STANDARDS WHITE PAPER

Standards: supporting risk management and adding business value

INTRODUCTION
Julia Graham, deputy CEO and technical director, Airmic

When I started my risk management professional journey, I searched for tools and techniques to help me design a risk management system for my organisation. There was very little practical help available. Then I discovered the world of standards. Now, having been involved in the development of risk management standards for almost 20 years, I remain convinced that when they are used wisely, there is and continues to be a place for standards in the management activities of organisations - including the activities associated with managing risk and insurance.

The international risk management standard ISO 31000: 2009 was replaced earlier this year by ISO 31000: 2018 Risk management – Guidelines. This encouraged Airmic to step back and reflect on how standards can help organisations to excel and how they can support risk managers - because there seems to be a fear that standards add bureaucracy and not value. We believe that, consistently applied, the consensus among stakeholders on good practice represented by standards is likely to streamline systems.

Standards are an important means of communicating to trading partners that our products and processes follow recognised good practices that they can trust in a competitive world, and that the quality of our risk management makes us a desirable partner.

HOW STANDARDS HELP THE RISK MANAGER: ACHIEVING OBJECTIVES
Howard Kerr, CEO, BSI Group

Business standards are essentially agreements to apply best practice and knowledge that has been developed by users and practitioners for their own use. They contain the distilled wisdom of people with expertise or an interest in the subject matter: manufacturers, service providers, distributors, trade associations, academics, regulators and consumers. They enable real world, peer to peer engagement and ensure consistency of output.

We know from research that we conducted with the Centre for Economics and Business Research (Cebr) that standards make a significant, positive contribution to the success of UK companies, for example increasing productivity, enhancing the quality of products and efficiency of processes, and promoting international trade. The full report can be found here: -UK-Economy-UK-EN.pdf

The UK has led the evolution of consensus standards for more than a century. We have developed from technical product standards and process standards to consensus on principles of good business practice for leadership, governance and risk.

Independent research on the economic contribution of standards to the UK economy and businesses found that standards boost productivity and improve performance, kick-start innovation, and support domestic and international trade.

Standards help organisations:
- Remove technical barriers to trade
- Improve supply chains and create fair and equal competition
- Provide business credentials
- Increase consumer protection
- Give regulatory support
- Stimulate innovation
- Manage organisation risk

HOW STANDARDS SUPPORT RISK MANAGEMENT

A key aspect of risk is that it is integral to all activities within an organisation that impact its sustainability, resilience and business excellence. Without an effective analysis of risk, it is impossible for an organisation to develop a realistic strategy or achievable objectives. How can an organisation implement effective information management systems or quality systems or plan for organisational change without analysing risk?

As a discipline, risk management benefits from the rigour of the agreed terminology that was developed in the international risk management standard ISO 31000 and the associated ISO Guide 73. The definition of risk in this guide and the standard is that it is “the effect of uncertainty on objectives” – outcomes can be positive or negative. This is the definition that wide swathes of the business community acknowledge when speaking about risk.

Standards do not function in isolation but are intended to work together. This is why the risk management standard and related management system standards are so important to ensure effective enterprise governance and operation of organisations. Some standards that relate closely to risk management – quality, health and safety, environment, business continuity and information management – are measurable and auditable and can therefore form the basis of certifiable schemes.

So, while it is not necessary to achieve third party certification to demonstrate implementation of the systems outlined by a standard, there is an option for organisations to do so, if they think it will benefit their business. Certification does this by communicating best practice to stakeholders and supply chains and may also help to reduce insurance premiums, since they reflect the organisation’s attitude and exposure to risks.

However, within all of this, the risk management standard retains its status as an independent and fundamentally flexible tool that can be used in ways that best suit the organisation – either as the basis of knowledge, or of systems, or as a demonstrably achieved benchmark.

The principles of risk management in ISO 31000 are the foundation of the management and operational systems that all organisations can use to help achieve sustained success.

ISO: The International Standardization Organisation: www.iso.org
ISO is an independent, non-governmental international organisation with a membership of 161 national standards bodies.

BSI: The British Standards Institution: www.bsigroup.com
BSI is the UK’s national standards body, recognised by the UK government. It provides UK interests with a route into formal, consensus standards development. Aims and objectives include: promoting trade by developing common industry standards and encouraging their use, showing businesses how to improve performance, reduce risk and achieve sustainable growth.

TYPES OF STANDARDS

International standards provide a framework of consistent rules, guidelines or characteristics to help those using them achieve best practice outcomes. National standards bodies, with input from professional bodies and other experts, facilitate standards development for all interested parties to a subject (in the International Standards Organisation (ISO), for example). A standard developed nationally may be considered appropriate as the basis of an international standard, and an industry sector may decide that specifics of that sector demand something more bespoke and tailored.

A PAS is a publicly available specification
A PAS is a solution that can be sponsored by industry leaders, trade bodies, governments or academia to bring innovation or new concepts to markets as quickly as possible. They are often intended for global markets from their inception. A PAS may also progress to become the basis for a national or international standard. PAS 56, sponsored by the Business Continuity Institute, helped contribute to British Standard BS 25999, which in turn formed a foundation for International Standard ISO 22301.

AIRMIC WHITE PAPER

Figure 1: The family tree of standards
[Figure: a hierarchy of standards, from international standards (e.g. ISO, IEC) through regional standards (e.g. EN), national standards (e.g. British Standards (BS)), sponsored standards (e.g. BSI PAS) and private & consortia standards, down to professional codes, guidance and best practice. A PAS route leads to national and international standards. Key: BSI as National Standards Body manages BS, EN & ISO, IEC standards; private & professional standards, codes and guidance; corporate technical specifications.]

Figure 2: Three main types of standard
Source: BSI
[Figure: Type 1: better products; Type 2: management systems, better business processes; Type 3: set out values and principles, better business potential.]

Products: quality marks (such as the Kitemark) can confirm that a product or service has been thoroughly tested and checked and is proven to meet a recognised industry standard or need. It is a voluntary mark that manufacturers and service industries can obtain to demonstrate safety, reliability and quality – for example, for secure digital transactions or financial products.

Processes: a management system is the way in which an organisation manages the inter-related parts of its business in order to achieve its objectives. These objectives can relate, for example, to product or service quality, operational efficiency, environmental performance and health and safety in the workplace. Organisations do not have to seek third party certification and can do so for business benefits such as described in this report by Jon Murthy of UKAS and Marcus Long of IIOC (“How standards help the risk manager: insurance”). ISO 9001 (quality), ISO 14001 (environmental), ISO 27001 (information security) and ISO 22301 (business continuity) are examples of standards against which certifiable schemes have been developed.

Principles: provide frameworks for best practice and guidance. ISO 31000 is an example of this type of standard.

Many ISO management system standards have the same structure and contain many of the same terms and definitions. This is useful for those organisations that choose to operate a single (sometimes called “integrated”) management system that can meet the requirements of two or more management system standards simultaneously.

DEVELOPING STANDARDS

Like a symphony, it takes a lot of people working together to develop a standard.

Anyone can get involved in standards development: all you need is a relevant interest and expertise in a particular field. Also, you must satisfy the need for balance of representation on the committee which develops a standard through an independently managed process of consensus. Key stakeholders on a committee will typically come from industry, government and civil society.

The committee begins the process with the development of a draft that meets a specific market need. This is then shared for public commenting and further discussion until the consensus of the committee (based on receipt of comments and canvassing of their own constituents) is that the document satisfies current market conditions. The standard is monitored and reviewed regularly to ensure it remains fit for purpose.

HOW STANDARDS HELP THE RISK MANAGER
Russell Price, chair of the BSI risk management working group RM/1

The latest version of the guidance provided by the International Standard BS ISO 31000:2018, Risk Management - Guidelines aims to help organisations realise the opportunities provided by its framework by simplifying and clarifying the guidance originally published in 2009. It is suitable for organisations of all types and sizes. The revised standard is more easily integrated into management processes to support decision-making at all levels of operation, and it helps develop the understanding of risk across the organisation.

Jason Brown, Chair of technical committee ISO/TC 262 on risk management that developed the standard, says: “The revised version of ISO 31000 focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of business.”

Each section of the standard was reviewed in the spirit of clarity, using simpler language to facilitate understanding and make it accessible to all stakeholders. The 2018 version places a greater focus on creating and protecting value as the key driver of risk management and features other related principles such as continual improvement, the inclusion of stakeholders, being customized to the organization and consideration of human and cultural factors.

BS ISO 31000:2018 presents management with the ability to build a good practice framework for risk management that can be embedded across the organisation to better understand and manage how threats and opportunities affect performance. It can be integrated into processes of all types, including other management systems. By integrating and embedding the risk management framework, the organisation can target and prioritise activities that focus on the achievement of its objectives.

The work involved in producing BS ISO 31000:2018 built on the strengths of the original publication, but importantly recognises how the world has changed since then. There was a focus on ensuring that any changes improved accessibility and practicality, and that it was adaptive and agile. This flexibility is an essential ingredient in the way BS ISO 31000 operates. It not only helps the organisation develop better risk management across its internal operations, but also to deal with risks that arise from the more connected and extended modern business practices, such as outsourcing and shared or embedded services.

When appropriately applied, BS ISO 31000 can also support the integration and performance of other standards across the ISO family, as most ISO standards include references to risk and its management. This latest revision of BS ISO 31000 stresses the importance of consistency, communication and information sharing across the range of activities of the organisation. This capability can transform how risk is managed and potentially improve how management prioritises decisions.

By focusing on the needs and objectives of the organisation and its stakeholders, the standard provides a framework that is completely scalable. The processes and activities described can be applied at the macro level, addressing key strategic market issues, as well as at operational levels where management must ensure appropriate risk controls are in place.

HOW STANDARDS HELP THE INSURANCE MANAGER
Jon Murthy, marketing manager, United Kingdom Accreditation Service (UKAS) and Marcus Long, CEO, International Independent Organisation for Certification (IIOC)

The insurance sector strives continuously to improve its management of risk. A significant number of existing standards, such as management systems, product certification, testing and inspection standards, provide insurers with reliable evidence of aspects of the quality of the risks that they are asked to underwrite. Combined with the insurers’ own due diligence, compliance with such standards can reduce premiums or increase the capacity that insurers are prepared to offer.

“When underwriting cyber risk, standards like the UK Government backed scheme Cyber Essentials Plus (Cyber Essentials with verification of cyber security by an assured Certification Body) and NIST (National Institute of Standards and Technology, part of the US Department of Commerce) can be effective risk controls. Cyber Essentials Plus is a good place to start for SMEs and NIST is especially relevant when you have high network dependency and resiliency requirements.”
James Tuplin, Head of Cyber and TMT – International Financial Lines, XL Catlin

These standards may be statutory, regulatory or voluntary, and they may be self-regulated or have third-party independent verification and certification. Virtually every sector relies on certification, inspection, testing or measurement services to demonstrate its proficiency on a wide range of issues, such as quality or health and safety.

Insurers are interested in the overall management of risk in the business they are insuring. There is research, for example, to show that companies that conform to ISO 9001 on quality management are likely to perform better. ISO standard 31000 shows that an organisation has a methodical approach to its risk management. Technical standards are already widely used to manage risk in areas such as electrical safety, fire safety and storm water management.

Insurers, such as Allianz Engineering and Zurich Engineering, have gained UKAS accreditation to ISO/IEC 17020, which sets out requirements for the competence of bodies performing inspections, to ensure that their engineering surveyors can carry out dynamic and robust risk assessments for any client location. Accreditation requires that the continual training and competency of their surveyors is maintained and improved, and ensures that the insurer has access to reliable information on which to manage its risk.

Accreditation is internationally recognised as a robust, independent declaration of an organisation’s competence, the validity and suitability of its methods, the appropriateness of its equipment and facilities, and ongoing assurance through its internal quality control.

Accredited certification, inspection, testing or measurement services based on standards support brokers and underwriters in their management and assessment of risk, as well as giving consumers the assurance that the product or service delivered meets a certain level of quality and satisfies the legal requirement. Conformity assessment bodies, which provide services such as testing laboratories and inspection facilities, can provide further assurance that a product, service or system meets the relevant requirements.

In the UK, Howden, an independent Lloyd’s broker, created a professional indemnity scheme for clients operating under accreditation, which helped it gain a full understanding of the client’s risk profile and so obtain more accurate pricing for the cover required. This scheme also provides insurers with access to new, potentially profitable, lines of revenue. Those with less long-tail exposure tend to be more willing to look at the riskier lines of business, but they are unlikely to proceed unless there is some tangible evidence that the sector under consideration has recognised quality standards. Accreditation provides this evidence.

There is a family of standards designed to support the management of risk. Figure 3 illustrates how these fit together. The figure also describes standards under development that will further add to the family.

Figure 3: Key standards for risk management
[Figure: the standards shown are ISO 19600: 2014 Compliance management systems; BS 13500: 2013 Code for Delivering Effective Governance of Organizations; ISO 37000 Guidance for the Governance of Organizations**; ISO 37001: 2016 Anti-Bribery Management Systems; ISO 22316: 2017 Security & resilience; BS 31111: 2018 Cyber Risk & resilience; ISO 31000: 2018 Risk Management; PAS 1998: 2008 Whistleblowing Code of Practice; BS 65000: 2014 Guidance on Organizational Resilience; ISO 22301: 2012 Business Continuity Management Systems*; BS 31100: 2011 Code of Practice and Guidance for Implementation of ISO 31000; ISO 45001: 2018 Occupational Health & Safety Management.
Committees and new areas: ISO TC 309 Governance of Organizations (new areas: ISO/NP 37002 whistleblowing management systems: guidelines); ISO TC 262 Risk management (new areas: legal risks; ISO 31000 managing travel risks; product safety risks [NB PAS 7100 on product recall just released]; emerging risks; supply chain risk management); ISO TC 292 Security & resilience (new areas: BS 67000 on City Resilience; ISO TS 18091 Crisis Management - Strategic issue resolution).]
*ISO/TS 22317: 2015 - Guidelines for business impact analysis (BIA). Also standards on Emergency Management & Community Resilience
**Under development

HOW STANDARDS HELP THE RISK PROFESSIONAL
Risk professionals in conversation

Airmic Deputy CEO and Technical Director Julia Graham and Wellcome Foundation Enterprise Risk Manager Fiona Davidge talk about the value of standards to business generally and ISO 31000: 2018.

Julia: Airmic is producing a paper to promote the thesis that the use of standards can add value to business. The launch of ISO 31000: 2018 seems a good time to do this because I hear comments that standards just add bureaucracy. British Standards did research with the consultancy Cebr (now part of Gartner) and they found that organisations that follow standards create greater value than those organisations that don’t. Standards helped to give organisations a system and a framework.

Fiona: There are different types of standards, and some people believe they are all prescriptive. If they hear the word standard, they think it means a formulaic, complicated approach and that using a standard will involve a tick box exercise. However, they vary. ISO 31000 provides a set of principles, a framework and a process; it’s not about ticking boxes.

Julia: There is a hierarchy of standards and they exist at international, regional, country, location, sector, profession and individual organisation levels. ISO 31000: 2018 is strategically positioned and it’s shorter and sharper than its predecessor. It is not designed to be certifiable because it’s meant to provide a generic guide that is helpful for organisations of all shapes and sizes and to be used in a way that suits each business. The principles in 31000: 2018 are strategically positioned and useful when communicating an organisation’s approach to risk at a board and c-suite level.

Fiona: But the principles are not unique to risk. They represent good management.

Julia: A big message, however, is that standards are not a substitute for good risk management. They are complementary. In my experience they are often what your customers and other stakeholders are also following and may demand that you adopt too in contract terms. They give you a common language and common approaches into which you can adopt, according to the nature, scale and risk maturity of your business.

Fiona: When it comes to IT security and the General Data Protection Regulation (GDPR), at Wellcome we have said to suppliers that unless you adopt ISO 27001, and are certified for information security, we won’t enter a contract with you if that contract involves data. For us, it provides an independent view of this organisation.

We recently didn’t renew a contract for a very large organisation because they had not certified themselves to that standard. We asked this organisation, which is global and deals with a lot of data, why it didn’t have this certification. They said their standards were higher than that. We said – why are you making life difficult for yourself by not being certified? We had set this criterion that we expected from a supplier with sensitive data. We terminated the contract at renewal and they were so shocked. We said – if you’re so good, how do you prove it?

Julia: We should never under-estimate the value of language that standards offer. One of the challenges in cyber at the moment is the lack of common language. A standard can offer a taxonomy and give a convention, but it doesn’t put you in a straitjacket. You decide how to use it and to apply it consistently in a way that is meaningful to your organisation.

Fiona: I’ve had external auditors asking if we have based our risk management policy and approach on 31000. If I can say yes, it makes things easy, because we have a common understanding. It’s not as clear cut as if it were certified, but people should understand the approach.

Julia: But I don’t think a standard has to be certifiable to be auditable. Audit and certification are not interchangeable.

Fiona: Exactly. If you’re doing a preliminary debrief with an auditor, the fact that you say – my risk management process is aligned to ISO 31000 – conveys to the auditor that you know the subject. It doesn’t matter that you haven’t got a piece of paper to say that it has been certified.

Julia: However, if you want a supplier who is certified to an ISO standard, you want the standard and scope of certification to match what you’re looking for. When I was in the law firm, it was very common to have ISO 27001 in our client agreements, but the clients who really got the value out of this were the ones who were careful in what they specified of us as a supplier and then embedded this scope in their terms of business.

Fiona: Standards have to be used and relied on with care and intelligence.

Julia: I like that, ‘with care and intelligence’. As we’ve agreed, standards do not replace risk management. They are complementary and they can contribute to good enterprise risk management (ERM) and ultimately to the success of the business.

Julia Graham, deputy CEO and technical director, Airmic
Fiona Davidge, enterprise risk manager, Wellcome Foundation

ABOUT AIRMIC
Airmic is the not-for-profit UK association for risk and insurance professionals, dedicated to shaping the future of the profession and supporting members in their roles. Airmic is the largest network of corporate risk and insurance professionals in the UK, who benefit from industry-shaping thought leadership, CPD-accredited events and peer-support networking groups. We support our members in a range of ways: through training and research; sharing information; through our diverse special programme of events; by encouraging best practice; and by lobbying on subjects that directly affect risk managers and insurance buyers. We provide a platform for professionals to stay in touch, to communicate with each other and share ideas and information. The more people who take part in our activities, the more valuable we become.
airmic.com

ABOUT BSI
BSI is the business standards company that enables organisations to turn standards of best practice into habits of excellence. For over a century BSI has championed what good looks like and driven best practice in organisations around the world. Working with more than 86,000 clients across 193 countries, it is a truly international business with skills and experience across a number of sectors including aerospace, automotive, built environment, food and healthcare. Through its expertise in standards development and knowledge solutions, assurance and professional services, BSI improves business performance to help clients grow sustainably, manage risk and ultimately be more resilient.
bsigroup.com

ABOUT IIOC
The Independent International Organisation for Certification (IIOC) is a trade body for international certification bodies and national and regional certification associations. It represents their views on management system certification issues and provides technical input to influence decision-making in this field. IIOC also supports the regulatory framework and development of industry-led schemes to ensure that management systems deliver improvements in performance expected from third-party certification.
iioc.org

ABOUT UKAS
The United Kingdom Accreditation Service (UKAS) is the national accreditation body for the United Kingdom. It is recognised by the UK government to assess, against internationally agreed standards, organisations that provide certification, testing, and inspection and calibration services. Accreditation by UKAS demonstrates the competence, impartiality and performance capability of these evaluators.
ukas.com
