
ISO 31000

Yeganeh Majidi
Oct. 2015
What is “risk”?

• Risk is present in everything we do.
• ISO 31000, the international standard on risk management, defines it this way:
  Risk = the effect of uncertainty on your objectives.
• Risk can be a threat or an opportunity: anything that could harm, prevent, delay or enhance your ability to achieve your objectives is a risk.
Why talk about risk?

• Risk is something that we all face every day.
• As a company, we have to take risks in pursuit of our commercial objectives.
• To raise awareness that we all have to manage risk as part of our daily working lives as well as our personal lives.
[Figure: Sources of Risks. Organisational objectives (strategic, programme, project and operational) sit at the centre, surrounded by the environments from which risk arises (physical, economic, social, political, legal, operational and cognitive) and the exposures they create (physical asset, financial asset, human asset, legal liability and moral liability).]
The Effect of Risk Control on Performance

[Figure: performance (low to high) plotted against level of risk control (ignorant, managing, obsessed). Too little control leaves the organisation exposed and destroys performance; managing risk enhances performance; excessive controls minimise risk but constrain performance.]


What do we know about Risk Management?

• RM is part of our everyday lives:
  • Crossing the road – risk of getting run over
  • Managing our finances – risk of going broke
  • Purchase of insurance – risk of fire, theft, storm
  • Choosing to smoke – risk of cancer
  • Going for a swim – risk of drowning
• The choices we make in accepting these risks are part of who we are.
What is Risk Management?

Definition of Risk Management (ISO / IRM):
Coordinated activities to direct and control an organisation with regard to risk. It generally includes risk:
• assessment,
• treatment,
• acceptance and
• communication.

Contained in ISO 31000.


RM definition contd…

A process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

[Figure: Sustained Benefit]
Risk Identification

• Identify an organisation’s exposure to uncertainty.
• A widely used approach is to break the risks down into categories:
  • Strategic/commercial risks
  • Economic/financial/market risks
  • Legal, contractual and regulatory risks
  • Organisational management/human factor risks
  • Political/societal factors
  • Environmental factors/Acts of God
  • Technical/operational/infrastructural risks
Risk Analysis

Risk analysis is concerned with the probability and impact of individual risks, taking into account any interdependence.
• Probability is the evaluated likelihood of an event actually happening, including consideration of frequency of occurrence.
• Impact is the evaluated effect or result of a particular risk actually happening.
Risk Treatment

Can involve:
• Avoiding the risk – deciding not to start or continue an activity
• Taking or increasing risk in order to pursue an opportunity
• Removing the risk source
• Changing the likelihood
• Changing the consequences
• Transferring the risk or sharing it with another party
• Retaining the risk by informed decision

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.

Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
ISO 31000:2009 --> ANSI/ASSE/ISO 31000

• Australia, New Zealand & Japan initiated its creation – based on AS/NZS 4360
• 30+ countries participated
• 6 meetings over several years
• Adopted in November of 2009; now officially the first International Standard on Risk Management
• Guide 73 & ISO 31010 quickly followed
• The American Standard on RM – ANSI/ASSE/ISO 31000
ISO 31000 - Scope

• Provides principles and generic guidelines on principles and implementation of risk management.
• Can be applied to any kind of organisation and risk type, and is not specific to any industry or sector.
• Is NOT intended to be used for the purpose of certification.

Nicola Crawford, IRM IPYD – ISO 31000, 1 October 2009 15


ISO 31000 - Users

ISO 31000:2009 is intended to be used by a wide range of stakeholders including:
• those responsible for implementing risk management within their organisation;
• those who need to ensure that an organisation manages risk;
• those who need to manage risk for the organisation as a whole or within a specific area or activity;
• those needing to evaluate an organisation’s practices in managing risk; and
• developers of standards, guides, procedures, and codes of practice that in whole or in part set out how risk is to be managed within the specific context of these documents.



ISO 31000: A Business Principles Approach to Risk Management


Critical Components of ISO 31000

• The principles provide the foundation and describe the qualities of effective risk management in an organization.
• The framework manages the overall process and its full integration into the organization.
• The process for managing risk focuses on individual or groups of risks: their identification, analysis, evaluation and treatment.

Monitoring & review, continual improvement and communication occur throughout.
(From ANSI/ASSE/ISO 31000)
ISO 31000: Key Elements

Principles:
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured & timely
• Based on best available info
• Tailored
• Takes human & cultural factors into account
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Facilitates continual improvement & enhancement of the org

Framework:
• Mandate & commitment
• Design framework for managing risk
• Implement risk management
• Monitor and review the framework
• Continually improve the framework

RM Process:
• Establish the context
• Risk assessment: risk identification, risk analysis, risk evaluation
• Risk treatment
• Communicate and consult
• Monitor and review
Components of the Framework

• Understanding the organization & its context
• Establishing RM policy
• Accountability & authority
• Integration into organizational processes
• Determining appropriate resources
• Establishing internal communication & reporting mechanisms
• Establishing external communication & reporting mechanisms

(ISO 31000:2009, Risk management – Principles and guidelines)
ISO 31000 & Risk

[Figure: risk management spanning Strategic Management, Tactical & Ops Management and Project Management.]

Risk (the new definition): “effect of uncertainty on objectives” (ISO 31000:2009, ISO/IEC Guide 73:2009)

value protection + value creation

Control (the new definition): “measure to modify risk” (ISO 31000:2009, ISO/IEC Guide 73:2009)
ISO 31000: Benefits

• Strategic, operations, processes, projects, products, assets, governance, everything
• Proactively create value by treating uncertainty, while respecting regulations, laws, organization
• Expect better profits, morale, trust, controls, initiatives, reporting, and corporate culture
• Designed to integrate with existing management – build on existing management systems, add commitment, alignment, IT, stakeholders, ownership of risk, etc.
• Communication and consultation as appropriate – consider the values and perceptions of stakeholders
• Risk in every decision is set in context, assessed, treated, documented
• Enhance alignment of ERM and Project Risk Management


ISO 31000 & Project Management

• An essential aspect of project management is controlling the inherent risks of a project.
• Risks arise from uncertainty surrounding project decisions and outcomes.
• Most individuals associate the concept of risk with the potential for loss in value, control, functionality, quality, or timeliness of completion of a project. However, project outcomes may also result in failure to maximize gain in an opportunity, and the uncertainties in decision making leading up to this outcome can also be said to involve an element of risk.
ISO 31000 & Project Risk Management Framework

[Figure: Project Risk Management Framework]



What is Different about ISO 31000?
Without risk, there is no reward or progress. Unless risk is managed
effectively, organizations cannot maximize opportunities and
minimize threats. Risk is all about uncertainty, or more importantly,
the effect of uncertainty on the achievement of objectives. This is
where ISO 31000 is clearly different from existing guidelines in that
the emphasis is shifted from something happening – the event – to
the effect on objectives.
Global Survey on ISO 31000

• LinkedIn website on ISO 31000, with >6,500 members since March of 2009
• Reached out to 100+ associations; members from 74 associations participated
• 1,823 responses from 111 countries
• Largest # of participants from US (20%), UK (10%) and Australia (10%)
• Primary professions: risk management & IT


Countries with Highest Level of Awareness of ISO 31000

• Australia (65%)
• New Zealand (47%)
• Canada (42%)
• United Arab Emirates (37%)
• Brazil (28%)
• South Africa (26%)
• Spain (21%)
• Netherlands (21%)
• United Kingdom (21%)
• Finland (18%)
• Italy (14%)
• France (13%)
• USA (11%)
ISO 31000 & Project Risk Management Process

PMBOK vs. ISO 31000 risk process – differences lie in the framework & context.
ISO 31000: The Opportunities

• Better communication – by providing clear, unambiguous and consistent terms and definitions, ISO 31000 can help to establish a common understanding of the relevant topics throughout the entire organization, including projects.
• Provides a blueprint for organizations / projects aiming at designing and implementing an effective and efficient risk management framework – ISO 31000 outlines the essential principles, components, processes and organizational structures required.
• Provides a benchmark to which organizations / projects can compare their existing approaches – ISO 31000 can assist in identification of gaps and weaknesses in the current approach.
• Contributes to the confidence and trust of internal and external stakeholders in the risk management abilities of an organization / project – ISO 31000 allows transparency of the organisation’s / project’s approach to risk management.
Summary

• All entities exist to provide value for their stakeholders.
• Uncertainty presents risks and opportunities – with potential to erode / enhance value.
• All entities face uncertainty – management’s challenge is to “balance the risk and opportunities”.
• RM provides management with a framework to effectively deal with uncertainty – the associated risks and opportunities – and enhance their capability to build value.
“Organizations make and save money by taking risks and lose money by not effectively managing risk”

Thank you!
