ISO Standards and Risk Management

Leading Risk Management Practices
Global Understanding and Alignment:
A Panel Discussion
SRM 011 - Monday, 28 April 2014
Recording of this session via any media type is strictly prohibited.
Page 1
Who We Are
MODERATOR
Dorothy Gjerdrum, Senior Managing Director of Gallagher Public Sector, and Chair
of the U.S. Technical Advisory Group for ISO 31000 Risk Management Standards
PANELISTS
Vincent Tophoff, Senior Technical Manager, International Federation of Accountants
Sandra Richtermeyer, Associate Dean, Professor and Chair of the Department of
Accountancy and Business Law, Xavier University and COSO Board Member
Jan Mattingly, Convenor of Risk Management Implementation Standard ISO
31004:2013 and ERM practitioner
Gert Cruywagen, Director of Risk, Tsogo Sun Group
Julia Graham, Chief Risk Officer DLA Piper UK LLP and President of FERMA
Carol Fox, Director of Strategic and Enterprise Risk Practice, RIMS
What to Expect
• Identify industry standards and guidelines.
• Understand how frameworks apply to your organization.
• Develop ideas for incorporating standard practices not already employed in your risk management program.
Are There Common Leading Risk Management Practices?
THE LANDSCAPE
Greater Adoption of Enterprise Risk Practices
Q: To what extent has your organization adopted an enterprise risk management (ERM) program?
Source: 2013 RIMS Enterprise Risk Management (ERM) Survey. All rights reserved.
Who Is Primarily Responsible for ERM?
Source: 2013 RIMS Enterprise Risk Management (ERM) Survey. All rights reserved.
Standards or Frameworks Used
Q: Our program is most closely aligned with …
• ISO 31000 – up 5% from 2011
• COSO – up 2% from 2011
Source: 2013 RIMS Enterprise Risk Management (ERM) Survey. All rights reserved.
A Cluttered Landscape?
Bad vs. Good RM/IC Practices
There has been an overwhelming load of bad practice:
• RM/IC as objective in itself vs. RM/IC to help achieve objectives
• Auditor / staff driven vs. Driven from top down
• Rules-based vs. Performance and principles-based
• Off-the-shelf systems vs. Tailored to the organization
• Focused on loss minimization vs. Also focused on creation of value
• Mainly hard controls vs. Social / human aspects
• Imposed vs. Organically implemented
• Stand-alone / “bolt-on” vs. Integrated / “built-in”
• Static, out-of-date vs. Dynamic, evolving
• Seen as overhead vs. Seen as a sound investment
• Abandoned vs. Integrated in system of management
Identify Industry Standards and Frameworks
DESCRIBE YOUR ORGANIZATION AND ITS RISK MANAGEMENT ACTIVITIES
International Federation of Accountants
The International Federation of Accountants (IFAC):
• The global organization of the accountancy profession
• 164 member bodies and associates in 125 countries
• 2.5 million professional accountants in public practice, commerce, industry, financial services, the public sector, education, and the not-for-profit sector
• Public interest focused
What IFAC does:
• Establishes and promotes adherence to high quality professional standards
• Furthers adoption and implementation of standards
• Supports the global development of the accountancy profession
• Provides a global voice and promotes the value of professional accountants worldwide
• Helps its members support professional accountants in business and small and medium practices
Risk Management Activities:
• “Evaluating & Improving Governance in Organizations”
• “Evaluating & Improving Internal Control in Organizations”
• “Integrating Governance for Sustainable Success”
• Survey on International Alignment of Risk Management and Internal Control
• IFAC’s Knowledge Gateway: http://www.ifac.org/globalknowledge-gateway/risk-management-internal-control/bolt-built-integrating-riskmanagement
About COSO
Formed in 1985 to sponsor a group to make recommendations on Fraudulent Financial Reporting.
A joint initiative of five private sector organizations:
• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)
Risk is Addressed in these Publications:
• “Internal Control – Integrated Framework” (2013 Edition)
• “Internal Control over External Financial Reporting: A Compendium of Approaches and Examples” (2013)
• “Enterprise Risk Management – Integrated Framework” (2004)
International Organization for Standardization (ISO)
• World’s largest developer of voluntary International Standards
• Founded in 1947
• More than 19,500 International Standards covering almost all aspects of technology and business
• Members from 162 countries
• Central Secretariat located in Geneva, Switzerland
ISO and Risk Management
Technical Committee established in 2012 by ISO’s Technical Management Board.
Liaisons established with some other ISO committees to help harmonize risk management expectations, etc.
• Publication of ISO 31000 in 2009 – Risk Management Principles and Guidelines
o Globally popular
o Early feedback that it has helped
• Update of Guide 73 – Risk Management Terminology in 2009
• Publication of ISO 31004 in 2013 – Guidance for Implementation of ISO 31000
ISO 31000
ISO 31000 can be used by any type of entity…
• The International Organization for Standardization (ISO) developed the standard ISO 31000:2009 Risk Management
• ISO’s Rationale:
o All of an organization’s activities involve risk
o Organizations need to manage this risk
o ISO 31000 describes how to do this in a systematic & logical way
o ISO 31000 offers a series of principles, a framework & a process to manage risk effectively
… and can be applied to any type of risk
The King III Corporate Governance Code
• What is King III?
• Standard or Code or Guideline?
• What is the difference between the Management of Risk and the Governance of Risk?
• What is the difference between King III and (other) Risk Management Standards?
• What is the relevance of something like King III?
The King III Corporate Governance Code
• What is in King III?
o Chapter 1 – Ethical leadership and corporate citizenship
o Chapter 2 – Boards and Directors
o Chapter 3 – Audit Committees
o Chapter 4 – The governance of risk
o Chapter 5 – The governance of Information Technology
o Chapter 6 – Compliance with laws, codes, rules and standards
o Chapter 7 – Internal audit
o Chapter 8 – Governing stakeholder relationships
o Chapter 9 – Integrated reporting and disclosure
4.1 The Board should be responsible for the governance of risk
• Formal process
• Board should be able to demonstrate comprehensiveness
• Responsibility in board charter
• Risk policy and plan
o Documented
o Widely distributed
o Risk structure
o Framework (any one, or combination, of many different ones available)
o Regular review
4.2 The Board should determine the levels of risk tolerance
• Board should set limits annually
• Review limits during times of uncertainty / adverse changes
• Internal and external factors
• Where risk appetite is different from risk tolerance – should be disclosed
• Board should monitor significant risk taken by management
• Board should ensure that it understands risk implications, also on shareholders and other stakeholders
4.3 The risk committee (or audit committee) should assist the board in carrying out its risk responsibilities
• Board should appoint a risk committee to review:
o Risk management progress and maturity of company
o Effectiveness of risk management activities
o Key risks
o Responses to address risks
• Board may assign this to the audit committee:
o However, must carefully consider audit committee’s resources to adequately deal with risk governance in addition to its audit responsibilities
• Terms of reference and consideration of policy and plan
• Meet 2x per year, be provided with sufficient information
• Should be annually assessed by the Board for effectiveness
Risk Management!
4.4 The Board should delegate to management the responsibility to design, implement and monitor the risk management plan
4.5 The board should ensure that risk assessments are performed on a continual basis
4.6 The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
4.7 The board should ensure that management considers and implements appropriate risk responses
4.8 The board should ensure continual risk monitoring by management
4.9 The board should receive assurance regarding the effectiveness of the risk management process
• Management is accountable to the board regarding assurance
• Any risk response failings or weaknesses should be disclosed
• Should report on maturity
• Independent provider of assurance – internal audit
• IA does not assume the functions, systems and processes of risk management, but provides independent assurance to the board on the integrity and robustness of the risk management process.
• IA should provide an annual written assessment on effectiveness
• External audit may consult with risk committee, CRO and IA for an understanding of the company’s risk management activities.
4.10 The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders
• Major departure from before.
• Board should disclose, in annual integrated report, any undue, unexpected or unusual risks it has taken in the pursuit of reward.
• Should disclose any material losses and their causes.
• NOT compromise sensitive information.
• Should disclose any current, imminent or envisaged risks that threaten long-term sustainability.
• Board should disclose its views on effectiveness of risk management processes.
No Risk Manager is an island
(John Donne, 1619)
Purpose
Co-ordinate, promote and support the development and use of risk management, insurance and risk financing in Europe.
Be a significant stakeholder in the decision making process at the European level on risk management, insurance and risk financing.
We go where others cannot easily go.
Focus for 2014 and 2015:
• Profession
• Innovation
• Diversity
Leading risk management and insurance across Europe
Presence
22 member associations in 20 countries
4336 individual members who are responsible for risk management and / or insurance in their organisations
FERMA Member Associations
The FERMA Board
• Julia Graham – President
• Alessandro de Felice – Vice President
• Michel Dennery – Vice President
• Peter Den Dekker – Director
• Anders Esbjörnsson – Director
• Jorge Luzzi – Director
• Cristina Martinez – Director
• Jo Willaert – Vice President
• Helle Friberg – Director
• Isabel Martínez – Director
• Carl Leeman – Director
• Edwin V. Meyer – Director
Accreditation and Certification
(Diagram not reproduced. Elements shown: FERMA; “Application to become a FERMA accredited organization”; “Application to become FERMA certified”; FERMA accreditation decision; FERMA certification decision; Educational bodies (member associations, professional organizations, universities and schools); Risk managers; Educational relationship.)
RIMS Mission
To advance risk management for your organization’s success
Collaborating with other associations and SDOs on standards development
As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society™, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals located in over 60 countries. For more information on RIMS, visit www.RIMS.org.
RIMS Risk Maturity Model™
www.rims.org/resources/ERM/Pages/RiskMaturityModel.aspx
Attributes
• Seven core areas of ERM that drive effectiveness
• Compatible with various specialized frameworks
Risk competency measurement
• 25 factors and 68 indicators
• Objective evaluation criteria
• Key issues that differentiate maturity levels
Maturity levels
• Five maturity levels
• Detailed descriptions unique for each attribute
• Measure to help reach goals for improvement
Benchmarking with more than 2,000 organizations
• Standing in peer group
• Highlights ERM trends and priorities
Complements multiple standards and frameworks
RIMS Risk Management Resources
• Surveys and publications
• Risk Maturity Model
• Research and case studies
• Webcasts, course casts and workshops
• Tools and templates
• Web-based resources and communities
First Poll
Is your organization required (e.g., as a part of a governance code, listing rules, sector regulation or law) to have a formal risk management and/or internal control system?
1. Yes, for both risk management and internal control
2. Yes – for risk management only
3. Yes – for internal control system only
4. No
Second Poll
Which of these does your organization use to guide risk management activities?
1. Association guidance (FERMA, IFRMA, CROGB, RIMS)
2. COSO
3. Financial standards such as Basel or Solvency II
4. ISO 31000
5. KING III – or other corporate governance code
6. Hybrid – using more than one source
Understand How Frameworks Apply
WHERE IS YOUR ORGANIZATION HEADED?
WHAT IS COMING NEXT?
What is coming next?
• Thought leadership paper: From Bolt-on to Built-in—Managing Risk as Part of an Organization’s System of Management
• Aims to address the perceived complexity of risk management and bring it back to where it primarily belongs: not as a separate unit but as a strategic, managerial, and operational tool for all those involved (boards, managers, other employees) to set and achieve the organization’s objectives.
• A preview can be found in the IFAC Knowledge Gateway
ISO Standards and Risk Management
The ISO community is very gradually moving towards harmonization of risk management expectations and terminology, but progress is slow and still fragmented:
o ISO 31010
o Guide 73
o ISO 22301
o Etc.
Within the ISO context, Technical Committee 262 is seen as a natural home for risk management, but it is only one ISO home. ISO is at the early stage of harmonization on risk management activity.
ISO Standards and Risk Management
• ISO 31004 – Technical Report on implementing ISO 31000 recently published
• Limited revision of ISO 31000 – ongoing work
o Meeting in Turkey in September
o Meeting in March of 2015
o Expected publication – ?
Diversity
Risk Management is Evolving into Risk Leadership
Position
• Risk management will continue to assume a higher priority
• Strong board involvement required to facilitate strategic and enterprise risk
• More energy devoted to risk appetite, tracking, measuring and analysing
Challenges
• Risk ownership and communication at all levels
• Links between risk management, strategic planning and management
• Communication between the board and risk management
• Risk-based incentives
• Risk management talent pool with the right talent
• Risk forecasting
Opportunities
• Evidence that businesses which manage risk well are more resilient and profitable
• Risk management will be viewed as a profession
• Predicted that there will be fewer but more senior professionals
• Risk management will mature and move towards first line management
• Professional certification
o Knowledge
o Experience
o Ethics
o Continuing professional development
Profession is Hard to Define – Similarities to Non-executive Directors
FERMA Survey 2014
The FERMA Risk Management Benchmarking Survey 2014 will:
• Benchmark the risk management practices in Europe
• Provide a tangible basis for reporting to senior management
• Track trends over time
• Set up a tool to serve as basis of current relevant knowledge
• Be the referenced survey developed by risk managers for risk managers in Europe
Part 1
• Reinforce the understanding of the position of the risk and insurance management role
• Support the development of the risk and insurance management profession
Part 2
• Identify FERMA priorities to support member associations and risk and insurance professionals
Part 3
• Compare and position the organization’s insurance program against peer groups to support and improve decision making
Languages: English, French, Italian, Spanish, German, Polish and Turkish.
FERMA 40th Anniversary Seminar, Brussels, 20 and 21 October 2014: presentation of results and discussion; publication of the first European Risk and Insurance Report.
RIMS Strategic Risk Management Framework
Strategic risk management (“SRM”) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution.
Also complements multiple standards and frameworks
Research
Using RIMS Risk Maturity Model
(Chart not reproduced.)
Attributes: ERM-based approach; ERM process management; Risk appetite management; Root cause discipline; Uncovering risks; Performance management; Resiliency and sustainability.
Maturity levels: Non Existent; Ad hoc; Initial; Repeatable; Managed; Leadership.
Ideas for Incorporating Practices
KEY ISSUES AND CHALLENGES
Challenges
• Understanding who our primary audience is and is not
• Communicating the value of the risk management standard
• Streamlining standards development processes
• Applying good practices in engaging and monitoring stakeholders throughout development
• Promoting regional cooperation
• Varying capacities of standards bodies
• Risk management as leverage for innovation
Understanding Expectations
Q: What are the top two areas of improvement to help senior management and board more fully understand the risk landscape of your organization?
Source: Marsh/RIMS Excellence in Risk Management 10
Ideas for Incorporating Practices
NEXT STEPS
Third Poll
How important is it to seek better alignment of risk management terms and concepts – among the panelists’ organizations, for example?
1. Very important – “This would make a big difference”
2. Somewhat important – “Nice but not necessary”
3. Not important – “Let’s go out for coffee”
4. No opinion
Emerging Trends
Respondents to the IFAC Global Survey on Risk Management & Internal Control recommended the following:
• Emphasize the benefits of (more integrated) risk management and internal control
• Bring various risk management and internal control standard setting organizations (e.g., COSO, ISO 31000, the Risk Oversight & Governance Board, etc.) and their guidelines closer together
• Collaborate with experts on developing practical application guidance for (integration of) risk management & internal control
Framework Design: Clarifying Who Does What
(Based on the Institute of Internal Auditors Position Paper, www.theiia.org)
(Sample Organization; diagram not reproduced)
Legend:
• Core internal audit roles in regard to ERM
• Legitimate internal audit roles with safeguards
• Roles internal audit should not undertake
Roles shown: Proposed Planning role; Proposed ERM Leadership Roles; Audit/evaluation Role; Proposed Business Unit Role; Risk Oversight Role; Legal.
The adaptation and use of this graphic as a tool for ERM design and implementation is copyrighted to RiskResults Consulting Inc. 2010 ©
Discover Where Practices Do Align
Looking Ahead – Exploring Shared Perspectives
1. Coherent expectations: Would it be helpful to organizations to have a coherent understanding of what is expected as part of ‘good risk management practice’?
2. Better practice in risk management: can we share and consolidate our knowledge to help organizations?
3. Roles/Responsibilities: can we help organizations with a common approach to establishing who does what?
Contact Information
Vincent Tophoff
International Federation of Accountants
vincenttophoff@ifac.org | www.ifac.org
Julia Graham
FERMA
julia.graham@dlapiper.com | www.ferma.eu
Sandra Richtermeyer
COSO
srichtermeyer@coso.org | www.coso.org
Carol Fox
RIMS, the Risk Management Society™
cfox@rims.org | www.rims.org
Jan Mattingly
President, RiskResults | ISO 31004 Convenor
jmattingly@riskresults.com | www.iso.org
Dorothy Gjerdrum
U.S. Technical Advisory Group for 31000
Dorothy_Gjerdrum@ajg.com | www.ansi.org
Gert Cruywagen
King Code of Governance Principles
Gert.Cruywagen@tsogosun.com | http://www.library.up.ac.za/law/docs/king111report.pdf
Not Done Yet …
Downloading the RIMS '14 mobile app is easy!
For iPhone (plus iPad & iPod Touch) and Android phones: visit your App Store or Google Play on your device and search for “RIMS 2014.”
For all other phone types (including BlackBerry and all other web browser-enabled phones): while on your smartphone, point your mobile browser to http://m.core-apps.com/rims2014. From there you will be directed to download the proper version of the app for your particular device, or, on some phones, bookmark this page for future reference.
The app is available on iPhone (including iPad and iPod Touch), BlackBerry and Android mobile devices.
Please complete the session survey on the RIMS14 mobile application.