According to ISO 31000, risk is the “effect of uncertainty on objectives”, and an effect is a positive or negative deviation from what is expected. The following two paragraphs explain what this means.

This definition recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there is always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed, and every outcome is uncertain. Whenever we try to achieve an objective, we don't always get the results we expect. Sometimes we get positive results, sometimes we get negative results, and occasionally we get both. Because of this, we need to reduce uncertainty as much as possible.

Uncertainty (or lack of certainty) is a state or condition that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete.
|
Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve its objectives. According to the introduction to ISO 31000:2009, the term risk management also refers to the architecture that is used to manage risk. This architecture includes risk management principles, a risk management framework, and a risk management process.
|
According to ISO 31000, a risk management framework is a set of components that support and sustain risk management throughout an organization. There are two types of components: foundations and organizational arrangements. Foundations include your risk management policy, objectives, mandate, and commitment. Organizational arrangements include the plans, relationships, accountabilities, resources, processes, and activities you use to manage your organization’s risk.
|
A policy statement defines a general commitment, direction, or intention. A risk management policy statement expresses an organization’s commitment to risk management and clarifies its general direction or intention.
|
An organization’s risk attitude defines its general approach to risk. Its risk attitude (together with its risk criteria) influences how risks are assessed and addressed. An organization’s attitude towards risk influences whether risks are taken, tolerated, retained, shared, reduced, or avoided, and whether risk treatments are implemented or postponed.
|
An organization’s risk management plan describes how it intends to manage risk. It describes the management components, the approach, and the resources that will be used to manage risk. Typical management components include procedures, practices, responsibilities, and activities (including their sequence and timing). Risk management plans can be applied to products, processes, and projects, or to an entire organization or to any part of it.
|
A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so.
|
According to ISO 31000, a risk management process is one that systematically applies management policies, procedures, and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyze, evaluate, treat, monitor, and review risk.
|
To establish the context means to define the external and internal parameters that organizations must consider when they manage risk. An organization’s external context includes its external stakeholders, its local, national, and international environment, and any external factors that influence its objectives. An organization’s internal context includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards. ISO 31000 expects you to consider your organization’s context when you define the scope of its risk management program, when you formulate its risk management policy, and when you establish its risk criteria.
|
An organization’s external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its external stakeholders, its local, national, and international environment, and the key drivers and trends that influence its objectives. It also includes stakeholder values, perceptions, and relationships, as well as its social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environment.
|
An organization’s internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards. Governance includes the organization’s structure, policies, objectives, roles, accountabilities, and decision-making process; capabilities include its knowledge and its human, technological, capital, and systemic resources.
|
Communication and consultation is a dialogue between an organization and its stakeholders. This dialogue is both continual and iterative. It is a two-way process that involves both sharing and receiving information about the management of risk. However, it is not joint decision making: once communication and consultation is finished, decisions are made and directions are established by the organization, not by its stakeholders. Discussions could be about the existence of risks, their nature, form, likelihood, and significance, as well as whether or not risks are acceptable or should be treated, and what treatment options should be considered.
|
A stakeholder is a person or an organization that can affect or be affected by a decision or an activity. Stakeholders also include those who perceive that a decision or an activity can affect them. ISO 31000 distinguishes between external and internal stakeholders.
|
Risk assessment is a process that is, in turn, made up of three processes: risk identification, risk analysis, and risk evaluation.

Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives.

Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.

Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
|
Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization’s objectives. It is used to identify possible sources of risk, as well as the events and circumstances that could affect the achievement of objectives. It also includes the identification of possible causes and potential consequences. You can use historical data, theoretical analysis, informed opinions, expert advice, and stakeholder input to identify your organization’s risks.
|
A risk source has the intrinsic potential to give rise to risk; it is where a risk originates. Potential sources of risk include at least the following: commercial relationships and obligations, legal expectations and liabilities, economic shifts and circumstances, technological innovations and upheavals, political changes and trends, natural events and forces, human frailties and tendencies, and management shortcomings and excesses. Any of these could generate a risk that must be managed.
|
An event could be one occurrence, several occurrences, or even a nonoccurrence (when something that was supposed to happen doesn’t happen). It can also be a change in circumstances. Events are sometimes referred to as incidents or accidents. Events always have causes and usually have consequences. Events without consequences are sometimes referred to as near-misses, near-hits, or close-calls.
|
A consequence is the outcome of an event and has an effect on objectives. A single event can generate a range of consequences, which can have both positive and negative effects on objectives. Initial consequences can also escalate through knock-on effects.
|
Likelihood is the chance that something might happen. Likelihood can be defined, determined, or measured objectively or subjectively, and can be expressed either qualitatively or quantitatively (using mathematics).
|
A risk profile is a written description of a set of risks. A risk profile can include the risks that the entire organization must manage, or only those that a particular function or part of the organization must address.
|
Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist. How detailed your risk analysis ought to be will depend upon the risk, the purpose of the analysis, the information you have, and the resources available.
|
Risk criteria are terms of reference that are used to evaluate the significance or importance of an organization’s risks. They are used to determine whether a specified level of risk is acceptable or tolerable. Risk criteria should reflect your organization’s values, policies, and objectives; should be based on its external and internal context; should consider the views of stakeholders; and should be derived from standards, laws, policies, and other requirements.
|
The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A level of risk can be assigned to a single risk or to a combination of risks. A consequence is the outcome of an event and has an effect on objectives; likelihood is the chance that something might happen.
|
Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
|
Risk treatment is a risk modification process. It involves selecting and implementing one or more treatment options. Once a treatment has been implemented, it becomes a control or it modifies existing controls. You have many treatment options: you can avoid the risk, reduce the risk, remove the source of the risk, modify the consequences, change the probabilities, share the risk with others, simply retain the risk, or even increase the risk in order to pursue an opportunity.
|
A control is any measure or action that modifies risk. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk. Risk treatments become controls, or modify existing controls, once they have been implemented.
|
Residual risk is the risk left over after you’ve implemented a risk treatment option. It’s the risk remaining after you’ve reduced the risk, removed the source of the risk, modified the consequences, changed the probabilities, shared (transferred) the risk, or retained the risk.
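The following is an added worked example, not text or code from ISO 31000 or from the original page. It ties together the level of risk (likelihood combined with consequence), risk evaluation against risk criteria, the treatment options listed above, and the residual risk that remains after each treatment. The five-point scales, the acceptable/tolerable thresholds, the treatment option names, and the sample register entry are all assumptions constructed for this illustration; an organization's own risk criteria are what it must actually use.

```python
"""Worked risk register: level of risk, evaluation against risk criteria,
treatment options and residual risk.

Constructed illustration only: the scales, thresholds, option names and the
sample risk are assumptions for this example, not ISO 31000 text.
"""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import List, Optional, Tuple


class Likelihood(IntEnum):
    """Qualitative likelihood scale (assumed five-point scale)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    """Qualitative consequence scale (assumed five-point scale)."""
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


@dataclass(frozen=True)
class Risk:
    name: str
    source: str               # where the risk originates
    likelihood: Likelihood
    consequence: Consequence
    owner: str                # risk owner: accountable for managing it


@dataclass(frozen=True)
class RiskCriteria:
    """Terms of reference used in risk evaluation (assumed thresholds)."""
    acceptable_max: int = 4   # at or below: acceptable, no treatment needed
    tolerable_max: int = 12   # at or below: tolerable, retain with monitoring


def level_of_risk(risk: Risk) -> int:
    """Level of risk: magnitude obtained by combining likelihood and consequence.
    Here the combination is a plain product of the two five-point scales."""
    return int(risk.likelihood) * int(risk.consequence)


def evaluate(risk: Risk, criteria: RiskCriteria) -> str:
    """Risk evaluation: compare the analysed level with the risk criteria."""
    level = level_of_risk(risk)
    if level <= criteria.acceptable_max:
        return "acceptable"
    if level <= criteria.tolerable_max:
        return "tolerable"
    return "unacceptable"


def treat(risk: Risk, option: str, new_value: Optional[int] = None) -> Optional[Risk]:
    """Apply one treatment option and return the residual risk.

    Returns None for options that remove the risk altogether (avoid it, remove
    its source): there is no residual risk left to evaluate.
    """
    if option in ("avoid", "remove_source"):
        return None
    if option == "retain":
        return risk                      # informed decision: keep the risk as-is
    if option == "change_likelihood":
        return replace(risk, likelihood=Likelihood(new_value))
    if option in ("modify_consequence", "share"):
        # sharing (insurance, contract) lowers the consequence the organization bears
        return replace(risk, consequence=Consequence(new_value))
    raise ValueError(f"unknown treatment option: {option}")


def residual_risk(risk: Risk, treatments: List[Tuple[str, Optional[int]]],
                  criteria: RiskCriteria) -> List[Tuple[str, Optional[int], Optional[str]]]:
    """Apply treatments in order, recording (option, residual level, evaluation)
    after each one so the register shows why each treatment was chosen."""
    trail = []
    current: Optional[Risk] = risk
    for option, value in treatments:
        if current is None:
            break                        # the risk was removed; nothing left to treat
        current = treat(current, option, value)
        if current is None:
            trail.append((option, None, None))
        else:
            trail.append((option, level_of_risk(current), evaluate(current, criteria)))
    return trail


# Constructed sample register entry (not a real finding).
SAMPLE_RISK = Risk(
    name="Internet-facing server missing security patches",
    source="technological: known vulnerability in exposed software",
    likelihood=Likelihood.LIKELY,
    consequence=Consequence.SEVERE,
    owner="Head of Platform Engineering",
)
CRITERIA = RiskCriteria()

if __name__ == "__main__":
    print(f"{SAMPLE_RISK.name}: level {level_of_risk(SAMPLE_RISK)}, "
          f"{evaluate(SAMPLE_RISK, CRITERIA)}")
    plan = [("change_likelihood", Likelihood.UNLIKELY),  # patch, expose only via a proxy
            ("share", Consequence.MINOR)]               # insurance caps the financial impact
    for option, level, verdict in residual_risk(SAMPLE_RISK, plan, CRITERIA):
        print(f"  after {option}: residual level {level}, {verdict}")
```

Running the script shows the sample risk start at level 20 (unacceptable under the assumed criteria), drop to 10 (tolerable) once the likelihood is reduced, and reach 4 (acceptable) once the consequence is shared. Treating until the residual level meets the criteria is the loop the text describes: each implemented treatment becomes a control, and the level computed after it is the residual risk that the risk owner must still monitor and review.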
|
To monitor means to supervise and to continually check and critically observe. It means to determine the current status and to assess whether or not required or expected performance levels are actually being achieved.
|
A review is an activity. Review activities are carried out in order to determine whether something is a suitable, adequate, and effective way of achieving established objectives. In general, ISO 31000 expects you to review your risk management framework and your risk management process. It specifically expects you to review your risk management policy and plans, as well as your risks, risk criteria, risk treatments, controls, residual risks, and risk assessment process.
|