Lecture 2 - What is the risk management process?

Question 1

What is ISO 31000?

Answer 1

• ISO is the International Standards Organisation. It is one of a number of Standards bodies, others major ones include SA, IEC, ANSI, API, DIN, BSI, ASTM
• These Standards cover
  – Management Systems (e.g. ISO 9001, ISO 14001, BS OHSAS 18001)
  – Technical Processes
• ISO 31000 is the internationally recognised standard for Risk Management. It was updated as ISO 31000:2018, previously 2009.
• ISO 31000:2018 provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization.

Question 2

What is the applicability of ISO 31000?

Answer 2

• Used by any public, private or community enterprise, association, group or individual
• Applied throughout the life of an organisation, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.
• Applied to any type of risk, whatever its nature, whether having positive or negative consequences.

Question 3

The Risk Management Process - Scope, context and criteria

Answer 3

• Every organization and situation is different, it is vital that the risk
  management (RM) process is fit for purpose and appropriately scoped for the specific context.
• The RM process may be applied at different levels (e.g. strategic, operational, programme, project or other activities).
• Be clear about scope.
• Be clear about the objectives you are seeking to achieve (and their alignment with organizational objectives).
• Defining the external and internal context requires an understanding of the environment in which the organization operates.
• Organizational factors can be a source of risk.
• Organizations need to define criteria to evaluate the significance or risk, these should be customized to the specific purpose and scope of the organization’s activity and reflect their values, objectives and resources.

Question 4

The Risk Management Process - Risk Assessment

Answer 4

• This is the overall process of risk identification, risk analysis and risk evaluation.
• It should be conducted systematically, iteratively and
  collaboratively, drawing on the knowledge and views of stakeholders.

Question 5

The Risk Management Process - Risk Assessment: Risk Identification

Answer 5

• The purpose is to find, recognize and describes risk that might help or prevent and organization achieving its objectives.
• There are a range of techniques for risk identification.
• Factors to consider include:
• Tangible and intangible sources of risk;
• Causes and events;
• Threats and opportunities;
• Vulnerabilities and capabilities;
• Changes in external and internal context;
• Indicators of emerging risks;

Question 6

The Risk Management Process - Risk Assessment: Risk Analysis

Answer 6

• The purpose is to comprehend the nature of risk and its characteristics 4715including, where appropriate, the level of risk.
• Factors to consider include:
• The likelihood of events and consequences;
• The nature and magnitude of consequences;
• Complexity and connectivity;
• Time-related factors and volatility;
• The effectiveness of existing controls;
• Sensitivity and confidence levels.
• Risk analysis may be influenced by any divergence of opinions, biases, perceptions of risk and judgements.
• Additional influences are the quality of information used, the assumptions and
  exclusions made, any limitations of the techniques and how they are executed.
• These influences should be considered, documented and communicated to
  decision makers.

Question 7

The Risk Management Process - Risk Assessment: Risk Evaluation

Answer 7

• The purpose is to support decisions.
• Risk evaluation involves comparing the results of the risk analysis with the
  established risk criteria to determine where action is required.
• This can lead to a decision to:
• Do nothing further;
• Consider risk treatment options;
• Undertake further analysis to better understand the risk;
• Maintain existing controls;
• Reconsider objectives.
• Decisions should take account of the wider context and the actual or perceived
  consequences to external or internal stakeholders.
• The outcome of risk evaluation should be recorded, communicated and then
  validated at appropriate levels of the organization.

Question 8

The Risk Management Process - Risk Treatment

Answer 8

• The purpose is to select and implement options for addressing risk.
• Risk treatment involved an iterative process of:
• Formulating and selecting risk treatment options;
• Planning and implementing risk treatment;
• Assessing the effectiveness of that treatment;
• Deciding whether the remaining (residual) risk is acceptable;
• If not acceptable, taking further treatment.
• Decisions should take account of the wider context and the actual or perceived
  consequences to external or internal stakeholders.
• The outcome of risk evaluation should be recorded, communicated and then validated at appropriate levels of the organization.

Question 9

What are the positive outcome for identifying risks?

Answer 9

• Engage in activity
• Enhance consequence
• Retain residual opportunity
• Enhance likelihood of outcome
  -Share opportunity

Question 10

What are the negative outcome for identifying risks?

Answer 10

• Share risk
• Retain risk
• Change consequence
• Avoid the risk
• Reduce likelihood of outcome4

Question 11

What are risk treatment plans?

Answer 11

• The purpose is to specify how the chosen treatment options will be implemented.
• The information in the plan should include:
• The rationale for selection of the treatment options, including the expected benefits to be gained;
• Those who are accountable and responsible for approving and implementing the plan;
• The proposed actions;
• The resources required, including contingencies;
• The performance measures;
• The constraints;
• The required reporting and monitoring;
• When actions are expected to be undertaken and completed.