability, quality and quantity of the information used

Risk Analysis (cont.)

• Should enable balancing of one risk against another as part of the risk
management decision making process
• The aim is to try and understand the source of the risk and the causes
• Where there are existing controls in place, it can be useful to analyze the risk
with and without the control in place and to determine whether the control is
robust enough

Exercise 14

Risk Analysis

5.4.4 Risk Evaluation

• The purpose is to assist in making decisions
• Compare the level of risk found during analysis with the risk criteria, then decide on treatment
• Consider the wider context, including the tolerance of risks borne by parties other than the organization
• Can lead to a decision to undertake further analysis
• Decisions should take account of the organisation's risk attitude and risk criteria

Exercise 14

Risk Evaluation

5.5 Risk Treatment

• Risk treatment is a cyclical process of:
  • Assessing a risk treatment
  • Deciding whether residual risk levels are tolerable
  • If not, generating a new risk treatment
  • Assessing the effectiveness of that treatment

5.5 Risk Treatment (cont.)

• Cost/benefit analysis of treatment(s)
• Select and implement one or more options for modifying risks
  • Options may be applied in combination or in priority order
• Identify the resultant and/or residual risks from treatment
• Document the risk treatment plan
• Assess effectiveness

5.5.2 Risk Treatment Options

• Avoiding the risk by stopping, or not starting, the activity that gives rise to it
• Taking or increasing the risk in order to pursue an opportunity
• Removing the risk source
• Changing the likelihood
• Changing the consequence
• Sharing the risk with another party
• Retaining the risk by informed decision

4 Tees

• Terminate
• Treat
• Tolerate
• Transfer
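As an added illustration of the analysis, evaluation and treatment steps above (5.4.3, 5.4.4, 5.5 and the 4 Tees), the following Python is example code written for this page; it is not part of the BSI course material nor of ISO 31000 or BS 31100. The 1-5 likelihood and consequence scales, the likelihood x consequence scoring, the tolerate/escalate thresholds and the sample risk register are all assumptions; an organization defines its own under 5.3.5. The example shows inherent risk (analysed without controls), residual risk counting only controls that are actually effective, the comparison of the residual level against the criteria, and the cyclical re-assessment after a new treatment is added.

```python
"""Semi-quantitative risk analysis, evaluation and treatment (added example).

Scales, thresholds and the register below are constructed assumptions for
illustration; they are not values from ISO 31000, BS 31100 or the course.
"""
from dataclasses import dataclass, field

# Assumed risk criteria (5.3.5): 1-5 ordinal scales, level = likelihood x consequence.
LEVELS = ((1, 4, "low"), (5, 9, "medium"), (10, 15, "high"), (16, 25, "extreme"))
TOLERATE_MAX = 4    # at or below this score the risk may be tolerated
ESCALATE_MIN = 16   # at or above this score the risk is outside the acceptance
                    # criteria and is escalated (the BS 31100 escalation point)


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0    # scale points removed from likelihood
    consequence_reduction: int = 0   # scale points removed from consequence
    effective: bool = True           # 5.4.3: only effective controls count


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int    # inherent likelihood, 1-5
    consequence: int   # inherent consequence, 1-5
    controls: list = field(default_factory=list)


def clamp(value):
    """Keep a score on the assumed 1-5 scale."""
    return max(1, min(5, value))


def level(likelihood, consequence):
    """5.4.3: level of risk as a combination of consequence and likelihood."""
    score = likelihood * consequence
    for low, high, name in LEVELS:
        if low <= score <= high:
            return score, name
    raise ValueError(f"score {score} outside the assumed 1-25 range")


def inherent(risk):
    """Risk analysed with no controls in place (the 'without' case)."""
    return level(risk.likelihood, risk.consequence)


def residual(risk):
    """Risk analysed with only the effective controls in place (the 'with' case)."""
    lik, con = risk.likelihood, risk.consequence
    for ctl in risk.controls:
        if ctl.effective:
            lik = clamp(lik - ctl.likelihood_reduction)
            con = clamp(con - ctl.consequence_reduction)
    return level(lik, con)


def evaluate(risk):
    """5.4.4: compare the residual level with the criteria and decide."""
    score, _ = residual(risk)
    if score <= TOLERATE_MAX:
        return "tolerate"          # retain the risk by informed decision
    if score >= ESCALATE_MIN:
        return "escalate"          # outside acceptance criteria: board decision
    return "treat"                 # select and implement a treatment option


def treat(risk, new_control):
    """5.5: treatment is cyclical - add a control, re-analyse, re-evaluate."""
    risk.controls.append(new_control)
    return evaluate(risk)


# Constructed sample register (not real data).
REGISTER = [
    Risk("R1", "Single supplier outage halts production", 4, 4,
         [Control("dual sourcing", likelihood_reduction=2)]),
    Risk("R2", "Stolen laptop exposes customer data", 3, 5,
         [Control("full-disk encryption", consequence_reduction=3),
          Control("asset tagging", likelihood_reduction=1, effective=False)]),
    Risk("R3", "Minor office water leak", 2, 2),
    Risk("R4", "Ransomware on ERP, no tested backups", 4, 5),
]


def register_report():
    """Map each risk ref to (inherent score, residual score, decision)."""
    return {r.ref: (inherent(r)[0], residual(r)[0], evaluate(r)) for r in REGISTER}


if __name__ == "__main__":
    for ref, (inh, res, decision) in register_report().items():
        print(f"{ref}: inherent={inh:2d} residual={res:2d} -> {decision}")
    # Treatment cycle: R1 is still 'treat'; add a second control and re-evaluate.
    print("R1 after adding safety stock:",
          treat(REGISTER[0], Control("safety stock", consequence_reduction=2)))
```

Note that the ineffective "asset tagging" control on R2 contributes nothing to the residual score, which is the point of checking control effectiveness in 5.4.3 before relying on it; and that R1 moves from "treat" to "tolerate" only after the second treatment, which is the cycle described in 5.5.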

Selecting risk treatment options

• Involves balancing the costs and efforts of implementation against the benefits, considering:
  • Legal and regulatory requirements
  • Social responsibility
  • Protection of the natural environment
• Consider risk treatments that cannot be justified on economic grounds alone
• Consider the values and perceptions of stakeholders
• The treatment plan should indicate the priority order of treatments
• Risk treatment can itself introduce new risks
  • Secondary risks that emerge from a treatment should be assessed and may be treated as part of the same plan as the original risk

Exercise 15

Risk Treatment

5.5.3 Risk treatment plans

• Document how the selected treatment options will be implemented; plans should include:
• Reasons for selection of treatment including benefits to be gained
• Those accountable for approving and for implementing plans
• Proposed actions
• Resource requirements
• Performance measures and constraints
• Reporting and monitoring requirements
• Timing and schedule

Example

Example pg 2

Example pg 3

5.6 Monitoring and Review

• Uses information from and provides input to Establishing the Context (5.3), Risk
Assessment (5.4), and Risk Treatment (5.5)
• Plan for regular checking or surveillance
• Define responsibilities
• Ensure controls are effective and efficient
• Evaluate event results, changes, trends, successes and failures
• Identify changes in the context, the risk criteria and the risks themselves
• Report results and use them as input to process improvement

Monitoring and Review (cont.)

• Use a common approach across processes if the organization already has a management system in place
• Consider useful inputs to and outputs from a review process

Exercise 16

Linking the Principles

5.7 Recording the RM Process

• How long records should be kept will depend on the risk to the organization of
not being able to provide evidence of its risk management
• Records are needed to provide evidence of conformity and control
• A procedure is needed for the identification, storage, protection, retrieval,
retention and disposition of records
• Records should be legible, readily identifiable and retrievable

5.7 Records

• Records provide the foundation for improvement in methods, tools and the overall process
• Decisions on the creation and retention of records should take into account:
− the organization's needs for continuous learning;
− benefits of re-using information for management purposes;
− costs and efforts involved in creating and maintaining records;
− legal, regulatory and operational needs for records;
− method of access, ease of retrievability and storage media;
− retention period; and
− sensitivity of information.

Risk Maturity Model - BS 31100

• has risk management been made mandatory by the Board (or equivalent)/senior management?
• are the risk management roles and responsibilities identified and established?
• has a risk management policy been prepared?
• has the risk management policy been communicated?
• has a risk management process been defined?

Risk Maturity Model (cont.)

• is there a plan for embedding risk management?
• have reporting requirements been made explicit?
• are appropriate tools being used to support risk management?
• is risk management information captured in a consistent way?
• is the frequency at which risk management is carried out appropriate to the organization's business cycle?

Risk Maturity Model (cont.)

• do the appropriate organizational activities include risk management?
• is risk management being used to support the pursuit of opportunities?
• has risk management increased Board (or equivalent) confidence in pursuing
new opportunities?
• is there a process of continual improvement?

Standards Hierarchy

Columns: Risk | Safety | Quality | Technology | Environmental

• Terminology: ISO Guide 73 (risk); ISO Guide 14050 (environmental)
• Framework / Principles: ISO 31000, AS/NZS 4360, AFNOR CN FD_X50-252 (risk); SAQ ONR 49001 (safety)
• Requirements: NFPA 101, ANSI/ASHRAE 62, NFPA 75, OHSAS 18001 (safety); ISO 9001 (quality); ISO/IEC 27001 (technology); ISO 14001 (environmental)
• Guidelines: HB 436, CSA Q850 (risk); ISO 10005 (quality); ISO/IEC 27002 (technology)
• Tools: ISO 31010 (risk); ISO/IEC 15408 (technology)

Obstacles to Effective RM

• Top management support
• Internal communication/buy-in
• Fragmented risk systems/processes
• Risk measurement
• Dispersed/global operations
• Changing regulatory/legal requirements
• 3rd-party risks
• Risk prioritization over time

Risk Management

A survey by

Key Finding 1

• Overall, after the global crisis, there is a consensus that anticipating and
managing risks proactively is going to deliver tremendous long term value to
organizations. Establishing a global footprint, cross border regulations, geo-
political events and increased complexity in the value chain are leading to more
risks.

Key Finding 2

• While organizations are making progress in implementing risk management processes and structures, the biggest challenge is around integrating risk with
strategy and the business. There is a need to de-mystify risk and make it
simpler for business managers to grasp and implement. A firm commitment at
the top and training in the use of risk management tools and approaches is
essential to overcome this hurdle.

Key Finding 3

• Boards today are expected to play the watchdog role – that of linking strategy,
risks, rewards and executive compensation to ensure that there are no
misalignments. Risk oversight challenges faced by independent directors are on
account of their limited review of strategy and inadequate inputs into the
information architecture to know about the business, industry and external
factors.

Key Finding 4

• The survey also reveals that organizations have made little or no progress in actually joining up the dots. Risk responses / mitigation strategies are still developed in isolation rather than on the basis of more holistic views that take into account multiple scenarios and potential events. The usage of economic models and technology is limited. Also, few organizations look beyond 3 years when identifying and assessing risks, and aspects such as sustainability and climate change are given limited importance. Some companies are now adopting the practice of appointing Chief Risk Officers, even within the non-financial services sector. CEOs expect their risk officers to be more market and strategy-oriented rather than overly focused on operations and processes. Risk officers who are able to move into a strategic role will deliver the greatest value to their organizations.

Imperative 1

• Enhancing board governance of risk

Governance - Board Level

Imperative 2

• Linking objectives, strategies and risks to KRIs (key risk indicators)

Imperative 3
• Instil a robust risk culture
• Three key focus areas of the risk culture survey:
  1. Understand CXO and senior management perceptions about risks and the way they are, or should be, managed
  2. Identify the organization's pressure points in implementing risk management, seen from an implementation perspective. The pressure points included aspects such as clarity on business intelligence and information, understanding of the risk appetite, ability to communicate difficult issues freely and clarity around roles and responsibilities
  3. Establish the expectations of the CEO from the risk function: what role should it be playing in the organization?

Imperative 5

• Integrating Risk Management at Enterprise Level

Mechanisms for Risk Management


Enhanced Risk Management

• The performance of the RM framework needs to be measured and enhanced
• Key attributes of performance need to be defined
• The resulting key outcomes are:
  • A current, correct and comprehensive understanding of risks
  • Risks remain within the risk criteria

Attribute: Continual Improvement

• Input
  • Goals
    o Performance goals - organization
    o Measurements - KPIs - individuals
  • Review against goals - at least annually
• Output
  • Modification of processes, systems, resources, capability and skills
• RM performance assessment is an integral part of the organization's overall performance assessment and measurement systems for departments and individuals

Attribute: Full Accountability

• Comprehensive, fully defined and fully accepted accountability for risks, controls and risk treatment tasks.
• Availability of skills and resources to check controls, monitor risks,
improve controls and communicate effectively about risks and their
management to external and internal stakeholders.
• Awareness of risks, controls and tasks and inclusion in job/position
descriptions, databases or information systems and part of induction.
• Provision of authority, time, training, resources and skills to assume
accountabilities.

Attribute: RM in Decision Making

• Decisions involve consideration of risk or application of risk management
• Evidence: records of meetings

Attribute: Risk Reporting

• Organisations should have formal risk management reporting processes in place. This includes reporting of "significant risks" and risk treatments.
• Continuous two-way communication with:
• External stakeholders
• Internal stakeholders

Attribute: Integration with Governance

• Organisations need to consider risks at both policy and practice levels. This is achieved by explicitly considering risks and the effect of uncertainty on achieving organisational objectives.
• The governance structure and process are based on the management of risk.
• Effective risk management is regarded by managers as essential for the
achievement of the organization's objectives.
• Evidence:
• Interviews , Statements, Actions

Contact Information

BSI India
Address: The Mira Corporate Suites (A-2), Plot 1 & 2, Ishwar Nagar, Mathura Road, New Delhi 110065, India
Telephone: 91 11 2692 9000
Fax: 91 11 2692 9001
Email: indiatraining@bsigroup.com
Links: www.bsigroup.co.in
Shama.bhardwaj@bsigroup.com

Thank you