ISO31000 - further details Flashcards
Name the ISO31000 principles
8 Principles
Integrated
Structured and comprehensive
Customised
Inclusive
Dynamic
Best available info
Human and cultural factors
Continual improvement
PACED combines the eight principles in ISO31000 to provide five ATTRIBUTES of RM - Proportionate, Aligned, Comprehensive, Embedded and Dynamic.
Name the five ATTRIBUTES (parts) of RM for ISO31000 (acronym)
PACED - Proportionate, Aligned, Comprehensive, Embedded and Dynamic.
Name the 4 OBJECTIVES of RM (acronym)
MADE2 - mandatory, assurance, decision making, effective and efficient processes
How many ISO31000 principles are there? Can you name them?
ISO31000: 8 principles
1. Framework and processes should be customised and PROPORTIONATE.
2. APPROPRIATE and TIMELY involvement of stakeholders is necessary.
3. Structured and COMPREHENSIVE approach is required.
4. Risk management is an INTEGRAL part of all organisational activities.
5. Risk management anticipates, detects, acknowledges and responds to changes.
6. Risk management explicitly considers any limitations of available information.
7. Human and cultural factors influence all aspects of risk management.
8. Risk management is continually improved through learning and experience.
Summarise the ISO31000 principles
PACED
What does the P mean in PACED?
Proportionate - STRUCTURED approach TAILORED to suit org and activity
One size does not fit all
Consistency in process and language used in org to build common understanding of RM
What does the A mean in PACED?
Aligned - INTEGRATED with other org activities, which allows BAU to continue with ERM as a touchpoint throughout the org, and an ESCALATION mechanism to allow effective management of REPORTING
What does the C mean in PACED?
Comprehensive - Process encourages CONSISTENCY in the RM PROCESS, and includes risks and controls both inside the org and outside of it.
Gives effective OVERSIGHT OF RISK PROFILE and improves understanding of existing, new and emerging risks INTERNALLY AND EXTERNALLY
What does the E mean in PACED?
Embedded - Embedded in the org - encourages CHANGE in risk attitude, behaviour and culture to progress RM MATURITY and awareness of its value to the org.
What does the D mean in PACED?
Dynamic - Process doesn’t stop once risk is collated into the register. That alone is only risk register writing.
The org needs to continue to invest time in RM to keep the process alive so it can continue to support decision making and add value.
How does ISO31000 help build an RM framework?
Continuous improvement model PIML
What’s the difference between plan–do–check–act (PDCA) and Plan, Implement, Measure and Learn (PIML)?
PDCA emanates from QUALITY RM
PIML puts emphasis on measuring and learning and distinguishes RM from quality management.
What does the planning element of PIML contain?
Identifying and assessing benefits (of a new RM process or an upgrade of the current one)
Scoping the initiative (developing a common taxonomy or the improvements needed)
Establishing strategy, FW and R&Rs in a Risk Manual
What does the implementing element of PIML contain?
Produce RM guidelines and classification systems
Risk Protocols - FIRM, PESTLE and SWOT
Risk Assessment workshops - registers etc
Agreeing RA and Tolerance levels
What does the measuring element of PIML contain?
Evaluate effectiveness of controls (so it goes beyond the ‘check’ phase of PDCA, as it measures existing controls)
Align RM with other activities (and existing process)
Embed risk aware culture
What does the learning element of PIML contain?
Learning from the ‘measurement’ activity
Monitor risk performance (KPIs) - to measure ERM contribution
Internal audit team to review learning from any self assessment or audit reports.
Report in line with obligations - boards etc
What is the ISO31000 definition of risk?
effect of uncertainty on objectives
What is the ISO31000 definition of RM?
coordinated activities to direct and control an org with regard to risk
What is the ISO31000 definition of Stakeholder Management?
person or org that can affect, be affected by, or perceive themselves to be affected by a decision or activity
What is the ISO31000 definition of risk source?
an element which alone or in combination has the potential to give rise to a risk
What is the ISO31000 definition of event?
occurrence of change of a particular set of circumstances
What is the ISO31000 definition of consequences?
outcome of an event affecting objectives
What is the ISO31000 definition of likelihood?
chance of something happening
What is the ISO31000 definition of control?
a measure that maintains and/or modifies risk
Explain the INTEGRATED principle
RM is an integral part of all org activities
- Integrate into all parts and activities of the org
- Should not be separate from the main activities and processes of the org, as it is part of DECISION MAKING in each dept.
- RM should be embedded into org processes and is part of MANAGEMENT’S RESPONSIBILITIES.
Explain the STRUCTURED AND COMPREHENSIVE principle
Contributes to consistent and comparable results
- Having a comprehensive and structured approach leads to the most consistent, desirable RM OUTCOMES
- A SYSTEMATIC approach contributes to efficiency and consistent results, and everyone understands the approach
- Structured guidelines and procedures help maintain productivity and efficacy
Explain the CUSTOMISED principle
RM FW and process are customised and proportionate to the org’s EXTERNAL AND INTERNAL context relating to its OBJECTIVES
- Must be customised to org objectives and internal and external context
- Not one size fits all; must be tailored to the EXTERNAL AND INTERNAL context to reach OBJECTIVES
- Once the EXTERNAL AND INTERNAL context is established, we can capture OBJECTIVES and customise our RM to the organisation as a whole.
Explain the INCLUSIVE principle
Appropriate and timely involvement of SHs enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed RM
- MUST INVOLVE ALL STAKEHOLDERS TO BE INCLUSIVE - when appropriate and at the right time, allowing different knowledge, views and perceptions to be considered and implemented in RM efforts
- IS TRANSPARENT - easy to understand and doesn’t include confusing JARGON, allowing SHs to be included in the FW.
Explain the HUMAN AND CULTURAL FACTORS principle
Human behaviour and culture SIGNIFICANTLY INFLUENCE all aspects of RM at each level and stage.
- RM must recognise the org’s capabilities as well as the goals of the people, which can help or inhibit the business
- RM is a human activity that takes place within one or more cultures (org culture). So Risk Managers must be aware of the human and cultural factors in which the RM effort takes place, and know the influence that those human and cultural factors will have on the RM effort.
Explain the DYNAMIC principle
Risks can emerge, change or disappear as the internal and external context changes
RM anticipates, DETECTS, ACKNOWLEDGES AND RESPONDS to those changes and events in an appropriate and timely manner.
Explain the BEST AVAILABLE INFO principle
INPUTS to RM are based on HISTORICAL AND CURRENT info, as well as on FUTURE expectations.
RM takes into account any limitations and uncertainties associated with such info and expectations. (You will never have all the info you need, but action must be taken when an org has the best available data.)
Info should be TIMELY, CLEAR AND AVAILABLE to relevant SHs
Explain the CONTINUAL IMPROVEMENT principle
RM is continually improved through LEARNING AND EXPERIENCE - improves org resiliency
- PDCA - plan, do, check, act - keeps the org continually improving while factors change over time
- Adapts to results in RM, allowing the org to grow
Through learning and experience, Risk Managers must strive to continually improve an org’s RM efforts.