Capacity Building Toward Enterprise Risk Management Implementation Using ISO 31000
Capacity building to implement Enterprise Risk Management using ISO 31000 may start with building the right understanding of Enterprise Risk Management and ISO 31000 fundamentals. At the same time, the group of people who will lead Enterprise Risk Management implementation in the organization should acquire the relevant competencies, both hard and soft.
An understanding of Enterprise Risk Management using ISO 31000 can be built by self-studying the official ISO 31000 documents, by holding discussions with risk professionals who have experience in implementing Enterprise Risk Management using ISO 31000, or through systematic courses on Enterprise Risk Management using ISO 31000. Building the right competencies for the group of people who will lead the implementation, however, needs more elaborate effort.
In that regard, ERMA provides a template or standard of ‘competency matrices’ for both hard and soft competencies. Organizations can use those matrices as a reference to build appropriate competencies for the people who will be involved, directly or indirectly, in their Enterprise Risk Management implementation.
Once the understanding of ISO 31000 fundamentals is in place and a sufficient number of people have the right competencies, the organization may proceed with its initial steps to implement ISO 31000 as suggested in ‘getting started – Enterprise Risk Management using ISO 31000’ above.
For the core team members or champions of the Enterprise Risk Management – ISO 31000 implementation, capacity needs to be enhanced through mastery of the ‘ISO 31000 Risk Assessment Techniques’ recommended by ISO 31000. There are 31 risk assessment techniques (qualitative, semi-quantitative, and quantitative) that they must acquire. The details of those techniques are well described in the complementary document to ISO 31000, namely ISO 31010.
At a later stage, the core team members and the internal auditors, as the organization's independent assurance unit, need to master ‘Assessing the Adequacy of Enterprise Risk Management using ISO 31000’. For internal auditors, this knowledge and skill are critical because they provide the right competencies for conducting an independent assurance or review of the adequacy of Enterprise Risk Management in the organization.
Likewise, the core team members would gain a better understanding of the documentation that needs to be in place and available for any independent assessment or review, whether conducted by internal audit or by other independent assurance providers.