ISO 31000

AND
INTEGRATED RISK
MANAGEMENT
RIMS Breakfast
Thursday October 16th, 8:30
Earl Grey Room, Minto Suites Hotel
427 Laurier Street
Ottawa
John Lark, Stratos Inc.
 This Presentation
A Global Standard
Integrated Risk Management in Canada
 What is in ISO 31000 ?
 How ISO 31000 can help
 Bringing it to your clients
 Steps to implementing a sustainable and risk based adaptive management regime



2
 Assurance

“a process that provides confidence

that planned objectives will be
achieved within an acceptable
degree of residual risk.”

IIA Professional Practices Framework

After G. Purdy, 2008

3
 Drivers for a Global Standard

 Multinational companies operating in many

countries around the globe
 A need to set priorities and address risks
based on global importance
 Need a “common look and feel”
 Need to demonstrate that effective and
reliable standards have been used.
 Many existing standards are “down in the
weeds” and unsuited to broad application

4
 The Search for a Standard

 AS/NZS 4360 was originally written to guide the

implementation of risk management in Australia
and New Zealand, global leaders in the new
“enterprise risk management” approach.
 Use of AS/NZS 4360 extended globally over a 13
year period.
 It became apparent that the demand of a global
standard was high enough to interest ISO

5
 The Canadian Context

A pivotal point was in 1998, the publication of a

report called “Results for Canadians”. It was the
beginning of a new focus on results, and
eventually things that could impair their
delivery.
In 2000, the first steps towards the development
of a government wide Management
Accountability Framework which would be used
to assess the performance of departments
annually

6
Management Accountability Framework
Performance Indicators
Framework

7
Performance Indicators for IRM

Risk Management
• Key risks identified and
managed
• Risk lens in decision making
• Risk smart culture
• Capacity to communicate
and manage risk in public
context
 In June of 2007
The “Policy for the Management of Projects” was approved by
the Treasury Board Secretariat
5.1 Objective The objective of this policy is to ensure that the appropriate
systems, processes and controls for managing projects are in place, at a
departmental, horizontal or government-wide level, and support the
achievement of project and program outcomes while limiting the risk to
stakeholders and taxpayers.
5.2 Expected results
The expected results of this policy, associated standards and directive are that:
• Projects achieve value for money;
• Sound stewardship of project funds is demonstrated;
• Accountability for project outcomes is transparent; and
• Outcomes are achieved within time and cost constraints.

9
 What the Policy requires

 That each Department or Agency assess its capacity to manage

risks using a specified assessment tool
 That (by April of 2011)the risk of every “project” is assessed
using a standard risk assessment tool and those projects
whose risk level exceed the departmental capacity must come
before Treasury Board Secretariat for assessment

Project– Is an activity or series of activities that has a beginning and an end. A

project is required to produce defined outputs and realize specific outcomes in
support of a public policy objective, within a clear schedule and resource plan. A
project is undertaken within specific time, cost and performance parameters.

10
 Principle On Which ISO 31000 is based

Risk
“the effect of uncertainty on objectives”

ISO 31000 identifies risk as the uncertainty between an

enterprise and its objectives. This approach implies a top-
down approach and risk is neither positive nor negative

Defined in Guide 73

As defined in Guide 73

11
 ISO 31000 Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles for managing risk
5 Framework for managing risk
6 Process for managing risk

12
 Steps to Develop and Sustain a Risk Management Framework

5.2 Mandate and

Commitment

5.3 Designing
the Framework

5.6 Continual 6. Risk

5.4 Implementing
Improvement if Mgmt.
Risk Management
the Framework Process

5.5 Monitoring and

Reviewing the
Framework

13
 Chapter 4 Principles for Managing Risk
To be most effective, an organization’s risk management should adhere to the
following principles.
Risk Management:
a) creates value.
b) is an integral part of organizational processes.
c) is part of decision making.
d) explicitly addresses uncertainty.
e) is systematic, structured and timely.
f) is based on the best available information.
g) is tailored.
h) takes human and cultural factors into account.
i) is transparent and inclusive.
j) is dynamic, iterative and responsive to change.
k) facilitates continual improvement and enhancement of the organization.

14
 Chapter 5 Framework for Managing Risk
5.1 General
5.2 Mandate and commitment
5.3 Design of framework for managing risk
5.3.1 Understanding the organization and its context
5.3.2 Risk management policy
5.3.3 Integration into organizational processes
5.3.4 Accountability
5.3.5 Resources
5.3.6 Establishing internal communication and reporting mechanisms
5.3.7 Establishing external communication and reporting mechanisms
5.4 Implementing risk management
5.4.1 Implementing the framework for managing risk
5.4.2 Implementing the risk management process.
5.5 Monitoring and review of the framework
5.6 Continual improvement of the framework

15
 Chapter 6 Process for Managing Risk
6.1 General
6.2 Communication and consultation
6.3 Establishing the context
6.3.1 General
6.3.2 Establishing the external context
6.3.3 Establishing the internal context
6.3.4 Establishing the context of the risk management process
6.3.5 Developing risk criteria
6.4 Risk assessment
6.4.1 General
6.4.2 Risk identification
6.4.3 Risk analysis
6.4.4 Risk evaluation
6.5 Risk treatment
6.5.1 General
6.5.2 Selection of risk treatment options
6.5.3 Preparing and implementing risk treatment plans
6.6 Monitoring and review
6.7 Recording the risk management process

16
 How Can ISO 31000 Help ?

Risk Practitioners are best placed to make these

assessments based on their experience with clients.
A number of interested Canadian risk practitioners are
working with the Canadian Standards Association
(CSA) to build a bridge between ISO 31000 and the
Canadian condition. A “guide” that will provide more
detail and clarity, and may include examples.
CSA Q850 will be withdrawn

17
 Working With Clients

Adaptive Management

Assess

Design
Adjust

Implement
Evaluate
Monitor

18
Where Integrated Risk Management Fits In

Assess

Design
Adjust
IRM Occurs Here

Evaluate Implement

Monitor

19
 The Assessment Phase

 It is at this stage where the overall goal or

objective of the enterprise is assessed.
 Where:

Activities  Outputs  Outcomes

 Often an evaluation framework or a “results
based management accountability framework”
(RMAF) is a good place to start.
 An RMAF shows how success is measured and
who is accountable

20
 Integrated Risk Management in the Assessment Phase

Integrated Risk Management of negative risks:

 Starts with “what can, and does, go wrong?”
 It looks to similar enterprises and experiences
 Seeks specifics for:
 Causes (risk drivers)
 Remedies (treatment)
 Consequences (if/when the risk expresses)
This can be done for an existing, or proposed, activity

21
 Sample Risk Information Sheet
There is a risk that . . .
Statement of the risk event that, if it materializes, can affect
the achievement of enterprise objectives

Possible
Risk Drivers Current Consequences
• Identifies possible
sources of the risk Risk • Describes possible
• Identifies examples
event, such as Treatment
of current actions,
impacts if the risk
environmental were to fully
processes, controls, express
factors or
etc., that reduce
management
likelihood of risk
framework
occurring, or
weaknesses
severity if it were to
occur
 Activities  Outputs Outcomes
To Meet Legal and Policy Obligations....
Program Components Outputs
•Liaison with federal departments and •Listing of policy and regulatory
agencies (e.g. Interdepartmental Regional requirements
Working Group)
•Ongoing identification and tracking of •Work Plans/procedures to reflect
requirements in each region (tracking requirements
territorial requirements)
•Internal communication of requirements, •Reports on conformance/status of
monitoring and compliance by site (e.g. violations/corrective actions
audits, quarterly reporting)
•Consultations (Local communities and self-
govt requirements, constitutional
requirements, regulatory, …) Outcomes
•Procurement (e.g. FTA, Aboriginal Content
Requirements) •Aware of applicable regulation and
•Transfer resources & responsibilities
policy requirements
•Delivery of DTA obligations
•Applying for permits and licenses •In compliance with all relevant
•Compliance with applicable internal and legislations, regulations, policies and
external regulations and licenses
•Activities to support ISO compliance
procedures
•Ensuring compliance with applicable H&S
•Reports on conformance/status of
regulations 23
violations/corrective actions
Sample Risk One: Logistics
There is a risk that logistics failures or limitations of winter roads, and air, land or
water transportation firms will prevent a Northern program from achieving its
objectives.

Risk Drivers Current Risk Mitigation Possible Consequences

•length including warmer winters limiting
the reliability and capacity of winter •Increased efforts for •Project delays
roads coordination between sites
•Sending goods by ship in the open
water season is unreliable, especially to •Scheduling to account for
•Planning delays
small coastal sites
•Lack of coordination between sites anticipated delays, especially •Increased costs
results in lost opportunities to share or for mobilization
divert transportation resources •Missed milestones
•Limited number of fixed and rotary wing •Communication
aircraft for charter
•High prices for charter because of •Coordination with other users •Injury or death to
competition from other development
(e.g. diamond mines)
of winter roads staff or contractors
•Access to winter roads
•Limited capacity to store fuel at
•Provide opportunity to •Lapsed funds
distribution facilities transportation firms to go on
•Inability to construct linear site visits to determine the •Non-compliance with
infrastructure
•Identification of site pathways for best way to address logistic permits
winter travel across open land has risks constraints
(crossing private land, thin ice)
•Quality of airstrips
•Storms
•Hazards of flying in fixed and rotary
wing aircraft in icy conditions

24
 Large Appetite Plan for All
for Risk Extreme Risks
CEO
Increasing Impact 

Increasing Impact 
Director

Manager

Chief
Increasing Likelihood  Increasing Likelihood 

Standard Risk Averse

Increasing Impact 
Increasing Impact 

Increasing Likelihood  Increasing Likelihood 

 The Profile of One Risk

The Nature Of the Risk

Very High
Impact

Likely
Likelihood
26
Risk Assessment by Strategic Objective

27
 The Next Step is Design

Assess

Design
Adjust
IRM Occurs Here

Evaluate Implement

Monitor

28
 Risk Treatment should be “Designed In”
Risk Event
Toleranc
e Acceptable ? YES Assume
Escalate
NO For information

Can You Act? NO Monitor

Escalate
For action YES

Avoid Treat Share

Specific actions with owner and date

Evaluate the effectiveness of treating risks
The Profile of One Risk
The level of risk before treatment
The level of risk
after treatment
Treatment Very High
t y
c l
a e
p k
i
m
I L
Likelihood

30
 Then Implement

Assess

Design
Adjust
IRM Occurs Here

Evaluate Implement

Monitor

31
 Then Monitor

Assess

Design
Adjust
IRM Occurs Here

Evaluate Implement

Monitor

32
 And, after one cycle, Evaluate

Assess

Design
Adjust
IRM Occurs Here

Evaluate Implement

Monitor

33
 Adjust after Evaluation

In response to the evaluation step

Adjust

To account for risk treatment that has worked,

and to identify treatment that has been
incomplete or ineffective.

34
 Enterprise Wide Evaluation of Treatment
Table showing the effect of risk treatment

35
Questions?

36