ISO 31000 was published as a standard in 2009 and provides guidance on how risk management should be implemented. It gives overall guidelines for the design, implementation, execution and continual improvement of risk management processes throughout an organization.
ISO 31000:2009 was developed for a wide-ranging stakeholder group, including executive-level stakeholders, appointment holders in the enterprise risk management group, risk analysts and management officers, line managers and project managers, compliance and internal auditors, and independent practitioners. It provides a best-practice structure and direction for any business concerned with risk management.
For risk management to be effective, an organization should comply at all levels with the eleven (11) principles of risk management:
- Risk management creates and protects value.
- Risk management is an integral part of all organizational processes.
- Risk management is part of decision making.
- Risk management explicitly addresses uncertainty.
- Risk management is systematic, structured and timely.
- Risk management is based on the best available information.
- Risk management is tailored.
- Risk management takes human and cultural factors into account.
- Risk management is transparent and inclusive.
- Risk management is dynamic, iterative and responsive to change.
- Risk management facilitates continual improvement of the organization.
Benefits of Implementing ISO 31000
By building your Enterprise Risk Management System around ISO 31000:2009, your organisation will be able to reap numerous benefits such as:
- Increase the likelihood of achieving objectives;
- Encourage proactive management;
- Be aware of the need to identify and treat risk throughout the organization;
- Improve the identification of opportunities and threats;
- Comply with relevant legal and regulatory requirements and international norms;
- Improve governance;
- Improve stakeholder confidence and trust;
- Establish a reliable basis for decision making and planning;
- Improve controls;
- Effectively allocate and use resources for risk treatment;
- Improve operational effectiveness and efficiency;
- Enhance health and safety performance, as well as environmental protection;
- Improve loss prevention and incident management;
- Minimize losses;
- Improve organizational learning; and
- Improve organizational resilience.
Our Approach and Methodology
Step 1: Risk Management Process Gap Assessment – We will audit your enterprise risk management system against the requirements of the standard. This gap assessment identifies which risk management practices are already in place and which are not. We will also assess the maturity of each practice on a CMMI-style (Capability Maturity Model Integration) scale of 0 to 5:
- 0 = Non-existence
- 1 = Initial
- 2 = Managed
- 3 = Defined
- 4 = Quantitatively Managed
- 5 = Optimised
At the end of the gap assessment, a Gap Assessment Report will be produced. This report presents an overview of the current status in relation to best practice and allows corrective and preventive measures to be planned for each identified gap. Over time, the reporting template tracks the planned measures and the variance analysis carried out, documenting the continual improvement of CIGL.
Step 2: We will take a structured approach to assessing the risks specific to your organisation. This includes the collection, identification, categorization, prioritization and mapping of risks so that they align with business objectives and strategy. The result is a strategic organizational risk map.
Step 3: Through risk analysis we will build a clearer understanding of the impact each risk has on the organisation and its business objectives. We work to understand your risk appetite and to develop tolerance thresholds.
We will analyse the projected impact of risks and of their mitigation strategies, assist you in determining optimal capital allocation, and consider the upside of risk to your business.
Step 4: Through a structured approach, we will analyse and evaluate the possible actions that can be taken with respect to each risk: accepting it, avoiding (rejecting) it, transferring it, mitigating it, or exploiting it. These options typically require an implementation plan.
We will also identify a risk owner for each risk, support the implementation of risk mitigation strategies, and recommend tailored solutions appropriate to your business objectives.
Step 5: A report will be generated for the risk assessment carried out across the various business units and risk management functions, so that the right people receive the right information at the right time to make informed business decisions. Our comprehensive approach addresses the needs of board members, senior managers, risk managers, and other internal and external stakeholders.
We will work with you to enhance existing processes or create new ones. As a follow-up to these activities, we provide an implementation road-map to assist with organizational change. Instilling a risk-based culture is crucial to realizing the ongoing benefits of Enterprise Risk Management.