ISO 31000 Consultant Team

PRIMA’s ERM training program is an industry-changing initiative crafted by world-leaders in risk management. Learn more about the individuals below who helped PRIMA develop this training.

Dorothy Gjerdrum, ARM-P, CIRM 

Jan Mattingly, BA, CRM, RF, CIP, ABCP


Dorothy Gjerdrum, ARM-P, CIRM

Dorothy is the senior managing director of the public sector division of Arthur J. Gallagher and Co. where she is responsible for resource development focusing on risk management, exposure identification, pool operations and enterprise risk management. She leads client outreach activities for more than 300 Gallagher insurance brokers and specialists and provides consulting risk management services for public sector and higher education clients. Dorothy also serves as the chair of PRIMA's ERM faculty. In July 2016, Dorothy redesigned PRIMA's ERM training curriculum to assist with the delivery of PRIMA's current two-day ERM training program.

Her previous experience includes serving as the risk manager for three self-insured pools for the New Mexico Association of Counties (NMAC). While at NMAC, Dorothy’s professional accomplishments included developing loss-sensitive contribution and allocation formulas; providing new coverage programs for members, including injunctive relief, land use and special events; developing the pool’s first coverage document in order to clarify coverage exclusions and conditions of insurance; and developing individualized training sessions to address sexual harassment and management.

While at Arthur J. Gallagher and Co. her professional accomplishments include developing and finishing numerous ERM implementation and consulting projects including the Colorado School Districts Self-Insurance Pool, the City-County of San Francisco, the New Mexico Association of Counties Insurance Pool, the Florida College System Risk Management Consortium, the University of Vermont, the University of North Carolina at Charlotte, Johnson County Community College District in Kansas and Maricopa County Community College District in Arizona.

Dorothy currently serves as the Chair of the US Technical Advisory Group to ISO 31000 and its Implementation Guide, ISO 31004. Dorothy has also served on the RIMS Standards Comparison Committee and as curriculum advisor for the National Alliance. She also served as a founding board member and treasurer for County Reinsurance, Limited, a captive excess insurance company formed to provide reinsurance to county association pools nationwide. She is also a founding member of the New Mexico chapter of PRIMA.

Dorothy has a Bachelor of Arts degree from the College of St. Catherine, holds the ARM designation and has RMPE and CIRM certificates.

Any advice on how to get upper-management buy-in for incorporating the standard into an organization’s risk management program?

Find out what upper-management cares about and the “language” they speak.  This might be the language of finance (efficiencies and bond rating) or the language of planning (strategy and risk to achieving it).  If they are reluctant or skeptical, try to elicit support for a pilot project to prove the concept.  That can help build support.  In addition to speaking their language, it would be helpful to know what their priorities are and then find ways that risk management can support those priorities and contribute to their success. 

Other people can help you with this as well.  When you find a “champion” or supporter, be sure you empower them to talk to others about what you’re doing, why it is important and what it can do for your organization.


Jan Mattingly, BA, CRM, RF, CIP, ABCP

Jan is the managing director of RiskResults Consulting, Inc. in Ottawa, Canada. She is responsible for advising private and public sector clients across a broad range of industry sectors including transportation, health, chemical, oil and gas, financial services, post-secondary education, social services, utilities, telecommunications and biotechnology.

Jan has been recognized by the Government of Canada for her leadership and contributions to risk management and received a letter of commendation for risk management leadership from the deputy minister in 2010. She is the appointed Canadian ISO project leader and convener of ISO 31004 and the Canadian delegate to the ISO working group on the ISO 31000 standard.

She is a member of RIMS standards and practices committee and lectures at York University and at the Sprott School of Business at Carleton University.

Why is this training important?

  • Because now, decision making is more complex than ever before.

Risk management activity generates only one product: information that supports decision making.  Managing and decision-making as a public entity or higher education institution has never been more challenging given rising stakeholder expectations, the pace, volume, accessibility and complexity of increasing information. Your organization needs to ensure it has the most current, solid approach to managing risk and uncertainty possible so that the best possible decisions can be made for the benefit of your organization and its stakeholders. PRIMA’s ISO 31000 implementation training is the single best place to equip and sharpen your organization’s skills.

  • You need to understand where & how to increase the value of risk management activity in your organization.

It’s our experience that you, public risk managers, want to help your organizations function more effectively and more efficiently.  You may be unclear as to how to incorporate enterprise risk management into your current job; you may also be functioning well but perhaps you would like to be seen as adding more practical value from your activities to the organization.  This training helps you to ensure that everything you do is oriented towards adding value to your organization, focusing ‘risk management’ activity on objectives, showing you how to do that with practical tools and exercises.

  • To ensure that your risk management activities align with internationally-recognized best practices.

The training is a great way for you to quickly obtain solid foundational practices so that you can begin to landmark and align your current activities in your job or as an organization with the ISO 31000 Standard. This training will teach you where you are strongest and where additional work is needed to bring your organization into alignment with the leading global risk management standard.

  • For professional development; because everyone needs current practical tools and guidance.

This training is extremely rich in content and is hands-on.  It contains actual examples of how other public entities and higher education institutions have used and applied the ISO 31000 Standard to assess, design, and implement a stronger approach to risk management.

How will this training change risk management in the public and higher education sectors?

I think that three major changes will arise in the public and higher education sectors as a result of this training:

  • Public entities and higher education institutions will have risk-aware cultures.

In the ISO 31000 Standard, everyone is expected to know how to assess and manage risk. Managing risk is seen as everyone’s responsibility and becomes a natural way of working together to identify and share risk information in support of decision making. Withholding information becomes culturally unacceptable. This training, suitable for risk managers and decision managers, will evolve public entities and higher education institutions into risk-aware organizations where all decisions will be risk-informed.

  • Public entities and higher education institutions will be healthy, functional organizations.

Every organization has a culture, whether or not it is good or bad.  Every organization has some level of dysfunction in it.  ISO 31000 is not a panacea for organizational ills BUT it is a management tool to help understand, surface and constructively address sensitivities in a positive and results-oriented way. It helps your organization understand how culture affects risk management behavior.  The training will provide you practical tips and techniques that you can implement to improve your organization’s culture and functions.

  • Public entities and higher education institutions will have clearer accountabilities in managing risk across the organization that are focused on enabling business objectives.

In the past, many risk managers have been viewed within their organizations as “the department of No.”  The ISO 31000 Standard helps guide individuals on how to support risk managers and how to transfer the management of risk to “risk owners.”  It also equips business/risk owners with the tools they need to teach these owners to apply risk management to their own needs [departments] on the basis that they know their business best.  This training teaches how to cultivate risk management decision-making with the governance structure of your organization, leaving business owners with clear accountability for managing risks within their level. The ISO 31000 Standard’s “risk manager” is a leader, coordinator, facilitator and supporter of risk management practices that enable business objectives and this training will help you visualize and implement these practices.

Any advice on how to get upper-management buy-in for incorporating the standard into an organization’s risk management program?

I am a practical person…everyone who knows me knows that.  My view on “getting upper management buy-in” is this:

  • If the word “risk” is either in your job description or your job title then you already have the “buy-in” to manage risk you need!  Work with what you have and start where you are. If you are at a front line operational level, you are already considering uncertainty in your job – you may do it implicitly or inconsistently or alone. If so, start where you are at, within your own job, to learn ISO 31000 and apply it to your work in decisions you support or recommendations you make to others. If you work at a managing or directing level, your accountabilities are already higher than others but so are your strengths and ability to adjust the culture of your organization so that it is risk-aware. You also should know your organization, the decision makers/influencers and how decisions are made. Knowing these things is essential for success in aligning your organization to ISO 31000.
  • Know your organization.  Every organization already has people, processes and systems in place to manage a variety of types of risks.  Understand what those are, where your strengths and weaknesses in managing risk align to ISO 31000 and where they don’t.  List the gaps, prioritize them and get to work.
  • Know your organization’s business strategy. When you apply ISO 31000 to your organization, there is an expectation that you know what the plans and priorities are in your business area or across your organization and how that relates to organizational objectives.  Before asking anyone for any type of resources, mandate or support, make sure you yourself understand how or if improved risk management could help your organization.  Is it a faster return to an operational state following an incident? Is it faster decision making? Think about it, then set one or two expectations that can be measured in practical terms and directly relate to risk management practices and hold yourself accountable to those performance targets. Any target you set should directly support organizational objectives and the business strategy.