REPORT POLITECNICO DI MILANO 2016
Very often the top managers of companies associate a Governance, Risk and Compliance management (GRC) tool or system primarily with a feeling of great complexity. In reality, the complexity is inherent in the situation in which companies operate, and not necessarily in the tool or system; while it is true that adopting simple tools is good practice, it is also true that they must not "simplify" the problems to the point of turning them, in effect, into "different" problems (and therefore unrepresentative ones) from those that companies really have to face.
An unforeseeable and unexpected event (generally geopolitical or environmental) with catastrophic consequences, such as to jeopardize the planned trends of a company.
Cogency is an obligation that admits no exception, that is, one which must be respected absolutely.
From the Latin cogens, present participle of cogere, to compel.
The legal system uses this term to refer to those rules which, because of their importance, cannot be derogated from by the parties.
A requirement to which an organization is subject (laws or regulations), or which it has decided to subscribe to voluntarily (such as guidelines, contractual relationships, best practices, codes of ethics, etc.).
The term Corporate Governance defines the set of rules, procedures, behaviours and virtuous practices necessary for managing the enterprise in every sector and at every level, all in a transparent, profitable and lawful manner. Central to it are the rules governing the relationships between managers, controlling bodies, shareholders and stakeholders and, last but not least, the company's system of internal controls.
The structure of the standard has been modified to comply with the parameters dictated by the High Level Structure for the harmonization of ISO standards, in order to ensure homogeneity between the different management system standards and, therefore, to improve their integration and usability for users. In 2012, ISO established a single framework with which all future revisions of its standards will have to comply. This will allow easier integration when implementing multiple management systems. The High Level Structure consists of the following 10 sections:
The ISO 31000 guideline proposes a model for risk management and its integration into the business management system. It is applicable to all types of risk: strategic, operational, currency, market, compliance, country risk, etc.
The structure of ISO 31000 is divided into the following chapters: Scope (purpose), Terms and Definitions, Principles, Framework (reference structure), Process.
The new ISO 31000:2018 version develops the concepts of Risk and Integration differently from the previous version and in line with other standards such as ISO 9001 and ISO 14001. The word Risk is now defined as "the effect of uncertainty on objectives", highlighting the opportunities that can derive from the risk itself: the meaning of the term is no longer exclusively negative. The concept of Integration becomes central: analysis of the external context is now fundamental in order to guarantee continuous improvement over time, while at the same time the internal context must be permeated at every level by Risk Management. In fact, the Risk Management process will have to be increasingly integrated into every business area, up to full involvement in the decision-making process.
Founded on February 23, 1947, ISO (the International Organization for Standardization) has its headquarters in Geneva, Switzerland, and is the world's most authoritative body for defining technical requirements and for the evaluation, inspection and standardization of quality processes in production environments.
The International Organization for Standardization decided not to use an acronym to abbreviate its name, as it would differ from language to language. Instead, it adopted the term "ISO", which derives from the Greek "isos", meaning "equal". The standards act as an equalizer for companies operating across global boundaries.
ISO was established within the Community sphere as a voluntary system for certifying compliance and the competitive characteristics and quality of processes and products.
ISO brings together the national standards bodies of 158 industrialized and developing countries around the world. Italy is represented, at ISO globally and at CEN (European Committee for Standardization) in Europe, by UNI (Italian National Standards Body), a private non-profit association that carries out standardization activities in the industrial, commercial and service sectors. In particular, UNI's tasks include drawing up new standards in collaboration with all stakeholders, disseminating technical standards and supporting the consistency of the body of standards.
The standard confirms, through a specific requirement (Ch. 5.1), that the leadership and commitment of top management are essential to ensure the effective application and improvement of the Company Management System. Senior management must demonstrate that commitment:
A group, company, firm, enterprise, authority or institution, or part or combination thereof, whether incorporated or not, public or private, that has its own functions and administration.
The process approach, that is, the management of processes and their interactions, should target the achievement of the expected results in accordance with the quality policy and the strategic direction of the organization.
Overall management of the processes and of the quality management system can be achieved through the Plan-Do-Check-Act (PDCA) methodology, with a focus on "risk-based thinking" aimed at preventing possible undesired effects.
The process approach requires taking into account the requirements and expectations of the relevant stakeholders.
"Effect of uncertainty on objectives (negative or positive)"
The "risk" associated with threats and opportunities is a "new" element to be considered in the planning phase (see 6.1.4) for:
By "risk appetite", or propensity to risk, we mean a decision taken by top management concerning the degree of risk that the organization is prepared to take in pursuit of its strategic objectives.
The new ISO 9001:2015, ISO 14001:2015 and ISO 45001:2016 (to be published) make explicit and incorporate the concept of risk in a system approach, where a threats-opportunities analysis is required.
Within the QMS, risk is related to the desire to realize an opportunity and concerns everything that can facilitate or impede the achievement of the objectives related to that opportunity.
Within the Business Management System, risk is associated with dealing with threats and opportunities in a planned manner, so as to prevent or reduce the effects generated by environmental risks and security risks, both internal and to/from the outside.
The maximum level of risk that can be assumed: the level the issuer is able to assume without incurring crisis situations, bankruptcy, or failure to respect the constraints imposed by shareholders or other stakeholders, as well as the requests/impositions of supervisory bodies.
Preventive and corrective measures to reduce the negative impact on objectives (precautionary, maintenance, growth, etc.) due to adverse and/or unexpected events.
The nature and level of risk, at a given moment, net of the effect of the existing countermeasures.
The target (optimal) level of risk: what the issuer intends to take on in order to achieve its strategic objectives, taking into account the size and complexity of the organization/structure, as well as the organizational model adopted.
The tolerated risk threshold: the maximum permitted deviation from the target level of risk, which should in turn define the more specific risk limits and the related escalation procedures to be followed if they are exceeded.
Risk management has shifted from risk as the occurrence of an event to risk as the effect of uncertainty on objectives.
The purpose of risk management is to help managers take more effective decisions, weighted on actual risks, in order to reach their goals in an uncertain environment.
The concept of "risk", in the context of ISO 9001, is related to the uncertainty of achieving the objectives defined by the organization.
The concept of opportunity, in the context of ISO 9001, relates to exceeding customer expectations and the objectives defined by the organization.
Documents produced by consensus (that is, not in an authoritarian manner) and approved by a recognized body (a standardization body), which provide, for common and repeated use, rules, guidelines or characteristics relating to certain activities or their results, in order to achieve the best order in a given context.
The application of a standard can be mandatory or result from a free choice.
Mandatory standard: a standard that the organization is obliged to adopt, since it is issued by an entity that can punish the organization, under civil or criminal law, if it refuses to observe the standard.
Voluntary standard: a standard that an organization is free to adopt or not to adopt internally.
Guarantee of continuity in the productive life of the company, thanks to the adequate identification, management and mitigation of risks (ISO 31000).
Support for the secure management of the company (ISO 9001, ISO 14001, ISO 45001). An image of security is provided to third parties, both internal (employees and shareholders) and external (suppliers, customers, institutions, public authorities, etc.) (ISO 9001, ISO 14001, ISO 45001, ISO 22301, ISO 27000). Creation of value (a long-term objective), since, if the company were to adopt a short-term view, it could erode the foundations of its long-term success (ISO 9001, ISO 14001, ISO 45001). All this contributes to the maximization of profit through cost minimization within the company's parameters and business objectives.