ISO 31000: The challenges of implementing a new approach

Professor Martin Loosemore FRICS, FCIOB

WHY ARE WE HERE?

High risk (and opportunity) environment - large, high-value, innovative projects with long risk exposure. Rapid growth (skills shortages and capacity problems). Working overseas (culture, pressures, everything is new) Surge in risk-related legislation. Penalties for non-compliance becoming increasingly severe. Customer base changing. Pre-qualification requiring a demonstrable capability in risk management. Corporate responsibility and citizenship evolving fast. Protect and enhance our reputation Risk and opportunity management is our core business

COMPETITIVE ADVANTAGE
38% Directors were not confident in their risk management systems. 59% Companies did not review risks on a regular basis. 57% Regularly declined tenders due to a lack of confidence in managing high risks OR added too large contingency and lost the job as a result.

22 COMMON PROBLEMS
1. COMPLIANCE
CSA 1997 1. 2. Initiation Preliminary analysis 3. 4. 5. 6. 7. Estimation Evaluation Control Action/monitor Communicate BS6079-3 (2000) 1. 2. 3. 4. 5. 6. 7. Context Identification Analysis Evaluation Treatment Communicate 4. IRGC 2004 1. 2. 3. Pre-assessment Appraisal Tolerability and acceptability judgement

RATHER THAN BEST PRACTICE.

COSO (2004) 1. 2. 3. 4. 5. Environment Objectives Identification Assessment Response Control Communicate Monitoring 7. AS/NZS4360 (2004) 1. 2. 3. 4. 5. 6. Context Identification Analysis Evaluation Treatment Communicate/ consult 2. 3. 4. 5. 6. ISO 31000 (2008) 1. Mandate/ commitment Context Identification Analysis Evaluation Treatment Communicate/ consult Monitor/review

Risk management 6. Communicate 7. 8.

Review/update 5.

Monitor/review 7. 8. 9.

Key: CSA Canadian Standards Association; IRGC International Risk Governance Council; COSO Committee of Sponsoring Organizations; ISO International Standards Organisation; AS/NZ Standards Australia and Standards New Zealand; BS British Standards

22 COMMON PROBLEMS

2. HUNGER FOR PROFIT

WITHOUT A RISK APPETITE.

3. FROM THE BOTTOM

RATHER THAN THE TOP.

4. CRISIS MANAGEMENT

RATHER THAN RISK MANAGEMENT.

22 COMMON PROBLEMS

5. RISK TRANSFER

RATHER THAN RISK MANAGEMENT.

6. SELFISH

RATHER THAN COOPERATIVE.

7. INCESTUOUS

RATHER THAN CONSULTATIVE.

8. NEGATIVE

RATHER THAN POSITIVE.

22 COMMON PROBLEMS
Consequence Likelihood

Insignificant

Minor

Moderate

Major

Catastrophic

Almost certain

Very likely

Likely

Unlikely

Rare

E = Extreme, H = High, M = Medium, L = Low

22 COMMON PROBLEMS
9. PROJECT-BASED RATHER THAN PORTFOLIO-BASED. 10. UNSYSTEMATIC RATHER THAN CONSISTENT.

11. SILO MENTALITY.

12. BUCK-PASSING

RATHER THAN TAKE RESPONSIBILITY.

22 COMMON PROBLEMS
13. COMPLEX RATHER THAN SIMPLE.

14. CENTRALISED

RATHER THAN DECENTRALISED.

15. PERIODIC

RATHER THAN CONTINUOUS.

16. COMMERCIAL RISKS RISKS.

RATHER THAN OPERATIONAL

22 COMMON PROBLEMS
17. QUANTITATIVE RATHER THAN QUALITATIVE. 18. ANALYSIS RATHER THAN IDENTIFICATION.

19. PERIPHERAL

RATHER THAN CORE ACTIVITY.

20. ONE DIMENSIONAL

RATHER THAN 3 D.

22 COMMON PROBLEMS

21. PAPER-BASED

RATHER THAN MULTIMEDIA.

22. TECHNOLOGY

RATHER THAN PEOPLE.

RISK MANAGEMENT MATURITY

RMMT - www.synergymcg.com Awareness Application Skills

Resources

Culture

Confidence Processes

Image

RISK MANAGEMENT MATURITY

Risk management maturity

Corporate social responsibility Systems phase Hardware phase Ignorance phase Time

People phase

STEP ONE

UNDERSTAND WHY YOU WANT A NEW APPROACH

FOR MULTIPLEX?
End of supply chain and being passed a lot of risk. Very big risky projects one problem can wipe out margins or company. Rapid growth was stretching existing systems. New legislation was requiring it Customers becoming more risk averse. Pre-qualification requiring a demonstrable capability in risk management. Risk and opportunity was seen as essential to protect and enhance reputation.

STEP TWO

UNDERSTAND YOUR PHILOSOPHY AND MATURITY

FOR MULTIPLEX: A NEW WAY TO MANAGE RISK

Risk seen as an asset Risk portfolios Breaking down barriers Pro-activity

Project life cycle
Cost of risk/opportunity management Benefits of risk/opportunity management

A NEW WAY TO MANAGE RISK

Taking responsibility Meaningful consultation Simple

RISK MANAGEMENT MATURITY AUDIT

Awareness
4

Application 4
3 2 1

3 2 1 1 1 1 2 3 4 1 2 3 2 3 3 2

Skills

Resources

1 1 2

Culture

Confidence

Image

Processes

STEP THREE

DEVELOP THE SYSTEM

Development and implementation process

FOCUS GROUPS WITH KEY STAKEHOLDERS. DOCUMENT THE SYSTEM PILOT THE SYSTEM, COLLECT FEEDBACK AND REFINE IT.

THE END RESULT

2008 Beijing Olympics

www.risk-opportunity.com

Companies using multimedia to manage risks include

STEP FOUR

IMPLEMENT THE SYSTEM

Lessons
Easy to change behaviour but difficult to keep it changed! Need to educate your employees, clients and business partners about their role in the process

Lessons
Effective support is crucial
External specialist consultants. Risk Manager

Intranet Manager (Maintain MFMs web site.)

Information manager (Collection, storage, maintenance and dissemination of risk-related information.)

Risk analysts. (Assistance in statistical risk analysis using MRI, Pinnacle, @Risk, Cougar and RCM Turbo)

Technical advisers. (Advice on contractual, legal, insurance, safety, environmental matters etc.)

Human Resources (Selection, training, appraisal, rewards etc)

Lessons
People find the concept of risk difficult to understand many need help Be patient its takes more time than you think (5% rule!) Expect resistance from strange places

Lessons
Senior management leadership and commitment is crucial

Expect knock-on effects Manage the risks of risk management!