The international risk management standard, ISO 31000:2018 Risk management — Guidelines, provides guidelines on managing risk. The ISO 31000 is a generic standard. ISO 31000 can be used by anyone – individuals, groups of people, families, teams, organizations and governments. ISO 31000 defines a set of guidelines. These guidelines can be customized to any situation and applied to any activity, including decision-making. There are referred to as guidelines because there are voluntary. They are recommendations and not requirements. When properly implemented these guidelines will help the organization to:
- Setting objectives and increase the likelihood that these objectives will be achieved.
- Create and protect value by managing risks
- Making decisions.
- improve its ability to identify threats and opportunities.
- Improving performance.
- Improving overall resilience of the organization
- Improving operational efficiency and effectiveness.
- Comply with legal and regulatory requirement
- Encourage personnel to identify and treat risk.
- Improve your risk management controls.
- Comply with legal and regulatory requirements.
- Improve the effectiveness of your governance activities.
- Establish a sound basis for planning and decision making.
- Improve loss prevention and incident management activities.
- Encourage and support continuous organizational learning.
- Improve the trust and confidence of your stakeholders.
- Enhance both mandatory and voluntary reporting.
- Comply with international norms and standards.
Since this standard is all about managing risk, we need to define the term risk. According to ISO 31000 2018, section 3.1, risk is the “effect of uncertainty on objectives“, and an effect is a positive or negative deviation from what is expected. So, risk is the chance that there will be a positive or negative deviation from the objective we expect to achieve. ISO’s definition recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there’s always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed and every outcome is uncertain. Whenever we try to achieve an objective, we don’t always get the results we expect. Sometimes we get positive results and sometimes we get negative results and occasionally we get both. Because of this, we need to reduce uncertainty as much as we possibly can. According to ISO 31000 2018, you can reduce your uncertainty and manage your risk, by using a systematic approach to risk management.
The traditional approach to risk management combines three elements: it starts with a potential event and then combines its probability with its potential severity. A high risk event would have a high likelihood of occurring and a severe impact if it actually occurred. While ISO 31000 defines risk in a new and unusual way, the old and the new definitions are largely compatible. Both definitions talk about the same phenomena but from two different perspectives. ISO thinks of risk in goal-oriented terms. While the traditional definition thinks of risk in event-oriented terms. These two definitions can and do co-exist. They’re simply two different ways of talking about the same phenomena.
The notion of risk is closely linked to uncertainty. Risk can only be meaningfully defined in relation to objectives because it relates to the effect of uncertainty on objectives that have a potential consequence – good or bad – on your success. It cannot exist in a vacuum. It must exist in relation to the achievement of your objectives. The simplest definition of risk is “uncertainty that matters”. Risk can affect one or more of your objectives, or what might happen.. To the extent practicable, your objectives should be:
- measurable either qualitatively or quantitatively;
- achievable within the constraints imposed by the context;
- relevant to the larger goals or context; and
- achievable within a stated time frame.
Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives. Managing risk is iterative. It assists organizations in setting strategy, achieving objectives and making informed decisions. It is part of governance and leadership and is fundamental to how an organization is managed at all levels. The management of risk enables you to, for example:
- increase the likelihood of achieving objectives;
- encourage proactive management;
- be aware of the need to identify and treat risk throughout the organization;
- improve the identification of opportunities and threats;
- comply with relevant legal and regulatory requirements and international norms;
- improve mandatory and voluntary reporting;
- improve governance;
- improve stakeholder confidence and trust;
- establish a reliable basis for decision making and planning;
- improve controls;
- effectively allocate and use resources for risk treatment;
- improve operational effectiveness and efficiency;
- enhance health and safety performance, as well as environmental protection;
- improve loss prevention and incident management;
- minimize losses;
- improve organizational learning; and
- improve organizational resilience.
SCOPE OF ISO 31000:2018
The scope of ISO 31000:2018:
- Provides guidelines in managing risks customized to any organization
- Follows a common approach
- Covers entire lifecycle for organizational risk management
- Applied at all levels and functions
- Decision making
ISO 31000:2018 can be used by any organization no matter what size it is or what it does. It can be used by both public and private organizations and by groups, associations, and enterprises of all kinds. It is not specific to any sector or industry and can be applied to any type of risk. ISO 31000 can be applied to the achievement of any and all types of objectives at all levels and in all areas. It can be used at a strategic level to help make decisions and can be applied to all kinds of activities. It can also be used to help manage and control all kinds of processes, operations, functions, projects, programs, products, services, and assets. However, exactly how you apply ISO 31000 is up to you and will depend on your organization’s needs, objectives, and challenges, and should reflect what it does and how it operates.
ISO 31000 Principles of Risk Management
As per the ISO 31001 this is the principle are:
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and comparable results.
The risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.
Appropriate and timely involvement of stakeholders enables their knowledge, views and
perceptions to be considered. This results in improved awareness and informed risk
Risks can emerge, change or disappear as an organization’s external and internal context
changes. Risk management anticipates, detects, acknowledges and responds to those
changes and events in an appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current information, as well as on
future expectations. Risk management explicitly takes into account any limitations and
uncertainties associated with such information and expectations. Information should be
timely, clear and available to relevant stakeholders.
g) Human and cultural factors
Human behavior and culture significantly influence all aspects of risk management at each
level and stage.
h) Continual improvement
Risk management is continually improved through learning and experience.
Elaborating it further :
- An organization should integrate its risk management efforts into all parts and activities of the organization.
- Risk management is not separated from the main activities and processes of the organization as it is a part of decision-making in every department.
- Risk management is embedded into the organization’s processes and is a part of management’s responsibilities
2. Structured and Comprehensive
- Creating and following a comprehensive, structured risk management approach leads to the most consistent, desirable risk management outcomes.
- Approaching risk management in a systematic way contributes to efficiency and consistent results within the organization as well as a comprehension for everyone involved
- Risk management is structured with guidelines and procedures to follow in order to maintain productivity and efficacy
- An organization’s risk management approach should be customized to their own needs, including the organization’s objectives and the external and internal context in which the organization operates.
- Risk management processes are not one-size-fits-all and must be tailored to the organization’s external and internal context in order to reach objectives.
- When the context is established in both internal and external environments, objectives can be captured and risk management can be customized to the unique organization
- To be most effective, risk management should involve all stakeholders in appropriate and timely ways. This allows the different knowledge sets, views, and perceptions of all stakeholders to be considered and implemented into risk management efforts.
- The involvement of stakeholders allows their knowledge and views to be considered, guaranteeing that risk management is relevant and up to date
- Risk management is transparent; it is easy to understand and doesn’t include confusing jargon, allowing stakeholders to be included in the framework
- As the organization changes, including its external and internal context, the organization’s risk management program and efforts should change, too. Change is inevitable and successful organizations know how to work with change. A risk management program should help the organization anticipate, identify, acknowledge, and respond to changes in an appropriate and timely way.
- Context and knowledge within an organization change constantly and should be acknowledged as they do
- Risk management must respond to change continually and in a timely manner to maintain efficiency and results
- Risks emerge, change, and disappear as internal and external events occur, so risk management must be anticipatory
6. Best Available Information
- An organization will never have all of the information needed, but action must be taken when an organization has the best available data
- Historical and current information, as well as the limitations of these, must be taken into account
- All known information should be available to stakeholders
- Effective risk management is done by considering information from the past and present as well as anticipating the future. Therefore, the information from the past and present must be as reliable as possible, and risk managers must consider the limitations and uncertainties with that past and present information. All relevant stakeholders should receive necessary information in a timely and clear manner.
7. Human and Cultural Factors
- Risk management is influenced significantly by human behavior and culture
- The organization’s capabilities, as well as the goals of the people within and around it, must be recognized by risk management to achieve, or inhibit, the goals of the business.
- Risk management is a human activity and it takes place within one or more culture (organizational culture, etc.). Risk managers must be aware of the human and culture factors that the risk management effort takes place in and know the influence that human and culture factors will place on the risk management effort.
8. Continual Improvement
- Improving continually through experience ensures the organization’s resiliency
- PDCA is a risk management process: plan, do, check, adjust. This is a cycle that keeps the organization continually improving while factors change over time
- Appropriately adapting to results in risk management allows the organization to grow exponentially in every aspect, and continue to do so.
- Through experience and learning, risk managers must strive to continually improve an organization’s risk management efforts.
Risk Management Framework
The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions. The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making. This requires support from stakeholders, particularly top management. Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across the organization. The organization should evaluate its existing risk management practices and processes, evaluate any gaps and address them within the framework. The components of the framework should be customized to the needs of the organization
Leadership & Commitment
Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by:
- customizing and implementing all components of the framework;
- issuing a statement or policy that establishes a risk management approach, plan or course of action;
- ensuring that the necessary resources are allocated to managing risk;
- assigning authority, responsibility and accountability at appropriate levels within the organization.
This will help organization to:
- align risk management with its objectives, strategy and culture;
- recognize and address all obligations, as well as its voluntary commitments;
- establish the amount and type of risk that may or may not be taken to guide the development of risk
- criteria, ensuring that they are communicated to the organization and its stakeholders;
- communicate the value of risk management to the organization and its stakeholders;
- promote systematic monitoring of risks;
- ensure that the risk management framework remains appropriate to the context of the organization.
Top management is accountable for managing risk while oversight bodies are accountable for overseeing risk management. Oversight bodies are often expected or required to:
- ensure that risks are adequately considered when setting the organization’s objectives;
- understand the risks facing the organization in pursuit of its objectives;
- ensure that systems to manage such risks are implemented and operating effectively;
- ensure that such risks are appropriate in the context of the organization’s objectives;
Integrating risk management relies on an understanding of organizational structures and context. Structures differ depending on the organization’s purpose, goals and complexity. Risk is managed in every part of the organization’s structure. Everyone in an organization has responsibility for managing risk. Governance guides the course of the organization, its external and internal relationships, and the rules, processes and practices needed to achieve its purpose. Management structures translate governance direction into the strategy and associated objectives required to achieve desired levels of sustainable performance and long-term viability.
Determining risk management accountability and oversight roles within an organization are integral parts of the organization’s governance. Integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization’s needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy objectives and operations
a) Understanding the organization and its context
When designing risk, the organization must have a proper understanding of its external and internal context. Organization external context should consider:
- the social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
- key drivers and trends affecting the objectives of the organization;
- external stakeholders’ relationships, perceptions, values, needs and expectations;
- contractual relationships and commitments;
- the complexity of networks and dependencies.
Examining the organization’s internal context may include, but is not limited to:
- vision, mission and values;
- governance, organizational structure, roles and accountabilities;
- strategy, objectives and policies;
- the organization’s culture;
- standards, guidelines and models adopted by the organization;
- capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);
- data, information systems and information flows;
- relationships with internal stakeholders, taking into account their perceptions and values;
- contractual relationships and commitments;
b) Articulating risk management commitment
The organization’s Top management and oversight bodies must show their commitment to risk management by having a policy, that conveys organization’s objectives and commitment to risk management. The commitment must include at minimum:
- its purpose to managing risk and how it links to its objectives and other policies;
- to integrate risk management into the culture of the organization;
- to the integration of risk management into core business activities and decision making;
- authorities, responsibilities and accountabilities;
- the necessary resources;
- the way in which conflicting objectives are dealt with;
- measurement and reporting within the organization’s performance indicators;
- review and improvement.
The risk management commitment should be communicated within an organization and to the appropriate stakeholders.
c) Assigning organizational roles, authorities, responsibilities and accountabilities
Top management and oversight bodies must ensure that the roles, authorities, responsibilities and accountabilities related risk management are assigned. This must be communicated at all levels of the organization. This must emphasize that risk management is a core responsibility and identify risk owner.
d) Allocating resources
Taking in consideration of the capabilities and constraints of existing resources, Top management and oversight bodies, must allocation appropriate resources for risk management, which may be:
- people, skills, experience and competence;
- the organization’s processes, methods and tools to be used for managing risk;
- documented processes and procedures;
- information and knowledge management systems;
- professional development and training needs.
e) Establishing communication and consultation
To ensure that risk management applied effectively throughout the organization, an approved approach to communication and consultation must be established so as to support the framework. Communication means that the organization is sharing information with targeted audiences. Consultation means that the organization is taking feedback from the participants so that the organization is able to shape proper decision or improve upon the other activities. where appropriate it should reflect the expectations of stakeholders. Communication and consultation should be timely and ensure that relevant information is collected, collated, synthesized and shared and that feedback is provided and improvements are made.
To implement the risk management framework, the organization must:
- establish a proper plan which must also include time and resources;
- there must be absolute clarity across the organization, as when a decision is to be made, how it is to be made , where to be made and by whom its to be be made. This is applicable for all the different types of decisions.
- If necessary the organization may modifying the applicable decision-making processes.
- The processes for managing risk must be clearly understood within the organization and practiced across the organization.
The engagement and awareness of stakeholders are required so as to explicitly address uncertainty in decision-making and also ensuring that any new or subsequent uncertainty can be taken into account if it arises.
Properly designing and implementing the decision-making process will ensure that the changes in external and internal contexts are adequately captured.
To evaluate the effectiveness of the risk management framework, the organization must periodically measure risk management framework performance against its purpose, implementation plans, indicators and expected behavior and then must ensure that it remains suitable to support achieving the objectives of the organization.
To improve it value and to address external and internal changes the organization must always monitor and adapt the risk management framework.
b) Continually improving
Once the risk management framework is established the organization must always look to improve its suitability, adequacy and effectiveness and also how risk management process is integrated. If any gaps or improvement opportunities are identified, the organization must develop plans and tasks and it has to be assigned to those people who are accountable to implement The. Once implemented, these improvements will be able to contribute to the enhancement of risk management.
Risk management process
The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk. It comprises the activities described in the diagram shown below.
Properly designed and implemented, your risk management framework will ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and that changes in external and internal contexts will be adequately captured. A risk management framework set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization. Your risk management activities should be an integral part of management and decision-making and integrated into the structure, operations and processes of an organization. It can be applied at strategic, operational, program or project levels. There can be many applications of the risk management process. But it must be customized to achieve objectives and to suit the external and internal context in which it is applied. The dynamic and variable nature of human behavior and culture should be considered throughout your risk management process. Although the risk management process is often presented as sequential steps, in practice, they are iterative activities. A summary of the key activities for the risk management process is shown in the table below.
Communication and consultation
Effective communication and consultation are essential to ensure that those responsible for identifying and managing risks and those with a vested interest understand the basis on which risk-informed decisions are made and reasons why particular actions and treatments are selected. The purpose of communication and consultation is to assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required. It is a continual and iterative process to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk. A stakeholder is a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making. Consultation is a two-way process of informed communication between an individual or organization and its stakeholders on an issue before making a decision or determining a direction on that issue. It is a process which impacts a decision through influence rather than power and an input to decision making, not joint decision making.
Close coordination between two stakeholders should facilitate the factual, timely, relevant, accurate and understandable exchange of information, considering the confidentiality and integrity of information as well as the privacy rights of individuals. The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of the management of risk. Communication and consultation with appropriate external and internal stakeholders should take place within and throughout all activities of the risk management process. Risk management is enhanced through effective communication and consultation when all parties and stakeholders understand each other’s perspectives and, where appropriate, are actively involved in the decision-making process. A collaborative and consultative approach is more likely to:
- Help establish the context appropriately and ensure that the interests of all stakeholders are understood and considered.
- Ensure that uncertainties, risks, issues and opportunities are adequately identified and managed.
- Bring together different areas of expertise when assessing or analyzing risks to ensure different, and sometimes opposing, views are appropriately considered when defining the risk criteria and when assessing risks.
- Help secure endorsement, support and commitment for a treatment plan.
- Enhance any change management processes associated with making risk-informed decisions.
- Methods of communication and consultation may include meetings, reports, on-line communication systems and learning packages, newsletters and flow charts.
Scope, context and criteria
The purpose of establishing the scope, the context and criteria is to customize the risk management process and enabling effective risk assessment and appropriate risk treatment.
You should define the scope of your risk management activities. As your risk management activities may be applied at different levels (e.g. strategic, operational, program, project, or other activities), it is important to be clear about the scope under consideration, the relevant objectives to be considered and their alignment with your objectives. When planning the approach, considerations include:
b) Defining the scope
- Objectives and decisions that need to be made.
- Outcomes expected from the activities.
- Time, location, specific inclusions and exclusions.
- Appropriate risk assessment tools and techniques.
- Resources required, responsibilities and records to be kept.
- Relationships with other projects, processes and activities.
c) External and internal context
Your external and internal context is the environment in which you seek to define and achieve your objectives. The context of your risk management activities should be established from the understanding of the external and internal environment in which you operate in. It should reflect the specific environment to which the risk management activities are to be applied. Establishing the context sets the structure and foundation within which the risk assessment should be undertaken. It ensures that reasons for carrying out the risk assessment are clear. It also provides the backdrop of circumstances against which risks can be identified and assessed. Understanding the context is important because:
- Risk management takes place in the context of your objectives and activities.
- Your individual, team or organizational factors can be a source of uncertainty, risk and opportunity.
- The purpose and scope of the risk management process may be interrelated with your objectives.
d) Defining risk criteria
You should specify the amount and type of risk that you may or may not take, relative to your objectives. Risk criteria are the terms of reference against which the significance of a risk is determined. It is a set the criteria for:
- Deciding whether a risk or an opportunity can be accepted in pursuit of your objectives.
- Sometimes referred to as risk appetite, it specifies a technique to determine the magnitude of risk, or a parameter related to risk, together with a limit beyond which risk becomes unacceptable.
- The acceptability of risk can also be defined by specifying the acceptable variation in specific performance measures linked to objectives.
- Different criteria might be specified according to the type of consequence. For example, the criteria for accepting financial risk may differ from those defined for risk to human life.
Evaluating the significance of a risk.
An evaluation of the significance of a risk compared to other risks is often based on an estimate of the magnitude of risk compared with criteria which are directly related to thresholds set around your objectives. Comparison with these criteria can inform you which risks should be focused on for treatment, based on their potential to drive outcomes outside of thresholds set around objectives. The magnitude of risk is seldom the only criterion relevant to decisions about the significance of a risk. Other relevant factors can include sustainability (e.g. triple bottom line) and resilience, ethical and legal criteria, the effectiveness of controls, the maximum impact if controls are not present or fail, the timing of the consequences, the costs of controls and stakeholder views.
Deciding between options.
An organization will be faced with many decisions where several, often competing, objectives are potentially affected, and there are both potential adverse outcomes and potential benefits to consider. For such decisions, several criteria might need to be met and trade-offs between competing objectives might be required. Criteria relevant to the decision should be identified. How the criteria are to be weighted or trade-offs made should be decided and accounted for. In setting criteria, the possibility that costs and benefits may differ for different stakeholders should be considered. The way in which different forms of uncertainty are to be taken into account should be decided. This is where your attitude, appetite and tolerance for risk come in.
It is your approach to assess and eventually pursue, retain, take or turn away from risk.
It is the amount and type of risk that you are willing to pursue or retain to achieve our objectives and outcomes.
It is your readiness to bear the risk after risk treatments are implemented to achieve your objectives and outcomes. While criteria should be established at the beginning of the risk assessment process, they are dynamic and should be continually reviewed and amended, if necessary. To set the criteria to evaluate the significance of a risk and to support decision-making processes, the following should be considered:
- The nature and type of uncertainties, risks and opportunities that can affect outcomes and objectives (both tangible and intangible).
- How consequences – both positive and negative – and likelihood will be defined and measured.
- Time-related factors.
- Consistency in the use of measurements.
- How the level of risk is to be determined.
- How combinations and sequences of multiple risks will be taken into account.
- The capacity to manage risks.
Risk assessment is the overall process of:
A process of finding, recognizing and describing risks.
A process to comprehend the nature of risk and to determine the level of risk.
A process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Risk assessment should be conducted systematically, iteratively and collaboratively. This activity draws on the knowledge and views of stakeholders. It should use the best available information, supplemented by further enquiry as necessary. Successful risk assessment is dependent on effective communication and consultation with internal and external stakeholders. Involving stakeholders during the risk assessment activity will assist in:
- Ensuring that the interests of stakeholders are well understood and considered.
- Bringing together different areas of expertise for identifying and analyzing risk.
- Ensuring that different views and concerns are appropriately considered when evaluating risks.
- Ensuring that risks, issues and opportunities are adequately identified.
The risk assessment activity provides decision-makers and stakeholders with an understanding of uncertainties, risks and opportunities that could affect the achievement of your objectives and adequacy and effectiveness of controls already in place. Outputs from the risk assessment activity are inputs to decision-making processes and provide the basis for decisions about the most appropriate approach to be used to treat the risks or take advantage of the opportunity.
IEC 31010:2019 Risk management — Risk assessment techniques , an international risk assessment standard, provides further guidance on the selection and application of various techniques that can be used to help you improve the way uncertainty is taken into account and to help you understand uncertainties, risks and opportunities. The techniques described in the standard provide a means to improve understanding of uncertainty and its implications for your decisions and actions. It can assists you in making decisions where there is uncertainty, to provide information about particular risks and as part of a process for managing risk. IEC 31010:2019 categorizes techniques according to their primary application in assessing risk, namely:
- eliciting views from stakeholders and experts,
- identifying risk;
- determining sources and causes (or drivers of risk);
- analyzing existing controls;
- understanding consequences and likelihood;
- analyzing dependencies and interactions;
- providing measures of risk;
- evaluating the significance of a risk;
- selecting between options
- recording and reporting.
b) Risk identification
The purpose of risk identification is to find, recognize and describe risks that might help or prevent you from achieving your objectives. Identifying risk enables uncertainty to be explicitly taken into account. All sources of uncertainty and both beneficial and detrimental effects might be relevant, depending on the context and scope of the assessment. Risk identification involves the identification of risk sources, events, their causes (drivers of risk) and their potential consequences. A risk source is an element which alone or in combination has the intrinsic potential to give rise to risk. An event (or incident or accident) is an occurrence or change of a particular set of circumstances. It can be one or more occurrences and can have several causes. Identify what might happen (known uncertainties) or what situations exist that might affect the achievement of objectives and outcomes. This includes identifying risks that are associated with not pursuing an opportunity. This is the risk of doing nothing and potentially missing out on an opportunity to improve performance. In identifying the risk, consider the following:
- What could happen – What might go wrong? What might prevent the achievement of objectives? What risks could threaten your intended outcomes?
- How could it happen – Is the risk likely to occur at all or happen again? If so, what could cause the risk event from occurring?
- Where could it happen – Is the risk likely to occur anywhere, in any environment or place? Or is it a risk that is dependent on your location, physical area or activity?
- Why might it happen – What factors would need to be present for the risk event to occur again? Understand why a risk event might occur or be repeated.
- What might be the consequence – If the risk event were to eventuate, what consequences would, or might this have on objective and outcome? Will the consequence be felt locally, or will it impact on the whole organization?
- Who does or can influence the outcome – How much is within your control or influence? Make sure that those with delegations, control, influence, resources and budgets are informed. This becomes more important when considering the treatments for the risk.
- Who is the risk owner – A risk owner is a person or entity with the accountability and authority to manage the risk and coordinate activities with control and treatment owners.
Relevant, appropriate and up-to-date information is important in identifying risks. The following factors, and the relationship between these factors, should be considered during the risk identification activity:
- tangible and intangible sources of risk;
- causes (risk drivers) and events;
- threats and opportunities;
- vulnerabilities and capabilities;
- changes in the external and internal context;
- indicators of emerging uncertainties and risks;
- the nature and value of assets and resources;
- consequences and their impact on objectives;
- limitations of knowledge and reliability of information;
- time-related factors; and
- biases, assumptions and beliefs of those involved.
Consideration should be given that there may be more than one type of outcome, which may result in a variety of tangible or intangible consequences. Once a risk is identified, identify any existing controls such as design features, people, processes and systems.
c) Risk analysis
The purpose of risk analysis is to comprehend the nature of the identified risk and its characteristics including, where appropriate, the level of risk. Level of risk, or risk rating, is the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood. The risk analysis activity involves a detailed consideration of uncertainties, sources, causes (drivers of risk), consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives. Risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of the information, and the resources available. Your analysis techniques can be qualitative, quantitative or a combination of these, depending on the circumstances and intended use. Risk analysis should consider factors such as:
- the likelihood of events and consequences;
- the nature and magnitude of consequences;
- complexity and connectivity;
- time-related factors and volatility;
- the effectiveness of existing controls; and
- sensitivity and confidence levels.
Risk can be associated with several different types of consequences, impacting different objectives. Consequences might also change overtime. For example, the adverse impacts of a fault might become more severe the longer the fault exists. Sometimes consequences result from exposures to multiple sources of risk.
Likelihood can refer to the likelihood of an event or the likelihood of a specified consequence. The parameter to which a likelihood value applies should be explicitly stated. The event or consequence whose likelihood is being stated should be clearly and precisely defined.
There are usually many interactions and dependencies between uncertainties, risks and opportunities. For example, multiple consequences can arise from a single cause or a particular consequence might have multiple causes. Existing controls and their effectiveness must be taken into account during this risk analysis activity as the level of risk will depend on theiradequacy and effectiveness. Control is something that is currently in place that is reducing the risk. Itis often brought in as a result of a previous situation or incident. There are three categories of controls:
- Preventative – To reduce the likelihood of a situation occurring including policies and procedures, approvals, authorizations, police checks and training. These controls generally target the causes or drivers of a risk event.
- Detective – To identify failures in the current control environment including performance reviews, reconciliations, audits and investigations.
- Corrective – To reduce the consequence and rectify a failure after it has been discovered including the crisis management and business continuity plans, insurance and disaster recovery plans. These controls generally target the potential consequences of a risk event.
Risk is affected by the overall effectiveness of any controls that are in place. The following aspects of controls should be considered:
- the mechanism by which the controls are intended to modify risk;
- whether the controls are in place, are capable of operating as intended, and are achieving the expected results;
- whether there are shortcomings in the design of controls or the way they are applied;
- whether there are gaps in controls;
- whether controls function independently, or if they need to function collectively to be effective;
- whether there are factors, conditions, vulnerabilities or circumstances that can reduce or eliminate control effectiveness including common cause failures; and
- whether controls themselves introduce additional risks.
Any assumptions made during risk analysis about the actual effect and reliability of controls should be validated where possible, with an emphasis on individual or combinations of controls that are assumed to have a substantial modifying effect. This should consider information gained through routine monitoring and review of controls. In many cases these situations or incidents arise, not because of a lack of controls, but because of failure of existing controls. The real key to managing risks effectively is to ensure that your existing controls are effective by considering the following:
- What are the existing controls for a particular risk event?
- Are those controls capable of adequately managing or treating the risk event so that it is controlled to a level that is tolerable or acceptable?
Your risk analysis activity may be influenced by any divergence of opinions, biases, perceptions of risk and judgements. Additional influences are the quality of the information used, the assumptions and exclusions made, any limitations of the techniques and how they are executed. These influences should be considered, documented and communicated to decision-makers.
The risk analysis activity provides an input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods. The results provide insight for decisions, where choices are being made, and the options involve different types and levels of risk.
d) Risk evaluation
The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required. This activity uses the understanding of risk obtained during risk analysis to make risk-informed decisions about potential future actions. Ethical, legal, financial and other considerations, including perceptions of risk, are also inputs into the decision-making process. This can lead to a decision to:
- do nothing further;
- consider risk treatment options;
- undertake further analysis to better understand the risk;
- maintain existing controls; or
- reconsider objectives.
The information from risk identification and analysis can be used to conclude whether the risk should be accepted and the comparative significance of the risk relative to the objectives and performance thresholds. This provides input into decisions about whether a risk is acceptable or requires treatment and any priorities for treatment. Decisions should take account of the wider context and the actual and perceived consequences to external and internal stakeholders. A risk may be acceptable or tolerable in the following circumstances:
- no treatment is available;
- treatment costs are prohibitive or uneconomical;
- the level of risk is low and does not warrant using resources to treat the risk;
- opportunities involved significantly outweigh the threats; or
- a conscious decision has been made not to treat it.
Factors other than the magnitude of risk that can be taken into account in deciding priorities include:
- other measures associated with the risk such as the maximum or expected consequences or the effectiveness of controls;
- the qualitative characteristics of events or their possible consequences;
- the views and perceptions of stakeholders;
- the cost and practicability of further treatment compared with the improvement gained; or
- interactions between risks including the effects of treatments on other risks.
The outcome of risk evaluation should be recorded, communicated and then validated at appropriate levels of the organization. Once risks have been evaluated and treatments decided, the risk assessment activity can be repeated to check that proposed treatments have not created additional adverse risks and that the risk remaining after treatment is within your risk appetite.
The purpose of risk treatment is to select and implement options for addressing risk. Having completed a risk assessment, treating a risk involves selecting and implementing one or more treatment options that will change the likelihood of occurrence, the consequences of the risk, or both. Risk treatment involves an iterative process of:
- formulating and selecting risk treatment options;
- planning and implementing risk treatment;
- assessing the effectiveness of that treatment;
- deciding whether the remaining risk is acceptable; and
- if not acceptable, taking further treatment.
b) Selection of risk treatment option
Selecting the most appropriate risk treatment option involves balancing the potential benefits derived in relation to the achievement of the objectives against costs, effort or disadvantages of implementation. Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. Options for treating risk may involve one or more of the following:
- avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- taking or increasing the risk to pursue an opportunity;
- removing the risk source;
- changing the likelihood;
- changing the consequences;
- sharing the risk (e.g. through contracts, buying insurance); or
- retaining the risk by informed decision.
If the goal is to reduce the likelihood of the risk, then you may need to adjust your approach. Successfully altering the approach will depend on identifying the causes of the risk and causal links between the risk and its consequences, both of which should have been identified in the risk assessment activity.
If the goal is to reduce the consequence of the risk, then a contingency plan might be required to respond to the risk. This planning may be undertaken in combination with other controls. That is, even if steps have been taken to minimize the likelihood of the risk, it may still be worthwhile to have a plan in place to reduce the consequence of the risk. If the goal is to share the risk, then involving another party such as an insurer or contractor may help. Risk can be shared contractually, by mutual agreement, and in a variety of ways that meet all parties’ needs and requirements. Such arrangements should be formally recorded –whether through a contract, agreement or a formal letter. Sharing the risk does not remove the obligation and accountability for managing the risk. A risk cannot be transferred to another party. If the risk is so significant that the goal is to eliminate or avoid it altogether, then the treatment option is to change the project scope or design. Justification for risk treatment is broader than solely economic considerations. It should take into account all obligations, voluntary commitments and stakeholder views. The selection of risk treatment options should be made per your objectives, risk criteria and available resources.
When selecting risk treatment options, consider the values, perceptions and potential involvement of stakeholders and the most appropriate ways to communicate and consult with them. Though equally effective, some risk treatments can be more acceptable to some stakeholders than to others. Risk treatments, even if carefully designed and implemented might not produce the expected outcomes and could produce unintended consequences. Monitoring and review need to be an integral part of the risk treatment implementation to give assurance that the different forms of treatment become and remain effective. Risk treatment can also introduce new risks that need to be managed. If there are no treatment options available or if treatment options do not sufficiently modify the risk, the risk should be recorded and kept under ongoing review. Decision-makers and other stakeholders should be aware of the nature and extent of the remaining risk after risk treatment. The remaining risk should be documented and subjected to monitoring, review and, where appropriate, further treatment.
c) Preparing and implementing risk treatment plans
Once treatment options have been identified and appropriate treatments have been selected for implementation by treatment owners, treatment plans may be prepared to monitor implementation progress. The purpose of risk treatment plans is to specify how the chosen treatment options will be implemented. This is where arrangements are understood by those involved and progress against the plan can be monitored. The treatment plan should identify the order in which risk treatment should be implemented. The plans should be integrated into the management plans and processes, in consultation with appropriate stakeholders. The information provided in the treatment plan should include:
- rationale for selection of the treatment options, including the expected benefits to be gained;
- those who are accountable and responsible for approving and implementing the plan;
- proposed actions;
- resources required, including contingencies;
- performance measures;
- constraints and assumptions;
- reporting and monitoring arrangements; and
- when actions are expected to be undertaken and completed.
In implementing treatments, consider the following questions:
- Do the treatments appear to have the desired effect? Will they stop or reduce what they are meant to stop or reduce?
- Will the controls trigger any other risks? For example, a sprinkler system to counter a fire may cause water damage, presenting a different risk requiring consideration or management (unintended consequences).
- Are the treatments beneficial or cost-efficient? Does the cost of implementing the treatment outweigh the cost attributed to the risk occurring without the control in place? Overall, is the cost of implementing the treatment reasonable for this risk?
Even if existing controls are rated as ‘effective’, you may consider implementing further treatments to further strengthen their effectiveness. Once treatments are implemented, the residual risk rating should generally be lower than the original risk rating. The level of residual risk refers to the likelihood and consequence of the risk occurring after the risk has been treated.
Residual risks should be documented, monitored and reviewed. Where appropriate, further treatments might be prudent. However, even when a risk has been treated and controls are in place, the risk may not be eliminated or could remain high.
Monitoring and review
The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. The two key actions:
- Monitoring and identifying change from the performance level required or expected.
- Reviewing the suitability, adequacy and effectiveness of the risk management process, risk, controls and treatments to achieve established objectives. This includes determining whether the operating environment has changed and whether new risks have emerged.
Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of your risk management activities, with responsibilities clearly defined.
As part of the risk management process, risks, controls and treatments should be monitored and reviewed regularly to verify that:
- Assumptions about the uncertainties, risks and opportunities remain valid.
- Expected results and performance are being achieved.
- Results of risk assessments are in line with experience or expectations.
- Risk assessment techniques are properly applied and working effectively.
- Risk treatments are effective.
Monitoring and review should take place through your risk management activities. It includes planning, gathering and analyzing information, recording results and providing feedback. The results of monitoring and review should be incorporated in your performance management, measurement and reporting activities.
Recording and reporting
The risk management activities and its outcomes should be documented and reported through appropriate mechanisms. Recording and reporting aim to:
- communicate risk management activities and outcomes across the organization;
- provide information for decision-making;
- improve risk management activities; and
- assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.
Decisions concerning the creation, retention and handling of documented information should consider, but not be limited to, their use, information sensitivity and the external and internal context. Reporting is an integral part of an organization’s governance. It should enhance the quality of dialogue with stakeholders and support top management and oversight bodies in meeting their responsibilities. Factors to consider for reporting include, but are not limited to:
differing stakeholders and their specific information needs and requirements;
- cost, frequency and timeliness of reporting;
- method of reporting; and
- relevance of the information to objectives and decision-making.
The purpose of records is to:
- Communicate information about risk to decision-makers and other stakeholders including regulators.
- Provide a record and justification of the rationale for decisions made.
- Preserve the results of assessment for future use and reference.
- Track performance and trends.
- Provide confidence that uncertainties, risks and opportunities are understood and are being managed appropriately.
- Enable verification of the assessment.
- Provide an audit trail.