An overview of our endeavors at implementing ISO 31000 enterprise risk management and the importance of establishing good risk culture within the company.
2. “The reason why we want to manage risk is to increase the likelihood of
our Company achieving its project objectives. By managing threats and
adverse situations and remaining aware at all times of potential
opportunities, our success becomes more likely. Risk management
should not discourage growth by trying to totally eliminate risks – all risks
are not ‘evil’. But the reverse should take place, and positive risks should
be embraced. Managing risk is no longer a box ticking exercise that
drains company resources, it is a fundamental competitive advantage if
we successfully implement a sound process.”
Jeff Barnes
Risk Manager, MIESCOR
3. Risk Management Framework
The implementation of a risk management framework and process which
complies with ISO 31000 has been an ongoing activity within MIESCOR
since August 2015.
5. Essential Attributes of an Effective ERM Framework
• ERM-based approach
• Process management
• Risk appetite management
• Root cause discipline
• Uncovering risks
• Performance management
• Business resiliency and sustainability
Source: RIMS Risk Maturity Model
ISO 31000 Will Help Us To:
• Provide governance over the integration of other standards which discuss ‘risk’ and ‘sustainability’
• Increase the likelihood of achieving objectives
• Encourage proactive management
• Identify and treat risk throughout the organization
• Improve the identification of opportunities and threats
• Comply with relevant legal and regulatory requirements and international good business practices
• Improve financial reporting
• Improve governance
7. Implementing Enterprise Risk Management Processes
Other sources of reference are the publications by the Institute of Risk Management entitled “A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000” and “A Risk Practitioner's Guide to ISO 31000:2018”.
8. ISO 31004:2013 Guidance
3.3.3.2 Framework design requirements
“The organization should develop, document and communicate how it will be managing risk. The scale and content of the organization’s internal standards, guidelines and models related to risk management should reflect organizational culture and context.”
9.
Our challenge is to infuse risk management into our company culture, our everyday business operations and those of our subcontractors, vendors and business partners.
10. It is worth mentioning that a major hurdle in implementing ISO 31000 is the fact that it is not the only standard in the ISO toolkit that mentions “risk”, and the space around risk management is becoming rather crowded. There are standards for quality, performance and risk, supply chain management and risk, information technology and risk, safety and risk: in fact the constellation of standards that overlap ISO 31000's core charter is remarkable.
To confuse matters further, there are numerous audit and certification companies which also ‘steal the ear’ of companies' executive officers, which adds further complications to a smooth enterprise-wide deployment of ISO 31000.
11. ISO 31000:2018 Risk Management Guidelines provides the umbrella of oversight for other ISO standards which make reference to managing risk:
• ISO/IEC 27005:2018 Information technology -- Security techniques -- Information security risk management
• ISO 9001:2015 Quality Management Systems - Requirements
• ISO 14001:2015 Environmental management systems - Requirements with guidance for use
• ISO 45001:2018 Occupational health and safety management systems
ISO 31004:2013 is intended to be a guide for implementing an ISO 31000 enterprise risk framework in a company and provides case studies on how to resolve implementation conflicts between other ISO standards which discuss risk and risk treatment.
12. ISO 31000:2009 Section 2.4 [Risk management policy]
A policy statement defines a general commitment, direction, or intention. A risk management policy statement expresses an organization’s commitment to risk management and clarifies its general direction or intention.
13. Risk Appetite and Tolerance Statement
ISO 31000:2009 Section 2.5 [Risk attitude]
An organization’s risk attitude defines its general approach to risk. An organization’s risk attitude (and its risk criteria) influence how risks are assessed and addressed. An organization’s attitude towards risk influences whether or not risks are taken, tolerated, retained, shared, reduced, or avoided, and whether or not risk treatments are implemented or postponed.
14. Relationship between risk appetite, tolerance and performance
The diagram on this slide illustrates the range of performance depending on whether risks (or opportunities) materialize. It distinguishes between those risks that, if push comes to shove, the Company might be able to put up with (“risk tolerance”) and those risks that the Company wishes to engage with (“risk appetite”).
16. Risk Tolerance Matrices (risk threats)
Using a project with a contract value of P500M as an example, a 3% cost overrun would be P15M. A 5% cost overrun would be P25M, which is the maximum management reserve we use as an assumption in our risk register template (covered later).
19. What Key Categories Of Risk Affect Us?
Strategic and Contextual risks - are addressed by executive management decisions.
Operational risks - are addressed by the project team, who have the delegated authority to make necessary decisions and have clear accountability for results.
23. New Way of Thinking:
Becoming comfortable with uncertainty as a source of opportunity to improve business results.
Becoming comfortable with organization based on risk-driven competencies.
Becoming comfortable with decisions based on certain estimates.
Becoming comfortable with plans that accept and manage the risks that are rightfully ours.
Becoming comfortable with an adaptive, flexible management style.
Uncertainty and risk have to be expected and accepted.
It's not sufficient to just look at Operational risk; Strategic / Financial risks are also important.
25. The Extended Project Risk Model will also allow MIESCOR to provide Meralco data pertaining to the four (4) main sustainability performance areas which MPIC is interested in for its Environmental, Social and Governance (ESG) reporting:
Operational Efficiency (Clean operations, Resource efficiency, Profitability of projects)
Service Excellence (Customer experience, Service continuity)
Engaged Workforce and Safe Workplaces (DOLE compliance, Occupational Health and Safety compliance, Employee relations, Competency and skills development)
Social Responsibility (Community engagement, Green initiatives, Education and Continuing Professional Development support, Disaster relief and response)
27. The overlap of the corporate, project and environmental domains creates an “ocean” containing operational, strategic and contextual risk. And in that ‘ocean’ is what we will call the Bermuda Project Risk Triangle.
28. To navigate the triangle requires new knowledge to take a three-legged journey: Explore, Adapt and Deliver.
And new knowledge requires accurate data gathering and reporting.
30. Re-Shaping Governance System
Shift In Mindset
• Moving from risk aversion to risk navigation
• Looking for the opportunities created by uncertainty in decisions, by exploring and capitalizing on strategic and contextual risks
• Training PMs in risk understanding
• Training and empowering PMs in their ability to make good decisions
• From viewing projects as just deliverables to seeing them as a means to enhance project business value
• From viewing uncertainties as “evil” to acknowledging projects as being unique and uncertain
• From viewing projects as known tasks to be accomplished in known environments to instead embracing a continuum of known-unknown tasks to be executed in unfamiliar and often turbulent locations and business environments
• From viewing deviations from project baselines as inaccurate planning or inappropriate control to instead acknowledging deviations as being the rule and not the exception
32. “You know when you’re really getting good at risk management when the company does its risk assessment at the project kick off rather than at the end”
- Angela Herrin, Harvard Business Review Analytics Services
34. The 5 X 5 Probability Impact Graphs (PIGs) we use for risk ratings
38. Our risk register template was using the graph below to compare risk ratings. But this simplistic view did not account for variability and made it difficult for us to differentiate between High Impact but Low Probability and Low Impact but High Probability risks (i.e. a risk rating of “10” could be either a probability of 2 and impact of 5, or a probability of 5 and impact of 2).
39. The example below shows the new PIG heat maps that will now be used on our risk register templates.
Monthly audits of a project risk register will produce revised risk ratings that can be compared to the baselines above.
41. Note: This example data is based on a project with a contract value of P500M
42. These reserves provide you with a cushion against known and unknown risks. Without contingency and management reserves, you cannot estimate your project cost and budget. These reserves are an inseparable part of your budget and help you manage risks.
Keep in mind that contingency reserve and management reserve are not the same. They are different, calculated with different techniques, and serve different purposes.
43. Contingency Reserve
Contingency reserve is not a random reserve; it is an estimated reserve based on various risk management techniques. This reserve is controlled by the project manager, who draws on it whenever an identified risk occurs.
Expected monetary value is a statistical technique used to quantify the risks, which helps you calculate the contingency reserve. This technique is used in medium to high-cost projects where you have enough resources and cannot risk the failure of the project because the stakes are high.
To find the expected monetary value, you estimate the probability and the cost impact of each event. Once you have this data, you multiply probability and impact together to generate the EMV of each risk.
Expected Monetary Value (EMV) = Probability * Impact
Once you have calculated the EMV of all identified risks, you add them together.
In the data graph on our risk register template, we subdivide the audited probability-weighted cost impact into two buckets: Contingency for operational risks and Scope for strategic risks.
44. Management Reserve
Management reserve is the cost or time reserve that is used to manage the unidentified risks, or “unknown-unknowns” (risks that have not been identified).
Management reserve is not a part of the cost baseline, and the project manager needs management’s permission to use this reserve.
Management reserve is not an estimated reserve. It is a figure which is defined according to the organization’s policy.
For the data graph on our risk register template, we use 5% of the contract price to compute the amount of Management Reserve. This is subject to executive management review and may increase or decrease based on the type of project.
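The arithmetic behind slides 16, 38, 39, 43 and 44 is small enough to show end to end. The following is an added example, not code from the MIESCOR risk register template: it scores risks on the 5 x 5 PIG, tags each risk with the side of the grid it sits on so that a 2 x 5 and a 5 x 2 risk are no longer indistinguishable, sums EMV into the Contingency (operational) and Scope (strategic) buckets, sets management reserve at 5% of contract price, checks contingency against the 3% / 5% overrun bands of the P500M example, and reports rating changes from a monthly audit against the baseline. The mapping from a 1-5 probability score to a probability (`PROB_SCALE`), the heat-map band thresholds in `heat_cell`, and the sample register with its peso cost impacts are assumptions constructed for the example.

```python
"""Risk register arithmetic behind the PIG heat map and reserve figures.

Assumptions (not from the slides): PROB_SCALE, the band thresholds in
heat_cell(), and the constructed sample register below. The 5x5 scoring,
the 5% management reserve, the P500M contract and the 3%/5% overrun bands
are the slides' own numbers.
"""
from __future__ import annotations
from dataclasses import dataclass

CONTRACT_VALUE = 500_000_000     # P500M, the example contract value on the slides
MGMT_RESERVE_PCT = 0.05          # slide 44: management reserve = 5% of contract price

# Assumed mapping from a 1..5 probability score to the probability used for EMV.
PROB_SCALE = {1: 0.10, 2: 0.30, 3: 0.50, 4: 0.70, 5: 0.90}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str       # "operational" (Contingency bucket) or "strategic" (Scope bucket)
    probability: int    # 1..5 on the PIG
    impact: int         # 1..5 on the PIG
    cost_impact: float  # pesos lost if the risk materialises (assumed input)


def pig_rating(risk: Risk) -> int:
    """Probability x impact score; ambiguous on its own, as slide 38 notes."""
    return risk.probability * risk.impact


def heat_cell(risk: Risk) -> tuple[str, str]:
    """Heat-map band plus which side of the PIG diagonal the risk sits on.

    A 2x5 and a 5x2 risk share a rating of 10 and a band, but get different
    shape tags: the distinction a flat rating loses. Band thresholds are an
    assumption for this example.
    """
    score = pig_rating(risk)
    band = "red" if score >= 15 else "amber" if score >= 8 else "green"
    if risk.impact > risk.probability:
        shape = "high-impact/low-probability"
    elif risk.probability > risk.impact:
        shape = "high-probability/low-impact"
    else:
        shape = "balanced"
    return band, shape


def emv(risk: Risk) -> float:
    """Expected monetary value = probability * cost impact (slide 43)."""
    return PROB_SCALE[risk.probability] * risk.cost_impact


def reserves(register: list[Risk], contract_value: float = CONTRACT_VALUE,
             mgmt_pct: float = MGMT_RESERVE_PCT) -> dict[str, float]:
    """Sum EMV into the two slide-43 buckets and add the policy-set management
    reserve of slide 44, which is a percentage of contract, not an estimate."""
    contingency = sum(emv(r) for r in register if r.category == "operational")
    scope = sum(emv(r) for r in register if r.category == "strategic")
    return {"contingency": contingency, "scope": scope,
            "management": mgmt_pct * contract_value}


def tolerance_check(contingency: float, contract_value: float = CONTRACT_VALUE) -> str:
    """Place the contingency figure in the slide-16 overrun bands: 3% (P15M), 5% (P25M)."""
    pct = contingency / contract_value
    if pct <= 0.03:
        return "within appetite"
    if pct <= 0.05:
        return "within tolerance"
    return "exceeds management reserve"


def audit_delta(baseline: list[Risk], audited: list[Risk]) -> dict[str, int]:
    """Monthly audit (slide 39): rating change per risk against the baseline.
    A risk first seen in the audit is reported against a baseline of 0."""
    base = {r.risk_id: pig_rating(r) for r in baseline}
    return {r.risk_id: pig_rating(r) - base.get(r.risk_id, 0) for r in audited}


# Constructed sample register; R1 and R2 both rate 10, slide 38's ambiguous case.
BASELINE = [
    Risk("R1", "operational", 2, 5, 20_000_000),
    Risk("R2", "operational", 5, 2, 4_000_000),
    Risk("R3", "strategic", 3, 4, 30_000_000),
]
# After a monthly audit, R1's probability has been re-scored upward.
AUDITED = [Risk("R1", "operational", 3, 5, 20_000_000)] + BASELINE[1:]

if __name__ == "__main__":
    for r in BASELINE:
        print(r.risk_id, pig_rating(r), heat_cell(r), f"EMV={emv(r):,.0f}")
    res = reserves(BASELINE)
    print({k: f"{v:,.0f}" for k, v in res.items()})
    print(tolerance_check(res["contingency"]))
    print(audit_delta(BASELINE, AUDITED))
```

On the sample register the Contingency bucket comes to P9.6M (1.92% of contract, within the 3% band), the Scope bucket to P15M, and management reserve to P25M; the audit moves R1 from amber (10) to red (15) while R2 stays put, which is exactly the movement a monthly comparison to the baseline heat map is meant to surface.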
49. Strategic Risks
• Project Delivery Framework (Project Lifecycle)
• Project execution strategy
• Time constraints
• Changes to project objectives
• Organizational alignment
• Joint venture issues
We need to develop and implement clear KPIs and KRIs (Key Risk Indicators) for measuring and reporting on strategic risks.
50. Strategic risk management is a crucial but often overlooked
aspect of enterprise risk management (ERM). While ERM
has traditionally focused on financial and, more recently,
operational risk, the fact is that strategic risk is far more
consequential.
52. • Operational Efficiency (Clean operations, Resource efficiency, Profitability of projects)
• Service Excellence (Customer experience, Service continuity)
• Engaged Workforce and Safe Workplaces (DOLE compliance, Occupational Health and Safety compliance, Employee relations, Competency and skills development)
• Social Responsibility (Community engagement, Green initiatives, Education and Continuing Professional Development support, Disaster relief and response)
The 5 steps mentioned earlier need to be applied to the 4 main ESG reporting categories which MPIC is most interested in seeing from its operating companies. While this ESG reporting has not been finalized with Meralco, MIESCOR can stay ahead of the game by following the 5 steps when implementing its strategic planning and project execution processes.
54. Contextual Risks
• Capabilities
• Go / No Go decisions
• Business practices
• Market conditions
• Company culture
• Geopolitics
• Public opposition
55. ISO 31000:2009 Section 2.10 [External context]
An organization’s external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its external stakeholders, its local, national, and international environment, as well as key drivers and trends that influence its objectives. It includes stakeholder values, perceptions, and relationships, as well as its social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environment.
56. ISO 31000:2009 Section 2.11 [Internal context]
An organization’s internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards.
Governance includes the organization’s structure, policies, objectives, roles, accountabilities, and decision making process, and capabilities include its knowledge and human, technological, capital, and systemic resources.
57. ‘Go/No Go’ evaluation as a risk-reduction tool
A proper Go/No Go evaluation, especially if required of and enforced by
the firm’s most senior staff, can help the decision-maker say “no” when
“no” is the correct answer. The process can also help to ensure that no
opportunity that might be viable is missed due to a collection of incorrect
assumptions or a lack of consideration.
A proper Go/No Go evaluation, with a number of relevant staff
participating, could also uncover internal capability hurdles or adverse
external issues before incurring a lot of proposal costs on an opportunity
that the Company should not get involved with.
58. Establishing a proper risk culture throughout the organization is the
necessary foundation for the success of any ERM endeavor.
60. What is organizational culture?
Organizational culture shapes the work environment in which performance occurs. Ultimately, not paying attention to culture undermines sustainability.
A good, well-aligned culture can propel the organization to success; the wrong culture stifles its ability to adapt to a fast changing world.
61. Organizational culture is shown in:
The ways the organization conducts its business, treats its employees, customers, and the wider community.
The extent to which freedom is allowed in decision making, developing new ideas, and personal expression.
How power and information flow through its hierarchy, and
How committed employees are towards collective objectives.
64. What is risk culture?
“a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose.”
People fundamentally want to do the right thing. Therefore, organizations need to create a decent, open and respectful culture which allows employees to interact at work as they would in their home and social environment.
This is the culture which mitigates risk and reputational damage, encourages higher performance and develops a sustainable business model.
67. Taking the lead in risk culture change
With MIESCOR senior management already in full support of the ERM initiative, our next presentation in the series will focus on items 2 to 5 above.
68. The goal of our ERM endeavors is to help us ‘get the cheese’.
Speaker notes
It is worth mentioning that a major hurdle in implementing ISO 31000 is the fact that it is not the only standard in the ISO toolkit that mentions “risk”, and the space around risk management is becoming rather crowded. There are standards for quality, performance and risk, supply chain management and risk, business continuity management; in fact the constellation of standards that overlap ISO 31000's core charter is remarkable. To confuse matters further, there are numerous audit and certification companies which also ‘steal the ear’ of companies' executive officers, which adds further complications to a smooth enterprise-wide deployment of ISO 31000.