ISO 31000: The challenges of implementing a new approach
Professor Martin Loosemore FRICS, FCIOB
WHY ARE WE HERE?
High risk (and opportunity) environment - large, high-value, innovative projects with long risk exposure.
Rapid growth (skills shortages and capacity problems).
Working overseas (culture, pressures, everything is new).
Surge in risk-related legislation.
Penalties for non-compliance becoming increasingly severe.
Customer base changing.
Pre-qualification requiring a demonstrable capability in risk management.
Corporate responsibility and citizenship evolving fast.
Protect and enhance our reputation.
Risk and opportunity management is our core business.
COMPETITIVE ADVANTAGE
38% Directors were not confident in their risk management systems.
59% Companies did not review risks on a regular basis.
57% Regularly declined tenders due to a lack of confidence in managing high risks OR added too large contingency and lost the job as a result.
22 COMMON PROBLEMS
1. COMPLIANCE RATHER THAN BEST PRACTICE.
CSA 1997: Initiation; Preliminary analysis; Estimation; Evaluation; Control; Action/monitor; Communicate
BS6079-3 (2000): Context; Identification; Analysis; Evaluation; Treatment; Communicate; Review/update
IRGC 2004: Pre-assessment; Appraisal; Tolerability and acceptability judgement; Risk management; Communicate
COSO (2004): Environment; Objectives; Identification; Assessment; Response; Control; Communicate; Monitoring
AS/NZS4360 (2004): Context; Identification; Analysis; Evaluation; Treatment; Communicate/consult; Monitor/review
ISO 31000 (2008): Mandate/commitment; Context; Identification; Analysis; Evaluation; Treatment; Communicate/consult; Monitor/review
Key : CSA – Canadian Standards Association; IRGC – International Risk Governance Council; COSO – Committee of Sponsoring Organizations; ISO – International Standards Organisation; AS/NZ – Standards Australia and Standards New Zealand; BS – British Standards
2. HUNGER FOR PROFIT WITHOUT A RISK APPETITE.
3. FROM THE BOTTOM RATHER THAN THE TOP.
4. CRISIS MANAGEMENT RATHER THAN RISK MANAGEMENT.
5. RISK TRANSFER RATHER THAN RISK MANAGEMENT.
6. SELFISH RATHER THAN COOPERATIVE.
7. INCESTUOUS RATHER THAN CONSULTATIVE.
8. NEGATIVE RATHER THAN POSITIVE.
| Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost certain | L | M | H | H | E |
| Very likely | L | M | M | H | E |
| Likely | L | L | M | H | E |
| Unlikely | L | L | M | H | H |
| Rare | L | L | M | H | H |
9. PROJECT-BASED RATHER THAN PORTFOLIO-BASED.
10. UNSYSTEMATIC RATHER THAN CONSISTENT.
11. SILO MENTALITY.
12. BUCK-PASSING RATHER THAN TAKE RESPONSIBILITY.
13. COMPLEX RATHER THAN SIMPLE.
14. CENTRALISED RATHER THAN DECENTRALISED.
15. PERIODIC RATHER THAN CONTINUOUS.
16. COMMERCIAL RISKS RATHER THAN OPERATIONAL RISKS.
17. QUANTITATIVE RATHER THAN QUALITATIVE.
18. ANALYSIS RATHER THAN IDENTIFICATION.
19. PERIPHERAL RATHER THAN CORE ACTIVITY.
20. ONE DIMENSIONAL RATHER THAN 3D.
21. PAPER-BASED RATHER THAN MULTIMEDIA.
22. TECHNOLOGY RATHER THAN PEOPLE.
RISK MANAGEMENT MATURITY
RMMT - www.synergymcg.com
[Figure: maturity dimensions: Awareness, Application, Resources, Confidence, Skills, Culture, Image]
[Figure: risk management maturity by phase: Corporate social responsibility, Systems phase, Hardware phase, Ignorance phase, People phase]
STEP ONE
UNDERSTAND WHY YOU WANT A NEW APPROACH
FOR MULTIPLEX?
End of supply chain and being passed a lot of risk.
Very big risky projects – one problem can wipe out margins or company.
Rapid growth was stretching existing systems.
New legislation was requiring it.
Customers becoming more risk averse.
Pre-qualification requiring a demonstrable capability in risk management.
Risk and opportunity was seen as essential to protect and enhance reputation.
STEP TWO
UNDERSTAND YOUR PHILOSOPHY AND MATURITY
FOR MULTIPLEX: A NEW WAY TO MANAGE RISK
Risk seen as an asset
Risk portfolios
Breaking down barriers
Pro-activity
Project life cycle
Cost of risk/opportunity management
Taking responsibility
Meaningful consultation
Simple
RISK MANAGEMENT MATURITY AUDIT
[Figure: audit chart with axes marked 1 to 4 for Awareness, Application, Confidence, Skills, Resources, Culture, Processes, Image]
STEP THREE
DEVELOP THE SYSTEM
Development and implementation process
FOCUS GROUPS WITH KEY STAKEHOLDERS.
DOCUMENT THE SYSTEM.
PILOT THE SYSTEM, COLLECT FEEDBACK AND REFINE IT.
THE END RESULT
2008 Beijing Olympics
Companies using multimedia to manage risks include
STEP FOUR
IMPLEMENT THE SYSTEM
Lessons
Easy to change behaviour but difficult to keep it changed!
Need to educate your employees, clients and business partners about their role in the process.
Lessons
Effective support is crucial.
External specialist consultants.
Intranet Manager (Maintain MFM’s web site.)
Information manager (Collection, storage, maintenance and dissemination of risk-related information.)
Risk Manager
Risk analysts. (Assistance in statistical risk analysis – using MRI, Pinnacle, @Risk, Cougar and RCM Turbo)
Technical advisers. (Advice on contractual, legal, insurance, safety, environmental matters etc.)
Human Resources (Selection, training, appraisal, rewards etc)
Lessons
People find the concept of risk difficult to understand – many need help.
Be patient – it takes more time than you think (5% rule!).
Expect resistance – from strange places.