Risk Management - ISO 31000 PDF

Title Risk Management - ISO 31000
Author Dr-Mohamed Lashin
Pages 85
File Size 2.9 MB
File Type PDF




ISO 31000

Prepared by Dr. Mohamed Lashin
• Executive Manager – ISC Global – Egypt office
• Member of ISO TC 176 (ISO 9001)
• Ph.D. in Human resources development
• Member of ISO PC 283 (ISO 45001)
• The impact of human resources management strategies in supporting total quality management programs
• Member of ISO/CASCO/JWG48 (ISO/IEC TS 17021-10)
• QMS ISO 9001 Lead auditor
• Ph.D. in Risk management
• Risk management strategies for micro companies
• QMS ISO 29990 Lead auditor
• Lecturer of higher education – Cairo university.
• OHSMS OHSAS 18001 Lead auditor
• Member of the Egyptian Society for Quality (ESQ)
• BCMS ISO 22301 Lead auditor
• Member of the American Society for Quality (ASQ)
• Registered in the International Register of Certified Lead Auditors and trainers (IRCA)
• Member of the American Society for Safety Engineers (ASSE)
• Registered in the organization of certified lead auditors and trainers (Exemplar Global - RABQSA)
• Member of the Institute of Risk Management (IRM)

Risk Management Principles and Guidelines - ISO 31000, Prepared by Dr. Mohamed Lashin


risk means
• risk means "effect of uncertainty on objectives"
• “uncertainty” is not about how things will happen, but is more about our state of knowledge. It is more about our “lack of knowledge” about how things will turn out.
• Events will happen, we just don't know which, how and when.


risk means
• Uncertainty is our ignorance.
• Uncertainty is "the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood."
• If we replace this meaning of uncertainty in the definition of risk, we come up with:

Risk = the effect of ignorance on objectives.


risk means
• But what about "effect"? What does this word mean?
• ISO 31000 defines effect as "a deviation from the expected - positive or negative".
• So if we use that definition, and insert it into the definition of risk, we get:

Risk = the deviation from the expected, due to our ignorance, on objectives.


what is risk management
• Coordinated activities to direct and control an organization with regard to risk. It is an integrated and joined-up approach to managing risk across an organisation and its extended networks.


involvement of risk management
• Risk is part of all our lives. As a society, we need to take risks to grow and develop.
• From energy to infrastructure, supply chains to airport security, hospitals to housing, effectively managed risks help societies achieve.
• In our fast-paced world, the risks we have to manage evolve quickly.
• We need to make sure we manage risks so that we minimise their threats and maximise their potential.
• Risk management involves understanding, analysing and addressing risk to make sure organisations achieve their objectives. So it must be proportionate to the complexity and type of organisation involved.


risk management standards
• A number of standards have been developed worldwide to help organisations implement risk management systematically and effectively.
• Commonly used standards include:
  • ISO 31000 2009 – Risk Management Principles and Guidelines
  • A Risk Management Standard – IRM/Alarm/AIRMIC 2002 – UK’s 3 main risk organisations.
  • COSO 2004 - Enterprise Risk Management - Integrated Framework
  • OCEG “Red Book” 2.0: 2009 - a Governance, Risk and Compliance Capability Model


ISO 31000:2009 Risk Management Principles and Guidelines



ISO 31000 family
• ISO 31000:2009 Risk management - Principles and guidelines
• ISO/CD 31000 Risk management - Principles and guidelines
• ISO/TR 31004:2013 Risk management - Guidance for the implementation of ISO 31000
• IEC 31010:2009 Risk management - Risk assessment techniques
• ISO/NP 31020 Risk Management - Managing Disruption Related Risk
• ISO/AWI 31021 Managing Supply Chain Risk - A Compilation of Best Practices
• ISO/AWI 31022 Guidelines for Implementation of Enterprise Legal Risk Management


executive summary
• ISO 31000 is a generic risk management standard that defines a set of guidelines.
• We refer to them as guidelines because they’re voluntary. They’re not requirements or contractual obligations.
• These risk management guidelines are discussed in the following sections:
  Clause 3. Risk Management Principles
  Clause 4. Risk Management Framework
  Clause 5. Risk Management Process


contents of ISO 31000
1 Scope
2 Terms and definitions
3 Principles
4 Framework
4.1 General
4.2 Mandate and commitment
4.3 Design of framework for managing risk
4.4 Implementing risk management
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework
5 Process
5.1 General
5.2 Communication and consultation
5.3 Establishing the context
5.4 Risk assessment
5.5 Risk treatment
5.6 Monitoring and review
5.7 Recording the risk management process


scope of ISO 31000
• ISO 31000 is an international risk management standard.
• It can be used by any organization no matter what size it is or what it does.
• It can be used by both public and private organizations and by groups, associations, and enterprises of all kinds.
• It is not specific to any sector or industry and can be applied to any type of risk.


scope of ISO 31000
• ISO 31000 can be applied to the achievement of any and all types of objectives at all levels and areas within an organization.
• It can be used at a strategic or organizational level to help make decisions and can be applied to all types of activities.
• It can be used to help manage processes, operations, functions, projects, programs, products, services, and assets.
• However, exactly how the organisation applies ISO 31000 is up to the organisation and will depend on the organization’s needs, objectives, and challenges, and should reflect what it does and how it operates.


who should use ISO 31000?
• ISO 31000 can be used by a wide range of stakeholders, including people who need to:
  • Establish a risk management policy (top management).
  • Evaluate risk management practices and processes (assessors).
  • Manage and control risk within an organization (managers).
  • Explain how risk should be managed and controlled (trainers - consultants).
  • Develop risk management procedures and guides (implementers).
  • Prepare related standards and codes of practice (experts).


risk management architecture
• The standard starts by listing a set of risk management principles.
• Use these principles to guide the establishment of the risk management framework.
• Then use the framework to guide the establishment of the risk management process.
• Together these three sections make up what ISO 31000 calls a risk management architecture.


Risk Management Architecture

(Figure: risk management principles, risk management framework, risk management process)


the 11 risk management principles

3A. Should create & protect value

3B. Should be part of all processes

3C. Should be part of the decision making

3D. Should be used to handle uncertainty

3E. Should be systematic and timely

3F. Should be based on the best data

3G. Should be tailored to the environment

3H. Should consider human factors

3I. Should be transparent and inclusive

3J. Should be responsive and iterative

3K. Should support continual improvement



risk management framework

4.2 Make a commitment to risk management

4.3 Design the risk management framework

4.4 Implement the approach to risk management

4.5 Monitor the risk management framework

4.6 Improve the risk management framework


risk management process

5.2 Communicate & Consult with your interested parties

5.3 Establish your unique risk management context

5.4 Carry out your risk assessment process

5.4.1 Identify, analyze, and evaluate risks

5.4.2 Identify your organisation’s risk

5.4.3 Analyse your organisation’s risk

5.4.4 Evaluate your organisation’s risk

5.5 Formulate & Implement your risk treatment plans

5.6 Monitor & Review your risk management process


relationships between the risk management principles, framework and process



4.1 establish a risk management framework
• Make risk management part of the management system.
• Establish an effective risk management framework.
• Use the framework to support the risk management process.


risk management framework
Risk management framework is a set of components that support and sustain risk management throughout an organization. There are two types of components: foundations and organizational arrangements.
• Foundations include the risk management policy, objectives, mandate, and commitment.
• Organizational arrangements include the plans, relationships, accountabilities, resources, processes, and activities the organisation uses to manage the organization’s risk.


4.2 make a commitment to risk management
• Define the organization’s risk management policy.
• Establish risk management performance indicators.
• Formulate risk management objectives.
• Assign risk management responsibilities.
• Allocate risk management resources.
• Communicate risk management benefits.
• Support the risk management framework.


4.3 design the risk management framework
4.3.1 understand the organization's context
• Evaluate and understand the organization’s external context and then use this knowledge to design the risk management framework.
  • Evaluate and understand the external environment.
  • Evaluate and understand the external stakeholders.
  • Evaluate and understand the external influences.
• Evaluate and understand the organization’s internal context and then use this knowledge to design the risk management framework.
  • Understand the organization’s internal stakeholders.
  • Understand the organization’s governance.
  • Understand the organization’s capabilities.
  • Understand the organization’s culture.
  • Understand the organization’s standards.
  • Understand the organization’s contracts.


internal context
• An organization’s internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives.
• It includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards.
• Governance includes the organization’s structure, policies, objectives, roles, accountabilities, and decision making process, and capabilities include its knowledge and human, technological, capital, and systemic resources.


external context
• An organization’s external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives.
• It includes its external stakeholders, its local, national, and international environment, as well as key drivers and trends that influence its objectives.
• It includes stakeholder values, perceptions, and relationships, as well as its social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environment.


stakeholder
• A stakeholder is a person or an organization that can affect or be affected by a decision or an activity.
• Stakeholders also include those who have the perception that a decision or an activity can affect them.
• ISO 31000 distinguishes between external and internal stakeholders.


4.3 design the risk management framework
4.3.2 formulate the risk management policy
• Establish a risk management policy for the organization.
• Make a clear commitment to risk management.
• Define the risk management objectives.
• Explain how the policy will be implemented.
• Communicate the risk management policy.


risk management policy
• A policy statement defines a general commitment, direction, or intention.
• A risk management policy statement expresses an organization’s commitment to risk management and clarifies its general direction or intention.


4.3 design the risk management framework
4.3.3 make people accountable for managing risk
• Identify the organization’s risk owners.
• Give risk owners the authority to manage risk.
• Make risk owners accountable for managing risk.
• Establish risk management performance measurement methods.
• Develop risk management reporting and escalation processes.


risk owner
• A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so.


4.3 design the risk management framework
4.3.4 build risk management into the organization
• Make risk management a part of all processes and practices.
• Develop an organization-wide risk management plan.


risk management plan
• An organization’s risk management plan describes how it intends to manage risk.
• It describes the management components, the approach, and the resources that will be used to manage risk.
• Typical management components include procedures, practices, responsibilities, and activities (including their sequence and timing).
• Risk management plans can be applied to products, processes, and projects, or to an entire organization or to any part of it.


4.3 design the risk management framework
4.3.5 allocate resources for risk management
• Allocate appropriate resources to support the organization’s risk management activities.
• Consider providing people who can support the organization’s risk management activities.
• Consider providing resources needed to support each step of the risk management process.
• Consider providing information and knowledge management systems to support risk management.
• Consider providing risk management procedures and processes.
• Consider providing appropriate risk management methods and tools.


4.3 design the risk management framework
4.3.6 establish internal communication mechanisms
• Establish internal risk management communication and reporting processes and mechanisms.


4.3 design the risk management framework
4.3.7 develop an external communication plan
• Develop a plan that describes how the organisation intends to communicate with the external stakeholders.
• Implement the risk management communication plan.


4.4 implement the approach to risk management
4.4.1 implement the risk management framework
• Develop a strategy to implement the organization’s framework.
• Implement the organization’s risk management framework.


4.4 implement the approach to risk management
4.4.2 implement the risk management process
• Develop a plan that explains how the organisation intends to apply the organization’s risk management process (Part 5).
• Use the risk management plan to implement the organization’s risk management process (Part 5).


4.5 monitor the risk management framework
• Evaluate the ongoing effectiveness of the organization’s risk management framework.
• Prepare reports on the effectiveness of the organization’s risk management framework.


4.6 improve the risk management framework
• Study the results of the organization’s risk management monitoring and review activities (see Part 4.5, above).
• Figure out how the orga...