Increasing risk oversight has been a priority for boards and management since the global financial crisis, but many are unprepared to do so, according to a recent report from the Canadian Institute of Chartered Accountants (CICA). A Framework for Board Oversight of Enterprise Risk presents a nine-step roadmap to help directors identify, understand and address enterprise risk and recognize the potential compounding effects when risks collide. The roadmap is sound and can also be a valuable resource for risk management professionals.
The CICA report states that “a common concern among boards of directors is the lack of a comprehensive framework and toolsets to assist boards to structure an effective, robust risk oversight process.” Key activities in the CICA framework include: identifying risks; analyzing, validating and prioritizing them; determining risk tolerance and risk appetite; managing risk through various response strategies; and ongoing monitoring. These are similar to the recommendations in ISO’s risk management standard (ISO 31000) and its business continuity management system standard (ISO 22301).
Since events such as 9/11, Hurricane Katrina, the SARS (severe acute respiratory syndrome) pandemic of 2002/3, the 2011 Tōhoku earthquake in Japan, and others, the field of Business Continuity Management (BCM) has become more formal and has taken on greater visibility in overall organizational risk management.
Some of this evolution is seen in the recently published ISO Business Continuity Management System (BCMS) standard, ISO 22301:2012. The ISO Technical Committee (TC) that developed ISO 22301:2012 is ISO/TC 223, whose overall subject area is “Societal Security.” ISO indicates that TC 223 is working on an ISO 22301 companion guidance document that will be called ISO 22313.
ISO Focus+ reports that work on ISO 22301 originated in 2006 during a workshop on Emergency Preparedness, and that an interim guidance document (ISO/PAS 22399:2007) was prepared that addressed business continuity (BC) and incident preparedness.
At the IOSH Conference in Manchester, England this week, risk- and evidence-based management was a prime topic. During a presentation of particular interest, Steve Flynn, the vice president of health, safety, security, and environment (HSSE) for BP, reported on numerous continual improvement actions that BP has taken since the Deepwater Horizon explosion and oil spill in April 2010.
One of the key lessons learned, Flynn reported, was the need for and value of an integrated risk management approach, embedded throughout the value chain. He framed this as a balance between people and systems, pointing to the importance of focusing not only on systems, such as a formal EHS management system, but also on the overall culture and perceptions of employees, including management. His comments reflect BP’s organizational learning from the Grangemouth, Forties Alpha, and Texas City accidents, as well as the Deepwater Horizon spill.
As part of my research this summer on relationships between EHS/S and risk management, I interviewed a group of EHS/S and risk management executives about various aspects of their activities. Prior to the interviews, the interviewees were given the Redinger EHS white paper titled, “360 Vision for Environmental Health, and Sustainability: Anticipate and Avoid Black Swan Events.” A series of questions focused on the needs and challenges of EHS/S and risk management departments. Some of the responses included:
- “I need to know as much as I can about the risks my company faces. I wrestle with having confidence that my team and I have a good understanding about risks that will bite us. I am not sure we have a good understanding about our EHS risks.”
It has been a while since I’ve posted. The summer has been full, working on developing the 360 Risk Management Check-Up™, a high-level diagnostic to measure the EHS/S and risk management function in organizations. Associated with this work, I have been conducting research on the evolution of organizational risk management and growing attention on non-financial risk management (NFRM).
Organizational risk management (RM) concepts and practices have been evolving from a singular focus on financial risk to a broader focus on enterprise-wide and non-financial risks. Approaches such as enterprise risk management, strategic risk management, value risk management, and others have been converging into what is now being called NFRM.
In my previous post, I briefly discussed the integrated quality, safety, and environmental management system (QSEMS) at the Cannes Convention Center. The trend toward integrated management systems, including ISO’s movement toward a generic management system model for wide application, will provide a new tool for organizational risk management.
As evolved as risk management methods and models are, organizations still struggle to integrate risk management practices. A silo phenomenon challenges risk managers, as it has challenged EHS managers for many years. Current non-financial risk management writing and research highlights the need for risk management integration and “silo-busting.” An integrated risk management system can provide a way to break down silos in an organization.
The current issue of ISO Focus (February 2011) is dedicated to a wide range of security-related issues and highlights the ISO 28000 series on security risk management.
ISO 28000 was published in 2007 and specifies requirements for a security management system for the supply chain. Its framework closely follows the ISO 14001 framework. ISO 28000 is the core of the family, providing the management system specification against which an organization can be assessed. ISO 28004 provides guidance on implementing ISO 28000, and other members of the family address specific sectors, such as ISO 28005 (Electronic Port Clearance) and ISO 20858 (Ships and Marine Technology, covering port facility security assessments).