ISO31000 Integrating Risk Management into Decision Making

Here is an extract from the ISO 31000:2018 risk management standard:

Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by:

A1. aligning risk management with the strategy, objectives and culture of the organization;

A2. issuing a statement or policy that establishes a risk management approach, plan or course of action;

A3. ensuring that the necessary resources are allocated to managing risk;

A4. assigning authority, responsibility and accountability at appropriate levels within the organization;

A5. ensuring that risks are adequately considered when setting the organization’s objectives

A6. understanding the risks facing the organization in pursuit of its objectives. Risks are appropriate in the context of the organization’s objectives and risks and their management is properly communicated

A7. ensuring risk management framework is implemented and operating effectively

Risk management should not only help companies to achieve minimum legal compliance requirements but also contribute to the demonstrable achievement of objectives, linking risks with performance. This section is intentionally broad and may mean different things to different organizations, so reviewers need to keep an open mind when reviewing it. Below are some examples that may not be applicable to every single organization, however, are a good starting point. Many mature organizations link risk management to performance management, set up governance structures, implement compliance and adopt a proactive rather than a reactive management that allows timely, structured and transparent communication of risks at all levels of the organization.

Note that achievement of objectives is not, in itself, the measure of risk management effectiveness. Risk management enables intelligent and informed decisions, which will improve but not guarantee the achievement of objectives.

According to ISO31000 standard, integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization’s needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.

To assess performance against this criterion, reviewers should discuss with the key stakeholders how they perceive risk management within the organization and what value does the risk management team bring to them and to their decision making and business processes. Various stakeholders may need to be interviewed to determine whether risk management does in fact align with the strategy, objectives and culture of the organization. This is pretty high level and is done more to create a baseline that you will later validate using objective evidence and observations.

Mature organizations establish a risk management policy that clearly states the organization's objectives and commitment to risk management. The risk management policy typically includes:

• the organization's rationale for managing risk;

• links to the organization's objectives and other policies;

• accountabilities and responsibilities;

• risk criteria and guidance for decision makers;

• commitment to make the necessary resources available;

• the way in which conflicting interests are dealt with;

• an escalation process;

• performance measurement and reporting; and

• commitment to review and improve the risk management policy and framework.

Reviewers should check whether the details of the risk management policy were communicated as appropriate within the organization and to the external stakeholders.

Most modern-day risk managers are familiar with developing a risk management framework or procedure documents. These documents capture risk management roles and responsibilities, outline risk management processes as well as other aspects of risk management. Risk management framework documents became so common, that nowadays they don’t require much effort to develop and there are plenty of free templates available online. The only problem is that nobody in the organisation, except the risk manager and the internal auditor, reads them.

Over the years, we have discovered a much better way to document risk management frameworks, procedures and methodologies. Instead of writing a separate risk management framework, companies should upgrade its existing policies and procedures to include elements of risk management where appropriate. One investment company that we interviewed documented risk management methodology in the investment management procedure instead of creating any new risk management documents. This essentially changed how the investment process works, made risk management a critical step in investment decision making, gave investment managers a sense of ownership and had a huge positive impact on the risk culture within the organisation.

The same approach can also be used for any other business process. Instead of creating a single, centralised risk management framework or procedure document, risk managers should review and update existing policies and procedures to include elements of risk management. Some procedures may require a minor update, with only a sentence or two added while others may need whole appendices written to include risk management methodologies. This approach also reinforces the need to create separate risk management tools and methodologies for different business processes.

Resources allocated to risk management should be tailored. While the management needs to ensure that the necessary resources are allocated to the integration of risk management, considerations of the internal and external context should apply, and in particular:

People responsible for managing risk should:

• Have sufficient industry, business, and technical knowledge and experience

• Have strong facilitation, risk perception, psychology and issue resolution skills

• Have corporate finance, financial modelling and statistical skills

Roles and responsibilities of the risk management team may include:

• Methodology support, risk analysis, risk reporting, facilitation, risk management training, awareness building and communication

• Performing independent risk analysis for all significant decisions, in some instances having veto power on risky deals or projects.

Time dedicated to risk management:

• Time dedicated to risk management integration and risk analysis should be considered. It takes time to change current decision-making processes and it takes time to perform risk analysis hence some decisions may need to be delayed or more time should be allocated to decision making.

• Time dedicated by the top management to risk discussion as part of decision making will reflect the belief that risk management increases the likelihood of achieving corporate objectives.

• The distribution of time dedicated to the different risk management activities (e.g. risk analysis versus risk monitoring)

Budget dedicated to risk management:

• As part of the mandate and commitment of the top management, budget is a critical factor and it reflects strength, the commitment, the risk appetite of the senior management regarding the management of risks and the desire to integrate risk management into core business activities and decision making.

• When there is a request for budget in risk management, it should be presented in the form of a cost-benefit analysis.

• Risk owners should have adequate resources to be able to manage the risks associated with their responsibility for achieving objectives and their decisions.

Risk management software (for example software for risk modelling) and other tools may be required to perform risk management activities.

Reviewers should check whether existing risk management team and the resources dedicated to the integration of risk management into decision making are consistent with the organization's external and internal context and the overall risk profile. This can be ascertained through the discussion with the risk management team and a sample of the executives / decision makers.

A critical component of risk management integration is including responsibility and accountability (authority, resources and competence) for managing risks into all business activities. Top management should ensure that the responsibilities and authorities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization.

It is quite common to describe risk management roles and responsibilities in risk management policy or a framework document. This approach seems simple to implement, yet not very effective, as business units often don’t feel the ownership of these documents, instead they consider them irrelevant in everyday business decision making and simply ignore them. Alternative and more effective way is to incorporate risk management roles and responsibilities into existing job descriptions, policies and procedures, various committee charters and working groups.

Risk management roles, responsibilities and competencies must be identified and documented for all levels of management. Some of the common roles and responsibilities include:

Board of directors (if available)

• Provide oversight of the overall risk management effectiveness, including standards and values

• Make Board level decisions with proper consideration to risks and guidance

• Review and establish risk-adjusted appetites/limits for certain business activities, types of risks (usually required by law) or decisions

• Set risk-adjusted performance targets and KPIs for CEO and the management

CEO

• Responsible for establishing the overall risk management framework

• Make decisions with proper consideration to risks and guide whenever necessary

• Approves the strategy, business plans and budgets based on the risk management information

• Set risk-adjusted performance targets and KPIs for senior management

• Provide timely and accurate disclosure risk-adjusted performance, most significant risks and their treatments to the Board of Directors / investors / owners

• Allocate responsibility for effective risk management to risk owners

• Assign responsibility for designing and implementing the risk management framework

• Allocate resources necessary to perform business activities with risks in mind

Risk manager

• Design and implement the risk management framework

• Coordinate risk management activities and provide methodological support for the risk-based decision making

• Participate in the decision-making process (if required)

• Participate in the preparation of management reports, providing relevant information about risks and their treatments

• Coordinate the work of the Risk Management Committee (if applicable)

• Provide risk management training

• Implement activities designed to integrate risk management into the overall culture of the organization

Other business unit heads:

• Identify, assess and treat risks associated with business activities or decision-making within their area of responsibility

• Allocate resources necessary to manage risks within their area of responsibility

• Optimize business processes or decision making based on the information about risks.

Reviewers should check whether risk management roles, responsibilities and competencies are adequately documented and performed at all levels within the organization.

Most mature organizations have already documented their appetites for different risks to objectives. Segregation of duties, financing and deal limits, procurement criteria, investment criteria, zero tolerance to fraud or safety risks – are all examples of how organizations set risk appetites. Sometimes risk appetite is driven by legal or regulatory requirements, industry practices or stakeholder expectations.

Reviewers should check existing Board level (or equivalent) policies and procedures to identify:

• significant decisions / activities that already have their risk appetite set. For example, a company may have a Board level policy that prohibits any business ventures with organizations that utilize child labor. Or it may have a requirement not to invest in high risk ventures above a certain ratio. In cases, where the risk appetite has already been set, reviewers should check with internal auditors to test whether limits are realistic and are in fact adhered to.

• for the decisions / activities where no risk appetite has been set by any of the existing policies or procedures, reviewers should discuss with the process owners to understand risk appetite and see whether it has been incorporated into other existing policies and procedures. Main decisions / activities can be divided into three groups:

• "Zero tolerance"

• Acceptable within quantitative limits

• Acceptable within qualitative limits

Reviewers should also check risk criteria (another example of risk appetite) used in the organization for different risk assessments to make sure they are consistently applied, are up to date and adequately cover business needs.

Independent directors, Board and Audit committee members should receive timely information about:

• Risks associated with the corporate strategy proposed by the management

• Risks associated with key decisions being taken by the Board or Audit committee and how the management proposes to mitigate these risks

• Performance should be adjusted for risk before being presented to the Board or Audit committee and used for remuneration or other purposes

• Risks associated with the achievement of key objectives and the likelihood of achieving them.

Reviewers should check that the risk information presented to the Board or Audit committee is not packaged as a standalone report or presentation, rather it is included into existing decisions and performance reporting. This way when making every decision Board and Audit committee members have all the upside and downside information to make quality decisions.

Mature organizations also present strategies, objectives and targets not as single point forecast but as ranges and scenarios accounting for risk.

According to ISO31000, risk management framework is set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization. Despite common practice, risk management framework is not a single document, rather a set of activities as well as numerous documents driving the risk management integration.

As result, ensuring that the risk management framework remains appropriate does not necessarily imply periodic review of a single document, rather period review of the risk management integration approach in general. This is covered in more details in sections D and E. In the meantime, reviewers should check whether stakeholders believe current risk management framework (in its broad sense) is appropriate for the business and provides sufficient value to them as decision makers.

Test your understanding of this section by completing the following multiple choice questions.

Here is an extract from the ISO 31000:2018 risk management standard:

Organizations should design the risk management framework, including:

B1. Understanding the organization and its context - When designing the framework for managing risk, the organization should examine and understand its external and internal context.

B2. Establishing communication and consultation - The organization should establish an agreed approach to communication and consultation to support the framework and facilitate the effective application of risk management.

The framework and processes to manage risk are tailored to the external environment in which the organization operates. The external context can include:

• the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;

• key drivers and trends having an impact on the objectives of the organization; and

• relationships with and perceptions and values of external stakeholders.

The framework and processes to manage risk are tailored to the internal environment in which the organization seeks to achieve its objectives. The internal context can include:

• the volatility and magnitude of risk to objectives;

• the sources of risk to objectives;

• governance, organizational structure, roles and accountabilities;

• policies, objectives, and the strategies that are in place to achieve them;

• the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);

• information systems, information flows and decision-making processes (both formal and informal);

• relationships with, and perceptions and values of, internal stakeholders;

• the organization's culture;

• how decisions are made;

• who makes key decisions;

• standards, guidelines and models adopted by the organization; and

• form and extent of contractual relationships.

Reviewers should seek to understand specific industry/regulatory requirements for risk management for a company (many industries have international or national bodies that often impose specific risk management requirements) as well as finding out about any specific stakeholder expectations. Then check whether current risk management practices are adequately addressing these requirements.

Risk management structure can be centralized (group risk management is responsible for coordinating all risk management related activities) or decentralized (each decision maker is responsible for its related risk management activity). Reviewers should note that both structures may be appropriate and check whether existing risk management structure suits the nature of the business, industry best practice and the organizational risk profile.

The design of the risk management framework should facilitate the integration of the risk management process into decision-making and the overall management of the organization. The selection of the risk assessment techniques will depend upon the availability of resources:

• Time constraints, available expertise, human, financial and other resources.

• Quality, quantity, integrity, timeliness, currency, accuracy, reliability, consistency of data and capacity to collect it.

• Complexity of risks, interdependencies and complexity of management decisions.

Some methods and the degree of detail for the analysis may be prescribed by legislation.

Regardless of the risk assessment techniques used, they should satisfy the following criteria:

• risk analysis has to be performed at the time of decision making, not once a quarter

• the results of risk analysis should not be expressed as arbitrary risk levels, rather be expressed as volatility or range or scenarios of the decision / objective itself (with some exceptions in HSE for example)

• the output of risk analysis should have a direct and immediate impact on the decision at hand.

It is also very important to distinguish between 2 types of risk analysis techniques:

techniques to better understand the nature of risk to make a decision how to manage it. Usually used when a specific risk is know and is significant and management needs to deal with it in a cost effective manner:

• bow-tie diagrams

• FMEA / FMECA

• HAZID, HAZMAT, HAZAN

• 5 whys

• influence diagrams

• ICAM, etc.

techniques to better understand how uncertainty affects the decision or objective. Used when making a decision, preparing or approving a strategy, budget, forecast, long term pricing, etc. and the risks are not obvious:

• scoring

• decision trees

• sensitivity analysis

• scenario analysis

• stress testing

• various simulation techniques (agent-based, system dynamics or discrete event).

Mature organizations ensure that appropriate risk assessment and decision-making techniques are used for different purposes, for example:

• The effect of liquidity fluctuations, foreign exchange or other financial risks on objectives may be analyzed using Monte-Carlo simulations, sensitivity analysis or other appropriate metrics.

• Risks associated with contractors and key suppliers may be measured using a risk scoring methodology or a basic qualitative risk assessment technique.

• Risks associated with projects or investments may be also measured using scenario analysis or Monte-Carlo simulation of the net present value or performing Monte-Carlo simulation on the project schedule or budget.

Risk managers must provide full transparency on the tool selection and key assumptions made during the risk assessments. Constraints, uncertainties and assumptions having an impact on the risk assessment should be explicitly considered at each step in the risk assessment and documented in a transparent manner. Decision makers may use information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment, however they should always capture appropriate explanations to support their and other stakeholder inputs. This may cover:

• Factors they may have included or excluded from their risk assessment.

• Assumptions they have made.

• Divergence on opinions among participants when performing risk assessment.

• How inputs from multiple participants were combined or aggregated.

• Limitations of techniques used and how these were addressed (or not).

• Limitations on reliability or the quality of data used.

Additional caution should be displayed when using and relying on qualitative risk assessment techniques due to the effect of cognitive biases and the fundamental design flaws in the qualitative risk assessments as described by Thomas, Philip & Bratvold, Reidar & Bickel, J. (2013). The Risk of Using Risk Matrices. SPE Economics & Management. 6. 10.2118/166269-MS. Limitations of qualitative risk assessment techniques should be disclosed by the risk managers.

Reviewers should select a sample of past risk assessments to verify that information about the assumptions and limitations of selected risk assessment techniques have been recorded and disclosed to all stakeholders. Reviewers should check whether risk assessment techniques (set out at the risk management framework design stage) are appropriate and suitable for the various types of decisions, the internal and external context of the organization.

Risk management should be inclusive. Appropriate and timely consultation and involvement of stakeholders enables their knowledge, views and perceptions to be taken into account which results in improved awareness and informed risk management and decision making.

Recording and reporting provides a means of communication that facilitates the integration of risk management across organizational boundaries and communicates information concerning risks to stakeholders. Risk communication can be an efficient tool for demonstrating the effect of risk management on organization’s overall objectives.

Mature organizations try to reach consistency in understanding risk management terms and definitions across the business units through awareness campaigns, training and ongoing internal communication.

Reviewers should discuss risk management with several employees with various experiences to assess their level of awareness of risk management objectives, the differences between proactive risk management and crisis management and their level of familiarity with the key terms and definitions.

Reviewers should also check whether risk managers speak the business language, not “risk speak” when engaging senior executives. Terms like risk appetite, risk registers, Monte-Carlo simulations may be fine when talking within the risk team or speaking with the CFO but need to be adjusted when talking to, for example, head of production or marketing team.

Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria. Stakeholders need to get the right information in appropriate and timely manner, to understand the basis on which decisions are made and be secured that their judgment is adequately considered.

An organization might use a responsibility assignment matrix, also known as RACI matrix, which describes the participation by various roles in completing tasks or deliverables for a project or business process. It is especially useful in clarifying roles and responsibilities in cross-functional/departmental projects, tasks and processes. Reviewers should check whether risk management is inclusive of key stakeholders.

Mature organizations integrate risk management information into existing management reporting. Management reports should integrate risk and performance information. For some organizations, it is considered good practice to report not on the risks themselves but the effect they will have on the company objectives. Modern risk assessment techniques allow to quantify the probability of achieving each of the business objectives. Management needs to know the current level of achievement (performance) as well as the current level of risk, so some organizations choose to report key strategic and operational targets adjusted for risk.

Dedicated reports may be prepared for specific significant risks that require urgent or special attention from the senior management or key stakeholders.

Reviewers should check whether risk management information has been appropriately integrated into day-to-day management performance reporting and for any reports dedicated to significant risks. Reviewers should also check whether risk management information is readily available on the company intranet website, newsletters or portal.

Risk management information should also be provided to stakeholders outside the organization. Mature companies include risk management information into the following types of reports:

• Annual report: usually contains information about overall commitment to risk management, risk management principles and how they are applied by the organization, risk management governance structure, risk-adjusted performance metrics, risk management objectives and key risk management related activities undertaken throughout the year. Annual reports may also include information on the actual risks faced by the organization and their treatment. Financial statements should also include disclosures of risks and measures to treat them.

• Corporate website: usually provides Risk Management policy, may describe the risk management governance structure, makes public references to ISO31000:2018 and provide information on any risk related information as per the requirements of the Stock Exchange or regulator.

• Other examples include reports to the regulator, corporate social responsibility reporting, prospectus (if organization is raising funds) and so on.

Reviewers should check whether risk management information is adequately presented in external reporting, is up to date, accurate and refers to ISO31000. Disclosure on the company external website is already covered in A7.

Test your understanding of this section by completing the following multiple choice questions.

Here is an extract from the ISO 31000:2018 risk management standard:

The organization should implement the risk management framework by:

C1. developing an appropriate plan including timing;

C2. identifying where, when and how different types of decisions are made across the organization, and by whom;

C3. modifying the applicable decision-making processes where necessary;

C4. ensuring that the organization's arrangements for managing risk are clearly understood and practiced.

Properly designed and implemented, the risk management framework will ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and that changes in external and internal contexts will be adequately captured.

Successful implementation of the risk management framework requires integration of risk management practices into core organizational processes, key activities, supporting functions, extended supply chain as well as decision making across all levels of the organization.

Reviewers should check whether an organization has an appropriate plan to implement risk management into all activities throughout the organization, including decision-making. Plans should be actionable, realistic, measurable, include responsibilities and timing.

Mature organizations ensure that every significant business decision is supported by appropriate justification and risk assessment. Decision justification should include:

• Appropriate frame of the problem

• Alternatives for the decision. Risk assessment should be performed for every option associated with a particular decision. Risk assessment should be based on relevant and reliable information. Mature organizations use tools like decision trees, Monte-Carlo simulations and others to help identify, assess and document risk associated with every significant decision.

• Clear values and criteria for making the decision, including tolerances to various risk types.

Decision-making can be regarded as a problem-solving activity terminated by a solution deemed to be satisfactory. It is therefore a process which can be rational or irrational and can be based on tacit or explicit knowledge.

Performing risk assessments for all significant business decisions can dramatically raise decision quality and provide management with valuable insight and alternatives. It helps decision-makers to make informed choices, prioritize actions and distinguish among alternative courses of action.

Characteristics of decision-making:

• Objectives must first be established

• Objectives must be classified and placed in order of importance

• Managers having the authority, the resources and the competence to achieve these objectives are considered risk owners

• Decisions are based on perceptions and assumptions which need to be verified

• Decisions are based on the best available information at a given time.

• Alternatives must be developed

• The alternatives must be evaluated against all the objectives

• The alternative that can achieve all the objectives is the tentative decision

• The tentative decision is evaluated for more possible consequences, whether under the control of the decision-maker, or not.

• The decisive actions are taken, and additional actions are taken to prevent any adverse consequences from becoming problems.

Mature organizations perform risk assessments not according to a risk management cycle (monthly, quarterly, every six months or annually) but rather as an integral element in every significant business decision. This involves performing analysis of the consequences associated with budgeting within the existing budgeting cycle and conducting investment risk assessments as part of investment decision making. The timeliness of risk management is driven not by the risk manager but by business requirements.

Mature organizations allocate appropriate time and effort to discussing scenarios, associated risks and treatment strategies associated with each alternative before making the decision. Reviewers should sample meeting minutes / reports to see the level and quality of the discussion associated with significant business decisions. According to the ISO31000 risks associated with the decisions could be:

• avoided by deciding not to start or continue with the activity that gives rise to the risk;

• taken or increased in order to pursue an opportunity;

• removed by addressing the risk source;

• changed in terms of their likelihood;

• changed in terms of their consequences;

• shared with another party or parties (including contracts and risk financing); and

• retained or accepted by informed decision;

• assessed only after getting additional information.

If it is decided to go ahead and accept the risks, that should be recorded so that the decision and the risks associated can be subjected to ongoing review. Reviewers should check to see whether that is in fact how decisions are made and documented by management. Examples include:

• Decisions impacting multiple objectives

• Conflicting objectives

• Decisions having positive consequences for some objectives but negative impacts for other objectives

• Decisions having positive consequences for corporate objectives but negative impacts for personal objectives of the decision-maker and/or his team, department, business unit.

Reviewers should understand which types of decisions and activities are considered key to the achievement of company objectives. Reviewers should select a sample of significant business decisions and check whether justification for these decisions includes appropriate risk analysis. Risk assessments should be performed prior to the decision being made and the documentation supporting the decision should include the outcomes of the risk assessment in some shape or form. This information should be consistently documented using a methodology that is aligned with the ISO31000 principles.

When assessing risks, it’s important to understand the research behind what scientists call “risk perception”, as this knowledge has a significant impact on how reviewers conduct interviews and analyze information during the risk management maturity assessment:

• The study of risk perception arose out of the observation that experts and lay people often disagreed about how risky various technologies and natural hazards were.

• The mid 1960s saw the rapid rise of nuclear technologies and the promise for clean and safe energy. However, public perception shifted against this new technology. Fears of both longitudinal dangers to the environment and immediate disasters creating radioactive wastelands turned the public against this new technology. The scientific and governmental communities asked why public perception was against the use of nuclear energy when all the scientific experts were declaring how safe it really was. The problem, from the perspectives of the experts, was a difference between scientific facts and an exaggerated public perception of the dangers.[1]

• Research began in trying to understand how people process information and make decisions under uncertainty. Early works found that people use cognitive heuristics in sorting and simplifying information which lead to biases in comprehension. Later work built on this foundation and identified numerous factors responsible for influencing individual perceptions of risk, including dread, newness, stigma, cultural completion and other factors.[2] Karen Cerulo suggests that emotions link perception to action and that unrealistic optimism (positive asymmetry) led to a miscalculation of the impact of Katrina on New Orleans vulnerability (Cerulo, 2006, p.62, 239).

• Research also showed that risk perceptions are influenced by the emotional state of the perceiver (Bodenhausen, G.V. (1993). Emotions, arousal, and stereotypic judgments: A heuristic model of affect and stereotyping. In D.M. Mackie & D.L. Hamilton (Eds.), Affect, cognition, and stereotyping: Interactive processes in group perception (pp. 13-37). San Diego, CA: Academic Press.). According to for example valence theory, positive emotions lead to optimistic risk perceptions whereas negative emotions influence a more pessimistic view of risk (Lerner, JS; Keltner, D (2000). "Beyond valence: Toward a model of emotion-specific influences on judgment and choice". Cognition and Emotion. 14: 473–493).

• The earliest psychometric research was done by psychologists Daniel Kahneman (who late went on to win a Nobel prize in economics with Vernon Smith "for having integrated insights from psychological research into economic science, especially concerning human judgment and decision-making under uncertainty") and Amos Tversky, who performed a series of gambling experiments to see how people evaluated probabilities (Kahneman, D. (2003). Maps of bounded rationality: A perspective on intuitive judgment and choice. In T. Frangsmyr (Ed.), Les Prix Nobel 2002 [Nobel Prizes 2002]. Stockholm, Sweden: Almquist & Wiksell International). Their major finding was that people use several heuristics to evaluate information. These heuristics are usually useful shortcuts for thinking, but they may lead to inaccurate judgments in complex business situations of high uncertainty – in which case they become cognitive biases.

Human and cultural factors which could be considered may include, but are not limited to:

• There are commonly known cognitive biases, which may influence the effectiveness of risk assessments and reduce the quality of decision making (https://en.wikipedia.org/wiki/Cognitive_bias); an understated effect on the effectiveness of decision making is narcissism[3].

• In some cases, only a single individual or a small group of individuals may be involved in risk assessment. This may result in any outputs from risk assessment to be influenced by their cognitive biases, perceptions and beliefs or missing significant risks. Reviewers should check to see whether organizations involve a wide and diverse group of individuals within their risk management activities.

• Views and opinions of some individuals may be perceived as more accurate or valid due to their level of experience, job titles, age, association with influential individuals etc. In such cases, the views of such individuals may not be adequately challenged thus impacting the quality of outputs of the risk assessment.

• In certain countries, certain techniques may be preferred over others (for example some European countries lean towards quantitative risk assessments, while Latin American countries prefer qualitative techniques). In such cases, these preferred techniques may be applied to all risks without proper consideration whether the technique is in fact appropriate.

In order to assess level of alignment with this section, reviewers should check whether cognitive biases are accounted for in decision making, risk identification, analysis and mitigation. Reviewers should also check whether risk management experts, stakeholders and risk owners are involved in the decision-making process in situations of high uncertainty and whether decisions and their outcomes are communicated to stakeholders, who may be impacted by the risks associated within these decisions.

[1] Douglas, Mary. Risk Acceptability According to the Social Sciences. Russell Sage Foundation, 1985.

[2] Tversky, Amos; Kahneman, Daniel (1974). "Judgment under Uncertainty: Heuristics and Biases". Science. 185 (4157): 1124–1131. doi:10.1126/science.185.4157.1124. PMID 17835457. Cerulo, Karen A. (2006) . Never Saw It Coming, Cultural Challenges to Envisioning the Worst, f.e. p.212-216, The University of Chicago Presse, Chicago 60637

[3] Rijssenbilt, A. (2011) Thesis: CEO Narcissm, Measurement and Impact, ERIM PhD Series in Research in Management, Rotterdam, juni 2011

Mature organizations should integrate risk management into the planning process both at the strategic and operational levels. Organizations that have successfully implemented risk management into planning would have the following elements:

• Risk assessment is performed as part of the strategy setting and operational planning processes. Risks should be identified, analyzed and evaluated during the formulation of strategic or operational objectives, not as a separate stand-alone activity. Both the positive and the adverse possibilities need to be assessed in determining which objective and strategy to recommend to the Board, and should be discussed as part of the Board’s review.

• Strategic and operational targets / key performance indicators (KPIs) are set based on risk assessment outcomes, for example risk-adjusted return on investment, risk-adjusted sales targets and modified to reflect changes in the risk profile of the organization and/or its internal and external context.

• Information about risks and their treatment is transparent and integrated into strategy planning documentation, including business plans or equivalent.

• Business plans and action plans developed during either strategic or operational planning processes include risk treatment plans.

• Key stakeholders involved in strategy setting or operational planning participate in risk assessment and treatment.

• Risk assessment procedures, criteria, roles and responsibilities are documented with the strategic and / or operational planning policies and procedures and not as stand-alone risk management framework document.

• Top management views risk assessment as a valuable step in the planning process.

Reviewers should check whether elements outlined above can be observed and verified.

Mature organizations should also integrate risk management into corporate performance management processes. Organizations that have successfully implemented risk management into performance management would have the following elements:

• Strategic and operational targets / key performance indicators (KPIs) are set based on risk assessments, for example risk-adjusted return on invested capital, risk-adjusted sales targets or risk management KPIs for individual employees. Using risk-adjusted KPIs also helps to determine the likelihood of achieving, falling short or exceeding targets.

• Business units have risk management targets (risk limits, risk-return ratios) and the performance against them is monitored regularly.

• Performance against risk management targets has a significant impact on the allocation of resources understood in terms of (e.g. capital, time, people, processes, systems and technologies), but also an impact on employee remuneration, annual and individual performance reviews and training needs analysis.

• Information about risks and their treatment is explicitly included into the existing management performance management and reporting.

• Risk management elements are clearly documented within the performance management policies and procedures.

Reviewers should check whether risk management is integrated with performance management systems such as balanced scorecards, key performance indicators (KPIs), rewards and compensation and executive performance assessments. At an individual level, risk management KPIs may be set around risk-based decision making, timely risk treatment, risk management training grades or an internal audit assessment of the effectiveness of risk management in different business units.

Reviewers should check how individual and corporate performance is currently measured and monitored and see whether risks ae adequately considered when assessing and rewarding performance.

Mature organizations should also integrate risk management into the core operational processes. This will be different for every industry, sector and type of organization.

Integrating risk management into core process implies that risk assessments are done at important steps in the process to allow operational decisions to be made with risks in mind, helping decision makers to consider possible consequences for every option. This should be done systematically and appropriately in the operational policies and procedures. For example:

• in a large energy company risk assessment may be integrated into maintenance planning, financial energy transactions or politically-imposed decisions.

• in an airline risk assessments and risk modelling may be integrated into the flight network forecasting, pilot training, maintenance or fuel hedging

• in an investment company risk assessment may be integrated into the strategic asset allocation, investment selection, asset management and funds management.

Top management should ensure allocation of appropriate resources considering policies and processes for risk management including competent and trained people. Mature organizations ensure risk management framework is supported by appropriate tools, people and other resources.

Reviews should seek to understand what business processes are considered key to the organizational performance and determine whether elements of risk management are adequately integrated. In most industries, particularly in high risk activities, elements of risk management are required by law. Reviews need to verify whether existing tools and techniques used to assess risks are adequate and aligned with the principles of ISO31000:2018.

Another quick check may include reviewing existing management systems in the organization (examples include quality management ISO 9001, environmental management ISO14001 and so on) to see whether consistent risk management principles are applied across the different disciplines.

Mature organizations should also integrate risk management into supporting functions (IT, finance, procurement, legal, internal audit, human resources, etc.). The level of integration will depend on the type of the business process; some of the examples include:

• inance: risk assessment may be integrated into budgeting, investment decisions, cash management, hedging and financial planning. Mature organizations may move beyond typical tools like net present value, internal rate of return, scenario analysis and sensitivity analysis to more sophisticated risk management tools like Monte-Carlo simulations using tools like Vose ModelRisk (free), Palisade @Risk (paid) or Oracle Crystal Ball (paid).

• procurement: mature organizations may choose to capture and monitor risks associated with contractors and service providers. Management may then select its pricing strategy, selection criteria, monitoring frequency and reporting requirements based on the contractor risk level. Risk management may be also applied to the procurement decision itself, including consideration for purchasing, renting, outsourcing and so on.

• internal audit: risk assessment may be integrated into audit planning and scheduling as well as audit methodology (risk-based auditing) and reporting audit findings.

Reviewers should check whether elements outlined above can be observed and verified. Policies and procedures covering the supporting functions should clearly document the elements of the risk management framework.

Other examples of integrated risk management may also be present and should be reviewed during the Risk Management maturity model assessment.

Some organizations have numerous subsidiaries or portfolio companies where it may be holding a majority or a minority stake. It is important to implement the same principles of risk management across subsidiaries and portfolio companies.

Mature organizations may have the following in place:

• consistent risk management methodologies available to be integrated into business activities and decision making at key subsidiaries and portfolio companies

• risk management awareness training for key subsidiary or portfolio company management

• performance reporting integrating the outcomes of risk assessments.

Many organizations operate within a potentially complex system of interactions with other organizations and internal and external stakeholders. It is essential to build risk management not only within the organization, but across its networks and in its interactions with others.

Mature organizations should encourage contractors, suppliers and key business partners to adopt risk management and apply the framework outlined in ISO31000:2018. This can be evident through risk management training for contractors, risk management audits performed by the company on its service providers or documented in the contractor management procedures and manuals.

Mature organizations provide risk management training to their staff. All employees should receive risk management training appropriate to their level and risk exposure:

Risk-based decision making in induction training for new employees

New hires come from a variety of education and experience backgrounds and most importantly, each new employee has their own perception of what is an acceptable risk. It is important for risk managers to cooperate with the Human Resources department or any other business unit responsible for training, to jointly carry out training on the basics of risk management for all new employees. Reviewers should check whether risk management is covered in induction training (training for new starters).

Risk-based decision-making training for senior management and the Board

Tone at the top (inclusive leadership) is very important for risk culture development. Executives and Board members play a vital role in driving the risk management agenda. Here are some of the most important messages to be included in risk management training:

• Decision quality and how people make decisions under uncertainty;

• Positioning risk management as a tool to help management make decisions;

• Risk management should be an integral part of existing business processes and regular management reporting, not a stand-alone quarterly or annual activity;

• Risk management is not about avoiding or minimizing risks, it’s about making informed decisions.

Reviewers should check whether risk management training is provided to management and Board members and whether it includes important aspects of risk-based decision making.

Making risk management training competency based

Risk management training needs to show adequate return on investment. Making risk management training competency based and setting KPIs to check for noticeable improvement in the quality of risk based decision making could be a useful way to show return on investment. Each training session could start and end with competency tests. Surveys should also be conducted one month and six months after the training to test for knowledge retention.

Passive, web based and e-learning techniques

Mature organization make sure risk management is readily available to employees either using the internal web-portal or regular information newsletters.

Employees performing high risk activities (manufacturing, maintenance, financial forecasting) could be trained in risk management techniques, as well as basics in risk perception and psychology. Specific training may be provided upon request, for example (web based) collaborative risk assessment techniques, risk-based budgeting, risk-based internal audit, risk-based procurement and so on. Contractors, strategic clients and suppliers may also be trained in risk management.

Reviewers should verify that risk management training is performed regularly, by a competent person and the training materials are aligned with the principles of ISO31000. It is recommended that training be competency based and the new skills are validated, verified after the training.

Mature organizations align individual performance management with risk management. All employees should have individual key performance indicators (KPIs) relating to the management of risks and their participation in the overall risk management framework. Reviewers should check whether risk management performance has noticeable effect on the level or remuneration for staff.

For example, KPIs for the CEO may include:

• an improvement in the risk management culture rating;

• regularity and quality of risk disclosure to shareholders;

• achieving risk-adjusted profitability measures.

For CFO or COO risk management KPIs may include:

• improvement in risk management culture maturity;

• RAROC (risk adjusted return on capital);

• the number of critical operational events and so on.

For the employees, a risk management KPI may include timely and accurate risk analysis during core business processes or significant decisions.

Here is an extract from the ISO 31000:2018 risk management standard:

In order to evaluate the effectiveness of the risk management framework, the organization should:

• periodically measure risk management framework performance against its purpose, implementation plans, indicators and expected behavior;

• determine whether it remains suitable to support achieving the objectives of the organization.

The consideration of risk, when mature, enables the identification of a need to change, including the organization structure, value statement, objectives, strategies, processes, and controls. Risk management may help identify the need for the rest of the organization to adapt to change.

Risk management framework performance should be periodically measured against its purpose, implementation plans, indicators and expected behavior. This can be done internally, by the internal audit department, or externally, by the member of the Audit and Risk Committee, an external certified G31000 Lead Auditor or an external auditor. It is considered good practice to perform reviews of the effectiveness of the risk management framework independently from the risk management function.

Typical review should include the following:

• Assessment of risk management integration into core processes and decision making.

• Assessment of the state of risk management culture within the organization.

• Alignment of risk management framework with the principles of ISO31000.

• Assessment of the risk management team competencies and performance.

Reviewers should discuss with the risk management and internal audit teams when and how evaluations of risk management framework effectiveness were carried out and whether it remains suitable to support achieving the objectives of the organization.

Reviewers should also sample check the quality of risk assessment techniques used by the risk management team using back-testing or other methods and make sure back-testing is carried out for significant decisions on a regular basis.

Here is an extract from the ISO 31000:2018 risk management standard:

E1. The organization should continually monitor and adapt the risk management framework to address external and internal changes. In doing so, the organization can improve its value.

E2. The organization should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.

As relevant gaps or improvement opportunities are identified, the organization should develop plans and tasks and assign them to those accountable for implementation. Once implemented, these improvements should contribute to the enhancement of risk management.

Risk management continually senses and responds to change. As internal and external events occur, context and knowledge change, monitoring and review of risk-based decisions should take place, new risk emerge, some change and others disappear.

Uncertainties and changes that modify the organization’s objectives, assets, processes or (internal and external) stakeholder needs are integrated into the organization’s change management processes, wherever these processes occur. As the business changes, the level, volatility, or frequency of risk change, or as new sources appear and old ones disappear, the risk framework and processes should be appropriately modified.

Mature organizations continually improve suitability, adequacy and effectiveness of the risk management framework. As gaps or improvements are identified, the organization should develop plans and tasks and assign them to appropriate personnel for implementation. Once implemented, these improvements should contribute to advances in risk maturity.

Reviewers should check whether organization has risk management objectives and targets, which have been set by the senior management or Supervisory Board, risk management improvement plans or roadmaps. These plans should be continuously monitored and updated.

The Global Institute for Risk Management Standards is the international education and certification body for risk management. Our organization sets the standard for professionalism for risk professionals, worldwide. The C31000 designation is the only individual risk management certification designed, developed and verified by international experts knowledgeable in the ISO 31000 risk management standard, many of them, current or former members of the international ISO TC 262 committee or members of their respective, national mirror, risk management committees. This credential ensures employers that prospective candidates have a good knowledge and understanding of the ISO 31000 risk management standard.

The Global Institute organizes major industry events throughout the world. We offer corporate training programs and partnerships with public, private or community enterprises, associations, colleges, universities, groups or individuals. Like the ISO 31000 standard, our focus is not specific to any industry or sector.

The Global Institute certifies individual professionals from more than 100 countries and conducts training in many locations based on demand. We have advised numerous governments and organizations toward the goal of adopting ISO 31000, our recommended national and international risk management standard. We have also worked with private sector leaders and professional associations to promote risk management as a tool for better decision-making. Our international partners help us ensure that best practice is taught and available throughout the world. We currently teach and certify individuals in the following languages: English, French, Spanish, Portuguese and Chinese. The G31000 global platform has the largest, and the most broad-based organization of its kind in the world growing by 500 new members per month.