
A structured approach to Enterprise Risk Management …

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000

AIRMIC, Alarm, IRM: 2010

Contents

Executive summary
Introduction
Acknowledgements

Part 1: Risk, risk management and ISO 31000
1 Nature and impact of risk
2 Principles of risk management
3 Review of ISO 31000
4 Achieving the benefits of ERM

Part 2: Enterprise risk management
5 Planning and designing
6 Implementing and benchmarking
7 Measuring and monitoring
8 Learning and reporting

Appendices
A Risk management checklist
B Implementation summary

List of figures
1 Risk architecture, strategy and protocols
2 Framework for managing risk (based on ISO 31000)
3 Risk management process (based on ISO 31000)
4 Risk architecture of a large PLC
5 Drivers of risk management

List of tables
1 Detailed risk description
2 Contents of risk management policy
3 Risk management responsibilities
4 Risk assessment techniques

Executive summary

Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk.




Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organisation or it may simply be embedded in the activities of the organisation. An enterprise-wide approach to risk management enables an organisation to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organisation benefiting from what is often referred to as the 'upside of risk'.

The global financial crisis in 2008 demonstrated the importance of adequate risk management. Since that time, new risk management standards have been published, including the international standard, ISO 31000 'Risk management – Principles and guidelines'. This guide draws together these developments to provide a structured approach to implementing enterprise risk management (ERM).

Intended benefits of risk management

For all types of organisations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward.

Organisations need to understand the overall level of risk embedded within their processes and activities. It is important for organisations to recognise and prioritise significant risks and identify the weakest critical controls.

When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organisation.

… of this guide

A successful enterprise risk management (ERM) initiative can affect the likelihood and consequences of risks materialising, as well as deliver benefits related to better informed strategic decisions, successful delivery of change and increased operational efficiency.

Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organisation, better marketplace presence and, in the case of public service organisations, enhanced political and community support.

This guide provides a brief commentary on ISO 31000 as well as setting out advice on the implementation of an ERM initiative. The purpose of the guide is to:

- describe the principles and processes of risk management
- provide a brief overview of the requirements of ISO 31000
- give practical guidance on designing a suitable framework
- give practical advice on implementing enterprise risk management

This guide is the result of work by a team drawn from the main risk management organisations in the UK: the Association of Insurance and Risk Managers (AIRMIC), the public sector risk management association (Alarm) and the Institute of Risk Management (IRM).

The guide is intended to be applicable to all types of organisation. Throughout the guide, the word Board is used to signify the decision-making body within an organisation. In the public sector, this body may be referred to as the Council, Executive or Authority.

There are many opinions regarding what risk management involves, how it should be implemented and what it can achieve. The International Organisation for Standardisation (ISO) standard 31000 was published in 2009 and seeks to answer these questions. This guide includes a brief commentary on ISO 31000, as well as providing further information on the successful implementation of risk management. Importantly, this guide recognises that risk has both an upside and a downside.

Risk management principles

Risk management is a process that is underpinned by a set of principles. Also, it needs to be supported by a structure that is appropriate to the organisation and its external environment or context.

A successful risk management initiative should be proportionate to the level of risk in the organisation (as related to the size, nature and complexity of the organisation), aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

This approach will enable a risk management initiative to deliver outputs, including compliance with applicable governance requirements, assurance to stakeholders regarding the management of risk and improved decision-making. The impact or benefits associated with these outputs include more efficient operations, effective tactics and efficacious strategy. These benefits need to be measurable and sustainable. Appendix A provides a checklist of actions that should be completed in order to fully satisfy risk management requirements.

COSO ERM framework and ISO 31000

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published an Enterprise Risk Management (ERM) standard in 2004.

The COSO ERM cube is well known to risk management practitioners and it provides a framework for undertaking ERM. It has gained considerable influence because it is linked to the Sarbanes-Oxley requirements for companies listed in the United States. ISO 31000 was published in 2009 as an internationally agreed standard for the implementation of risk management principles.

This guide provides a structured approach to implementing risk management on an enterprise-wide basis that is compatible with both COSO ERM and ISO 31000. However, the guide places more emphasis on ISO 31000 because it is an international standard and many organisations have international operations. At the same time as publishing ISO 31000, ISO also produced Guide 73 'Risk management – Vocabulary – Guidelines for use in standards'.

Acknowledgements

Permission to reproduce extracts from ISO 31000 'Risk management – Code of practice' is granted by the BSI.

British Standards can be obtained in PDF or hard copy formats from the BSI online shop, or by contacting BSI Customer Services for hard copies only: Tel: +44 (0)20 8996 9001.

Figure 1, Figure 4, Table 2, Table 3 and Table 4 are reproduced with kind permission of Kogan Page Limited from Fundamentals of Risk Management (2010), ISBN 978 0 7494 5942 0.

Introduction

Part 1 provides an overview of risk and risk management with particular reference to ISO 31000. The terminology used to describe the steps in the risk management process is not consistent and this part reflects on these difficulties. A summary of the risk management requirements that should be in place in order to ensure good standards of risk governance is presented by way of a checklist in Appendix A.

Part 1: Risk, risk management and ISO 31000

1. Nature and impact of risk

Risks can impact an organisation in the short, medium and long term.

These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organisation, and the strategic planning horizon for an organisation will typically be 3, 5 or more years. Tactics define how an organisation intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product development. Operations are the routine activities of the organisation.

… of risk

There are many definitions of risk and risk management. The definition set out in ISO Guide 73 is that risk is the 'effect of uncertainty on objectives'. In order to assist with the application of this definition, Guide 73 also states that an effect may be positive, negative or a deviation from the expected, and that risk is often described by an event, a change in circumstances or a consequence.

This definition links risks to objectives. Therefore, this definition of risk can most easily be applied when the objectives of the organisation are comprehensive and fully stated.

Even when fully stated, the objectives themselves need to be challenged and the assumptions on which they are based should be tested, as part of the risk management process.

For example, consider the infrastructure of an organisation and the implementation of a new IT system. The choices of hardware and software are strategic decisions. If these choices are incorrect, the consequences will not be obvious for some time. The associated risks are strategic risks and these risks will be taken with the intention of achieving benefits. Correct strategic decisions deliver benefits that result in achievement of the upside of risk.

The project to install the new hardware and software will be a change initiative that represents the tactics by which strategy will be implemented. Risks within the project need to be managed, so that the project is delivered on time, within budget and to specification.

