ISO 31000 Risk management process

Training objective

The objective of this video is to explain the risk management process as set out in the ISO 31000 international risk standard.

What you’ll learn

The risk management process as set out in the ISO 31000 international risk standard.

Transcript

[Slide 2] Risk management process

The risk management process involves the systematic application of policies, procedures, and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording, and reporting risk.

This process should be an integral part of management and decision-making and integrated into the structure, operations and processes of the organization. It can be applied at strategic, operational, programme or project levels.

There can be many applications of the risk management process within an organization, customized to achieve objectives and to suit the external and internal context in which they are applied.

The dynamic and variable nature of human behaviour and culture should be considered throughout the risk management process.

Although the risk management process is often presented as sequential, in practice it is iterative.

[Slide 3] Key questions to ask

The key processes in risk management are risk assessment and risk treatment. Risk assessment comprises risk identification, risk analysis and risk evaluation; together with risk treatment, these form the four core steps of the process.

Key questions to ask during the risk management process:

  1. What could happen, where and when?
  2. Why and how could it happen?
  3. What could be the consequences if it happened?
  4. What controls are in place to enhance gains and prevent or minimise adverse impacts?
  5. How effective are these controls?
  6. What is the level of risk?
  7. How do we best treat the risk further?

[Slide 4] Communication and consultation

The purpose of communication and consultation is to assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required.

Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making. Close coordination between the two should facilitate the factual, timely, relevant, accurate and understandable exchange of information, considering the confidentiality and integrity of information as well as the privacy rights of individuals.

Communication and consultation with appropriate external and internal stakeholders should take place within and throughout all steps of the risk management process.

[Slide 5] Scope, context, and criteria

The purpose of establishing the scope, the context and the criteria is to customize the risk management process, enabling effective risk assessment and appropriate risk treatment. This involves defining the scope of the process and understanding the external and internal context.

The organization should define the scope of its risk management activities. As the risk management process may be applied at different levels – for example, strategic, operational, programme, project, or other activities – it is important to be clear about the scope under consideration, the relevant objectives to be considered and their alignment with organizational objectives.

The external and internal context is the environment in which the organization seeks to define and achieve its objectives.

The context of the risk management process should be established from the understanding of the external and internal environment in which the organization operates and should reflect the specific environment of the activity to which the risk management process is to be applied.

Risk management takes place in the context of the objectives and activities of the organization. The purpose and scope of the risk management process may be interrelated with the objectives of the organization.

The organization should specify the amount and type of risk that it may or may not take, relative to its objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes.

Risk criteria should be aligned with the risk management framework and customized to the specific purpose and scope of the activity under consideration. Risk criteria should reflect the organization’s values, objectives and resources and be consistent with policies and statements about risk management. The criteria should be defined taking into consideration the organization’s obligations and the views of stakeholders.

While risk criteria should be established at the beginning of the risk assessment process, they are dynamic and should be continually reviewed and amended, if necessary.

[Slide 6] Risk identification

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.

Risk assessment should be conducted systematically, iteratively, and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by further enquiry as necessary.

The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization from achieving its objectives. Relevant, appropriate, and up-to-date information is important in identifying risks.

The organization can use a range of techniques for identifying uncertainties that may affect one or more objectives.

The organization should identify risks whether or not their sources are under its control. Consideration should be given to the possibility that there may be more than one type of outcome, which may result in a variety of tangible or intangible consequences.

[Slide 7] Risk analysis

Risk analysis is about developing an understanding of each risk. It provides input to decisions on whether risks need to be further controlled and the most appropriate and cost-effective treatment actions to take.

Risk analysis involves consideration of the positive and negative consequences and the likelihood that those consequences may occur. Factors that affect consequences and likelihood may be identified. Risk is analysed by combining consequences and likelihood, considering existing controls.

Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls, and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives.

Risk analysis provides input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods. The results provide insight for decisions, where choices are being made, and the options involve different types and levels of risk.

[Slide 8] Risk evaluation

The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required.

This can lead to a decision to do nothing further, consider risk treatment options, undertake further analysis to better understand the risk, maintain existing controls, or reconsider objectives.

Decisions should take account of the wider context and the actual and perceived consequences to external and internal stakeholders.

The outcome of risk evaluation should be recorded, communicated, and then validated at appropriate levels of the organization.

[Slide 9] Risk treatment

At its simplest, risk treatment is a process to modify a risk by changing the consequences that could occur or their likelihood. This requires both creative consideration of the options and detailed design of the chosen option; both inputs are necessary to find and select the best risk treatment.

Once implemented, risk treatments will either create new controls or amend existing controls.

The purpose of risk treatment is to select and implement options for addressing risk.

[Slide 10] Risk treatment involves an iterative process

Risk treatment involves an iterative process of:

  1. Formulating and selecting risk treatment options.
  2. Planning and implementing risk treatment.
  3. Assessing the effectiveness of that treatment.
  4. Deciding whether the remaining risk is acceptable.
  5. If not acceptable, taking further treatment.

Selecting the most appropriate risk treatment option involves balancing the potential benefits derived concerning the achievement of the objectives against costs, effort or disadvantages of implementation.

[Slide 11] Options for treating risks

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.

Options for treating risk may involve one or more of the following:

  1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk.
  2. Taking or increasing the risk to pursue an opportunity.
  3. Removing the risk source.
  4. Changing the likelihood.
  5. Changing the consequences.
  6. Sharing the risk – For example, through contracts, buying insurance.
  7. Retaining the risk by informed decision.

Justification for risk treatment is broader than solely economic considerations and should take into account all of the organization’s obligations, voluntary commitments and stakeholder views. The selection of risk treatment options should be made in accordance with the organization’s objectives, risk criteria and available resources.

When selecting risk treatment options, the organization should consider the values, perceptions and potential involvement of stakeholders and the most appropriate ways to communicate and consult with them. Risk treatments that are equally effective can nonetheless be more acceptable to some stakeholders than to others.

Risk treatments, even if carefully designed and implemented, might not produce the expected outcomes and could produce unintended consequences. Monitoring and review need to be an integral part of risk treatment implementation to give assurance that the different forms of treatment become and remain effective.

Risk treatment can also introduce new risks that need to be managed.

If there are no treatment options available or if treatment options do not sufficiently modify the risk, the risk should be recorded and kept under ongoing review.

Decision-makers and other stakeholders should be aware of the nature and extent of the remaining risk after risk treatment. The remaining risk should be documented and subjected to monitoring, review and, where appropriate, further treatment.

The purpose of risk treatment plans is to specify how the chosen treatment options will be implemented so that arrangements are understood by those involved, and progress against the plan can be monitored. The treatment plan should identify the order in which risk treatment should be implemented.

Treatment plans should be integrated into the management plans and processes of the organization, in consultation with appropriate stakeholders.

[Slide 12] Monitoring and review

The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation, and outcomes. Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibilities clearly defined.

Monitoring and review should take place in all stages of the process. Monitoring and review include planning, gathering and analysing information, recording results and providing feedback.

The results of monitoring and review should be incorporated throughout the organization’s performance management, measurement and reporting activities.

[Slide 13] Recording and reporting

The risk management process and its outcomes should be documented and reported through appropriate mechanisms.

Recording and reporting aim to communicate risk management activities and outcomes across the organization, provide information for decision-making, improve risk management activities, and assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.

Reporting is an integral part of the organization’s governance and should enhance the quality of dialogue with stakeholders and support top management and oversight bodies in meeting their responsibilities.
