ISO31000 - further details

Question 1

Name the ISO31000 principles

Answer 1

8 Principles
Integrated
Structured and comprehensive
Customised
Inclusive
Dynamic
Best available info
Human and cultural factors
Continual improvement

PACED combines eight principals in ISO31000 to provide five ATTRIBUTES of RM - Proportionate, Aligned, Comprehensive, Embedded and Dynamic.

Question 2

Name the five ATTRIBUTES (Parts) of RM for ISO31000 (Acronym)

Answer 2

PACED - Proportionate, Aligned, Comprehensive, Embedded and Dynamic.

Question 3

Name 4 OBJECTIVES of RM (Acronym)

Answer 3

MADE2 - mandatory, assurance, decision making, effective and efficient processes

Question 4

How many ISO31000 Principles are they. Can you name them

Answer 4

ISO31000: 8 principles
1. Framework and processes should be customized and PROPORTIONATE.
2. APPROPRIATE and TIMELY involvement of stakeholders is necessary.
3. Structured and COMPREHENSIVE approach is required.
4. Risk management is an INTEGRAL part of all organisational activities.
5. Risk management anticipates, detects, acknowledges and responds to changes.

6. Risk management explicitly considers any limitations of available information.
7. Human and cultural factors influence all aspects of risk management.
8. Risk management is continually improved through learning and experience.

Question 5

Summarise the ISO31000 Principals

Answer 5

PACED

Question 6

What does the P mean in PACED

Answer 6

Proportionate - STRUCTURED approach TAILORED to suit org and activity
One size does not fit all
Consistency in process and language used in org to build common understanding of RM

Question 7

What does A mean in PACED

Answer 7

Aligned - INTEGRATED with other org activities which allows BAU to continue with ERM as a touchpoint throughout org and an ESCALATION mechanism to allow effective management of REPORTING

Question 8

What does C mean in PACED

Answer 8

Comprehensive - Process encourages CONSISTENCY in RM PROCESS, and includes risk and controls in org and outside of it.
Gives effective OVERSIGHT OF RISK PROFILE and improves understanding of the existing, new and emerging risks INTERNALLY AND EXTERNALLY

Question 9

What does the E mean in PACED

Answer 9

Embedded - Embedded in Org - encourages CHANGE in risk attitude, behaviour and culture to progress RM MATURITY and awareness of its value to org.

Question 10

What does the D mean in PACED

Answer 10

Dynamic - Process doesn’t stop once risk is collated to register. This is only risk register writing.
Needs to continue to invest time in RM to keep process alive for Org so it can continue to support decision making and add value.

Question 11

How does 31000 help build a RM Framework

Answer 11

Continuous improvement model PIML

Question 12

What’s the difference between plan–do–check–act (PDCA) and Plan, Implement, Measure and Learn (PIML)

Answer 12

PDCA emanates from QUALITY RM
PIML puts emphasis on measuring and learning and distinguishes RM from quality management.

Question 13

What’s the planning element of PIML contain

Answer 13

identifying and assess benefits (to new RM process or upgrading of current)
Scoping initiative (develop common taxonomy or improvements needed)
Establishing strategy, FW and R&R’s in a Risk Manual

Question 14

What’s the implementing element of PIML contain

Answer 14

Produce RM guidelines and classification systems
Risk Protocols - FIRM, PESTLE and SWOT
Risk Assessment workshops - registers etc
Agreeing RA and Tolerance levels

Question 15

What’s the Measuring element of PIML contain

Answer 15

Evaluate effectiveness of controls (so goes beyond the ‘check’ phase of PDCA as measures existing controls)
Align RM with other activities (and existing process)
Embed risk aware culture

Question 16

What’s the learning element of PIML contain

Answer 16

Learning from ‘measurement’ activity
Monitor risk perf (KPI’s) - to measure ERM contribution
Internal audit team to review learning from any self assessment or audit reports.
Report in line with obligations - boards etc

Question 17

What is ISO31000 definition of risk

Answer 17

effect of uncertainty on objectives

Question 18

What is ISO31000 definition of rM

Answer 18

coordinated activities to direct and control an org about risk

Question 19

What is ISO31000 definition of Stakeholder Management

Answer 19

person or org that can affect, be affected by, or perceive themselves to be affected by a decision or activity

Question 20

What is ISO31000 definition of risk source

Answer 20

an element which alone or in combination has the potential to give rise to a risk

Question 21

What is ISO31000 definition of event

Answer 21

occurrence of change of a particular set of circumstances

Question 22

What is ISO31000 definition of consequences

Answer 22

outcome of an event affecting objectives

Question 23

What is ISO31000 definition of likelihood

Answer 23

chance of something happening

Question 24

What is ISO31000 definition of control

Answer 24

a measure that maintains and or modifies risk

Question 25

Explain the INTEGRATED Principle

Answer 25

RM is an integral part of all org activities - integrate into all parts and activities of org -should not be separate from main activities and processes of org as its part of DECISION MAKING in each dept. -RM should be embedded into Org processes and is part of the MANAGEMENTS RESPONSIBLITIES.

Question 26

Explain the STRUCTURED AND COMPREHENSIVE principle

Answer 26

Contributes to consistent and comparable results - Having comprehensive and structured approach leads to the most consistent, desirable RM OUTCOMES - SYSTEMATIC approach contributes to efficiency and consistent results and everyone understand the approach - Structured guidelines and procedures lead to maintain productivity and efficacy

Question 27

Explain the CUSTOMISED principle

Answer 27

RM FW and Process are customised and proportionate to the org EXTERNAL AND INTERNAL context relating to its OBJECTIVES - Must be customised to org objectives and internal and external context - Not one size fits all and must be tailored to EXTERNAL AND INTERNAL context to reach OBJECTIVES - If EXTERNAL AND INTERNAL context established, we can capture OBJECTIVES and customised our RM to the organisation at a whole.

Question 28

Explain the INCLUSIVE Principle

Answer 28

Appropriate and timely involvement of SH enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed RM - MUST INVOLVE ALL STAKEHOLDERS TO BE INCLUSIVE - when appropriate and at right time allowing different knowledge, views and perceptions to be considered and implement in RM efforts IS TRANSPARENT - easy to understand and doesn't include confusing JARGON allowing SHs to be included in FW.

Question 29

Explain the HUMAN AND CULTURAL FACTORS Principle

Answer 29

Human behaviour and culture SIGNIFICANTLY INFLUENCE all aspects of RM at each level and stage. - RM must recognise the org capabilities as well as the goals of the people to achieve or inhibit the business - RM is a human activity that takes place within one or more cultures (org culture). So Risk Managers must be aware of the human and cultural factors that RM effort takes place in and know the influence that human and cultural factors will place on the RM effort.

Question 29

Explain the Dynamic Principle

Answer 29

Risks can emerge, change or disappear and internal and external context changes RM anticipates, DETECTS, ACKNOWLEDGES AND RESPONDS to those changes and events in an appropriate and timely manner.

Question 30

Explain the BEST AVAILABLE INFO Principle

Answer 30

INPUTS to RM are based on HISTORICAL AND CURRENT info, as well as on FUTURE expectations. RM takes into account any limitations and uncertainties associated with such info and expectations. ( you will never have all the info you need, but action must be taken when an org has the best available data) Info should be TIMELY, CLEAR AND AVAILABLE to relevant SHs

Question 31

Explain the CONTINUAL IMPROVEMENT Principle

Answer 31

RM is continually improved through LEARNING AND EXPERIENCE- improves org resiliency - PDCA - plan, do check, act - keeps org continually improving while factors change over time - Adapts to results in RM allowing org to grow Through learning and experience Risk Managers must strive to continually improve an org RM efforts.

Question 32

Question 34

What is the central purpose of RM

Answer 34

Creation and protection of value