Implementing Enterprise Risk Management With ISO 31000

Implementing Enterprise Risk Management with ISO 31000:2009 1. 1. Implementing Enterprise Risk Management with ISO 31000:2009 Lead by Goutama Bachtiar www.about.me/goudotmobi 2013 2. 2. Introduction 2 Dec 2013 Developed by @goudotmobi

3. 3. Training Lead Profile A seasoned advisor, auditor, consultant, trainer, courseware developer and writer with 15 years of experiences in advisory, consulting, audit, training and education as well as project management. As of now, he has delivered and hosted in 200+ sessions with 7,000+ attendees and 5000+ hours of training, lecture, conference, workshop, seminar across Indonesia and outside the country for around 70 institutions and companies. Today he has written and edited 300+ articles and manuscripts concerning ICT and management in more than 20 local and international leading media, companies, journals and conferences. On top of that, he is a speaker, moderator and panelist in various national and international conference, workshop and seminar with over than 65 international certifications on tech and management spaces are under his belt. A guest lecturer at top-tier Indonesian and American universities for their master and undergraduate programs. 3 Dec 2013 Developed by @goudotmobi 4. 4. Training Agenda Day One – Understanding, Valuing and Raising Risk Management, Enterprise Risk Management and ISO 31000:2009 Awareness Time Topics Opening, SelfIntroduction and Exploring Enterprise Risk Management Delivery 09.30 – 10.00 Understanding ISO 31000:2009 Classical 10.00 – 10.15 First Coffee Break N/A 10.15 – 12.00 Navigating ISO 31000:2009 Principles and Guidelines Classical 12.00 – 13.00 Lunch Break N/A 13.00 – 15.00 Understanding ISO 31000 Clauses – 1st Session Classical 15.00 – 15.15 Second Coffee Break N/A 15.15 – 16.00 Understanding ISO 31000 Clauses – 2nd Session Classical 16.00 – 16.30 Understanding Relationship Between ISO 15378 and ISO 31000 Classical 16.30 – 17.00 Question and Answer, Wrap-Up Day One 09.00 – 09.30 4 Dec 2013 Developed by @goudotmobi Classical Individual Participation 5. 5. Training Agenda (cont’d) Day Two – Exploring and Utilizing Risk Assessment Techniques Time Topics Delivery 09.00 – 09.30 Day One Review Valuing ISO31010: Risk Assessment and its Techniques – 1st Session Classical Classical, Group Discussion 10.00 – 10.15 First Coffee Break N/A 10.15 – 12.00 Valuing ISO31010: Risk Assessment and its Techniques – 2nd Session Classical, Group Discussion 12.00 – 13.00 Lunch Break N/A 13.00 – 14.00 Utilizing Risk Assessment Techniques Workshop, Group Discussion 14.00 – 15.00 Analyzing and Evaluating Risk Assessment Result – 1st Session Group Presentation, Group Discussion 15.00 – 15.15 Second Coffee Break N/A 15.15 – 16.00 Analyzing and Evaluating Risk Assessment Result – 2nd Group Presentation, Session Group Discussion 16.00 – 17.00 Question and Answer, Wrap Up Day Two, Quiz 09.30 – 10.00 5 Dec 2013 Developed by @goudotmobi Individual Participation 6. 6. Training Agenda (cont’d) Day Three – Exploring and Utilizing Risk Registration as well as Monitoring and Managing ERM Time Delivery 09.00 – 09.30 Day Two Review Classical 09.30 – 10.00 Understanding Risk Register Entry Classical 10.00 – 10.15 First Coffee Break N/A 10.15 – 12.00 Utilizing Risk Register Entry Workshop, Group Discussion 12.00 – 13.00 Lunch Break N/A 13.00 – 15.00 Discussing and Implementing Risk Register Workshop, Group Presentation 15.00 – 15.15 Second Coffee Break N/A 15.15 – 16.00 Monitoring and Managing ERM Classical 16.00 – 17.00 6 Topics Post-Test, Training Evaluation, Wrap Up Day Three, Closing Individual Participation Dec 2013 Developed by @goudotmobi

7. 7. Rule of The Game Attendance: Participant is required to attend the training in three full day to attain training certificate Weight for the training mark: - Attendance: 10% - Quiz (Day Two): 40% - Final Test (Day Three): 50% 7 Dec 2013 Developed by @goudotmobi 8. 8. Exploring Enterprise Risk Management 8 Dec 2013 Developed by @goudotmobi 9. 9. What Risk is All About Risks have consequences in terms of societal, environmental, technological, safety and security outcomes; They have commercial, financial and economic results They also have social, cultural and political reputation impacts ISO 31000:2009 helps organizations of all types and sizes to manage risk effectively 9 Dec 2013 Developed by @goudotmobi 10. 10. What Is Risk Management? Risk The effect of uncertainty on the ability of an organisation to meet its objectives Risk Management The range of activities that an organisation intentionally undertakes to understand and reduce these effects Effective Risk Management Executing these activities efficiently and in a way that actually and demonstrably improves the ability of the organisation to meet its objectives in a repeatable fashion 10 Dec 2013 Developed by @goudotmobi 11. 11. Risk Management with ISO ISO 31000:2009 – Principles and Guidelines on Implementation (20 November 2009) ISO/IEC 31010:2009 – Risk Assessment Techniques (1 December 2009) ISO Guide 73:2009 – Vocabulary (15 November 2009) HB 327:2010 – Communicating and consulting about risk (23 February 2010) 11 Dec 2013 Developed by @goudotmobi 12. 12. Risk Management with ISO (cont’d) AS/NZS 5050:2010 Business continuity – Managing disruption-related risk (28 June 2010) HB 266:2010 – Guide for managing risk in not-for-profit organizations (12 August 2010) HB 246:2010 Guidelines for managing risk in sport and recreation organizations (18 August 2010) 12 Dec 2013 Developed by @goudotmobi 13. 13. Understanding ISO 31000 13 Dec 2013 Developed by @goudotmobi 14. 14. Understanding ISO 31000  Provides principles, a framework and a process for managing any form of risk in a transparent, systematic and credible manner within any scope or context  It recommends that organizations develop, implement and continuously improve a risk management framework as an integral component of their management system  In concrete, it’s a practical document that seeks to assist organizations in developing their own approach to the management of risk 14 Dec 2013 Developed by @goudotmobi 15. 15. Understanding ISO 31000 (cont’d)  This is NOT a standard that organizations can seek certification to  Organizations can compare their risk management practices with an internationally recognized benchmark  It provides sound principles for effective management  ISO Guide 73:2009 provide a collection of terms and definitions relating to the management of risk  ISO 31000 is designed to help organizations 15 Dec 2013 Developed by @goudotmobi 16. 16. What Is ISO 31000? ISO 31000:2009: An international standard that provides principles and guidelines for effective risk management Not specific to any industry or sector Able to be applied to any kind of risk Able to be applied to any kind of organisation Intended to be tailored to meet the needs of the organisation “The generic approach described in this

17.

18.

19.

20.

21.

22.

23.

standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.” 16 Dec 2013 Developed by @goudotmobi 17. History of ISO 31000  AS/NZS 4360:1999 was developed by Australia and NZ in 1999  Revised and reissued as AS/NZS 4360:2004 in 2004  No agreed de jure or de facto international standard in place at this stage  A small number of competing frameworks which were regarded as unsatisfactory  International Standards Organisation started work on ISO 31000 using AS/NZS 4360:2004 in 2005 as its first draft  ISO 31000 was issued worldwide in 2009 17 Dec 2013 Developed by @goudotmobi 18. What Does ISO 31000 Cover of? ISO 31000:2009 contains: A set of risk management terms and their definitions A set of principles for guiding and informing effective risk management for an enterprise An outline and process for creating a risk management framework An outline and process for creating a risk management process ISO 31000 is: Clear Sensible Brief (34 pages) 18 Dec 2013 Developed by @goudotmobi 19. What Does ISO 31000 Cover of? (cont’d) Scope of this approach is enabling all strategic, management and operational tasks throughout projects, functions, and processes to be aligned to risk management objectives It is intended for stakeholder group like: Executive level Appointment holders in ERM group Risk analysts and management officers Line managers and project managers Compliance and internal auditors Independent practitioners 19 Dec 2013 Developed by @goudotmobi 20. What ISO 31000 Doesn’t Cover? Detailed instructions on how to manage risk A complete risk management framework A complete risk management process Formats or attributes for describing risks Templates Guidance on how to identify risks Advice on how to manage risks for a specific domain 20 Dec 2013 Developed by @goudotmobi 21. ISO 31000 Will Help Us To…  Increase the likelihood of achieving objectives  Encourage proactive management  Identify and treat risk throughout the organization  Improve the identification of opportunities and threats  Comply with relevant legal and regulatory requirements and international norms  Improve financial reporting  Improve governance 21 Dec 2013 Developed by @goudotmobi 22. ISO 31000 Will Help To… (cont’d)  Improve stakeholder confidence and trust  Establish a reliable basis for decision making and planning  Improve controls  Effectively allocate and use resources for risk treatment  Improve operational effectiveness and efficiency  Enhance health and safety performance, as well as environmental protection  Improve loss prevention and incident management  Minimize losses  Improve organizational learning and resilience 22 Dec 2013 Developed by @goudotmobi 23. Why Use ISO 31000? Save ourselves time and effort:  Using the terms, principles and guidelines in ISO 31000 means you don’t have to spend time and effort creating your own.  You can spend time on the things that really add value – managing the actual risks.  Facilitate communication:  Avoid misunderstandings by using concepts and terms that are well known in the risk management community.  Provide higher quality output:  Take advantage of the significant expertise in risk management that the ISO has used in coming

24.

25.

26.

27. 28.

29.

30.

31.

32.

up with the standard.  Ensure you don’t miss out any aspects of risk management by using the standard as a checklist. 23 Dec 2013 Developed by @goudotmobi 24. How Do I Apply ISO 31000? When should I use ISO 31000?  When you are asked to identify or assess risks  When you are asked to manage risks  When you are asked to assess a risk management framework or process How should I use ISO 31000  Use it to frame the scope of the work  Use it to guide the engagement  Use it to create a risk management process 24 Dec 2013 Developed by @goudotmobi 25. ISO 31000 In Short  It gives you a structured, credible foundation for discussions with about risk and risk management  It gives you a starting point for a risk management process if you don’t have one  It gives you a standard vocabulary for talking about risks and risk management  It gives you a baseline for comparisons and assessments of risk management processes 25 Dec 2013 Developed by @goudotmobi 26. ISO 31000 in Diagram Principles guide the creation of the framework Principles The framework defines the process Framework Process The performance of the process feeds back into the framework 26 Dec 2013 Developed by @goudotmobi 27. Navigating ISO 31000 Principles and Guidelines 27 Dec 2013 Developed by @goudotmobi 28. What’s inside ISO 31000:2009 It consists of three major parts 11 principles for managing risk (Clause 3) 5 (five) components to the framework for managing risk (Clause 4) 5 (five) processes for managing risks (Clause 6) 28 Dec 2013 Developed by @goudotmobi 29. ISO 31000 Principles Risk Management Principles Creates and protects value Based on the best information Integral part of organisational processes Tailored Part of decision making Takes human and cultural factors into account Explicitly addresses uncertainty Transparent and inclusive Systematic, structured, and timely Dynamic, iterative and responsive to change Facilitates continual improvement of the organisation 29 Dec 2013 Developed by @goudotmobi 30. Creates and Protects Value Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation. 30 Dec 2013 Developed by @goudotmobi 31. Integral Part of Organizational Processes Risk management is not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and an integral part of all organisational processes, including strategic planning and all project and change management processes. 31 Dec 2013 Developed by @goudotmobi 32. Part of Decision Making Risk management helps decision makers make informed choices, prioritise actions and distinguish among alternative courses of action. 32 Dec 2013 Developed by @goudotmobi

33. 33. Explicitly Addresses Uncertainty Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed. 33 Dec 2013 Developed by @goudotmobi 34. 34. Systematic, Structured and Timely A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results. 34 Dec 2013 Developed by @goudotmobi 35. 35. Based on the Best Information The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts. 35 Dec 2013 Developed by @goudotmobi 36. 36. Tailored Risk management is aligned with the organisation's external and internal context and risk profile. 36 Dec 2013 Developed by @goudotmobi 37. 37. Tailored Risk management is aligned with the organisation's external and internal context and risk profile. 37 Dec 2013 Developed by @goudotmobi 38. 38. Takes Human and Cultural Factors into Account Risk management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organisation's objectives. 38 Dec 2013 Developed by @goudotmobi 39. 39. Transparent and Inclusive Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organisation, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria. 39 Dec 2013 Developed by @goudotmobi 40. 40. Dynamic, Iterative and Responsive to Change Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear. 40 Dec 2013 Developed by @goudotmobi 41. 41. Facilitates Continual Improvement of the Organisation Organisations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organisation. 41 Dec 2013 Developed by @goudotmobi 42. 42. Risk Management Framework Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization The foundations include the policy, objectives, mandate and commitment to manage risk The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities RMF is embedded within the organization's overall strategic and operational policies and practices 42 Dec 2013 Developed by @goudotmobi 43. 43. ISO 31000 Framework Mandate and commitment Design of framework for managing risk Understanding the organisation and its context Establishing risk management policy Accountability Integration into organisational processes Resources Establishing internal communication and reporting mechanisms Establishing external communication and reporting mechanisms Implementing risk management Continual improvement of the

44.

45.

46.

47.

48.

49.

50.

framework Implementing the framework for managing risk Implementing the risk management process Monitoring and review of the framework 43 Dec 2013 Developed by @goudotmobi 44. Mandate and Commitment Introducing risk management and ensuring its ongoing effectiveness require strong and sustained commitment by management, as well as strategic and rigorous planning to achieve commitment at all levels Management should: ⎯ Define and endorse the risk management policy ⎯ Ensure that the organization's culture and risk management policy are aligned ⎯ Determine risk management performance indicators that align with performance indicators of the organization 44 Dec 2013 Developed by @goudotmobi 45. Mandate and Commitment (cont’d) ⎯ Align risk management objectives with the objectives and strategies of the organization ⎯ Ensure legal and regulatory compliance ⎯ Assign accountabilities and responsibilities at appropriate levels within the organization ⎯ Ensure that the necessary resources are allocated to risk management ⎯ Communicate the benefits of risk management to all stakeholders ⎯ Ensure that the framework for managing risk continues to remain appropriate 45 Dec 2013 Developed by @goudotmobi 46. Understanding the Organization and Its Context Evaluating organization's external context may include, but is not limited to: Social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local Key drivers and trends having impact on the objectives of the organization Relationships with, and perceptions and values of, external stakeholders 46 Dec 2013 Developed by @goudotmobi 47. Understanding the Organization and Its Context (cont’d) Evaluating the organization's internal context may include, but is not limited to: ⎯ Governance, organizational structure, roles and accountabilities ⎯ Policies, objectives, and the strategies that are in place to achieve them ⎯ Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies) 47 Dec 2013 Developed by @goudotmobi 48. Understanding the Organization and Its Context (cont’d) ⎯ Information systems, information flows and decision making processes (both formal and informal) ⎯ Relationships with, and perceptions and values of, internal stakeholders ⎯ Organization's culture ⎯ Standards, guidelines and models adopted by the organization ⎯ The form and extent of contractual relationships 48 Dec 2013 Developed by @goudotmobi 49. Establishing Risk Management Policy It should clearly state organization's objectives for, and commitment to, and addresses: ⎯ the organization's rationale for managing risk ⎯ links between the organization's objectives and policies and the risk management policy ⎯ accountabilities and responsibilities for managing risk ⎯ the way in which conflicting interests are dealt with 49 Dec 2013 Developed by @goudotmobi 50. Establishing Risk Management Policy (cont’d) ⎯ commitment to make the necessary resources available to assist those accountable and responsible for managing risk ⎯ the way in which risk management performance will be measured and reported ⎯ commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances 50 Dec 2013 Developed by @goudotmobi

51. 51. Accountability Accountability, authority and appropriate competence for managing risk which is facilitated by:  Identifying risk owners that have the accountability and authority to manage risks  Identifying who is accountable for development, implementation and maintenance of framework for managing risk  Identifying other responsibilities of people at all levels for risk management process  Establishing performance measurement and external and/or internal reporting and escalation processes  Ensuring appropriate levels of recognition 51 Dec 2013 Developed by @goudotmobi 52. 52. Resources The organization should allocate appropriate resources for risk management such as: ⎯ people, skills, experience and competence ⎯ resources needed for each step of the risk management process ⎯ the organization's processes, methods and tools to be used for managing risk ⎯ documented processes and procedures ⎯ information and knowledge management systems ⎯ training program 52 Dec 2013 Developed by @goudotmobi 53. 53. Establishing Internal Communications and Reporting Mechanisms It is to support and encourage accountability and ownership of risk as well as ensure: Key components of risk management framework, and any subsequent modifications, are communicated appropriately There is adequate internal reporting on framework, its effectiveness and outcomes Relevant information derived from the application of risk management is available at appropriate levels and times There are processes for consultation with internal stakeholders 53 Dec 2013 Developed by @goudotmobi 54. 54. Establishing Internal Communications and Reporting Mechanisms (cont’d) It should involve: Engaging appropriate external stakeholders and ensuring an effective exchange of information External reporting to comply with legal, regulatory, and governance requirements Providing feedback and reporting on communication and consultation Using communication to build confidence Communicating with stakeholders in the event of a crisis or contingency 54 Dec 2013 Developed by @goudotmobi 55. 55. Implementing Framework for Managing Risk In implementing framework for managing risk, the organization should: Define appropriate timing and strategy for implementing the framework Apply risk management policy and process to the organizational processes Comply with legal and regulatory requirements 55 Dec 2013 Developed by @goudotmobi 56. 56. Implementing Framework for Managing Risk (cont’d) Ensure that decision making, including the development and setting of objectives, is aligned with risk management processes outcomes Hold information and training sessions Communicate and consult with stakeholders to ensure that its risk management framework remains appropriate 56 Dec 2013 Developed by @goudotmobi 57. 57. Risk Management Process Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk 57 Dec 2013 Developed by @goudotmobi 58. 58. Monitoring and Reviewing Framework In order to ensure that risk management is effective and continues to support organizational performance, the organization should: ⎯ Measure risk management performance against indicators, which are periodically reviewed

59.

60.

61.

62.

63.

64.

65.

66.

67. 68. 69.

for appropriateness ⎯ Periodically measure progress against, and deviation from, the risk management plan 58 Dec 2013 Developed by @goudotmobi 59. Monitoring and Reviewing Framework (cont’d) ⎯ Periodically review whether risk management framework, policy and plan are still appropriate, given the organizations' external and internal context ⎯ Report on risk, progress with risk management plan and how well risk management policy is being followed ⎯ Review risk management framework effectiveness 59 Dec 2013 Developed by @goudotmobi 60. ISO 31000 Process Establishing the context Risk assessment Risk identification Communication and consultation Risk analysis Risk evaluation Risk treatment 60 Dec 2013 Developed by @goudotmobi Monitoring and review 61. Risk Management: Establishing the Context Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy. 61 Dec 2013 Developed by @goudotmobi 62. Risk Management: Establishing the Context (cont’d) External context • Legal, Regulatory, Financial • International, National, Regional or Local • Relationships with, perceptions and values of external stakeholders Internal context • Organizational objectives • Project, process, or activity objectives • Policy, standards, guidelines and models adopted by the organization • Contractual relationships 62 Dec 2013 Developed by @goudotmobi 63. Risk Management: Establishing the Context (cont’d) Process context  Objectives, scope, responsibilities, methods  Defining risk criteria - Measures - Tolerance levels - Views of stakeholders 63 Dec 2013 Developed by @goudotmobi 64. Monitoring and Review Ensuring that controls are effective and efficient in both design and operation Obtaining further assessment information to improve risk Analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures Detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities Identifying emerging risks 64 Dec 2013 Developed by @goudotmobi 65. Recording Risk Management Process Objectives Organization's needs for continuous learning Benefits of re-using information for management purposes Costs and efforts in creating and maintaining records Legal, regulatory and operational needs for records Method of access, ease of retrievability and storage media Retention period Sensitivity of information 65 Dec 2013 Developed by @goudotmobi 66. ISO 31000 Key Success Factors Risk Management (RM) should function within a Risk Management Framework (RMF) The framework provides necessary foundations and organizational arrangements to embed RM throughout all levels within the organization This foundation can assist organizations in managing risk effectively through application of RM process at varying levels and within specific contexts RMF ensure risk information is adequately reported and used as a basis for decision making and accountability at all relevant organizational levels 66 Dec 2013 Developed by @goudotmobi 67. Question and Answer 67 Dec 2013 Developed by @goudotmobi 68. Wrap Up Day One 68 Dec 2013 Developed by @goudotmobi 69. Day One Review 69 Dec 2013 Developed by @goudotmobi

70. 70. Valuing ISO31010: Risk Assessment and its Techniques 70 Dec 2013 Developed by @goudotmobi 71. 71. Rehearsing ISO/IEC 31010: 2009 A supporting standard for AS/NZS ISO 31000:2009 It provides guidance on selection and application of systematic techniques for risk assessment The application of a range of techniques is introduced, with specific references to other international standards Concept and application of techniques are described in greater detail This standard does not provide specific criteria for identifying need for risk analysis It also doesn’t specify type of risk analysis method required for a particular application 71 Dec 2013 Developed by @goudotmobi 72. 72. Rehearsing ISO Guide 73:2009 It provides the definitions of generic terms related to risk management Aimed to encourage a mutual and consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk Aimed to encourage the use of uniform risk management terminology in processes and frameworks dealing with the management of risk 72 Dec 2013 Developed by @goudotmobi 73. 73. Risk Assessment ISO/IEC 31010:2009, Risk assessment techniques, jointly developed by ISO and IEC (International Electrotechnical Commission) A structured process for organizations to identify how objectives may be affected Analyze risk in terms of consequences and their probabilities, before further action taken up Provides better understanding on risks affecting achievement of objectives, as well as adequacy and effectiveness of controls already in place 73 Dec 2013 Developed by @goudotmobi 74. 74. Risk Assessment (cont’d) In short, Risk Assessment is overall process of risk identification, risk analysis and risk evaluation Risk Identification • Process of finding, recognizing and describing risks involving identification of risk sources, events, causes and potential consequences. • It involves historical data, theoretical analysis, informed and expert opinions, and stakeholder's needs. 74 Dec 2013 Developed by @goudotmobi 75. 75. Risk Source and Event Risk Source: element which alone or in combination has the intrinsic potential to give rise to risk (tangible or intangible) Event Occurrence or change of a particular set of circumstances: • It could be one or more occurrences, and can have several causes • It could consist of something not happening • Sometimes be referred to as “incident” or “accident” 75 Dec 2013 Developed by @goudotmobi 76. 76. Consequences Outcome of an event affecting objectives An event can lead to a range of consequences A consequence can be certain or uncertain and can have positive or negative effects on objectives Consequences can be expressed qualitatively or quantitatively Initial consequences can escalate through knock-on effects 76 Dec 2013 Developed by @goudotmobi 77. 77. Risk Analysis Process to comprehend the nature of risk and to determine the level of risk It involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur Provides the basis for risk evaluation and decisions about risk treatment It includes risk estimation as well 77 Dec 2013 Developed by @goudotmobi 78. 78. Risk Analysis (cont’d) 78 Dec 2013 Developed by @goudotmobi

79. 79. Risk Criteria and Level of Risk Risk criteria Terms of reference against which the significance of a risk is evaluated: • Based on organizational objectives, and external and internal context • It can be derived from standards, laws, policies and other requirements Level of risk Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood 79 Dec 2013 Developed by @goudotmobi 80. 80. Risk Evaluation Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. Risk evaluation assists in the decision about risk treatment. 80 Dec 2013 Developed by @goudotmobi 81. 81. Risk Treatment Process to modify risk that can involve: ⎯ avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk ⎯ taking or increasing risk in order to pursue an opportunity ⎯ removing the risk source ⎯ changing the likelihood ⎯ changing the consequences 81 Dec 2013 Developed by @goudotmobi 82. 82. Risk Treatment (cont’d) ⎯ sharing the risk with another party or parties (including contracts and risk financing) ⎯ retaining the risk by informed decision Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction” It can create new risks or modify existing risks 82 Dec 2013 Developed by @goudotmobi 83. 83. Residual Risk Risk remaining after risk treatment It can contain unidentified risk It can also be known as “retained risk” 83 Dec 2013 Developed by @goudotmobi 84. 84. Risk Assessment Three Bands 84 Dec 2013 Developed by @goudotmobi 85. 85. Utilizing Risk Assessment Techniques 85 Dec 2013 Developed by @goudotmobi 86. 86. Risk Assessment Techniques Risk identification Risk analysis – consequence analysis Risk analysis – qualitative, semi-quantitative or quantitative probability estimation Risk analysis – assessing the effectiveness of any existing controls Risk analysis – estimation the level of risk Risk evaluation 86 Dec 2013 Developed by @goudotmobi 87. 87. Factors Influenced The Selection Complexity of the problem and the methods needed to analyze it The nature and degree of uncertainty of the risk assessment based on the amount of Information available and what is required to satisfy objectives The extent of resources required in terms of time and level of expertise, data needs or cost Whether the method can provide a quantitative output 87 Dec 2013 Developed by @goudotmobi 88. 88. Tools used For Risk Assessment Referred to Table A.1 at ISO 31010 on Applicability of tools used for risk assessment Referred to Table A.2 at ISO 31010 on Attributes of risk assessment tools Details at Annex B (Informative) at ISO 31010 88 Dec 2013 Developed by @goudotmobi 89. 89. Analyzing and Evaluating Risk Assessment Result 89 Dec 2013 Developed by @goudotmobi 90. 90. Risk Identification Process of finding, recognizing and describing risks Comprehensive list of risks based on events that might create, enhance, prevent, degrade, accelerate or delay achievement of objectives Identify risks associated with not pursuing an opportunity A risk that is not identified at this stage will not be included in further analysis Identification should include risks whether or not their source is under the control of the organization 90 Dec 2013 Developed by @goudotmobi

91. 91. Risk Evaluation The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk 91 Dec 2013 Developed by @goudotmobi 92. 92. Risk Evaluation (cont’d) Decisions should be made in accordance with legal, regulatory and other requirements In some circumstances, the risk evaluation can lead to a decision to undertake further analysis The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls 92 Dec 2013 Developed by @goudotmobi 93. 93. Risk Evaluation (cont’d) Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk Decisions should be made in accordance with legal, regulatory and other requirements The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation 93 Dec 2013 Developed by @goudotmobi 94. 94. Risk Evaluation (cont’d) Decisions should be made in accordance with legal, regulatory and other requirements In some circumstances, the risk evaluation can lead to a decision to undertake further analysis The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls 94 Dec 2013 Developed by @goudotmobi 95. 95. Managing Risk A list in order of preference on how to deal with risk Avoiding by not to start or continue the activity that rise to the risk Accepting or increasing risk in order to pursue an opportunity Removing risk source Changing likelihood and consequences Sharing risk with another party/parties such as contracts and risk financing Retaining risk by informed decision 95 Dec 2013 Developed by @goudotmobi 96. 96. Risk Treatment Risk treatment involves selecting one or more options for modifying risks, and implementing those options Risk treatment options are not necessarily mutually exclusive The options can include the following: - TRANSFER Sharing the risk with another party or parties (including contracts and risk financing) 96 Dec 2013 Developed by @goudotmobi 97. 97. Risk Treatment (cont’d) - AVOID Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk Removing the risk source - MITIGATE Changing the likelihood Changing the consequences (impact) - ACCEPT Retaining the risk by informed decision Taking or increasing the risk in order to pursue an opportunity 97 Dec 2013 Developed by @goudotmobi 98. 98. Risk Treatment (cont’d) Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment A number of treatment options can be considered and applied either individually or in combination 98 Dec 2013 Developed by @goudotmobi

99. 99. Risk Treatment (cont’d) Risk treatment itself can introduce risks A significant risk can be the failure or ineffectiveness of the risk treatment measures Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective 99 Dec 2013 Developed by @goudotmobi 100. 100. Analyzing and Evaluating Risk Assessment Result 100 Dec 2013 Developed by @goudotmobi 101. 101. Question and Answer 101 Dec 2013 Developed by @goudotmobi 102. 102. Wrap Up Day Two 102 Dec 2013 Developed by @goudotmobi 103. 103. Quiz Time 103 Dec 2013 Developed by @goudotmobi 104. 104. Day Two Review 104 Dec 2013 Developed by @goudotmobi 105. 105. Understanding Risk Register Entry 105 Dec 2013 Developed by @goudotmobi 106. 106. What Is Risk Register? Record of information about identified risks 106 Dec 2013 Developed by @goudotmobi 107. 107. Risk Register Should Contain A unique code for each risk A description of each risk and its potential consequences (operational and strategic) Actions and controls that currently exist to mitigate risks Factors that may impact upon the likelihood and consequence of the residual risk Risk grade (priority) Whether the risk grade is acceptable Early warning factors and upward reporting thresholds 107 Dec 2013 Developed by @goudotmobi 108. 108. Risk Treatment Action Shall Include  Planned actions to reduce the likelihood a negative risk will occur and/or reduce the seriousness should it occur (What should you do now?)  Contingency actions - planned actions to reduce the immediate seriousness of a negative risk when it does occur. (What should you do when?)  Recovery actions - planned actions taken once a negative risk has occurred to allow you to move on. (What should you do after?)  Risk Transfer (e.g. Through responsibilities or insurance. assignment of contractual  Actions necessary to ensure the realisation of opportunities (positive risks) 108 Dec 2013 Developed by @goudotmobi 109. 109. Sample of Risk Registers 109 Dec 2013 Developed by @goudotmobi 110. 110. Utilizing Risk Register Entry 110 Dec 2013 Developed by @goudotmobi 111. 111. Discussing and Implementing Risk Register 111 Dec 2013 Developed by @goudotmobi 112. 112. Monitoring and Managing Risk Management 112 Dec 2013 Developed by @goudotmobi 113. 113. Monitoring and Reviewing Risk Monitoring  Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected  Can be applied to a risk management framework, risk management process, risk or control Reviewing  Activity undertaken to determine suitability, adequacy and effectiveness of subject matter to achieve established objectives  Can be applied to a risk management framework, risk management process, risk or control 113 Dec 2013 Developed by @goudotmobi 114. 114. Monitoring and Reviewing Risk (cont’d) An integral part of the risk management process involving regular checking or surveillance Ensure controls are

effective & efficient Detect change in external or internal context Analysis, lessons learned, continuous improvement Identify emerging risks 114 Dec 2013 Developed by @goudotmobi 115. 115. Post Test 115 Dec 2013 Developed by @goudotmobi 116. 116. 116 Dec 2013 Developed by @goudotmobi 117. 117. Question and Answer 117 Dec 2013 Developed by @goudotmobi