
ISO 31000 and Integrated Risk Management
RIMS Breakfast
Thursday October 16th, 8:30
Earl Grey Room, Minto Suites Hotel
427 Laurier Street
Ottawa
John Lark, Stratos Inc.
This Presentation

 A Global Standard
 Integrated Risk Management in Canada
 What is in ISO 31000?
 How ISO 31000 can help
 Bringing it to your clients
 Steps to implementing a sustainable, risk-based adaptive management regime

2
Assurance

“a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk.”

IIA Professional Practices Framework

After G. Purdy, 2008

3
Drivers for a Global Standard

 Multinational companies operating in many countries around the globe
 A need to set priorities and address risks based on global importance
 Need a “common look and feel”
 Need to demonstrate that effective and reliable standards have been used
 Many existing standards are “down in the weeds” and unsuited to broad application

4
The Search for a Standard

 AS/NZS 4360 was originally written to guide the implementation of risk management in Australia and New Zealand, global leaders in the new “enterprise risk management” approach.
 Use of AS/NZS 4360 extended globally over a 13-year period.
 It became apparent that demand for a global standard was high enough to interest ISO.

5
The Canadian Context

A pivotal point was the 1998 publication of a report called “Results for Canadians”. It was the beginning of a new focus on results, and eventually on the things that could impair their delivery.

In 2000, the first steps were taken towards the development of a government-wide Management Accountability Framework, which would be used to assess the performance of departments annually.

6
Management Accountability Framework

(Figure: the Performance Indicators Framework)

7
Performance Indicators for IRM

Risk Management
• Key risks identified and managed
• Risk lens in decision making
• Risk-smart culture
• Capacity to communicate and manage risk in a public context

In June 2007 the “Policy for the Management of Projects” was approved by the Treasury Board Secretariat.

5.1 Objective
The objective of this policy is to ensure that the appropriate systems, processes and controls for managing projects are in place, at a departmental, horizontal or government-wide level, and support the achievement of project and program outcomes while limiting the risk to stakeholders and taxpayers.

5.2 Expected results
The expected results of this policy, associated standards and directive are that:
• Projects achieve value for money;
• Sound stewardship of project funds is demonstrated;
• Accountability for project outcomes is transparent; and
• Outcomes are achieved within time and cost constraints.
9
What the Policy requires

 That each Department or Agency assess its capacity to manage risks using a specified assessment tool
 That (by April 2011) the risk of every “project” is assessed using a standard risk assessment tool, and that those projects whose risk level exceeds the departmental capacity must come before the Treasury Board Secretariat for assessment

Project: an activity or series of activities that has a beginning and an end. A project is required to produce defined outputs and realize specific outcomes in support of a public policy objective, within a clear schedule and resource plan. A project is undertaken within specific time, cost and performance parameters.

10
Principle On Which ISO 31000 is Based

Risk: “the effect of uncertainty on objectives”

ISO 31000 treats risk as the effect that uncertainty has on what an enterprise is trying to achieve, not as a catalogue of hazards. This implies a top-down approach that starts from objectives, and risk is neither positive nor negative in itself: the effect can be a deviation from the expected in either direction.

Defined in ISO Guide 73 (the risk management vocabulary)

11
ISO 31000 Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles for managing risk
5 Framework for managing risk
6 Process for managing risk

12
Steps to Develop and Sustain a Risk Management Framework

(Figure: the clause 5 cycle, with the clause 6 risk management process at its centre)

5.2 Mandate and commitment
5.3 Designing the framework
5.4 Implementing risk management: the framework (5.4.1) and the risk management process (5.4.2, clause 6)
5.5 Monitoring and reviewing the framework
5.6 Continual improvement of the framework (the cycle then returns to 5.3)

13
Chapter 4 Principles for Managing Risk
To be most effective, an organization’s risk management should adhere
to the following principles.
Risk Management:
a) creates value.
b) is an integral part of organizational processes.
c) is part of decision making.
d) explicitly addresses uncertainty.
e) is systematic, structured and timely.
f) is based on the best available information.
g) is tailored.
h) takes human and cultural factors into account.
i) is transparent and inclusive.
j) is dynamic, iterative and responsive to change.
k) facilitates continual improvement and enhancement of the
organization.

14
Chapter 5 Framework for Managing Risk
5.1 General
5.2 Mandate and commitment
5.3 Design of framework for managing risk
5.3.1 Understanding the organization and its context
5.3.2 Risk management policy
5.3.3 Integration into organizational processes
5.3.4 Accountability
5.3.5 Resources
5.3.6 Establishing internal communication and reporting mechanisms
5.3.7 Establishing external communication and reporting mechanisms
5.4 Implementing risk management
5.4.1 Implementing the framework for managing risk
5.4.2 Implementing the risk management process.
5.5 Monitoring and review of the framework
5.6 Continual improvement of the framework

15
Chapter 6 Process for Managing Risk
6.1 General
6.2 Communication and consultation
6.3 Establishing the context
6.3.1 General
6.3.2 Establishing the external context
6.3.3 Establishing the internal context
6.3.4 Establishing the context of the risk management process
6.3.5 Developing risk criteria
6.4 Risk assessment
6.4.1 General
6.4.2 Risk identification
6.4.3 Risk analysis
6.4.4 Risk evaluation
6.5 Risk treatment
6.5.1 General
6.5.2 Selection of risk treatment options
6.5.3 Preparing and implementing risk treatment plans
6.6 Monitoring and review
6.7 Recording the risk management process

16
How Can ISO 31000 Help?

Risk practitioners are best placed to make these assessments, based on their experience with clients.

A number of interested Canadian risk practitioners are working with the Canadian Standards Association (CSA) to build a bridge between ISO 31000 and the Canadian context: a “guide” that will provide more detail and clarity, and may include examples.

CSA Q850 will be withdrawn.

17
Working With Clients

Adaptive Management

(Figure: a cycle of Assess, Design, Implement, Monitor, Evaluate and Adjust, returning to Assess)

18
Where Integrated Risk Management Fits In

(Figure: the same adaptive management cycle; “IRM Occurs Here” marks the Assess step)

19
The Assessment Phase

 It is at this stage that the overall goal or objective of the enterprise is assessed.
 Where: Activities  Outputs  Outcomes
 Often an evaluation framework or a “results-based management accountability framework” (RMAF) is a good place to start.
 An RMAF shows how success is measured and who is accountable.

20
Integrated Risk Management in the Assessment Phase

Integrated Risk Management of negative risks:
 Starts with “what can, and does, go wrong?”
 Looks to similar enterprises and experiences
 Seeks specifics for:
   Causes (risk drivers)
   Remedies (treatment)
   Consequences (if/when the risk expresses)

This can be done for an existing, or proposed, activity.
21
Sample Risk Information Sheet

There is a risk that . . .
Statement of the risk event that, if it materializes, can affect the achievement of enterprise objectives.

Risk Drivers: identifies possible sources of the risk event, such as environmental factors or management framework weaknesses.

Current Risk Treatment: identifies examples of current actions, processes, controls, etc., that reduce the likelihood of the risk occurring, or its severity if it were to occur.

Possible Consequences: describes possible impacts if the risk were to fully express.
Activities  Outputs  Outcomes

To Meet Legal and Policy Obligations....

Program Components:
• Liaison with federal departments and agencies (e.g. Interdepartmental Regional Working Group)
• Ongoing identification and tracking of requirements in each region (tracking territorial requirements)
• Internal communication of requirements, monitoring and compliance by site (e.g. audits, quarterly reporting)
• Consultations (local communities and self-govt requirements, constitutional requirements, regulatory, …)
• Procurement (e.g. FTA, Aboriginal Content Requirements)
• Transfer resources & responsibilities
• Delivery of DTA obligations
• Applying for permits and licenses
• Compliance with applicable internal and external regulations and licenses
• Activities to support ISO compliance
• Ensuring compliance with applicable H&S regulations

Outputs:
• Listing of policy and regulatory requirements
• Work plans/procedures to reflect requirements
• Reports on conformance/status of violations/corrective actions

Outcomes:
• Aware of applicable regulation and policy requirements
• In compliance with all relevant legislation, regulations, policies and procedures
• Reports on conformance/status of violations/corrective actions

23
Sample Risk One: Logistics

There is a risk that logistics failures or limitations of winter roads, and air, land or water transportation firms will prevent a Northern program from achieving its objectives.

Risk Drivers:
• ... length, including warmer winters limiting the reliability and capacity of winter roads
• Sending goods by ship in the open water season is unreliable, especially to small coastal sites
• Lack of coordination between sites results in lost opportunities to share or divert transportation resources
• Limited number of fixed and rotary wing aircraft for charter
• High prices for charter because of competition from other development users (e.g. diamond mines)
• Access to winter roads
• Limited capacity to store fuel at distribution facilities
• Inability to construct linear infrastructure
• Identification of site pathways for winter travel across open land has risks (crossing private land, thin ice)
• Quality of airstrips
• Storms
• Hazards of flying in fixed and rotary wing aircraft in icy conditions

Current Risk Mitigation:
• Increased efforts for coordination between sites
• Scheduling to account for anticipated delays, especially for mobilization
• Communication
• Coordination with other winter roads
• Provide opportunity to transportation firms to go on site visits to determine the best way to address logistic constraints

Possible Consequences:
• Project delays
• Planning delays
• Increased costs
• Missed milestones
• Injury or death to staff or contractors
• Lapsed funds
• Non-compliance with permits

24
(Figure: four likelihood/impact matrices, each with axes “Increasing Likelihood” and “Increasing Impact” and bands marking the level at which a risk must be handled: Chief, Manager, Director, CEO. The four panels are “Large Appetite for Risk”, “Plan for All Extreme Risks”, “Standard” and “Risk Averse”; the more risk-averse the profile, the lower the likelihood and impact at which a risk moves up to the next level.)

25
The Profile of One Risk

(Figure: the nature of the risk plotted on the likelihood/impact matrix; this one sits at Impact = Very High, Likelihood = Likely.)

26
Risk Assessment by Strategic Objective

27
The Next Step is Design

(Figure: the adaptive management cycle; “IRM Occurs Here” marks the Design step)

28
Risk Treatment should be “Designed In”

(Figure: decision flow for each risk event)

Risk event: is the level of risk within tolerance (acceptable)?
  YES: assume the risk; escalate for information.
  NO: can you act on it?
    NO: monitor the risk; escalate for action.
    YES: choose a treatment: Avoid, Treat or Share, recorded as specific actions with an owner and a date.

29
Evaluate the effectiveness of treating risks

The Profile of One Risk

(Figure: the same likelihood/impact matrix showing the level of risk before treatment (Impact = Very High, Likelihood = Likely) and, after treatment, the lower level to which the treatment moves it.)
30
Then Implement

(Figure: the adaptive management cycle; “IRM Occurs Here” marks the Implement step)

31

Then Monitor

(Figure: the adaptive management cycle; “IRM Occurs Here” marks the Monitor step)

32

And, after one cycle, Evaluate

(Figure: the adaptive management cycle; “IRM Occurs Here” marks the Evaluate step)

33
Adjust after Evaluation

In response to the evaluation step, adjust: to account for risk treatment that has worked, and to identify treatment that has been incomplete or ineffective.

34
Enterprise Wide Evaluation of Treatment

(Figure: table showing the effect of risk treatment, before and after, across the enterprise)

35
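As an added example, written for this page and not taken from the presentation, from ISO 31000 or from Stratos Inc., the Python below shows how the decision logic on slides 25, 29, 30 and 35 can be made operational in a small risk register: a likelihood-times-impact score, appetite-dependent Chief/Manager/Director/CEO escalation bands, the assume/monitor/avoid-treat-share decision, and an enterprise-wide table of risk levels before and after treatment. Only the band names, the decision steps and the logistics scenario come from the deck; the five-point scales, the appetite thresholds, the "extreme" floor, the tolerance value and the two sample risks are constructed assumptions.

```python
"""Risk register with appetite-dependent escalation and the treatment decision flow.

Constructed for this page; not code from the presentation or from ISO 31000.
Scales, thresholds and the sample risks are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Ordinal scales (assumed five-point scales; the deck names only the top values).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "very high": 5}

# Escalation bands from the slide-25 matrices, lowest to highest authority.
LEVELS = ("Chief", "Manager", "Director", "CEO")

# Appetite profile -> scores (likelihood x impact, 1..25) at which a risk moves
# up one band. Thresholds are constructed; an organisation sets its own as part
# of its risk criteria (ISO 31000 clause 6.3.5).
APPETITE = {
    "large": (8, 15, 20),       # most risk is handled low in the organisation
    "standard": (5, 10, 16),
    "risk_averse": (3, 6, 10),  # even modest risks reach the Director or CEO
}
EXTREME_SCORE = 20  # "plan for all extreme risks": a CEO floor under any appetite


@dataclass
class Treatment:
    option: str            # "avoid", "treat" or "share"
    owner: str             # the deck insists on specific actions with owner and date
    due: str
    likelihood_after: str  # expected position after treatment
    impact_after: str


@dataclass
class Risk:
    statement: str         # "There is a risk that ..."
    likelihood: str
    impact: str
    drivers: list = field(default_factory=list)
    consequences: list = field(default_factory=list)
    treatment: Optional[Treatment] = None


def score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def escalation_level(risk_score: int, appetite: str = "standard") -> str:
    """Map a score onto the Chief/Manager/Director/CEO bands for an appetite."""
    if risk_score >= EXTREME_SCORE:
        return "CEO"
    for level, threshold in zip(LEVELS, APPETITE[appetite]):
        if risk_score < threshold:
            return level
    return LEVELS[-1]


def decide(risk: Risk, tolerance: int, can_act: bool, appetite: str = "standard") -> dict:
    """Slide-29 flow: within tolerance -> assume (escalate for information);
    cannot act -> monitor (escalate for action); otherwise apply the recorded
    avoid/treat/share option and report the level of risk before and after it."""
    before = score(risk.likelihood, risk.impact)
    result = {"score_before": before, "score_after": before,
              "escalate_to": escalation_level(before, appetite),
              "residual_acceptable": before <= tolerance}
    if before <= tolerance:
        result.update(decision="assume", escalate_for="information")
    elif not can_act:
        result.update(decision="monitor", escalate_for="action")
    else:
        t = risk.treatment
        if t is None or t.option not in ("avoid", "treat", "share"):
            raise ValueError("treatment needs avoid/treat/share, an owner and a date")
        after = score(t.likelihood_after, t.impact_after)
        result.update(decision=t.option, owner=t.owner, due=t.due,
                      score_after=after, residual_acceptable=after <= tolerance)
    return result


def treatment_effect(risks, tolerance: int, appetite: str = "standard") -> list:
    """Enterprise-wide table (slide 35): one row per risk, before and after treatment."""
    rows = []
    for r in risks:
        d = decide(r, tolerance, can_act=r.treatment is not None, appetite=appetite)
        rows.append((r.statement, d["score_before"], d["score_after"],
                     d["decision"], d["escalate_to"], d["residual_acceptable"]))
    return rows


# Constructed samples, modelled loosely on "Sample Risk One: Logistics".
LOGISTICS = Risk(
    "logistics failures or winter-road limitations prevent a Northern program "
    "from achieving its objectives",
    "likely", "very high",
    drivers=["warmer winters limiting winter roads", "limited charter aircraft"],
    consequences=["project delays", "increased costs", "injury or death"],
    treatment=Treatment("treat", "Program Director", "2009-03-31", "possible", "major"),
)
FUEL = Risk("fuel storage capacity at a distribution facility is exceeded",
            "unlikely", "moderate")  # no treatment recorded yet

if __name__ == "__main__":
    for row in treatment_effect([LOGISTICS, FUEL], tolerance=8):
        print(row)
```

Running the block prints one row per risk. The logistics risk scores 20 before treatment, so it lands in the CEO band under every appetite profile, and it still scores 12 after treatment, above the assumed tolerance of 8. That is precisely the case the Evaluate and Adjust steps exist to catch: the treatment reduced the risk but did not bring it within tolerance, so it stays on the Director's desk rather than being closed. The fuel-storage risk, at a score of 6, is assumed and reported for information only.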
Questions?

36
