ISO 31000 has introduced some important and more pertinent terms to the risk management standard, and hence helps in better orchestration and implementation of the process across the organization, yielding benefits while at the same time controlling costs and optimizing the overall use of resources.
- Risk owner is defined as a “person or entity with the accountability and authority to manage a risk.” This definition will help the risk manager reinforce to management that risk ownership must be with management and not with the risk manager.
- Risk appetite is an area that many organizations struggle with, and whilst risk appetite is not defined in ISO 31000 (it is in ISO Guide 73:2009), the Standard defines risk attitude as the organization’s “approach to assess and eventually pursue, retain, take or turn away from risk”.
- Risk management policy is also defined as a “statement of the overall intentions and direction of an organization related to risk management”.
- The risk management plan should specify the “approach, the management components and resources to be applied to the management of risk.”
ISO has released ISO Guide 73:2009 Risk management - Vocabulary to provide further guidance with respect to generic terms and definitions relating to risk management, to support consistency. It contains some of the definitions now deleted from ISO 31000. The relationships between the various components of managing risks, including the risk management framework, are better highlighted and illustrated in ISO 31000, as shown in the figure below.
Mandate and commitment: Risk management is not a one-off project; it is an ongoing activity requiring ongoing commitment. It must be mandated from the Board (or equivalent), implemented by senior management and supported by all levels of management and risk owners to be sustainable.
Design of framework for managing risk: Like all good projects, processes and strategies, risk management processes must be well designed to support effective implementation. Defining the context of the risk management framework, formulating a risk management policy, embedding processes into practice, assigning resources and determining responsibility are all key elements of designing an effective framework to manage risk. Well-designed periodic reporting to stakeholders and effective communication mechanisms will support effective implementation.
Implementing risk management: Once the framework has been designed, implementation is about putting the theory into practice and actually bringing the risk management framework to life. Specifically, this is about ensuring that the risk management process is understood by risk owners (through good communication and training), that risk management activities actually take place (through risk assessments, risk workshops, internal controls, etc.) and that decisions and business processes actually factor in risk thinking.
Monitoring and review: Involves confirmation that the various risk management elements and activities are actually working effectively in line with expectations. Any gaps identified will need to be documented and remediated.
Integrated Risk Management Principles, Framework and Processes
Risk Management Process – Explained
ISO 31000 recognizes the importance of feedback by way of two mechanisms: monitoring and review of performance, and communication and consultation. Monitoring and review ensures that the organization monitors risk performance and learns from experience. Communication and consultation is presented in ISO 31000 as part of the risk management process, but it may also be considered to be part of the supporting framework. Reporting and disclosure are only very briefly mentioned in ISO 31000, and they are not included in the process shown in the diagram below. Also, the monitoring and review feedback activities set out in ISO 31000 do not explicitly mention the tasks of monitoring risk performance and reviewing the risk management framework.
After considering numerous options and variants, ISO 31000:2009 largely adopted the same broad process as AS/NZS 4360:2004 for managing risk, as shown in the above diagram. While the process is essentially step-like, in practice there is considerable iteration between the steps and between the continuously applied elements of communication and consultation and monitoring and review. Drawing a picture of this is obviously difficult, and for this reason the diagram used in the standard was deliberately not shown as a flow chart. Its purpose is to show the relationship between the clauses of the standard that describe the process. The standard gives a set of general options to be considered when risk is treated. The order of the list reflects preference. Importantly, the options deal with risks that have downside and/or upside consequences. The options are:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
- Taking or increasing the risk in order to pursue an opportunity
- Removing the risk source
- Changing the likelihood
- Changing the consequences
- Sharing the risk with another party or parties (including contracts and risk financing)
- Retaining the risk by informed decision.
___________________________________________________________________________________________________
Author - Vijayakumar Reddy, CTO & Lead Trainer, A2A IMTCS Pvt. LTD.
© Copyright 2015 A2A - IMTCS. All rights reserved. www.iimtcs.in
The Swirl logo is a trade mark of AXELOS Limited.
ITIL® is a Registered Trade Mark of AXELOS Limited. www.axelos.com
M_o_R® is a Registered Trade Mark of AXELOS Limited.
___________________________________________________________________________________________________