The ISO 31000 Standard - Risk Engineering


The ISO 31000 standard on risk management
Eric Marsden, eric.marsden@risk-engineering.org

“Govern well thy appetite, lest Sin / Surprise thee, and her black attendant Death.” — John Milton, Paradise Lost

The ISO 31000 standard
- An international standard that provides principles and guidelines for effective risk management, published in 2009, revised in 2018.
- Generic approach: not specific to any industry or sector; can be applied to any type of risk (financial, technological, natural, project) and to any type of organization.
- A brief standard (24 pages).
- Provides foundations for discussing risk management and undertaking a critical review of an organization’s risk management process.

The ISO 31000 standard: scope
Includes:
- definitions and terms relevant to risk management
- a set of principles that inform effective risk management
- recommendations for establishing a risk management framework
- recommendations for establishing a risk management process
Does not include:
- detailed instructions/guidance on how to manage specific risks
- advice relevant to any specific domain
- any elements related to certification

Related standards
The International Organization for Standardization (ISO) is an international, membership-based NGO based in Geneva, represented in 165 member countries. It has published over 19 000 international standards. Web: www.iso.org
- ISO Guide 73:2009, Risk management — Vocabulary: provides definitions for commonly used terminology in risk management and risk assessment.
- ISO 31004:2013, Risk management — Guidance for the implementation of ISO 31000: how do I implement ISO 31000 in my organization?
- ISO 31010:2009, Risk management — Risk assessment techniques: guidance on selecting and applying systematic techniques for risk assessment.

Background to development of the ISO 31000 standard
- The COSO framework on Enterprise Risk Management is mostly about internal control/auditing: it sees risk management primarily as a compliance activity. ISO 31000 instead sees risk management as a strategic process for making risk-adjusted decisions.
- The Australian/New Zealand risk management standard, AS/NZS 4360. Work started on ISO 31000 in 2005, using AS/NZS 4360 as a first draft, in a consensus-driven process with input from risk management professionals around the world.
- Standard published in 2009, well received by critics; revised version published in 2018 (simplifications).

Some controversy in the standard’s creation
The IEC (International Electrotechnical Commission) Advisory Committee on Safety removed its support from the ISO working group, arguing that:
- safety risks are a special case and should be excluded from a general-purpose risk management process
- any risk to people is unacceptable
Position of the ISO working group on risk:
- most human activities lead to some safety risks
- a uniform process for managing risks is useful
Source: Purdy (2010). ISO 31000:2009 — Setting a new standard for risk management, Risk Analysis 30:6

New notions in the ISO 31000 standard

What’s new?
- A new definition of risk
- The notion of risk appetite
- The risk management framework
- A management philosophy where risk management is an inseparable aspect of managing change and other forms of decision-making

The classical definition of risk
Risk: a combination of the probability and scope of the consequences. — ISO risk management vocabulary, 2002
More precisely, after Kaplan and Garrick, we ask:
- What can go wrong?
- How likely is it to go wrong?
- If it does go wrong, what are the consequences?
Further reading: Kaplan & Garrick (1981), On the quantitative definition of risk, Risk Analysis 1:1

The classical definition of risk: example

  Scenario                Annual probability   Consequences
  Fire on tank F          0.45 · 10^-4         3 killed, 20 M loss
  Fire on tank F          1.2 · 10^-4          1 injured, 20 M loss
  Small leak on pipe D    3 · 10^-3            1 M equivalent of environmental damage
  Large leak on pipe D    1 · 10^-3            20 M equivalent of environmental damage

Risk on this installation is the set of all the lines in this table.

Classical definition and financial risks
Risk = set of triples ⟨scenario_i, p_i, consequence_i⟩.
For financial risks (where all consequences can uncontroversially be expressed in monetary units), the set can be converted into an expected loss. Risk is then the mathematical expectation of the total loss:

$$\mathbb{E}(\text{loss}) = \sum_i p_i \cdot \text{consequence}_i$$

This definition also works when some consequences are positive.

Classical definition and safety risks
Place each scenario in your organization’s risk matrix, according to its probability and level of consequences. Examine whether the sum of possible outcomes is acceptable.
[Figure: risk matrix. Frequency axis: very infrequent, infrequent, fairly frequent, frequent, very frequent. Consequence axis: small, medium, large, very large, catastrophic. Zones: Acceptable; Reduce risks as low as reasonably practicable; Unacceptable.]
For safety risks, all consequences are negative.
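The three slides above describe a procedure: write the risk as a set of ⟨scenario, probability, consequence⟩ triples, compute the expected loss where consequences are monetised, and place each scenario in a frequency/consequence matrix to judge whether the installation as a whole is acceptable. The following Python module is an added example that carries the slide's tank-farm table through that procedure; it is not code from the original deck. The four scenarios and their figures come from the slide; the band boundaries, the "any fatality is catastrophic" rule and the diagonal zone rule are assumptions made here for illustration, since the slide shows the matrix axes and zones but not where their boundaries lie.

```python
"""Classical risk set (Kaplan & Garrick triples) for the tank-farm example,
with the expected monetary loss and a placement of each scenario in a
frequency/consequence risk matrix.

Added example, not part of the original slides. The four scenarios, their
annual probabilities and their consequences are taken from the slide table;
the band boundaries, the "any fatality is catastrophic" rule and the
diagonal zone rule are ASSUMED for illustration.
"""
import bisect
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float
    loss_millions: float          # monetary consequence, in millions
    deaths: int = 0
    injuries: int = 0


# The risk set from the slide: one triple <scenario, p_i, consequence_i> per row.
# The two fire scenarios share a name on the slide; they are distinguished here.
RISK_SET = [
    Scenario("Fire on tank F (3 killed)", 0.45e-4, 20.0, deaths=3),
    Scenario("Fire on tank F (1 injured)", 1.2e-4, 20.0, injuries=1),
    Scenario("Small leak on pipe D", 3e-3, 1.0),
    Scenario("Large leak on pipe D", 1e-3, 20.0),
]

# Frequency axis of the matrix, lowest to highest, with ASSUMED boundaries in
# events per year: band i covers [FREQUENCY_EDGES[i-1], FREQUENCY_EDGES[i]).
FREQUENCY_BANDS = ["very infrequent", "infrequent", "fairly frequent",
                   "frequent", "very frequent"]
FREQUENCY_EDGES = [1e-4, 1e-3, 1e-2, 1e-1]

# Consequence axis of the matrix, lowest to highest, with ASSUMED monetary
# boundaries in millions.
CONSEQUENCE_BANDS = ["small", "medium", "large", "very large", "catastrophic"]
CONSEQUENCE_EDGES_MILLIONS = [1.0, 10.0, 100.0, 1000.0]

ZONES = ["acceptable", "reduce as low as reasonably practicable", "unacceptable"]


def expected_loss(risk_set):
    """E(loss) = sum_i p_i * consequence_i, over the monetised consequences only.

    Deaths and injuries are deliberately left out of this sum: the expectation
    is only meaningful when every consequence is uncontroversially expressible
    in money.
    """
    return sum(s.annual_probability * s.loss_millions for s in risk_set)


def frequency_band(annual_probability):
    """Map an annual probability to its band; a value on a boundary goes up."""
    return FREQUENCY_BANDS[bisect.bisect_right(FREQUENCY_EDGES, annual_probability)]


def consequence_band(scenario):
    """Map a scenario's consequences to a band (ASSUMED rules).

    Any fatality is placed in the top band whatever the monetary loss, so that
    safety consequences are never traded off against money inside the matrix;
    an injury lifts the scenario to at least "large".
    """
    if scenario.deaths > 0:
        return "catastrophic"
    idx = bisect.bisect_right(CONSEQUENCE_EDGES_MILLIONS, scenario.loss_millions)
    if scenario.injuries > 0:
        idx = max(idx, CONSEQUENCE_BANDS.index("large"))
    return CONSEQUENCE_BANDS[idx]


def zone(scenario):
    """ASSUMED zone rule: the matrix is split along diagonals by the sum of the
    two band indices (0..8): 0-3 acceptable, 4-5 ALARP, 6-8 unacceptable."""
    score = (FREQUENCY_BANDS.index(frequency_band(scenario.annual_probability))
             + CONSEQUENCE_BANDS.index(consequence_band(scenario)))
    if score >= 6:
        return ZONES[2]
    if score >= 4:
        return ZONES[1]
    return ZONES[0]


def risk_matrix(risk_set):
    """Place every scenario: name -> (frequency band, consequence band, zone)."""
    return {s.name: (frequency_band(s.annual_probability), consequence_band(s), zone(s))
            for s in risk_set}


def worst_zone(risk_set):
    """The slide asks whether the set of outcomes as a whole is acceptable:
    the installation is judged by the worst zone any scenario falls in."""
    return max((zone(s) for s in risk_set), key=ZONES.index)


if __name__ == "__main__":
    print(f"Expected monetary loss: {expected_loss(RISK_SET):.4f} M per year")
    for name, placement in risk_matrix(RISK_SET).items():
        print(f"{name:28s} {placement[0]:16s} {placement[1]:13s} {placement[2]}")
    print("Installation as a whole:", worst_zone(RISK_SET))
```

Two design points are worth noticing. The expected loss is small (0.0263 M per year) and says nothing about the three fatalities, which is exactly why the slide reserves the expectation for monetised consequences; the matrix, by contrast, keeps the fatality scenario in the top consequence band however low its probability. And because a boundary value such as 1 · 10^-3 is placed in the higher band, the mapping errs towards caution rather than rounding risk down.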

A new definition of risk
Risk: the effect of uncertainty on an organization’s ability to meet its objectives.
- An effect is a deviation from what was expected, which can be positive or negative. Safety risks are generally negative (losses, deaths, pollution). Financial risks may be positive. This definition is relevant for safety, financial, strategic and project risks.
- Uncertainty: lack of information or knowledge concerning an event, its consequences or its likelihood.
- The definition makes the role of objectives explicit: an activity is only undertaken to reach some goal. Objectives can be financial, health and safety, or environmental goals. They can apply at a strategic level, or per project, per product, per site. This leads to more transparency in discussions with stakeholders, because objectives (possibly competing) are made explicit.

A new definition of risk: illustration
[Figure adapted from slides by Prof. G. Motet (INSA Toulouse): a trajectory over time from a start position at t0 towards an objective O at t1.]
- The organization establishes its objectives: at time t1 it wants to be at position O.
- It establishes an action plan to move from its current position (at t0) to position O.
- The presence of uncertainty means that unexpected perturbations can cause deviations from the plan defined at t0. If unchecked, these would mean that the organization does not achieve its objective of reaching position O. This is risk: the effect of uncertainty on the possibility of reaching your objectives.
- The risk management activity consists of trying to anticipate and looking out for deviations from the plan, and implementing corrective actions so that the organization’s objectives are reached despite the unexpected perturbations.

Risk appetite

Concept of “risk appetite”
- Risk appetite: the amount and type of risk that an organization is prepared to pursue, retain or take in pursuit of its objectives.
- Represents a balance between the potential benefits of innovation (and risk) and the threats that change inevitably brings.
- Helps to guide people within the organization on the level of risk permitted and encourages consistency of approach across an organization.
- Generally expressed (for a company) by a broad statement of approach, which is written by the board.

Expressing an organization’s risk appetite: example
“The Organization operates within a low overall risk range. The Organization’s lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products, equipment, and our work environment, and meeting our legal obligations will take priority over other business objectives.”
— Risk appetite statement used by a health-care organization
Source: Understanding and Communicating Risk Appetite, COSO, 2012

Expressing an organization’s risk appetite: example
[Figure: willingness to accept risk, rated from Low (1, 2) through Medium (3) to High (4, 5), for each of the risk categories earnings volatility, capital requirements, reputation, credit ratings and regulatory standing.]
Appetite may vary across risk categories.
Source: Understanding and articulating risk appetite, KPMG, 2008

Components of the standard
The standard comprises three main elements:
- a set of principles which guide risk management activities
- the risk management framework: mandate; design of management framework; implement risk management; monitoring & review; continual improvement. It describes the overall structure and operation of risk management across the organization, similar to the plan/do/check/act (PDCA) cycle.
- the risk management process: establishing the context; risk identification; risk analysis; risk evaluation; risk treatment, with communication & consultation and monitoring & review running alongside. It describes how risks are identified, analyzed and treated.

The ISO 31000 risk management process
- Risk identification: what could prevent us from achieving our objectives?
- Risk analysis: understanding the sources and causes of the identified risks; studying probabilities and consequences given the existing controls, to identify the level of residual risk.
- Risk evaluation: comparing risk analysis results with risk criteria to determine whether the residual risk is tolerable.
- Risk treatment: changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit.

The ISO 31000 risk management process
Risk assessment groups the first three steps (risk identification, risk analysis, risk evaluation); risk treatment follows.

The ISO 31000 risk management process: establishing the context
Define the scope for the risk management process, define the organization’s objectives, establish the risk evaluation criteria. Includes:
- external context: regulatory environment, market conditions, stakeholder expectations
- internal context: organization’s governance, culture, standards and rules, capabilities, existing contracts, worker expectations, information systems, etc.

The ISO 31000 risk management process: monitoring and review
- Measure risk management performance against indicators, which are periodically reviewed for appropriateness.
- Check for deviations from the risk management plan.
- Check whether the risk management framework, policy and plan are still appropriate, given the organization’s external and internal context.
- Report on risk, progress with the risk management plan and how well the risk management policy is being followed.
- Review the effectiveness of the risk management framework.

The ISO 31000 risk management process: communication and consultation
- Early on: helps understand stakeholders’ interests and concerns, to check that the risk management process is focusing on the right elements.
- Later on: helps explain the rationale for decisions and for particular risk treatment options.

The risk management framework
Determines how risk management is integrated with the organization’s management system. Should include:
- risk architecture: roles and responsibilities of individuals and committees that support the risk management process (who “owns” different risks?)
- strategy: objectives of the risk management activity in the organization
- protocols: how the strategy will be implemented and risks managed (procedures, indicators, risk reporting and escalation procedures)
[Figure: framework cycle of mandate, design of management framework, implement risk management, monitoring & review, continual improvement.]

Sample risk architecture & responsibility allocation

Governance bodies (figure):
- The Board: overall responsibility for risk management; ensure risk management is embedded into all processes and activities; review group risk profile.
- Audit Committee: receive routine reports from GRMC; monitor progress with audit recommendations; set annual audit programme and priorities; provide risk assurance to the Board; oversee RM structures and processes.
- Group Risk Management Committee (GRMC): formulate strategy and policy based on risk appetite, risk attitudes and risk exposures; receive reports from business units, review risk management activities and compile the group risk register; receive reports from business units and make reports and recommendations to the Board.
- Disclosures Committee: review and evaluate disclosure controls and procedures; consider materiality of information disclosed to external parties.
- Business units (directed and monitored by the GRMC, which receives their reports for evaluation): prepare and update the business unit risk register; set risk priorities for the business unit; monitor projects and risk improvements; prepare reports for GRMC; manage control risk self-certification activities.

1. RM responsibilities for the CEO / Board:
- Determine strategic approach to risk and set risk appetite
- Establish the structure for risk management
- Understand the most significant risks
- Manage the organisation in a crisis

2. RM responsibilities for the business unit manager:
- Build risk aware culture within the unit
- Agree risk management performance targets
- Ensure implementation of risk improvement recommendations
- Identify and report changed circumstances / risks

3. RM responsibilities for individual employees:
- Understand, accept and implement RM processes
- Report inefficient, unnecessary or unworkable controls
- Report loss events and near miss incidents
- Co-operate with management on incident investigations

4. RM responsibilities for the risk manager:
- Develop the risk management policy and keep it up to date
- Document the internal risk policies and structures
- Track RM activity in the business units and keep the risk management context under review
- Co-ordinate the risk management (and internal control) activities
- Compile risk information and prepare reports for the Board

5. RM responsibilities for specialist risk management functions:
- Assist the company in establishing specialist risk policies
- Produce specific policy statements, as necessary
- Develop specialist contingency and recovery plans
- Keep up to date with developments in the specialist area
- Support investigations of incidents and near misses

6. RM responsibilities for internal audit manager:
- Develop a risk-based internal audit programme
- Audit the risk processes across the organisation
- Receive and provide assurance on the management of risk
- Report on the efficiency and effectiveness of internal controls

Source: A structured approach to Enterprise Risk Management, Airmic/Alarm/IRM, 2010

How do the components fit together?
Principles should influence the design and implementation of the organization’s risk management framework and process. Risk management:
- creates and protects value
- is an integral part of organizational processes
- is part of decision-making
- explicitly addresses uncertainty
- is systematic, structured and timely
- is based on the best available information
- is tailored
- takes human and cultural factors into account
- is transparent and inclusive
- is dynamic, iterative and responsive to change
- facilitates continual improvement of the organization

How do the components fit together?
- The principles guide the creation of the framework (mandate; design of management framework; implement risk management; monitoring & review; continual improvement).
- The framework defines the risk management process (establishing the context; risk identification; risk analysis; risk evaluation; risk treatment; with communication & consultation and monitoring & review alongside).
- Feedback on the performance of the process is used for the framework’s monitoring and review.

A non-certifiable standard
- Many ISO standards are certifiable: your organization can obtain (purchase!) a certificate from an accredited conformity assessment body stating that its activities on a specific perimeter conform to the standard. Example: many large organizations certify their quality management system to the ISO 9001 standard.
- ISO 31000 provides guidance rather than requirements, so it is “not intended for the purposes of certification”.

Relationship with other standards

Reading the standard
You can purchase the ISO standard in PDF format from the ISO Store for a “mere” 80.
Or you can consult the publication of the Bureau of Indian Standards, identical to ISO 31000:2009 Risk management — Principles and guidelines, made available to interested readers on the web “to promote the timely dissemination of this information in an accurate manner to the public”.

Importance of effective risk management
The importance of effective risk management for safety risks is evident.
For financial risks, evidence shows that the financial markets value good risk management, and better ratings of risk management performance lead to lower capital costs for firms.
[Figure: price-to-book ratio (P/B) against risk management score, firms grouped by quartile of risk management score, from better to worse. Average P/B: 1st quartile 2.6, 2nd quartile 1.7, 3rd quartile 1.5, 4th quartile 1.3.]
Source: PricewaterhouseCoopers analysis, based on Bloomberg data, 2007; PricewaterhouseCoopers report “Seizing opportunity: linking risk and performance”, 2009

Image credits
- Flower on slide 8: motiqua via flic.kr/p/6mB7up, CC-BY licence
- Venus flytrap (slide 15): Aurore D via flic.kr/p/5qdqE7, CC BY-NC-ND licence

Further reading
- A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, Airmic/Alarm/IRM, 2010, from theirm.org/media/886062/ISO3100 doc.pdf
- La norme ISO 31000 en 10 questions (ISO 31000 in 10 questions), G. Motet, available (in French) from ielle/10-questions-norme-ISO31000/
For more free content on risk engineering, visit risk-engineering.org

Feedback welcome!
This presentation is distributed under the terms of the Creative Commons Attribution – Share Alike licence.
Was some of the content unclear? Which parts were most useful to you? Your comments to feedback@risk-engineering.org (email) or @LearnRiskEng (Twitter) will help us to improve these materials. Thanks!
fb.me/RiskEngineering
For more free content on risk engineering, visit risk-engineering.org
