Unit 2 - ISO 31000: 2018

Question 1

What does ISO stand for?

Answer 1

International Standards Organisation

Question 2

What does Annex SL describe?

Answer 2

Seven substantive components of a mgmt system standard

Question 3

What does ISO 31000 provide detailed guidelines on?

Answer 3

PIML - Plan, Implement, Measure and Learn

Question 4

What does ISO 31000 provide less explicit info on?

Answer 4

The context, leadership and support features required of a mgmt system standard

Question 5

What is a mgmt system?

Answer 5

Framework of policies, processes and procedures employed by an org to ensure it can fulfil tasks required to achieve its purpose and objectives

Question 6

What are the Scope and Design components of mgmt systems?

Answer 6

1. Context
2. Support
3. Leadership

Question 7

What are the Control and Develop components of mgmt systems?

Answer 7

PIML:-

1. Plan
2. Implement
3. Measure
4. Learn

(Also known as Plan, Do, Check, Act)

Question 8

What do we mean by “Context” within mgmt systems?

Answer 8

Organisation, stakeholder expectations and scope of the mgmt system.

More specifically for risk management…
- To define internal and external parameters that organisations must consider when managing risk.

The purpose is to customise the risk mgmt process, enabling effective risk assessment and appropriate risk treatment.

Question 9

What do we mean by “Support” within mgmt systems?

Answer 9

Resources, competence, awareness, communication and documentation

Question 10

What do we mean by “Leadership” within mgmt systems?

Answer 10

Commitment, policy and organisational roles and responsibilities

Question 11

What do we mean by “Plan” within mgmt systems?

Answer 11

Mgmt system objectives and planning to achieve them

Question 12

What do we mean by “Implement” within mgmt systems?

Answer 12

Operational planning, implementation and control

Question 13

What do we mean by “Measure” within mgmt systems?

Answer 13

Monitoring, measurement, analysis, evaluation, audit and review

Question 14

What do we mean by “Learn” within mgmt systems?

Answer 14

Non-conformity, corrective action and continual improvement

Question 15

What do formal mgmt systems have?

Answer 15

Defined, documented procedures intended to implicitly manage processes.

Auditable stds developed for each activity or process

Question 16

What do informal mgmt systems have?

Answer 16

Implicit and may incl roles and responsibilities, audits and mgmt of change

Question 17

Due to ‘disruption’, what does the World Economic Forum (WEF) say doesn’t work any more?

Answer 17

Ideas of incremental progress, continuous improvement and process optimisation

Question 18

What is meant by ‘disruption ‘?

Answer 18

The current competitive landscape

Question 19

What 4 areas for improvement come from proactive approach to risk

Answer 19

1. Strategy - risks fully analysed, better strategic decisions
2. Tactics - consideration of risk in the selection of tactics
3. Operations - ID of events that can cause disruption, taking action to reduce
4. Compliance - enhanced due to recognition of risks associated with failure to comply

Question 20

What six areas of risk do most organisations need to manage?

Answer 20

• Variable cost or availability of raw materials
• Cost of retirement / pension / social benefits
• Increasing importance of intellectual Property (IP)
• Greater supply chain and joint venture dependency and complexity
• Reputation becoming more important and more vulnerable
• Regulatory pressures and legislative requirements increasing

Question 21

What info on risk mgmt do Boards expect to see?

Answer 21

• Governance and Culture
• Strategy and Objective setting
• Performance
• Information
• Communications and Reporting
• Review and Revision of practices to enhance org performance

Question 22

What is a danger of implementing ISO 31000?

Answer 22

That output forms a stream of mgmt info separate from other info reqd to successfully run the org

Question 23

What is the definition of ‘Risk’?

Answer 23

The effect of uncertainty on objectives.

Usually expressed in terms of risk sources, potential events, their consequences and their likelihood

Question 24

What does ISO 31000 consist of?

Answer 24

• Risk Mgmt Principles
• Risk Mgmt Framework
• Risk Mgmt Process

Question 25

What are the eight ISO 31000 Risk Mgmt Principles?

N.B. The first five align to ‘PACED’, and relate to how a risk mgmt initiative should be designed. The final three relate to how it should operate.

Answer 25

Value Creation and Protection via:

• Integrated into all activities
• Structured and Comprehensive
• Customised and proportionate
• Inclusive - stakeholder engagement
• Dynamic - anticipates, detects, acknowledges and responds to chg
• Considers limitations on Available Info
• Human and Cultural Factors
• Continual Improvement through learning and experience

Question 26

What are the components of the ISO 31000 Risk Mgmt Framework?

Answer 26

Leadership and Commitment is central, in conjunction with:

• Integration
• Design
• Implementation
• Evaluation
• Improvement

Question 27

What are the components of the ISO 31000 Risk Mgmt Process?

Answer 27

Scope, Context (objectives and internal, external and risk mgmt), Criteria (risk appetite), then…

Risk Assessment through:

• Risk Identification
• Risk Analysis
• Risk Evaluation, then…

Risk Treatment

Surrounded by…

• Communication and Consultation
• Monitoring and Review
• Recording and Reporting

Question 28

What is the purpose of risk mgmt according to ISO 31000?

Answer 28

The creation and protection of Value

Question 29

What is ‘PACED’?I

Principles of Risk Mgmt

Answer 29

Proportionate
Aligned
Comprehensive
Embedded
Dynamic

Question 30

What is the purpose of ISO 31000?

Answer 30

Integrating the mgmt of risk into a strategic and operational mgmt system

Question 31

What is the focus of the 2017 COSO (Committee of Sponsoring Organisations of the Treadway Commission) Double Helix?

Answer 31

• Governance and Culture
• Strategy and Objective setting (incl Risk Appetite)
• Performance
• Review and Revision
• Information, Communication and Reporting

Question 32

What are four established methods of Risk Assessment?

Answer 32

1) Checklists and Questionnaires
2) Workshops and Brainstorming
3) Inspections and Audit
4) Flowcharts and Dependency Analysis

Question 33

What is ‘Risk Perception’?

Answer 33

Bias in the identification of risks by our perceptions. One may view as significant, another not.

Based on our ‘World View’ of risk - how individuals view the reality of a given situation.

Question 34

What are the objective and subjective realities of risks?

Answer 34

Objective - likelihood it will rain tomorrow

Subjective - human perception of the risk, shaped by psychological factors, cultural factors, which may result in over/under statement of the severity

Question 35

What are some of the problems with different risk perceptions?

Answer 35

• Differing perceptions on what a risk is (risk ID)
• People hide or falsify risks for self-interest (risk ID)
• Differing views on likelihood (risk analysis)
• Different knowledge (risk analysis)
• Deliberate under/over statement of severity for self-interest (risk analysis)
• Differing views on what acceptable (risk evaluation)
• Incorrect or inconsistent data collection for assessment and treatment
• Some risks are ‘unknown unknowns’

Question 36

What are two real dangers that may result from differing risk perceptions?

Answer 36

1) Organisations mge same risks very inconsistently depending upon the individual managing it
2) Risk Mgrs may seek to achieve greater kudos through focus of efforts on managing stakeholders fears of perceived greatest risks, rather than those that are actually the most significant