Global ISO 31000 survey 2011 - Bryan Whitefield Consultant · December 2011. Internet-based survey with 10-15 closed questions + 5 ... Retailing 21 Medical & Hospital 20 Food drink

Global ISO 31000 survey 2011Results & analysis

Survey Background

ISO 31000:2009 Risk management principles and guidelines published in 2009.

ISO 31000 is a voluntary generic guideline.

Internationally recognised reference.

LinkedIn ISO 31000 group founded March 2009

ISO experts are working on the ISO 31004 guide to ISO 31000 due to be published in 2014

© 2012 Copyright of G31000 all rights reserved

How the survey was conducted

Conducted between the 17th of October and the15th of December 2011.

Internet-based survey with 10-15 closed questions + 5 open questions for feedback to ISO PC 262.

Global reach via more than 100 risk management associations and LinkedIn groups in all sectors worldwide.

No sponsors to ensure impartiality.

Managed by a committee of volunteer experts who have large amount of experience using ISO 31000



G31000 Committee in chargeQuestionnaire design : Jacquetta Goy (Canada), Grant Purdy (Australia), Arnold Schanfield (USA), John Lark (Canada), Julian Talbot (Australia), Julian du Plessis (South-Africa), Jeffrey DeRose(USA), Pat Croke (Ireland) and Alex Dali (France)

Participating contacts : one person for each of the 100+ participating associations/LinkedIn groups

IT systems and survey design : Pat Croke

Powerpoints : Pat Croke, Alex Dali

Translation : Angel Escorial Bonet (Spanish), Alex Dali (French)

“We would like to thank all those who co-operated with the conduct this survey. Without their help, this survey could not have been carried out.”

© 2012 Copyright of G31000 all rights reserv.

Survey Objectives

Understand how ISO 31000 is perceived by risk practitioners in all sectors worldwide.

How the ISO 31000 is used by risk practitioners.

Collect questions, comments and input for the future ISO 31004 guide.

Raise awareness about the existence of the ISO 31000 Risk Management standard


People Contacted

Main Source : ISO 31000 LinkedIn discussion group which has participants from over 90 countries.

Additionally 100 risk management associations and other LinkedIn groups, on a voluntary basis representing more than 400.000 people (note 1)

Advertised via a few risk management websites and several risk management magazines

Note 1 – Many people are part of multiple LinkedIn groups and associations


List of associations & LinkedIn groups participating



Survey Population

1823 responses from 111 countries.

Largest Country representation in the surveyUSA 20%

Australia 10%

U.K. 10%

South Africa 8%

India 4%

Canada 4%

France 3%


Survey Population

USA – 20%

France– 3%

111 countries

Australia– 10%

India– 4% Canada– 4%

UK– 10%

South Africa– 10%

(based on 1823 responses)

Word of caution

Some countries are over represented and others under represented relative to their population sizes

USA sample 366 population 314 million ratio 1:1,000,000

Australia sample 176 population 22 million ratio 8:1,000,000

U.K. sample 179 population 62 million ratio 3:1,000,000

South Africa sample 139 population 50 million ratio 3:1,000,000

India sample 78 population 1210 million ratio .06:1,000,000

Canada 76 population 34 million ratio 2:1,000,000

France sample 53 population 65 million ratio .84:1,000,000

New Zealand 43 population 4.5 million ratio: 9.5:1,000,000

UAE 30 population 8 million ratio: 3.75:1,000,000


Word of caution

Some Country samples are too small to be representative.

Self selecting sample likely to more interested in risk management than the normal population.

Likely to be over represented by people interested in ISO 31000.

English speaking countries over represent 50% of sample.

Risk Management departments over represented 41% of sample.

Participating Organizations Size

1-10 252 14%

11-50 121 7%

51-200 174 10%

201-500 165 9%

501-1000 183 10%

1,001-5,000 356 20%

5,001-10,000 163 9%

10,000+ 409 22%

# responses percent



Participation by SectorPublic sector – 211

Management Consulting – 204

Information Technology – 185

Insurance – 134

Financial services – 123

Banking – 90

Manufacturing – 85

Education – 83

Other – 79

Energy – 63

Oil & Gas – 62

Construction – 52

Telecommunications – 52

Computers – 51

Mining & metals – 49

Health products & services - 47

Transport and logistics – 47

Utilities – 32

Aerospace & defense – 28

Chemicals – 23

Retailing – 21

Medical & Hospital – 20

Food drink & tobacco production – 19

Media – 19

Automotive & transport equipment – 17

Not for Profit – 16

Security – 11© 2012 Copyright of G31000 all rights reserved



Participation by Sector



12%

11%

10%

7%

7%5%5%5%

4%

3%3%

Public sectorManagement ConsultingInformation TechnologyInsuranceFinancial servicesBankingManufacturingEducationOtherEnergyOil & GasConstructionTelecommunicationsComputersMining & metalsHealth products & servicesTransport and logisticsUtilitiesAerospace & defenseChemicalsRetailingMedical & HospitalFood drink & tobacco productionMediaAutomotive & transport equipmentNot for ProfitSecurity

Participation by Department Type



41%

12%9%

6%

5%

5%

4%

3%2%2% 2%

2%2% 1%

1%1%

1% 1% Risk ManagementInformation TechnologyAuditOccupational Health & SafetyOperationsOtherAccounting/FinanceBusiness developmentServicesFacility management/SecurityAdministrationInsuranceConsultingLegalSales & marketingQualityProduct developmentProject Management

Participation by Job Type



What is your level of awareness about ISO 31000 ?



25%

35%

26%

14%

I understand ISO 31000 completelyI have some knowledge of ISO 31000I have heard of ISO 31000I dont know what ISO 31000 is

What is your level of awareness about ISO 31000 ? by Country



0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

IndiaUSA

FranceItaly

FinlandUK

NetherlandsSpain

Rest of WorldAll CountriesSouth Africa

BrazilUAE

CanadaNew Zealand

Australia

7

40

7

5

6

37

9

10

104

385

36

11

11

32

20

115

26

133

17

12

23

83

14

18

157

618

46

12

11

17

18

50

29

122

24

13

2

40

11

10

134

476

38

13

5

19

2

8

16

71

5

5

3

19

9

9

89

226

19

3

3

8

3

4

I understand ISO 31000 completely I have some knowledge of ISO 31000I have heard of ISO 31000 I dont know what ISO 31000 is

What is your level of awareness about ISO 31000 ? by Organization Size


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

10000+

5001-10000

1001-5000

501-1000

201-500

51-200

11-50

1-10

107

39

87

43

37

28

29

80

141

66

128

61

51

59

40

91

112

32

87

54

51

50

30

54

49

26

54

25

26

37

22

27



What is your level of awareness about ISO 31000 ? by Department



0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Risk Management

Information Technology

Occupational Health & Safety

Operations

Audit

Other Departments

All Departments

267

14

16

18

24

111

450

282

63

28

30

62

172

637

133

88

38

34

45

132

470

65

53

26

18

24

80

266


How is risk management mainly used within your organization?



How is risk management mainly used within your organization? by Country



0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

USAFrance

NetherlandsUK

AustraliaBrazil

CanadaIndia

SpainFinland

ItalyNew ZealandSouth Africa

UAERest of WorldAll Countries

1397

54

3332

111

11

4296

3012

2216

46

113

44

412

538

162

7710

1330

198

151013

1012

77

499

334

635

12

20

41

70

70

51

23121

5415

1034

2115

1231

98

3547

6118

388

1291310

86114

936

2213

118

2667

13164

721

Not used Report performance Safety/SecurityInsurance Auditing/Compliance All decisions

How is risk management mainly used within your organization? by Country

18%-Safety/security 7%-Insurance40%-DecisionsAU, 64%NZ, 60%SA, 48%UK, 48%CA, 47%UAE,43%USA,35%FI,32%IN,28%ES,28%FR,25%NL,23%BR,23%IT,23%

IN, 40%BR, 38%SA, 34%FR, 28%FI,24%NL,23%UAE,20%ES,19%UK,19%CA,16%USA,15%AU,12%NZ,12%IT,9%

FR, 17%NL, 16%BR,8%ES,4%CA,4%IN,4%USA,4%UAE,3%FI,3%IT,3%UK,3%NZ,2%AU,2%SA,1%

5%_Not used

IT, 34%NL, 30%FI, 29%ES, 28%USA,21%BR,21%CA,20%FR,19%UK,17%NZ,16%UAE,13%IN,13%AU,11%SA,5%

IT, 20%USA,17%ES, 15%FR,9%CA,5%SA,4%UAE,3%NL,2%IN,1%AU,1%UK,1%FI,0%BR,0%NZ,0%

UAE, 17%IN, 14%UK,12%FI,12%IT,11%BR,10%NZ,9%AU,9%SA,9%USA,8%CA,8%ES,6%NL,5%FR,2%

9%-Reporting21%-Audit/compliance© 2012 Copyright of G31000 all rights reserved


How is risk management mainly used within your organization? by Organization Size



0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

10000+

5001-10000

1001-5000

501-1000

201-500

51-200

11-50

1-10

7

5

12

11

12

13

14

22

44

15

21

18

14

19

8

23

40

30

82

38

31

39

28

46

26

15

28

12

10

15

5

10

101

29

71

38

47

35

20

47

191

69

142

66

51

53

46

103

Not Used Report performance Safety/securityInsurance Auditing/Compliance All decisions

How is risk management mainly used within your organization? by Department



Risk Management

Audit


Operations


Facility management/Security

Other Departments

All Departments

22

4

6

6

21

3

34

96

84

17

5

6

14

0

36

162

114

12

41

27

41

18

81

334

47

11

11

5

5

2

40

121

111

69

12

16

80

8

92

388

368

42

33

40

57

11

170

721

Not used Report performance Safety/SecurityInsurance Auditing/Compliance All decisions

Operations

Audit

Risk Management

Information Technology Health and Safety


How is risk management mainly used within your organization? by Department


How would you compare ISO 31000: Risk Management – Principles and Guidelines (2009) to other risk management references, guidelines and standards?



How would you compare ISO 31000: Risk Management –Principles and Guidelines (2009) to other risk management references, guidelines and standards? By Country


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

UKUSA

NetherlandsFinland

SpainAustralia

New ZealandFrance

CanadaUAEItaly

IndiaSouth Africa

BrazilRest of WorldAll Countries

65

65

13

12

11

77

16

9

16

11

6

10

30

8

90

439

2

1

0

0

0

4

2

1

4

0

0

0

0

0

9

23

35

59

8

12

12

73

17

11

24

11

9

18

46

13

124

472

18

47

2

5

5

11

3

3

5

0

2

5

7

2

37

152

Similar Worse Better No Opinion


How would you compare ISO 31000: Risk Management –Principles and Guidelines (2009) to other risk management references, guidelines and standards? By Country

BetterBR, 57%SA, 55%IN, 55%IT, 53%UAE, 50%CA, 49%FR,46%NZ,45%AU,44%ES,43%FI,41%NL,35%USA,34%UK,29%

SameNL, 57%UK, 54%UAE, 50%AU, 47%NZ,42%FI,41%ES,39%USA,38%FR,38%SA,36%IT,35%BR,35%CA,33%IN,30%

No OpinionUSA, 27%ES, 18%FI, 17%IN,15%UK,15%FR,13%IT,12%CA,10%BR,9%NL,9%SA,8%NZ,8%AU,7%UAE,0%

WorseNZ, 9%CA, 8%FR,4%AU,2%UK,2%USA,1%BR,0%FI,0%IN,0%IT,0%NL,0%SA,0%ES,0%UAE,0%



How would you compare ISO 31000: Risk Management –Principles and Guidelines (2009) to other risk management references, guidelines and standards? By Department



0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Risk Management

Operations


Audit


Accounting/Finance

Other Departments

All Departments

227

18

29

32

22

15

96

439

15

0

1

2

0

1

4

23

249

23

27

33

17

21

102

472

59

7

20

19

5

8

34

152

Same Worse Better No Opinion

Do you think that the associations you are a member of, should officially recommend that their members use ISO31000?



Do you think that the associations you are a member of, should officially recommend that their members use ISO31000? By Country



0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

BrazilFinland

AustraliaSouth Africa

SpainNew Zealand

IndiaUK

USAFrance

UAEItaly

CanadaNetherlands

Other CountriesAll Countries

6

2

93

31

4

21

6

21

24

2

7

2

15

5

51

290

5

9

37

29

8

7

14

51

59

9

9

8

13

9

94

361

0

0

4

2

1

2

2

10

17

2

3

2

6

3

12

66

1

3

2

2

1

0

1

7

23

1

1

0

4

0

12

58

2

2

10

7

5

3

2

20

32

1

1

2

3

0

25

115

Should strongly endorse Should recommendShould not recommend My association does not recommendNo Opinion

Which of the following definitions of risk best reflects your understanding of the word Risk?

Effect of uncertainty on objectives 528 29% ISO Guide 73:2009

Combination of the probability of an event and its consequences 349 19% ISO Guide 73:2002

Combination of the probability of occurrence of harm and the severity of that harm

295 16% ISO Guide 51:1999 (safety)

Chance of something happening that will have an impact on objectives 320 18% AS/NZ 4360:2004

Event that would have a negative impact on the organization 141 8% COSO ERM:2004

Exposure to the chance of injury or loss 69 4% Webster

Hazard or chance of loss 35 2% Webster

Opportunity to make a profit or increase revenue 27 1%

Amount of money that the organisation company may lose 15 1%

None of the above 33 2%

© 2012 Copyright of G31000 all rights reserved(based on 1822 responses)

Which of the following definitions of risk best reflects your understanding of the word? By Country



0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

ItalySpainIndia

NetherlandsUSA

FranceBrazil

UKSouth Africa

FinlandUAE

CanadaAustralia

New ZealandRest of the World

All Countries

3

6

12

7

75

11

11

56

45

13

12

33

95

32

117

528

5

9

2

4

28

7

1

10

12

2

3

5

4

1

48

141

9

8

13

8

101

9

5

37

23

5

3

13

28

2

85

349

6

9

21

10

34

11

11

43

28

6

7

12

32

6

94

330

6

10

21

9

78

7

6

22

18

5

5

11

10

2

85

295

6

5

9

5

50

8

5

11

13

3

0

2

7

0

55

179

ISO 2009 COSO ERM:2004 ISO 2002 AS/NZS 4360:2004 ISO Safety Other

Which of the following definitions of risk best reflects your understanding of the word ? By Department


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Risk Management

Audit

Occupational Health &Safety

Operations


Other Departments

All Departments

289

45

10

22

29

133

528

52

18

7

7

20

37

141

75

19

42

26

56

77

295

121

24

22

25

51

106

349

138

40

12

11

42

86

329

71

9

15

8

20

56

179

Effect of uncertainty on objectivesEvent that would have a negative impact on the organizationCombination of the probability of occurrence of harm and the severity of that harmCombination of the probability of an event and its consequencesChance of something happening that will have an impact on objectivesOther Definition


Operations

Audit

Risk Management Information Technology

Health and Safety

© 2012 Copyright of G31000 all rights reserved(based on 1821 responses)

Which of the following definitions of risk best reflects your understanding of the word ? By Department

Which of the following standards/guidelines are used in your organization? (multiple selections allowed)


36%

13%

18%

4%

40%

16%

13%

17%21%

4%

11%

0 5 10 15 20 25 30 35 40 45

ISO 31000

AS/NZS 4360

COSO ERM

FERMA

Inhouse

ISO Guide 73

ISO/IEC 31010

PMBOK

ISO 27005

BS 31100

BASEL


Usage of ISO 31000 by Country

0% 20% 40% 60% 80% 100%

New ZealandAustralia

FinlandCanada

UAEBrazil

South AfricaNetherlands

UKFrance

SpainUSAIndiaItaly

All Countries

37

148

21

36

14

16

53

12

50

14

12

75

11

4

503

6

29

13

40

16

23

86

30

129

39

35

291

67

31

835

YesNo



Usage of AS/NZS 4360 by Country

0% 20% 40% 60% 80% 100%

USAUK

South AfricaAustralia

IndiaCanadaFrance

SpainNetherlands

BrazilItaly

FinlandNew Zealand

UAEAll Countries

15

17

16

85

3

17

1

2

1

3

0

0

20

8

188

351

162

123

92

75

59

52

45

42

36

35

34

23

22

1151

YesNo



Usage of COSO ERM by Country

59

45

20

15

12

12

12

12

11

12

7

5

4

2

228

80

321

159

61

27

66

165

22

36

32

46

25

39

33

1112

0% 20% 40% 60% 80% 100%

South AfricaUSA

UKCanada

BrazilIndia

AustraliaFinland

SpainNetherlands

FranceUAE

New ZealandItaly

All Countries

YesNo



Usage of Self Developed by Country

0% 20% 40% 60% 80% 100%

USAUK

South AfricaCanada

AustraliaIndia

BrazilItaly

FranceSpainUAE

NetherlandsFinland

New ZealandAll Countries

186

93

62

38

38

25

17

17

16

15

14

14

9

5

549

180

86

77

38

139

53

22

18

37

32

16

29

25

38

790

YesNo



Usage of IRM/FERMA/AIRMIC standard by Country

0% 20% 40% 60% 80% 100%

USAAustralia

UKSouth Africa

IndiaCanadaFrance

SpainNetherlands

New ZealandBrazil

FinlandItalyUAE

All Countries

3

0

35

1

2

2

3

3

0

2

0

0

2

0

53

363

177

144

138

76

74

50

44

43

41

39

34

33

30

1286

YesNo



Certification ISO 31000 of your Organization ?

43%

12%

19%

18%

8%

External certification isdesireable

I have no opinion on theissue

External certification is notneeded for other reasons

External certification is notneeded because internalevaluation / audit is sufficient

External certification is notneeded because externalevaluation / audit is sufficient





Certification ISO 31000 of your Organization ? by Country

0% 20% 40% 60% 80% 100%

FranceNew Zealand

UKFinland

All CountriesAustralia

USAItaly

South AfricaCanada

UAENetherlands

IndiaBrazilSpain

External certification isdesireable

I have no opinion on the issue

External certification is notneeded for other reasons

External certification is notneeded because internalevaluation / audit is sufficient

External certification is notneeded because externalevaluation / audit is sufficient

ISO 31000 is a voluntary risk management guideline. Do you believe that organizations



Your Organization – Implementation of ISO 31000



24%

23%33%

20%

No opinion

is going to implement ISO31000 in the future.

has no plans toimplement ISO 31000.

has implemented ISO31000.

Your Organization – Implementation of ISO 31000 by Country



0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

ItalyIndia

FranceSpainUSA

NetherlandsOther Countries

FinlandUK

All CountriesBrazil

South AfricaCanada

UAENew Zealand

Australia

has implemented ISO 31000.is going to implement ISO 31000 in the future.has no plans to implement ISO 31000.No opinion

Your Organization – Implementation of ISO 31000 by Organization Size



0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

10000+

5001-10000

1001-5000

501-1000

201-500

51-200

11-50

1-10

67

33

60

29

26

16

15

55

64

31

62

40

30

27

31

52

115

51

92

54

50

51

30

55

96

19

77

33

26

41

18

52


Your Organization by Department



0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Audit


Operations


Risk Management

Other Departments

All Departments

15

11

13

6

186

70

301

32

32

15

16

158

84

337

47

59

33

34

184

141

498

30

57

18

24

128

105

362


Your Organization – Implementation of ISO 31000, by Department (based on 1498 responses)

Operations

Audit

Risk Management

Information Technology Health and Safety

12%

26%

38%

24%

7%

20%

37%

36%

16%

19%

42%

23%

7%

20%

43%

30%

28%

24%

28%

20%


Does your organization provide you with risk management training?

Yes

No but is planning to…

No and has no plans…

I don't know

55%16%

22%

7%



If yes, which of the following types of training have you received?



Call for sponsorsIf you wish to become a sponsor for the next Global ISO 31000 survey please contact Madeleine at [email protected]

Global ISO 31000 survey 2011Results & analysis

Documents

Global ISO 31000 survey 2011 - Bryan Whitefield Consultant · December 2011. Internet-based survey with 10-15 closed questions + 5 ... Retailing 21 Medical & Hospital 20 Food drink