Risk Management Assessment Based on ISO 31000:2009

“Take calculated risks. That is quite different from being rash.” 

General George Patton


My discussion this time refers to risk management assessment based on ISO 31000:2009, which seems to have become a trending topic in several companies at present, and ISO 31000 is considered able to represent the risk management standard at several companies in Indonesia.

First, the definitions of risk and risk management according to ISO 31000:2009 must be understood.

  • Risk is defined as the effect of uncertainty on the achievement of objectives. According to ISO 31000, an effect is a deviation from what is expected, and it can be positive and/or negative.
  • Risk management is defined as coordinated activities to direct and control an organization with regard to risk.

These definitions give us an initial understanding of how ISO 31000 conveys the breadth and depth of a risk that becomes the object of an assessment.

[Figure: risk management based on ISO 31000]

Second, an understanding of the approach presented in ISO 31000 to managing risk within an organization, through the depiction of the relationship between the principles, the framework, and the process of risk management.

Risk management principles

ISO 31000:2009 requires that effective implementation of risk management comply with 11 principles.

  1. Risk management creates and protects value as expressed in the organization's objectives
  2. Risk management is an integral part of all organizational processes and is part of management's responsibility
  3. Risk management is part of decision making, through its role in providing options to decision makers
  4. Risk management should explicitly take uncertainty into account and consciously seek to reduce uncertainty in every activity so as to ensure the achievement of the organization's objectives
  5. Risk management should be built on a systematic, structured, and timely approach so that it contributes efficiently and consistently produces comparable and reliable outputs
  6. Risk management requires the availability of adequate information, such as historical data, company experience, stakeholder feedback, observation, and expert judgement, so that decision makers can be confident that their decisions have taken into account all information available at the time the decision was made
  7. Risk management needs to be tailored to the context, both internal and external, and to the organization's inherent risk profile
  8. Risk management should take into account human and cultural factors, which form part of an organization's capability to achieve its objectives
  9. Risk management should be transparent and inclusive, involving all stakeholders in determining risk criteria
  10. Risk management should be dynamic, iterative, and responsive to change in both internal and external events
  11. Risk management should facilitate the continual improvement of an organization, as measured by its maturity level.

[Figure: risk management framework based on ISO 31000]

Risk management implementation framework

ISO 31000 provides a framework as a guide for the effective implementation of risk management. The objectives of the risk management implementation framework include:

    • Ensuring that the risk information produced by the risk management process is adequately reported and used as a basis for decision making
    • Fulfilling accountability at every relevant level of the organization

[Figure: risk management process based on ISO 31000]

Risk management process

According to ISO 31000, the risk management process should be an integral part of management, embedded in its culture and practices, and tailored to the organization's business processes. According to ISO 31000, risk assessment is the most important and fundamental part of the risk management process. Therefore, an organization needs to carry out risk assessment correctly in order to obtain an accurate risk profile report, so that it can manage its risks carefully.

Having dissected ISO 31000, the next question is what the methodology for a risk management assessment based on ISO 31000:2009 looks like. As an independent assessor of corporate management systems, the simple answer I can share is that the assessor evaluates the risk management implementation framework as dissected above, with assessment elements that include responsibility, accountability, strategy, and risk management practice. A good risk management system should give assurance that, by applying risk management, the organization can reduce the uncertainty that overshadows every decision while still being able to innovate in line with its capabilities.

DC|2012


References:

  • ISO Guide 73:2009
  • ISO 31000:2009


GETTING OUR RISK MANAGEMENT RIGHT ON TRACK

One of the biggest mistakes in implementing risk management is taking the risk management framework as it is without considering the organization's culture.

Risk management is implemented to pursue opportunities and to exploit limited internal capability effectively, not only to manage the adverse effects of uncertainties. It is important to identify up front what the organization expects from implementing risk management, such as an improved decision-making process in setting corporate strategy, reduced risk exposure in key areas, improved compliance, and enhanced operational efficiency and profitability. An organization that is struggling to implement risk management effectively, or that has not implemented a formal, proactive, structured risk management framework, could use ISO 31000 as useful guidance. ISO 31000 acknowledges the importance of continually enhancing the risk management framework through the following five attributes:

  • Continual Improvement
  • Full Accountability for Risks
  • Application of Risk Management in all Decision Making Processes
  • Continual Communications
  • Full Integration in the Organization’s Governance Structure


In order to enhance risk management, or get it right on track, using ISO 31000, here is a suggested "to do list" for a smooth transition.

[Figure: example of a transition process to ISO 31000]

  • Refine the benefits/impact of implementing ERM throughout the organization, led by the Board and the ERM unit/project team, and create a measurement process to determine to what extent these objectives are achieved
  • Review and update the existing risk management framework and amend the documentation to align with the prerequisite elements of ISO 31000. Keep a record of enhancements as evidence of continual improvement.
  • Communicate the key changes to all organization personnel and notify them that the organization now follows an international risk management standard
  • Appoint the key risk owners for risk management "refresher" training in order to encourage the risk owners to review their risks and update their risk register


[Embedded SlideShare presentation: Getting Our Risk Management Right On Track (2011)]


    Dissecting the Anatomy of ISO 31000

    ISO 31000: The New International Risk Management Standard

    In the world of risk management, many companies juggle frameworks, looking for one that suits their environment for implementing risk management.

    In November 2009, the International Organization for Standardization (ISO) published ISO 31000:2009, Risk Management — Principles and Guidelines, a new management standard intended to help organizations of all types and sizes across the silos/domains of risk scattered across the enterprise. It is just as relevant to non-financial risk, such as legal risk, information security, quality, or environmental, health & safety, as it is to financial risk.

    THE PORTRAIT OF ISO 31000

    ISO 31000:2009 is the new international standard on risk management and is largely founded on AS/NZS 4360:2004, the Australian standard originally published in 1995. ISO 31000 provides a generic framework for establishing the context of, identifying, analyzing, evaluating, treating, monitoring, and communicating risk. It is the first document published in the ISO 31000 risk management series, which also includes the following:

    • ISO Guide 73:2009, Risk management — Vocabulary: Provides the definitions of generic terms related to risk management and aims to encourage a consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, as well as uniform risk management terminology.
    • ISO/IEC 31010, Risk management — Risk assessment techniques: A supporting standard for ISO 31000 offering guidance on the selection and application of systematic techniques for risk assessment.

    THE COMPATIBILITY OF ISO 31000 vs COSO ERM

    The good news is that ISO 31000 is compatible with COSO ERM. It can be considered an update to COSO ERM that reflects current international risk management thinking. In general, ISO 31000 has some significant advantages over COSO:

    • More practical and less theoretical, with details provided and explicitly defined
    • At a concise 24 pages, ISO 31000:2009 is noteworthy for its simplicity and adaptability; it can be used by public and private companies, organizations, and individuals, and applied to a range of activities, from operations and processes to services and assets
    • Plainly written, the document is accessible to Boards (CEOs, CIOs, CROs, Commissioners, Audit Committees, Risk Oversight Committees), risk practitioners, and controllers, helping them understand how to manage risk while exploiting opportunity
    • The information in the standard can be adapted to develop guidelines for assessing existing risk management methodologies

    The essential difference between ISO 31000 and COSO ERM lies in the focus of assessing and managing risk.

    • ISO 31000 is focused on consequences and provides a framework to help consider the "flow-on" consequences of an event occurring. This is shown in its definition of risk as the “effect of uncertainty on objectives”
    • COSO ERM is focused more on events than on the consequences of events. This is shown in its definition of risk as “the possibility that an event will occur and adversely affect the achievement of objectives.”

    THE ANATOMY OF ISO 31000

    ISO 31000 has three interrelated building blocks, namely general principles, framework, and process, for risk management to be implemented effectively.

    The First Building Block of ISO 31000 states that risk management should contain the following principles:

    • Creates value
    • Integral part of organizational processes
    • Part of decision-making
    • Explicitly addresses uncertainty
    • Systematic, structured and timely
    • Based on the best available information
    • Tailored
    • Takes human and cultural factors into account
    • Transparent and inclusive
    • Dynamic, iterative and responsive to change
    • Facilitates continual improvement of the organization

    The Second Building Block of ISO 31000 is having the right risk framework through the Board's commitment. Once commitment is established, there is a loop of actions that includes: 1) design the framework, 2) implement risk management, 3) monitor and review the framework, and 4) continually improve the framework.

    The Third Building Block of ISO 31000 is adopted from AS/NZS 4360:2004 and ensures that communication and monitoring take place throughout the process, from establishing the context through risk assessment to risk treatment.

    REMARKS

    ISO 31000 is a concise and well-written standard that reflects current international thinking and is a very positive development in the risk management standards landscape. It defines risk as the “effect of uncertainty on objectives,” acknowledging both the positive opportunities and the negative consequences associated with it.

    In my point of view, as risk practitioners we should explore the application of the new ISO 31000 standard in the organization to streamline risk management on a global scale, based on the three prerequisite pillars of effective risk management illustrated below, since “not pursuing an opportunity” is a risk identified in ISO 31000.

    [Figure: three pillars vs. the ISO 31000 framework]

    A New Horizon in Managing Risks

    What does a Risk Management Standard mean to your organization?

    With the rising concern about Risk Management today, we have a number of Risk Management implementation frameworks established by various national bodies. Without one worldwide consensus on a standard for Risk Management implementation, the situation may lead us to various challenging and debated perspectives in deciding the most proper Risk Management implementation standard for our organization. Besides that, an international standard can also help an organization comply with legal and regulatory requirements and international norms. Risk Management standards indeed contribute to the bottom line of an organization, but they provide only a general description of the elements, processes, and activities required for risk management.

    ISO 31000 provides a high-level concept of Risk Management implementation that should not conflict with existing, specific frameworks or methods of Risk Management implementation. Existing frameworks or methods may differ, particularly in that they may not have as broad a perspective as ISO 31000. The most important thing highlighted in ISO 31000 is corporate culture, since risk management cannot be implemented as a template; it goes along with the company's specific needs and circumstances, among others: the industry in which it does business, and its complexity, size, strategy, and governance.

    At the ISO 31000 Seminar held by APB Group-Indonesia on August 6th, all of us were encouraged to have a new horizon in managing risks, meaning that a standard is good guidance for implementing risk management and contributes to increasing the visibility of the balance between opportunities and risk, but the standard itself is not a one-size-fits-all solution.

    .DC.

    ISO 31000 Risk Management Standard, Jakarta, 06 August 2008