STRIMA National Conference, September 13, 2010
Launching ISO 31000 – The New Risk Management Standard
Agenda
• Framing the issue: the need for a broader view of “risk”
• Why do we need a standard on risk management? The evolution of ISO 31000
• Overview of ISO 31000 and 31010
• Implementation advice and resources
[Diagram: categories of risk, arranged on an External Risks / Internal Risks axis]
Financial Risks: Unemployment; Credit markets stability; Currency & foreign exchange rate fluctuations; Unexpected loss of revenue; Bank failures; Stock market performance; Health care costs; Tax caps; Budget cuts; Energy costs; Financial reporting; Capital availability; Unfunded mandates; Interest rates; Retirement funding; Counterparty risk; Bond rating; Revenue & grant $$ management; Investment limitations
Hazard & 3rd Party Risks (typical purview of RM): Terrorism; Public safety; Building subsidence or collapse; Contractual liability; Natural events & catastrophes; Workers’ comp; Piracy & counterfeiting; Student activities; Lawsuits; Asbestos; Pollution; Mold exposure; Building security; Director & Officer liability; Geopolitical risks; Disease & epidemics; Animal or insect infestation; War
Strategic Risks: Geopolitical risks; Mergers & Acquisitions of key partners or vendors; Meeting public expectations; Reputation; Public support; Ethics violations; Long-term planning vs. budget limitations; Stakeholders’ interests; Strategy & initiatives; Union relations; Code of Conduct; Governance; Public-private partnerships; Negative media coverage
Operational Risks: Aging infrastructure; HR & personnel risks; Accounting or internal controls failures; Procurement; Facilities maintenance; Health & safety violations; Code violations; Labor practices; Mandated public services; Gov’t sanctions; Theft, embezzlement; IT system failure; Quality control; Workplace violence; Business interruption; Utilities failure; Compliance; Fraud; Loss of key suppliers
The Baltimore Sun, July 16, 2008: An underground fire shut down power to 30 residential and commercial buildings in Baltimore and took nearly 10 hours to control. Baltimore’s utility lines are part of the city’s aging infrastructure – carrying electricity, cable, telephone, street light and fiber-optic service through 3.7 million feet of conduits. The cost to update the more than 100-year-old system is $900 million.
The Emerging Risk Environment – Factors Influencing Public Entities (Cities, Counties, Schools, States)
Sources of Risk:
Economic • Investment failures • Unfunded mandates • Budgets subject to limited, decreasing revenue streams • Funding retiree health care and pensions
Environmental • Climate change • Natural catastrophes • Pollution regulations (e.g. GASB 29) • Global pollution • Aging infrastructure
Geopolitical • International terrorism • Funding disparities – state to state (e.g. stimulus $$) • Supply chain issues • How will a global standard for RM apply to the US?
Technological • Breakdown of critical info infrastructure • Public data protection • Pressure to keep up
Societal • Pandemics & infectious diseases • Increase in need for social services • Public health demands • Push to improve education • Increased crime & violence
Risk Management is Evolving (diagram: Transactional → Integrated → Strategic)
Traditional Risk Management (Transactional)
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency mgmt handled separately
• “Silo” approach – risk mgmt is not integrated across the organization
• Risk Manager is the insurance buyer
Risk is bad – focus is on transferring risk
Advanced Risk Management (Integrated)
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as depts are willing
• Risk Manager may be the risk owner
Risk is an expense – focus is on reducing cost-of-risk
Enterprise-wide Risk Management (Strategic)
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader
Risk is uncertainty – focus is on optimizing risk to achieve goals
The Development of RM in the US
• Finance: PRMIA, GRC
• Audit: IIA, COSO
• Safety: ASSE, NASP, ASA
• Risk Mgmt: RIMS, PRIMA, STRIMA, URMIA, ASHRM
Global Corporate Governance Models
INTERNATIONAL (All countries) – Basel I & II; ISO 31000
All EU Countries • Directives on Governance
France • Viénot Com. • Marini Report • Levy-Long Com.
UK • Cadbury • Turnbull • Greenbury Rpt • BS 31100 RM
Germany • Bill on The Control and Transparency of organizations • KonTraG Bill
Netherlands • Code Tabaksblat
Italy • Draghi Commission
US • Business Round Table • NYSE listing Requirements • Blue Ribbon Commission • Sarbanes Oxley Act • COSO ERM Framework
Canada • Toronto Stock Exchange Committee • Canadian Securities Committee • Allen committee Report • COCO • CAN/CSA-Q850 (draft)
Japan • Corporate Governance Forum of Japan • J-SOX
Australia/New Zealand • HB 317 on Risk Communication • Stock Exchange Listing • New Accounting Standards • Best Practice Stmt Mgmt
South Africa • Code of Best Practice • King Report I, III • Stakeholder Communication • Public Finance Mgmt Act
Developed by Dorothy Gjerdrum, AJG & Mary Peter of Eide Bailly LLP
A Good Intro to ERM
Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be:
• A driver of strategic decisions
• The cause of uncertainty in an organization
• Embedded in the activities of the organization
An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services.
Excerpt from the Executive Summary of “A Structured Approach to ERM and the Requirements of ISO 31000”, published by airmic, alarm and the irm – all based in the U.K.
Evolution of the US TAG
• ANSI sought support early in the process – no qualified organization stepped up until 2008
• ASSE Council on Practices & Standards agreed to serve as secretary to the US TAG
• ASSE turned to its membership to recruit Technical Advisory Group (TAG) members
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. Established in 1947, ISO is a network of the national standards institutes of 159 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
ISO 31000:2009
• Australia, New Zealand & Japan initiated its creation
• 18+ countries participated
• 6 meetings over several years
• Adopted in November of 2009; now officially the first International Standard on Risk Management
• Guide 73 & ISO 31010 quickly followed
• Now also the American Standard on RM
ASSE Formed the US TAG
Chair: Dorothy Gjerdrum, Arthur J. Gallagher
Vice Chair: Wayne Salen, RIMS
Membership by interest category:
• Consumer/Directly Affected Public (6)
• General Interest (5)
• Government Body/Organization (2)
• Producer/Manufacturer (3)
• User (4)
US ISO TAG Participants
• AH & T Insurance • AIHA • AJ Gallagher • ASSE • Bayer Materials • Brazosport College • Eide Bailly, LLP • ESIS • McCulley Eastham • PMMI • Pilz Automation • Project Mgmt Trust • PRIMA • RIMS • Safety Mgmt Consultants • TC 176 TAG • Washington Group • Woods Hole • Wyeth
What’s Next for the US TAG?
• Proposal from the UK to develop an international implementation guide – if that proposal is accepted by ISO, we’ll participate
• US subcommittee working on a US Implementation Guide
• ISO 31000 will be open for revision beginning in 2012
• The US ISO TAG is still open to new members – contact Tim Fisher at ASSE
ISO 31000 – Quick Overview
• The basis of ISO 31000
• Overview of the process
• Understanding Principles, Framework and Process
• Select definitions
• Key concepts
It’s a Broad Approach to Risk
1. All organizations exist to achieve their objectives
2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve its objectives
3. The effect this uncertainty has on an organization’s objectives is “risk”
Scope of ISO 31000
This international standard provides principles and generic guidelines on risk management… it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.
ISO 31000 – Highlights
• Streamlined and easy to understand
• Proactive approach vs compliance
• Emphasizes top-down implementation
• Links risks to strategy & the achievement of objectives
• Addresses both upside and downside of risk
• Provides a consistent approach that can be tailored to any type of operation in any location and integrated with other standards and guidelines
Overview of the Process from ISO 31000
• The principles provide the foundation and describe the qualities of effective risk management in an organization
• The framework manages the overall process and its full integration into the organization
• The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment
• Monitoring & review, continual improvement and communication occur throughout
RM Process (diagram: Principles, Framework and Process)
Principles: • Creates value • Part of org. processes • Part of decision making • Explicitly addresses uncertainty • Systematic, structured & timely • Based on best available info • Tailored • Considers human & cultural factors • Transparent & inclusive • Dynamic, iterative & responsive to change • Continual improvement
Framework: Mandate & commitment → Design framework for managing risk → Implement risk management → Monitor and review the framework → Continually improve the framework
Process: Establish the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment, with Communicate and consult and Monitor and review running alongside every step
Why ISO Outlines Principles
The principles that govern the process:
• Establish the values and philosophy of the process
• Support a comprehensive and coordinated view of risk that applies to the entire organization
• Link the framework and practice of risk management to the strategic goals of the entity
• Align risk management to corporate activities
Risk Management Principles
Risk Management:
• Creates value
• Is an integral part of all organizational processes
• Is part of decision-making
• Explicitly addresses uncertainty
• Is systematic, structured and timely
• Is based on the best available information
• Is tailored
• Takes human and cultural factors into account
• Is transparent and inclusive
• Is dynamic, iterative and responsive to change
• Facilitates continual improvement & enhancement of the organization
Why ISO Specifies the Framework
• Maps out how the management of risk will be integrated across the organization
• Assures that the corporate-wide process is supported, iterative and effective
• Details how risk management will be an active component in governance, strategy and planning, management, reporting processes, policies, values and culture
• Provides for reporting & accountability
The Framework Includes:
• The organization & its context
• Risk Management Policy
• Accountability
• Integration into organizational processes
• Resources
• Communication & reporting – internal
• Communication & reporting – external
The Risk Management Process (diagram: Establish the context → Risk assessment (Risk identification → Risk analysis → Risk evaluation) → Risk treatment, with Communicate and consult and Monitor and review alongside)
• Applies to a portfolio of risks and to individual risks
• Begins with the context – always tailored to the organizational environment
• Emphasizes continual:
  – Communication & consultation
  – Monitoring & review
Implementation Examples
• Community college district wants to review the risk & opportunity of expanding its journalism department (grant money) and sending students into high-conflict, emerging news areas of the world
• Individual interviews re risk uncover unsafe money transfer procedures
• The “Aha!” moments of realizing crossover risks or cumulative risks
Select Definitions
Risk = the effect of uncertainty on objectives. An effect is a deviation from the expected – positive or negative. Risks may be described as a combination of likelihood and consequences.
Risk management = the coordinated activities to direct and control an organization with regard to risk
Risk owner = the person with the accountability and authority to manage the risk
Risk Mgmt & Other Initiatives
• RM supports strategic initiatives, mission and goals and links to them
• RM can support management processes (e.g. balanced scorecard, performance management measures)
• RM will help build the success of key initiatives by identifying barriers and risks and ways to mitigate them
Key Concepts of ISO 31000
• Risk Management is about exploiting opportunities as well as preventing problems (upside & downside risks)
• It is tied to business objectives and strategies – and supports them
• It works within the organization’s culture and will become integral to decision making
• It will ensure that Risk Management applies to all levels of the organization and to all activities
ISO 31010 – Risk Assessment Techniques (diagram: the risk assessment steps – Risk identification, Risk analysis, Risk evaluation – within the ISO 31000 process)
• Risk assessment concepts
• Process
• Techniques
Implementation Advice
• Educate yourself, develop your “elevator speech”, build your network of peers
• Create an inventory of risk management practices across all operations; can you build support for integration?
• Seek opportunities for a broader approach to risk
• Develop tools & resources – and develop your leadership skills
• Be patient – it’s a journey, not a destination
Risk Management Standards
• COSO ERM Framework (2004)
• British Standards Institution (BSI): Risk Management – Code of Practice – BS 31100:2008 (under revision)
• ISO 31000 – Risk Mgmt Principles and Guidelines
• ISO 31010 – Risk Assessment Techniques
• HB 327:2010 Communicating and Consulting About Risk – from Australia/New Zealand
• Canadian Standards Association CAN/CSA-Q850 Implementation of ISO 31000 – publication pending
• US Implementation Guide – publication pending
RM Standards – My Recommendations
• Buy the standard – ISO 31000 – Risk Mgmt Principles and Guidelines: www.asse.org or www.ansi.org
• Download the alarm/airmic/irm handbook (free)
• Buy either the Canadian Standards Association CAN/CSA-Q850 Implementation of ISO 31000 (expected publication in fall of 2010) or the US Implementation Guide (publication in 2011)
ERM Training – My Recommendations
• Canadian Standards Association – Implementing ISO 31000
• Insurance Institute of America (IIA) training on ERM – ARM 57
• www.theiia.org – online risk management training that includes ERM and ISO 31000 references
Thank You!
Dorothy Gjerdrum, ARM-P
Executive Director, PESD
Arthur J. Gallagher Risk Mgmt Services
Dorothy_Gjerdrum@ajg.com
651.642.2999