According to ISO 31000, risk is the “effect of uncertainty on objectives”, and an effect is a positive or negative deviation from what is expected. So risk is the possibility of a positive or negative deviation from the objective you expect to achieve.

ISO 31000 recognizes that organizations operate in an uncertain world. Whenever you try to achieve an objective, there is always a chance that things will not go according to plan and that you will not achieve what you expect. Every step you take toward an objective involves uncertainty, and every step therefore carries an element of risk that needs to be managed. According to ISO 31000, you can reduce your uncertainty and manage your risk by using a systematic approach to risk management.

Uncertainty (or lack of certainty) is a state of being that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever your knowledge or understanding of an event, its consequences, or its likelihood is inadequate or incomplete. So you can reduce your uncertainty by getting better information and improving your knowledge and understanding.

Risk management refers to a coordinated set of activities and methods used to direct an organization and to control the many risks that can affect its ability to achieve its objectives. According to the Introduction to ISO 31000, the term risk management also refers to the architecture that is used to manage risk. This architecture includes risk management principles, a risk management framework, and a risk management process.

According to ISO 31000, a risk management framework is a set of components that support and sustain risk management throughout an organization. There are two types of components: foundations and organizational arrangements. Foundations include your risk management policy, objectives, mandate, and commitment. Organizational arrangements include the plans, relationships, accountabilities, resources, processes, and activities you use to manage your organization’s risk.

A policy statement defines a general commitment, direction, or intention. A risk management policy statement expresses an organization’s commitment to risk management and clarifies its general direction or intention.

An organization’s risk attitude defines its general approach to risk. Together with its risk criteria, the risk attitude influences how risks are assessed and addressed: whether risks are taken, tolerated, retained, shared, reduced, or avoided, and whether risk treatments are implemented or postponed.

An organization’s risk management plan describes how it intends to manage risk. It describes the management components, the approach, and the resources that will be used to manage risk. Typical management components include procedures, practices, responsibilities, and activities (including their sequence and timing). Risk management plans can be applied to products, processes, and projects, to an entire organization, or to any part of it.

A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so.

According to ISO 31000, a risk management process is one that systematically applies management policies, procedures, and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyze, evaluate, treat, monitor, and review risk.

To establish the context means to define the external and internal parameters that organizations must consider when they manage risk. An organization’s external context includes its external stakeholders, its local, national, and international environment, and any external factors that influence its objectives. An organization’s internal context includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards. ISO 31000 expects you to consider your organization’s context when you define the scope of its risk management program, when you formulate its risk management policy, and when you establish its risk criteria.

An organization’s external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its external stakeholders, its local, national, and international environment, and the key drivers and trends that influence its objectives. It includes stakeholder values, perceptions, and relationships, as well as its social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environment.

An organization’s internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards. Governance includes the organization’s structure, policies, objectives, roles, accountabilities, and decision-making process; capabilities include its knowledge and its human, technological, capital, and systemic resources.

Communication and consultation is a dialogue between an organization and its stakeholders. This dialogue is both continual and iterative. It is a two-way process that involves both sharing and receiving information about the management of risk. However, it is not joint decision making. Once communication and consultation is finished, decisions are made and directions are established by the organization, not by the stakeholders. Discussions could be about the existence of risks, their nature, form, likelihood, and significance, whether or not risks are acceptable or should be treated, and which treatment options should be considered.

A stakeholder is a person or an organization that can affect or be affected by a decision or an activity. Stakeholders also include those who perceive that a decision or an activity can affect them. ISO 31000 distinguishes between external and internal stakeholders.

Risk assessment is a process that is, in turn, made up of three processes: risk identification, risk analysis, and risk evaluation. Risk identification is a process used to find, recognize, and describe the risks that could affect the achievement of objectives. Risk analysis is a process used to understand the nature, sources, and causes of the risks you have identified and to estimate the level of risk; it is also used to study impacts and consequences and to examine the controls that currently exist. Risk evaluation is a process used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization’s objectives. It is used to identify possible sources of risk as well as the events and circumstances that could affect the achievement of objectives. It also includes the identification of possible causes and potential consequences. You can use historical data, theoretical analysis, informed opinions, expert advice, and stakeholder input to identify your organization’s risks.

A risk source has the intrinsic potential to give rise to risk. A risk source is where a risk originates; it is where the risk comes from. Potential sources of risk include at least the following: commercial relationships and obligations, legal expectations and liabilities, economic shifts and circumstances, technological innovations and upheavals, political changes and trends, natural events and forces, human frailties and tendencies, and management shortcomings and excesses. Any of these could generate a risk that must be managed.

An event could be one occurrence, several occurrences, or even a nonoccurrence (when something that was supposed to happen does not happen). It can also be a change in circumstances. Events always have causes and usually have consequences. Events without consequences are often referred to as near-misses, near-hits, close-calls, or incidents. Note that this use of “incident” for an event without consequences follows the ISO risk vocabulary and differs from the way the word is used in security incident response, where an incident normally implies an actual impact.

A consequence is the outcome of an event and has an effect on objectives. A single event can generate a range of consequences, which can have both positive and negative effects on objectives. Initial consequences can also escalate through knock-on effects.

Likelihood is the chance that something might happen. Likelihood can be defined, determined, or measured objectively or subjectively, and it can be expressed either qualitatively (in general terms such as “rare” or “almost certain”) or quantitatively (numerically, for example as a probability or as a frequency over a given period).

A risk profile is a written description of a set of risks. A risk profile can include the risks that the entire organization must manage or only those that a particular function or part of the organization must address.

Risk analysis is a process used to understand the nature, sources, and causes of the risks you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist. How detailed your risk analysis ought to be will depend upon the risk, the purpose of the analysis, the information you have, and the resources available.

Risk criteria are terms of reference used to evaluate the significance or importance of your organization’s risks. They are used to determine whether a specified level of risk is acceptable or tolerable. Risk criteria should reflect your organization’s values, policies, and objectives; should be based on its external and internal context; should consider the views of stakeholders; and should be derived from standards, laws, policies, and other requirements.

The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A level of risk can be assigned to a single risk or to a combination of risks. A consequence is the outcome of an event and has an effect on objectives; likelihood is the chance that something might happen.

Risk evaluation is a process used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

Risk treatment is a risk modification process. It involves selecting and implementing one or more treatment options. Once a treatment has been implemented, it becomes a control or it modifies existing controls. You have many treatment options: you can avoid the risk, reduce the risk, remove the source of the risk, modify the consequences, change the likelihood, share the risk with others, simply retain the risk, or even increase the risk in order to pursue an opportunity.

A control is any measure or action that modifies risk. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk. Risk treatments become controls, or modify existing controls, once they have been implemented.

Residual risk is the risk left over after you have implemented a risk treatment option. It is the risk remaining after you have reduced the risk, removed the source of the risk, modified the consequences, changed the likelihood, shared the risk, or retained the risk. Because it is still a risk, it is evaluated against the same risk criteria as the original risk and may itself require further treatment.

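The level-of-risk, risk-criteria, risk-treatment and residual-risk entries above describe one pass of the assess, treat, reassess loop. The Python below is an added illustration of that loop; it is not code from ISO 31000 or from this glossary. The 1-to-5 ordinal scales, the multiplicative combination of likelihood and consequence, the threshold values in RiskCriteria, and every risk and treatment in the register are assumptions made for the illustration (ISO 31000 prescribes none of them). The point it makes that the prose only implies: treatment is not the end of the process, since the residual risk is evaluated against the same criteria again and can still be unacceptable when the planned treatments are exhausted.

```python
"""Toy risk register in the ISO 31000 vocabulary: level of risk, risk
criteria, risk treatment, residual risk.  Constructed example: the 1-5
scales, the multiplicative combination and the thresholds are assumptions
of this illustration, not something ISO 31000 prescribes."""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Verdict(Enum):
    ACCEPTABLE = "acceptable"       # within criteria: no treatment needed
    TOLERABLE = "tolerable"         # retain, but monitor and review
    UNACCEPTABLE = "unacceptable"   # must be treated before it is accepted


@dataclass(frozen=True)
class RiskCriteria:
    """Terms of reference: thresholds on the level of risk (assumed values)."""
    acceptable_max: int = 4
    tolerable_max: int = 9

    def evaluate(self, level: int) -> Verdict:
        """Risk evaluation: compare a level of risk with the criteria."""
        if level <= self.acceptable_max:
            return Verdict.ACCEPTABLE
        if level <= self.tolerable_max:
            return Verdict.TOLERABLE
        return Verdict.UNACCEPTABLE


@dataclass(frozen=True)
class Risk:
    name: str
    source: str          # risk source (commercial, technological, natural, ...)
    owner: str           # risk owner, accountable for managing it
    likelihood: int      # 1 = rare .. 5 = almost certain (assumed scale)
    consequence: int     # 1 = negligible .. 5 = severe (assumed scale)

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.consequence):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and consequence must be 1..5")

    @property
    def level(self) -> int:
        """Level of risk: consequence combined with likelihood (assumed: product)."""
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Treatment:
    """A treatment option expressed as the change it makes to the two factors.
    'retain' changes nothing; 'share' typically lowers consequence only."""
    option: str
    likelihood_delta: int = 0
    consequence_delta: int = 0


def apply_treatment(risk: Risk, t: Treatment) -> Risk:
    """Residual risk after one treatment; both factors stay on the 1..5 scale."""
    def clamp(v: int) -> int:
        return max(1, min(5, v))
    return replace(risk,
                   likelihood=clamp(risk.likelihood + t.likelihood_delta),
                   consequence=clamp(risk.consequence + t.consequence_delta))


def treat(risk: Risk, criteria: RiskCriteria, options: list[Treatment]):
    """Apply treatments in order until the residual risk is no longer
    unacceptable.  Returns (residual_risk, options_applied, verdict).  The
    verdict stays UNACCEPTABLE when the options run out: the signal that the
    risk owner needs further treatment or an explicit decision."""
    residual, applied = risk, []
    verdict = criteria.evaluate(residual.level)
    for t in options:
        if verdict is not Verdict.UNACCEPTABLE:
            break                      # evaluation says no (further) treatment needed
        residual = apply_treatment(residual, t)
        applied.append(t.option)
        verdict = criteria.evaluate(residual.level)   # re-evaluate residual risk
    return residual, applied, verdict


# Constructed sample register and treatment plans (not real data).
REGISTER = [
    Risk("Credential stuffing against customer portal", "technological", "CISO", 5, 4),
    Risk("Key supplier insolvency", "commercial", "CFO", 4, 5),
    Risk("Office flooding", "natural", "Facilities", 1, 3),
]
PLANS = {
    "Credential stuffing against customer portal": [
        Treatment("reduce: enforce MFA", likelihood_delta=-3),
        Treatment("share: cyber insurance", consequence_delta=-1),
    ],
    "Key supplier insolvency": [Treatment("reduce: qualify second supplier", consequence_delta=-2)],
    "Office flooding": [Treatment("retain")],
}


def run_register(register, plans, criteria=RiskCriteria()):
    """Assess and treat every risk; returns {name: (initial, residual, verdict, applied)}."""
    out = {}
    for r in register:
        residual, applied, verdict = treat(r, criteria, plans.get(r.name, []))
        out[r.name] = (r.level, residual.level, verdict, applied)
    return out


if __name__ == "__main__":
    for name, (before, after, verdict, applied) in run_register(REGISTER, PLANS).items():
        print(f"{name}: {before} -> {after} ({verdict.value}) via {applied}")
```

In the sample run the portal risk drops from 20 to 8 after MFA alone, so the insurance option is never reached; the supplier risk is treated once and is still unacceptable at 12, which is exactly the case the residual-risk entry warns about; the flooding risk is acceptable from the start and its "retain" option is never exercised because evaluation found nothing to treat.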
To monitor means to supervise and to continually check and critically observe. It means to determine the current status and to assess whether or not required or expected performance levels are actually being achieved.

A review is an activity. Review activities are carried out in order to determine whether something is a suitable, adequate, and effective way of achieving established objectives. In general, ISO 31000 expects you to review your risk management framework and your risk management process. It specifically expects you to review your risk management policy and plans as well as your risks, risk criteria, risk treatments, controls, residual risks, and risk assessment process.
