Risk Management Principles as per ISO 31000 (9)
- Customised: RM process is tailored/customized as per BS objectives
- Human and Cultural Factors
- Integrated: RM process should be an integral part of the organizational process
- Best Available Information: Revelant and clear information about RISKS should be timely communicated to stakeholders
- Value Creation and Protection: RM should create and protect value
- Dynamic: Risk management is responsive to change
- Inclusive: transparent and involves stakeholders on a timely basis
- Structured and Comprehensive
- Continual Improvement; through learning and experience
Risk Management Framework as per ISO 31000: Leadership and Commitment (5)
Management needs to demonstrate strong and sustained committment to Risk management, by defining:
- Risk management policy (apetite)
- Objectives (RM alignment with strategic objectives, culture etc)
- legal and regulatory compliance while managing risk
- resource allocation to manage risk
- Communication of benefits of RM to all stakeholders
Risk Management Framework as per ISO 31000: Integration (5)
- Risk should be managed in every part of organisation’s structure
- Everyone should be responsible to manage and identify risk
- Integrating RM to organisation is dynamic and iterative
- RM should be customized as per organisation’s needs and culture
- RM should be part of: organisational purpose, governance,
leadership and commitment strategy, objectives and operations
Risk Management Framework as per ISO 31000: Design (5)
- Outline specific steps that business will take to manage risk
- such steps should reflect organisation’s core values, bs strategy, regulatory obligations, contractual obligations to 3rd parties
- Understand internal external context
- allocate resources as per steps to manage risk
- facilitate communication and consulting
Risk Management Framework as per ISO 31000: Implementation (4)
- developing an implementation plan including deadlines
- identifying where, when and how different types of decisions are made, and by whom
- modifying the applicable decision-making processes where necessary
- ensuring that the organization’s arrangements for managing risk are clearly understood and practiced.
Risk Management Framework as per ISO 31000: Evaluation (2)
- periodically measure risk management metrics and performance against set goals, the original purpose, implementation plans, indicators and expectations.
- determine whether the current risk management set up is still suitable or needs an update.
Risk Management Framework as per ISO 31000: Improvement (2)
After evaluation, if any deficiencies identified or new risks revealed > introduce new techniques and address new risks in an improved implementation plan
Risk Management Process as per ISO 31000: Communication and Consultation (4)
- Communication: promote understanding of risk
- Consultation: feedback and information from stakeholders
- Purpose of C&C > assist stakeholders in understanding risks and reasons for decisions made
- C&C ensure: factual, timely, relevant, accurate and understandable exchange of information
Risk Management Process as per ISO 31000: Scope, criteria, context (3)
- defining the scope of the process and understanding the external and internal context
- purpose of SCC: customize RM process to enable effective risk assessment and appropriate risk treatment
- Context = External and Internal elements
Risk Management Process as per ISO 31000: Risk assessment (6)
- overall process of risk identification, risk analysis, risk evaluation
- should be conducted systematically, iteratively, collaboratively, drawing on knowledge and views of stakeholders
- should use best available info + further inquiry as necessary
- Risk identification: identifying risks that could prevent us from achieving our objectives
- Risk analysis: understanding sources/causes of identified risks
AND
studying probabilities and consequences given the existing controls, to identify the level of residual risk - Risk evaluation: includes comparing risk analysis results with risk criteria to determine whether the residual risk is tolerable.
Risk Management Process as per ISO 31000: Risk Treatment PROCESS (5)
- formulate and select risk treatment options
- plan and implement risk treatment
- assess effectiveness of that
- decide if remaining risk is acceptable
- if not, further treatment
Risk Management Process as per ISO 31000: Risk Treatment Options (7)
- avoiding the risk by deciding not to start or continue with the activity
- taking or increasing the risk in order to pursue an opportunity;
- removing the risk source
- changing the likelihood
- changing the consequences
- sharing the risk
- retaining the risk by informed decision.
Risk Management Process as per ISO 31000: Monitoring and Review (4)
- planning, gathering and analysing information, recording results and providing feedback.
- to assure and improve the quality and effectiveness of process
- Ongoing monitoring and periodic review of process should be planned with responsibilities defined
- results of monitoring and review incorporated to whole organization’s activities
Risk Management Process as per ISO 31000: Recording and reporting
RM process should be documented and reported through appropriate mechanisms.
Benefits for a business that adopts an effective risk management process (11)
- increased likelihood of achieving objectives
- encouraged proactive management
- awareness of need to identify and treat risk across organization
- improved identification of opportunities and threats (when analysing scope, context, criteria)
- compliance with legal and regulatory requirements (when avoiding legal risk)
- Improved mandatory and voluntary reporting (better reputation among investors)
- improved governance (due to leadership and commitment strategy)
- improved stakeholder confidence and trust (due to communication and consultation)
- establishment of reliable basis for planning and decision making (better reasoning)
- improved controls (due to risk treatment)
- effective allocation of resources for risk treatment
