Plain English ISO 31000 2009 Risk Management Dictionary

Risk - Risk Management - Risk Management Framework - Risk Management Policy

Risk Attitude - Risk Management Plan - Risk Owner - Risk Management Process

Establishing Context - External Context - Internal Context - Communication & Consultation

Stakeholder - Risk Assessment - Risk Identification - Risk Source - Event - Consequence

Likelihood - Risk Profile - Risk Analysis - Risk Criteria - Level of Risk - Risk Evaluation

Risk Treatment - Control - Residual Risk - Monitoring - Review

2.1 Risk

According to ISO 31000, risk is the “effect of uncertainty on objectives”
and an effect is a positive or negative deviation from what is expected.
The following two paragraphs will explain what this means.

ISO 31000 recognizes that all of us operate in an uncertain world.
Whenever we try to achieve an objective, there’s always the
chance
that things will not go according
to plan. Every step has an element
of
risk that needs to be managed and every outcome is uncertain.
Whenever we try to achieve an objective, we don't always get the
results we expect. Sometimes we get positive results and sometimes
we get negative results and occasionally we get both. Because of
this, ISO 31000 wants us to reduce uncertainty as much as possible.

Uncertainty (or lack of certainty) is a state or condition that involves
a deficiency of information and leads to inadequate or incomplete
knowledge or understanding. In the context of risk management,
uncertainty exists whenever your knowledge or understanding of
an event, consequence, or likelihood is inadequate or incomplete.

2.2 Risk management

Risk management refers to a coordinated set of activities and
methods that is used to direct an organization and to control
the many risks that can affect its ability to achieve objectives.

According to the Introduction to ISO 31000 2009, the term risk
management also refers to the architecture that is used to manage
risk. This architecture includes risk management principles, a risk
management framework, and a risk management process.

2.3 Risk management framework

According to ISO 31000, a risk management framework is a set of
components that support and sustain risk management throughout
an organization. There are two types of components: foundations
and organizational arrangements. Foundations include your risk
management policy, objectives, mandate, and commitment. And
organizational arrangements include the plans, relationships,
accountabilities, resources, processes, and activities you
use to manage your organization’s risk.

2.4 Risk management policy

A policy statement defines a general commitment, direction,
or intention. A risk management policy statement expresses an
organization’s commitment to risk management and clarifies
its general direction or intention.

2.5 Risk attitude

An organization’s risk attitude defines its general approach to risk.
An organization’s risk attitude (and its risk criteria) influence how risks
are assessed and addressed. An organization’s attitude towards risk
influences whether or not risks are taken, tolerated, retained, shared,
reduced, or avoided, and whether or not risk treatments are
implemented or postponed.

2.6 Risk management plan

An organization’s risk management plan describes how it intends
to manage risk. It describes the management components, the approach,
and the resources that will be used to manage risk. Typical management
components include procedures, practices, responsibilities, and activities
(including their sequence and timing).

Risk management plans can be applied to products, processes,
and projects, or to an entire organization or to any part of it.

2.7 Risk owner

A risk owner is a person or entity that has been given the authority
to manage a particular risk and is accountable for doing so.

2.8 Risk management process

According to ISO 31000, a risk management process is one that
systematically applies management policies, procedures, and
practices to a set of activities intended to establish the context,
communicate and consult with stakeholders, and identify,
analyze, evaluate, treat, monitor, and review risk.

2.9 Establishing the context

To establish the context means to define the external and internal
parameters that organizations must consider when they manage risk.
An organization’s external context includes its external stakeholders,
its local, national, and international environment, as well as any external
factors that influence its objectives. An organization’s internal context
includes its internal stakeholders, its approach to governance, its
contractual relationships, and its capabilities, culture, and standards.

ISO 31000 expects you to consider your organization’s context when you
define the scope of its risk management program,
when you formulate its
risk management policy, and when you establish its risk criteria.

2.10 External context

An organization’s external context includes all of the external
environmental parameters and factors that influence how it manages risk
and tries to achieve its objectives. It includes its external stakeholders, its
local, national, and international environment, as well as key drivers and
trends that influence its objectives. It includes stakeholder values,
perceptions, and relationships, as well as its social, cultural, political,
legal, regulatory, financial, technological, economic, natural, and
competitive environment.

2.11 Internal context

An organization’s internal context includes all of the internal
environmental parameters and factors that influence how it manages
risk and tries to achieve its objectives. It includes its internal stakeholders,
its approach to governance, its contractual relationships, and its
capabilities, culture, and standards.

Governance includes the organization’s structure, policies, objectives,
roles, accountabilities, and decision making process, and capabilities
include its knowledge and human, technological, capital, and systemic
resources.

2.12 Communication and consultation

Communication and consultation is a dialogue between an organization
and its stakeholders. This dialogue is both continual and iterative. It is a
two-way process that involves both sharing and receiving information
about the management of risk. However, this is not joint decision making.
Once communication and consultation is finished, decisions are made
and directions are established by the organization, not by stakeholders.

Discussions could be about the existence of risks, their nature, form,
likelihood, and significance, as well as whether or not risks are acceptable
or should be treated, and what treatment options should be considered.

2.13 Stakeholder

A stakeholder is a person or an organization that can affect or be
affected by a decision or an activity. Stakeholders also include those
who have the perception that a decision or an activity can affect them.
ISO 31000 distinguishes between external and internal stakeholders.

2.14 Risk assessment

Risk assessment is a process that is, in turn, made up of three
processes: risk identification, risk analysis, and risk evaluation.

Risk identification is a process that is used to find, recognize, and
describe the risks that could affect the achievement of objectives.

Risk analysis is a process that is used to understand the nature,
sources, and causes of the risks that you have identified and to
estimate the level of risk. It is also used to study impacts and
consequences and to examine the controls that currently exist.

Risk evaluation is a process that is used to compare risk analysis
results with risk criteria in order to determine whether or not a
specified level of risk is acceptable or tolerable.

2.15 Risk identification

Risk identification is a process that involves finding, recognizing,
and describing the risks that could affect the achievement of an
organization’s objectives. It is used to identify possible sources
of risk in addition to the events and circumstances that could affect
the achievement of objectives. It also includes the identification of
possible causes and potential consequences.

You can use historical data, theoretical analysis, informed opinions,
expert advice, and stakeholder input to identify your organization’s risks.

2.16 Risk source

A risk source has the intrinsic potential to give rise to risk. A risk
sourc
e is where a risk originates. It’s where it comes from. Potential
sources of risk include at least the following: commercial relationships
and obligations, legal expectations and liabilities, economic shifts and
circumstances, technological innovations and upheavals, political
changes and trends, natural events and forces, human frailties and
tendencies, and management shortcomings and excesses. All of these
elements could potentially generate a risk that must be managed.

2.17 Event

An event could be one occurrence, several occurrences, or even a
nonoccurrence (when something doesn’t happen that was supposed
to happen). It can also be a change in circumstances. Events are
sometimes referred to as incidents or accidents.

Events always have causes and usually have consequences.
Events without consequences are sometimes referred to as
near-misses, near-hits, or close-calls.

2.18 Consequence

A consequence is the outcome of an event and has an effect on
objectives. A single event can generate a range of consequences
which can have both positive and negative effects on objectives.
Initial consequences can also escalate through knock-on effects.

2.19 Likelihood

Likelihood is the chance that something might happen. Likelihood can
be defined, determined, or measured objectively or subjectively and can
be expressed either qualitatively or quantitatively (using mathematics).

2.20 Risk profile

A risk profile is a written description of a set of risks. A risk profile can
include the risks that the entire organization must manage or only those
that a particular function or part of the organization must address.

2.21 Risk analysis

Risk analysis is a process that is used to understand the nature, sources,
and causes of the risks that you have identified and to estimate the level
of risk. It is also used to study impacts and consequences and to examine
the controls that currently exist. How detailed your risk analysis ought to
be will depend upon the risk, the purpose of the analysis, the information
you have, and the resources available.

2.22 Risk criteria

Risk criteria are terms of reference and are used to evaluate the
significance or importance of an organization’s risks. They are used
to determine whether a specified level of risk is acceptable or tolerable.

Risk criteria should reflect your organization’s values, policies, and
objectives, should be based on its external and internal context, should
consider the views of stakeholders, and should be derived from
standards, laws, policies, and other requirements.

2.23 Level of risk

The level of risk is its magnitude. It is estimated by considering
and combining consequences and likelihoods. A level of risk
can be assigned to a single risk or to a combination of risks.

A consequence is the outcome of an event and has an effect on
objectives. Likelihood is the chance that something might happen.

2.24 Risk evaluation

Risk evaluation is a process that is used to compare risk analysis
results with risk criteria in order to determine whether or not a specified
level of risk is acceptable or tolerable.

2.25 Risk treatment

Risk treatment is a risk modification process. It involves selecting
and implementing one or more treatment options. Once a treatment
has been implemented, it becomes a control or it modifies existing
controls. You have many treatment options. You can avoid the risk,
you can reduce the risk, you can remove the source of the risk, you
can modify the consequences, you can change the probabilities,
you can share the risk with others, you can simply retain the risk,
or you can even increase the risk in order to pursue an opportunity.

2.26 Control

A control is any measure or action that modifies risk. Controls include any
policy, procedure, practice, process, technology, technique, method, or
device that modifies or manages risk. Risk treatments become controls,
or modify existing controls, once they have been implemented.

2.27 Residual risk

Residual risk is the risk left over after you’ve implemented a risk treatment
option. It’s the risk remaining after you’ve reduced the risk, removed the
source of the risk, modified the consequences, changed the probabilities,
transferred the risk, or retained the risk.

2.28 Monitoring

To monitor means to supervise and to continually check and
critically observe. It means to determine the current status and
to assess whether or not required or expected performance
levels are actually being achieved.

2.29 Review

A review is an activity. Review activities are carried out in order to
determine whether something is a suitable, adequate, and effective
way of achieving established objectives.

In general, ISO 31000 expects you to review your risk management
framework and your risk management process. It specifically expects
you to review your risk management policy and plans as well as your
risks, risk criteria, risk treatments, controls, residual risks, and risk
assessment process.

Our Risk Management Dictionary is based on ISO 31000, section 2,
Terms and Definitions
. We have translated these definitions into
plain English in order to make them easier to understand.

OTHER ISO 31000 PAGES

Introduction to ISO 31000 Risk Management

Overview of ISO 31000 Risk Management Standard

ISO 31000 2009 Standard Translated into Plain English

Plain English ISO 31000 Risk Management Checklist

ISO 31000 Risk Management Audit Tool

Our Plain English Approach


Home Page

Our Libraries

A to Z Index

Customers

How to Order

Our Products

Our Prices

Guarantee

Praxiom Research Group Limited            help@praxiom.com            780-461-4514

Updated on December 21, 2013. First published on August 31, 2010.

 Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
 material as often as you wish, free of charge. And as long as you keep intact
 all copyright notices, you are also welcome to print or make one copy of this
 page for your own personal, noncommercial, home use. But, you are not
 legally authorized to print or produce additional copies or to copy and paste
 any of our material onto another web site or to republish it in any way.

Copyright 2010 - 2013 by Praxiom Research Group Limited. All Rights Reserved.

Praxiom Research Group Limited