OVERVIEW OF PART 3: RISK MANAGEMENT PRINCIPLES

Part 3 of ISO 31000 sets out the risk management principles. These principles provide the conceptual foundation for the rest of the standard. Part 3 says that your approach to risk management should be an integral part of your organization’s processes (especially its decision-making process), should be tailored to its environment, should create and protect value, and should support and encourage continual improvement.

It also says that your approach should be not only structured, systematic, and iterative, but also dynamic, responsive, and inclusive. In addition, your approach should address the human and cultural factors that influence the achievement of your organization’s objectives, and it should explicitly deal with the many uncertainties that threaten your organization’s success.

Taken together, these principles should shape how you design and implement your organization’s risk management framework (Part 4) and risk management process (Part 5).
OVERVIEW OF PART 4: RISK MANAGEMENT FRAMEWORK

Part 4 discusses ISO’s risk management framework. It starts by asking you to make risk management part of your organization’s overall management system and to use this framework to support your risk management process (Part 5). Then, in Part 4.2, it asks you to commit to risk management by establishing a risk management policy, formulating risk management objectives, and assigning risk management responsibilities.

Part 4 describes an iterative (cyclical) process. The cycle starts with that commitment to risk management. It then asks you to design, implement, monitor, and improve your risk management framework, in that order. Repeat the cycle whenever you need to change your risk management policy, modify your risk management objectives, or improve your framework.
OVERVIEW OF PART 5: RISK MANAGEMENT PROCESS

Part 5 explains how to apply a risk management process. It starts by asking you to make risk management an integral part of your organization’s management approach. It then emphasizes the need to communicate and consult with both external and internal stakeholders throughout, and to continually monitor and review your organization’s risk management process.

The risk management process itself starts by establishing your organization’s unique context. Once you understand both your external and internal context, you’re ready to carry out your risk assessment, which involves identifying, analyzing, and evaluating risks. Once you know what your risks are, you’re ready to formulate and implement risk treatment plans. Repeat this process every time you have a risk that needs to be assessed and treated.