ISO 31000 International Standard for Risk Management

Admin
Site Admin
Posts: 314
Joined: Sun Jan 12, 2014 7:41 am

ISO 31000 International Standard for Risk Management

Postby Admin » Fri May 01, 2015 12:28 pm

ISO 31000:2009—The international standard for risk management

The International Standards Organisation (ISO) published ISO 31000:2009, Risk Management – Principles and guidelines on 15th November 2009.

The standard provides a set of principles, a framework and a process for effectively managing risks. It provides critical information for establishing, implementing and maintaining a risk management program, espousing the adoption of an integrated and holistic approach at both strategic and operational levels. This is deemed to be ‘an integral part of good management practice and an essential element of good corporate governance’.

It has been formally adopted as the national Standard of risk management for Australia and New Zealand. Standards Australia and Standards New Zealand produced a local edition—AS/NZS ISO 31000:2009, Risk Management – Principles and guidelines—and withdrew their predecessor, the AS/NZS 4360, Risk Management Standard series. The new Australia/New Zealand Standard is identical to the international one, except that it contains a preface and an introduction which address the transition to the current edition.
Note: For simplicity’s sake, further references to the Standard (both local and international versions) will use the short title ISO 31000:2009.

Eleven risk management principles
ISO 31000:2009 stipulates eleven risk management principles that an organisation should address to effectively manage its risks and achieve its objectives. According to these principles, the management of risk must:
1 create and protect value by contributing to the achievement of objectives and improved performance
2 be an integral part of organisational processes, from the setting of organisational objectives to strategic planning, project management and operational activities
3 be an integral part of the decision making process, so that decisions are the right ones and can be managed to a successful outcome
4 explicitly address uncertainty
5 be systematic, structured and timely
6 be based on the best available information, and acknowledge any data limitations
7 be based on the organisation’s risk profile, and risk appetite for given situations
8 recognise the impact of the human, cultural and environmental paradigms of the organisation on the achievement of objectives
9 address the perceptions of stakeholders, not just company management
10 be dynamic and responsive to change and take account of new or emerging risks
11 be continually improving as the organisation matures.

These principles need to be addressed by an organisation’s Board and senior management when they establish a mandate and commitment to manage risk within the organisation.

Risk management framework

ISO 31000:2009 advocates a risk management framework designed to provide the foundations and arrangements that will embed the management of risk throughout the organisation at all levels.

To be effective, a framework must be founded upon a mandate and commitment by an organisation’s senior management. This undertaking must include a dedication to the implementation, review and continual improvement of how risk is managed, ensuring that each step is fully focused on the achievement of organisational objectives. The framework calls for a clear understanding of the context in which the organisation operates so as to ensure the risk management policy clearly states the Board’s commitment to the management of risk.

The framework also sets out how the management of risk is to be woven into the organisational fabric so as to become an integral part of how things are managed within the organisation, rather than having risk management as an add-on or separate activity divorced from the mainstream line management of the business.

An organisation’s Board must ensure there is accountability and authority for the management of risk. ISO 31000:2009 seeks to differentiate between risk owners who are accountable for managing risk (i.e. those persons with a corporate and/or legal liability for their decisions or lack of decision) and those who are responsible for specific tasks (i.e. those persons with an obligation to carry out an instruction from a higher authority).

Prescribed risk management process

The risk management process, as prescribed by ISO 31000:2009, consists of five activities:
1 communication and consultation
2 establishing the context
3 risk assessment, including identification, analysis and evaluation
4 treating risks
5 monitoring and review.

These activities are used as the basis for assessing and managing complex risk management portfolios. As a risk management practitioner, you need to understand all of the activities and the steps encompassed by each one. It is this process, graphically represented below, that will be the primary focus of the coming sections of this learning module.
Overview of the risk management process (Source: Figure 3 from ISO 31000:2009)

Image


Re: ISO 31000 International Standard for Risk Management

Postby Admin » Fri May 01, 2015 4:08 pm

Many organisations have suffered considerable losses or actually ceased to exist because they have failed to identify the risks to which their organisation was exposed, or they adopted a poor risk management approach.
Here are some of the outcomes that have involved risks faced by international companies in recent years:
• Perrier was compelled to instigate a worldwide recall of mineral water bottles when benzene was found in some routine sample tests.

• Union Carbide was required to pay hundreds of millions of dollars in claims after the gas leak in Bhopal, India.

• Exxon incurred considerable costs when the tanker Exxon Valdez ran aground and leaked massive amounts of oil.

• Intel faced huge recall expenses as well as Directors’ and Officers’ liability suits when certain shareholders filed actions alleging it had badly handled a problem with its Pentium chip. Specifically, a minor problem became a worldwide crisis when the company poorly communicated this issue to its customers.

• The world’s largest insurer, AIG, received a $182b bailout from the US Government. It had suddenly collapsed in September 2008 due to bad bets it made insuring mortgage-backed securities. Fox Business Network reported: “On the subject of risk management, Mr. Greenberg, the former head of AIG, was as bold as ever, saying ‘had I stayed there, what I’m sure about, the breakdown in risk management would not have taken place’.”

• BP oil spill, 20th April 2010, in the Gulf of Mexico; total estimated cost is $9.5b. “Thus, it comes as no surprise that, as The Times also reported, no BP official had overall responsibility for safety on the Deepwater Horizon. This points to the main lesson of this case: In hazardous operations — such as the search for energy sources in increasingly dangerous environments — minimizing catastrophic risk demands strong, accountable safety supervisors and workable, realistic planning for emergencies.” Dana M. Radcliffe, Senior Lecturer of Business Ethics at Cornell University’s Johnson Graduate School of Management.


Developing a Risk Management Policy

Postby Admin » Fri May 01, 2015 4:10 pm

An organisation’s risk management policy should be a high-level document which outlines the organisation’s approach to risk management and sets the risk management program firmly within the management structures of the organisation. According to section 4.3.2 of ISO 31000:2009, the risk management policy should contain:
• the organisation’s rationale for managing risk;

• links between the organisation’s objectives and policies and the risk management policy;

• accountabilities and responsibilities for managing risk;

• the way in which conflicting interests are dealt with;

• commitment to make the necessary resources available to assist those accountable and responsible for managing risk;

• the way in which risk management performance will be measured and reported; and

• commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances.

In short, the risk management policy provides a guide for managing risk within the organisation and it is closely aligned with the overall management of the organisation.

Key issues that the risk management policy should address include:
• the purpose of the risk management program and its aims—objectives, philosophy, culture and structure of the organisation should be clearly reflected in, and totally supported by, the risk management program

• ensuring the risk management program is embedded within the organisation’s management systems

• the scope and parameters of the risk management program—that is, which risk exposures will be managed within which parts of the organisation

• the organisation’s tolerance or appetite for exposure to risks

• ensuring clearly designated responsibility, accountability and authority for specific areas of the risk management program and the overall risk management program is established from the outset—this includes performance measurements and reporting processes and accountabilities

• resources required to implement and maintain the risk management program—this includes the people, skills, information systems and financial resources required

• clear documentation and communication of the risk management process and overall program (including the risk management policy) to all stakeholders

• regular monitoring and review of the implementation and maintenance of risk management initiatives.
Implementing risk management is a difficult task, and for it to be successful it is critical that a well-drafted policy is produced and that the implementation has the support, commitment and sponsorship of senior management.
When the risk management policy has been crafted, it should be communicated to all stakeholders to ensure they are all working from the same ‘game plan’.


Risk Analysis

Postby Admin » Fri May 01, 2015 4:11 pm

Section 2.21 of ISO 31000:2009 defines risk analysis as a:
…process to comprehend the nature of risk and to determine the level of risk
NOTE 1: Risk analysis provides the basis for risk evaluation and decisions about risk treatment
NOTE 2: Risk analysis includes risk estimation.

Likelihood
When determining the likelihood of an unexpected event, the number of times it can potentially occur in a year is measured.
The likelihood of an unexpected event can be measured in terms of frequency of occurrences (that is, occurrence per year—No./Yr). The potential frequency of an event needs to be determined using a descriptive scale. Examples of descriptions that may be used for the likelihood of an unexpected event/loss are:
• almost certain
• likely
• possible
• unlikely
• rare
• very rare
• almost incredible.

Consequence
The effect that such an event can have on the organisation is also measured. This is the loss consequence, and it is often measured in financial ($) terms. Where possible, the following factors are taken into account:
• injury to people
• financial implications, including financial/asset damage or loss
• adverse reputation and image effects
• environmental damage
• disruption of business operations (both short- and long-term).

When both measures of likelihood and consequence have been determined, a qualitative risk analysis matrix can be developed to prioritise exposures by assigning a risk rating to each particular risk. The qualitative and quantitative risk analysis data is used to set priorities for treatment based on the level of risk to which the organisation is exposed.
The following table is an example of a qualitative risk analysis matrix, the framework of which is based on the results of analysis that led to categories of likelihood and consequences.
While the example illustrates the relevant information and structures, it is important that each organisation develops its own matrix tailored to its specific needs.

Example—Risk analysis matrix
Image
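A constructed Python example of how the likelihood and consequence scales described in the post above combine into a qualitative rating and a treatment priority; this is added here and is not code from the post or from ISO 31000. The seven likelihood descriptors are the post's; the frequency floors, dollar bands and rating cells are assumptions that an organisation would replace with its own tailored matrix.

```python
# Likelihood descriptors from the post, most likely first.
LIKELIHOOD = ["almost certain", "likely", "possible", "unlikely",
              "rare", "very rare", "almost incredible"]
# Assumed frequency floors (events per year, i.e. No./Yr) for the first six
# descriptors; anything below the last floor is "almost incredible".
FREQUENCY_FLOORS = [10.0, 1.0, 0.1, 0.01, 0.001, 0.0001]
# Assumed consequence categories (least to most severe) and the dollar loss
# at which each of the first four categories ends.
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
LOSS_CEILINGS = [10_000, 100_000, 1_000_000, 10_000_000]
RATINGS = ["low", "medium", "high", "extreme"]
# Assumed matrix: rows follow LIKELIHOOD, columns follow CONSEQUENCE.
MATRIX = [
    ["medium", "high",   "high",   "extreme", "extreme"],  # almost certain
    ["medium", "medium", "high",   "extreme", "extreme"],  # likely
    ["low",    "medium", "high",   "high",    "extreme"],  # possible
    ["low",    "medium", "medium", "high",    "extreme"],  # unlikely
    ["low",    "low",    "medium", "high",    "high"],     # rare
    ["low",    "low",    "medium", "medium",  "high"],     # very rare
    ["low",    "low",    "low",    "medium",  "high"],     # almost incredible
]

def likelihood_of(events_per_year):
    """Map a measured frequency (No./Yr) onto the descriptive scale."""
    for i, floor in enumerate(FREQUENCY_FLOORS):
        if events_per_year >= floor:
            return LIKELIHOOD[i]
    return LIKELIHOOD[-1]

def consequence_of(loss_dollars):
    """Map a loss estimate in dollars onto the consequence scale."""
    for i, ceiling in enumerate(LOSS_CEILINGS):
        if loss_dollars < ceiling:
            return CONSEQUENCE[i]
    return CONSEQUENCE[-1]

def rate_risk(events_per_year, loss_dollars):
    """Return (likelihood, consequence, rating) for one exposure."""
    lik = likelihood_of(events_per_year)
    con = consequence_of(loss_dollars)
    return lik, con, MATRIX[LIKELIHOOD.index(lik)][CONSEQUENCE.index(con)]

def prioritise(register):
    """Order (name, events_per_year, loss_dollars) entries for treatment:
    highest qualitative rating first, expected annual loss as tie-breaker."""
    def key(entry):
        _, freq, loss = entry
        return (RATINGS.index(rate_risk(freq, loss)[2]), freq * loss)
    ordered = sorted(register, key=key, reverse=True)
    return [(name, rate_risk(freq, loss)[2]) for name, freq, loss in ordered]
```

Feed `prioritise` a register of constructed exposures such as `("ransomware outbreak", 0.5, 5_000_000)` and it returns them in treatment order with their rating, the quantitative product only separating risks that share a qualitative rating.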


Re: ISO 31000 International Standard for Risk Management

Postby Admin » Fri May 01, 2015 4:11 pm

Image

