Principles of risk management

https://preteshbiswas.com/wp-content/uploads/2024/10/Principles-of-Risk-Management_-Biswas-on-ISO-31000.wav

Risk management is the set of activities within an organization undertaken to deliver the most favorable outcome and reduce the volatility or variability of that outcome. ISO Guide 73 and BS 31100 define risk management as “Co-ordinated activities to direct and control an organization with regard to risk.” HM Treasury defines risk management as “All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.”

Risk management has evolved and is used by many different professionals. It became more organized in the 1950s when insurance became too expensive and didn’t cover enough risks. In Europe, by the 1970s, a combined approach to risk control and financing was developed, and the idea of managing the total cost of risk became important. In the U.S., risk management in the 1950s mostly involved buying insurance. During the 1960s, companies started focusing on contingency planning. In the 1970s, businesses began using self-insurance and keeping some risks themselves. In the 1980s, risk management started to be applied more in managing projects. By the 1990s, new financial products combined insurance and derivatives, and corporate governance pushed companies to take enterprise risk management (ERM) more seriously, leading to the first chief risk officers (CROs). In the 2000s, companies, especially in the financial and energy sectors, developed internal risk management systems and hired more CROs. The Sarbanes-Oxley Act of 2002 made U.S. companies focus even more on ERM. However, the 2008 financial crisis raised questions about how much risk management can help businesses, particularly in finance. Today, risk management is a more mature field, with less focus on insurance alone, as risks related to finance, markets, and reputation are now seen as very important and often fall outside of traditional insurance coverage.
One of the most well-known areas of risk management is health and safety at work. Another important area is disaster recovery and business continuity planning. Quality management is also a well-established part of risk management, especially with systems like ISO 9000 being widely recognized. Over the years, other specialized areas of risk management have emerged, such as:

  • Project risk management
  • Clinical/medical risk management
  • Energy risk management
  • Financial risk management
  • IT risk management.

All these specialized areas of risk management have played a big role in developing risk management tools and techniques. Project risk management is especially advanced, focusing on managing uncertainty and controlling risks. Besides project and clinical risk management, these tools have been widely used in industries like finance and energy. In finance, risk management focuses on operational, market, credit, and other financial risks. The title “Chief Risk Officer” first emerged in the finance sector. In the energy sector, risk management often deals with future energy prices and exploration risks, which are similar to treasury functions that use hedging and other financial strategies. Financial risk management has become highly important, particularly in addressing operational risks. However, it also covers credit and market risks. The finance and insurance industries are heavily regulated by global standards like Basel III and Solvency II. IT risk management is another well-established branch, focusing on data management and security. Specific standards, such as COBIT, have been developed to guide IT risk management.

8R and 4T of (hazard) risk management

Risk management follows a series of well-defined steps, which together create an effective process. Each step plays a key role in managing risks. This process is known as the 8R and 4T of hazard risk management. The main activities involved in managing risks are:

  • Recognizing risks
  • Rating the risks
  • Ranking them based on criteria
  • Responding to the most important risks
  • Allocating resources for controls
  • Planning for reactions or events
  • Reporting on risk performance
  • Reviewing the overall risk management system

Here is a simple breakdown of the 8R and 4T of hazard risk management:

  1. Recognize: Identify potential risks.
  2. Rank: Prioritize risks based on their potential impact and likelihood.
  3. Respond: Develop appropriate strategies to address each risk.
    • 4Ts of Risk Response: These represent the specific strategies for handling identified risks.
      • Tolerate: Accept the risk when the cost of mitigation exceeds the benefits.
      • Treat: Take actions to reduce the likelihood or impact of the risk (e.g., controls).
      • Transfer: Shift the risk to another party (e.g., insurance or outsourcing).
      • Terminate: Eliminate the risk by stopping the activity that causes it.
  4. Report: Communicate risk status and strategies to stakeholders.
  5. Review: Continuously monitor and reassess risks.
  6. Reduce: Implement measures to lower the impact or likelihood of a risk.
  7. Recover: Plan how to recover from the impacts if a risk materializes.
  8. Remedy: Correct issues and improve future responses.
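The Rate, Rank, Respond and Report steps above, worked through on a small hazard-risk register, as an added example that is not part of the original article. The register, the 1..5 scoring bands, the risk appetite and the rules that pick one of the 4Ts are assumptions made for this illustration; the one rule taken from the text is that a control costing more than the loss it removes is not worth applying, so the risk is tolerated instead.

```python
"""Worked 8R/4T example: rate, rank and respond to a small hazard-risk register.

Sample register, scoring bands, appetite and response rules are constructed
assumptions for this illustration, not figures from the article.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Treatment:
    """A candidate control: its annual cost and the residual risk it leaves."""
    name: str
    cost: float
    residual_probability: float
    residual_loss: float


@dataclass
class Risk:
    name: str
    probability: float            # chance of occurring in the planning period
    loss: float                   # estimated loss if it occurs (currency units)
    transferable: bool = False    # can it be insured or outsourced?
    treatments: List[Treatment] = field(default_factory=list)


# Assumed upper thresholds for bands 1..4; anything above the last is band 5.
LIKELIHOOD_BANDS = (0.05, 0.2, 0.5, 0.8)
IMPACT_BANDS = (10_000, 50_000, 200_000, 1_000_000)
RISK_APPETITE = 8                 # assumed: ratings above this need a response


def band(value: float, thresholds) -> int:
    """Map a value onto a 1..5 band using ascending upper thresholds."""
    for score, upper in enumerate(thresholds, start=1):
        if value <= upper:
            return score
    return 5


def rate(probability: float, loss: float) -> int:
    """Rate step: likelihood band x impact band, giving a 1..25 rating."""
    return band(probability, LIKELIHOOD_BANDS) * band(loss, IMPACT_BANDS)


def expected_loss(probability: float, loss: float) -> float:
    return probability * loss


def rank(register: List[Risk]) -> List[Risk]:
    """Rank step: highest rating first, ties broken by expected loss."""
    return sorted(register, reverse=True,
                  key=lambda r: (rate(r.probability, r.loss),
                                 expected_loss(r.probability, r.loss)))


def best_treatment(risk: Risk) -> Optional[Treatment]:
    """Treatment with the largest net benefit, or None when every candidate
    costs more than the expected loss it removes (tolerate instead)."""
    before = expected_loss(risk.probability, risk.loss)
    best, best_net = None, 0.0
    for t in risk.treatments:
        net = before - expected_loss(t.residual_probability, t.residual_loss) - t.cost
        if net > best_net:
            best, best_net = t, net
    return best


def respond(risk: Risk, appetite: int = RISK_APPETITE):
    """Respond step: pick one of the 4Ts; returns (response, control, rating).

    Tolerate  - inherent rating is within appetite
    Treat     - a cost-effective control brings the rating within appetite
    Transfer  - still above appetite, but the risk can be insured or outsourced
    Terminate - above appetite, no adequate control, cannot be transferred
    """
    inherent = rate(risk.probability, risk.loss)
    if inherent <= appetite:
        return "Tolerate", None, inherent
    t = best_treatment(risk)
    if t is not None:
        residual = rate(t.residual_probability, t.residual_loss)
        if residual <= appetite:
            return "Treat", t.name, residual
    if risk.transferable:
        return "Transfer", None, inherent
    return "Terminate", None, inherent


def report(register: List[Risk], appetite: int = RISK_APPETITE) -> List[dict]:
    """Report step: one row per risk, in rank order."""
    rows = []
    for r in rank(register):
        response, control, residual = respond(r, appetite)
        rows.append({"risk": r.name, "rating": rate(r.probability, r.loss),
                     "response": response, "control": control,
                     "residual": residual})
    return rows


# Constructed sample register (not from the article).
REGISTER = [
    Risk("Ransomware on file servers", 0.3, 600_000, transferable=True,
         treatments=[Treatment("Offline backups plus EDR", 80_000, 0.1, 150_000)]),
    Risk("Unsupported OS on legacy product line", 0.7, 900_000,
         treatments=[Treatment("Virtual patching", 50_000, 0.5, 900_000)]),
    Risk("Data-centre fire", 0.1, 2_000_000, transferable=True),
    Risk("Coffee machine failure", 0.6, 2_000,
         treatments=[Treatment("Maintenance contract", 3_000, 0.1, 2_000)]),
]

if __name__ == "__main__":
    for row in report(REGISTER):
        print(row)
```

Running it ranks the legacy-OS risk first (rating 16, Terminate), then ransomware (12, Treat with backups plus EDR, residual 6), the data-centre fire (10, Transfer) and the coffee machine (4, Tolerate, since its only control costs more than the loss it removes).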

Risk management helps improve how an organization handles its main processes by making sure that important factors are analyzed, monitored, and reviewed. Tools and techniques in risk management assist in handling hazard, control, and opportunity risks that could affect these key areas. Organizations should regularly repeat the risk management process to avoid relying on a one-time view of the risks they face. This ensures that risk management stays active and up-to-date.

Enterprise risk management

A newer development in risk management is called enterprise or enterprise-wide risk management (ERM). Enterprise Risk Management (‘ERM’) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. What makes ERM different from traditional risk management is its more integrated and holistic approach. It brings together the management of all types of risks rather than introducing a completely new method. When an organization looks at all the risks it faces and considers how these risks might affect its strategy, projects, and operations, it is using the ERM approach.

Risk management sophistication

An organization must be both advanced in how it views risk management and mature in how it carries it out. Initially, an organization might not be aware of its legal or contractual responsibilities. In that case, it needs to be informed about its duties regarding risk. As the organization becomes more sophisticated, it will realize the importance of complying with obligations and improving risk management. When the organization understands its responsibilities, it will need to make changes to manage hazard risks better (reform). Next, the organization will work to meet the necessary risk control standards (conform). After reaching this point, the organization may see opportunities within the risks and start to take advantage of them (perform). However, if it becomes overly focused on control, it may stop progressing (deform).

  • Unaware of obligations – INFORM
  • Awareness of non-compliance – REFORM
  • Taking action to comply – CONFORM
  • Seizing opportunities – PERFORM
  • Stalling due to over-focus – DEFORM

The terms “Inform, Reform, Conform, Perform, and Deform” in risk management describe different levels of sophistication or maturity in how organizations handle risk management. Here’s an overview of what they represent:

  1. Inform: At this stage, the organization is primarily focused on gathering and sharing information about risks. The risk management process is basic, often involving simple risk identification and reporting. The organization understands some risks but doesn’t actively manage them in an integrated way. Communication about risks may be limited to compliance or awareness purposes.
    • Situation: A tech start-up is rapidly growing and focusing on product development. However, the founders are unaware of specific legal requirements related to data privacy laws (such as GDPR or CCPA) that apply to their app, which collects user data.
    • Risk Management Action: The start-up is informed by a legal advisor or risk consultant that it needs to comply with data protection laws to avoid penalties and protect customer trust.
    • Outcome: The start-up becomes aware that not addressing these risks could lead to significant financial and reputational damage.
  2. Reform: At this level, the organization starts to improve its risk management practices. There’s an effort to address shortcomings in the current system by revising processes and introducing more structured approaches. Risk management becomes more organized and proactive, aiming to control known risks and better respond to new ones.
    • Situation: After becoming aware of the need for compliance, the start-up realizes that it is currently not meeting these privacy regulations. It has no privacy policy, security measures, or processes to handle customer data safely.
    • Risk Management Action: The start-up begins to reform its processes by introducing proper data protection policies and procedures, hiring a compliance officer, and starting to train staff on data security.
    • Outcome: The company takes the first steps toward rectifying its risk exposure and begins the journey to compliance.
  3. Conform: Here, the organization focuses on adhering to established risk management standards, regulations, and frameworks. It seeks to meet regulatory requirements and industry best practices. Compliance is key, and risk management is typically structured and formalized. However, the focus remains on following the rules rather than integrating risk management into decision-making.
    • Situation: The start-up has implemented new systems and policies to comply with data protection regulations. They ensure customer data is handled correctly, with encryption, regular audits, and privacy policy updates in place.
    • Risk Management Action: The company now regularly monitors its compliance with laws, performs internal audits, and ensures that all new product features meet regulatory standards.
    • Outcome: The start-up meets all necessary compliance requirements and avoids legal risks, fines, or penalties.
  4. Perform: At this more advanced level, the organization uses risk management as a tool for enhancing overall performance. Risk management is integrated into the business’s strategy, operations, and decision-making processes. It helps the organization manage risks effectively while also capitalizing on opportunities, driving growth, and ensuring resilience.
    • Situation: Now that the start-up has a solid risk management framework and is fully compliant, it uses its strong reputation for data security as a competitive advantage. Customers trust the start-up more than its competitors due to its high standards for privacy and security.
    • Risk Management Action: The start-up begins marketing its strong data protection measures as part of its value proposition to attract new customers, including corporate clients who prioritize security.
    • Outcome: The company’s improved risk management not only mitigates risks but also drives business growth, as it can now expand into new markets and partner with larger organizations.
  5. Deform: This stage reflects a situation where risk management practices have weakened or become dysfunctional. The risk management system may be ineffective, overly rigid, or bureaucratic, leading to poor outcomes. Risks may be ignored or mismanaged, and the organization could be vulnerable to unexpected disruptions or failures.
    • Situation: After reaching a high level of compliance and success, the start-up becomes overly focused on minimizing every possible risk. They spend excessive resources on adding layers of protection and compliance, even where it is not needed.
    • Risk Management Action: The company becomes overly risk-averse, avoiding innovation or new opportunities because of fear of potential regulatory or operational risks. This slows down product development and expansion efforts.
    • Outcome: The start-up stalls in its growth as it becomes so obsessed with managing risks that it loses agility and misses out on business opportunities.

These stages help assess how mature an organization’s risk management practices are, ranging from basic information-sharing to highly integrated risk management, or in some cases, a decline in effectiveness.

As organizations and risk management professionals become more advanced, they should recognize and appreciate the value of different methods of managing risks. The development of risk management can be summarized as follows:

  • Compliance management should be done in a unified way, even if the organization already meets high standards.
  • Hazard management specialists may notice a shift toward keeping more risks in-house (instead of relying on insurance) due to a broader approach to risk management.
  • Control management specialists should avoid stifling innovation and creativity within the organization.
  • Strategic planners need to understand that using risk management tools can lead to better decisions and help seize business opportunities.

Another way to view increasing sophistication in risk management is through the FOIL (fragmented, organized, influential, leading) model, which represents different stages of maturity.

PACED Principle of Risk Management

The main idea of risk management is to provide value to the organization. It aims to achieve the best possible results while reducing uncertainty. The principles describe what risk management should look like and what it should accomplish. A successful risk management plan should be:

  • Proportionate to the level of risk faced by the organization
  • Aligned with other business activities
  • Comprehensive, systematic, and structured
  • Embedded in the organization’s procedures
  • Dynamic, meaning it adapts to change and is repeated as needed

These principles form the acronym PACED, providing a solid foundation for effective risk management in any organization, based on the idea that risks can be identified and controlled.

Proportionate: Risk management activities must be proportionate to the level of risk faced by the organization.
Aligned: ERM activities need to be aligned with the other activities in the organization.
Comprehensive: The risk management approach must be comprehensive to be effective.
Embedded: Risk management activities need to be embedded within the organization.
Dynamic: Risk management activities must be dynamic and responsive to emerging and changing risks.

The acronym PACED represents a strong set of principles for effective risk management in any organization. These principles are based on the idea that risks can be identified and managed. The principles describe the key features of risk management in practice. In addition to explaining how risk management should work, some lists also outline what risk management should accomplish. It’s helpful to separate these into two categories:

  1. What risk management should be:
    • Proportionate, Aligned, Comprehensive, Embedded, and Dynamic (PACED)
  2. What risk management should achieve:
    • Meeting mandatory obligations
    • Assuring that significant risks are managed
    • Ensuring decisions consider risks
    • Enhancing the effectiveness and efficiency of core processes

To get the most out of risk management, these principles should guide both the planning and framework of the organization’s risk management activities. The primary goal is to determine what the organization aims to accomplish. Risk management can serve various purposes: compliance, assurance, informed decision-making, and improved efficiency in core processes (MADE2). By applying these principles, risk management reduces disruptions, minimizes uncertainty in tactics, and leads to better decision-making for strategy. A key part of risk management is improving organizational decisions. Since resources for managing risk are limited, the goal is to prioritize and respond to risks in a way that balances the organization’s capacity with the level of risk it faces. The type of response will depend on the nature, size, and complexity of the organization and its risks.

Risk management objectives

  • Mandatory – The basic objective for any risk management initiative is to ensure conformity with applicable rules, regulations and mandatory obligations.
  • Assurance – The board and audit committee of an organization will require assurance that risk management and internal control activities comply with PACED.
  • Decision making – Risk management provides better information so that decisions at every level take risks into account and can be made with more confidence.
  • Effective and efficient core processes – Risk management should enhance the effectiveness and efficiency of the organization’s core processes, in operations, projects and strategy.

Risk management has gained more attention recently due to the global financial crisis and many high-profile corporate failures. It has also become more important because of growing stakeholder expectations and the ease of communication. Besides helping organizations make better decisions and operate more efficiently, risk management provides greater assurance to stakeholders. This assurance involves two key elements:

  1. Directors need to be confident that all risks have been identified and managed appropriately.
  2. Organizations must accurately report information, including details on risk management, to meet stakeholder expectations.

The Sarbanes–Oxley Act (SOX) in the U.S. focuses on ensuring accurate financial reporting and full disclosure of all relevant information about the organization. Although SOX only applies in certain situations, its principles are important for all risk management professionals. When implementing risk management, organizations should consider why they are doing so, based on MADE2 (mandatory, assurance, decision making, and effective core processes). These reasons, or “drivers,” can differ for each organization. For example, some companies focus on reducing accidents and damage through a loss control manager, while others aim to improve their reputation through better compliance and ethical behaviour.

Effective and efficient core processes

Insurable or hazardous risks can quickly affect operations, which is why risk management initially focused on keeping normal operations running smoothly. As risk management has evolved, it now also emphasizes improving core business processes through better project and program management. Processes must not only be efficient but also effective in delivering the required results. For example, having an efficient software program is not helpful if it doesn’t provide all the necessary functions. Strategic decisions are the most critical for an organization. Risk management helps by providing better information, allowing for more confident decision-making. The chosen strategy must be capable of delivering the desired outcomes. Many companies have failed because they chose the wrong strategy or couldn’t implement it properly. This is especially challenging when technology or customer expectations change, such as in grocery stores. A good strategy should take advantage of opportunities while considering risks to ensure success. Projects and programs are the tactics used to execute the strategy. Even if an organization has effective operations and compliance, it will still fail if the overall strategy is flawed. More businesses have failed due to poor strategy than due to inefficient operations or tactics, though compliance activities remain crucial.

Benefits of Risk Management

Organizations may see advantages in adopting risk management, but to implement it successfully, it needs to be approached as a project. The key factor is having support from senior management and, ideally, sponsorship from a board member. Additionally, a plan must be created to address the concerns of employees and other stakeholders. Although risk management is crucial for organizational success, many managers might need convincing that the proposed approach is the right one. It’s important to recognize that not all tasks and functions handled by managers should be labeled as risk management. While risk is embedded in every decision, process, and activity, not all of them are driven by risk management principles. Operations are typically affected by hazard risks, so the focus here is often on managing those hazards. To get the most out of risk management in operations, organizations should prioritize loss control, which involves preventing losses, limiting damage, and controlling costs. Projects must be delivered on time, within budget, and meet required quality standards. However, there is always uncertainty with projects. The role of risk management is to reduce these uncertainties. Managing project risks is a form of control management. When it comes to strategy, risk management helps by assessing the risks associated with different strategic options, thus contributing to better decision-making.

Principles of ERM as per COSO ERM structure:

Component 1: Governance & Culture

Risk governance sets the tone and reinforces the importance of ERM oversight. Culture is reflected in decision-making and includes ethical values and responsible business behavior. Both governance and culture are needed for effective ERM. There are five principles for this component.

  • Exercises Board Risk Oversight
  • Establishes Operating Structures
  • Defines Desired Culture
  • Demonstrates Commitment to Core Values
  • Attracts, Develops and Retains Capable Individuals

Principle 1: Exercises Board Risk Oversight – Risk governance and culture start at the top with the influence and oversight of the board. Board members must be accountable and responsible for risk oversight and possess the required skills, experience and business knowledge.

Principle 2: Establishes Operating Structures – Strategy is executed by the organization through its operating structures and day-to-day operations to achieve business objectives. How the operating model is administered and governed can introduce new and different risks or complexities.

Principle 3: Defines Desired Culture – COSO frames desired behaviors within the context of culture, core values and attitudes toward risk. Whether an organization considers itself to be risk-averse, risk-neutral or risk-aggressive, it should have a risk-aware culture.

Principle 4: Demonstrates Commitment to Core Values – Culture and tone at the top are defined by the operating style and personal conduct of management and the board of directors, and they must be driven deep down into the organization.

Principle 5: Attracts, Develops and Retains Capable Individuals – Management must define the knowledge, skills and experience needed to execute strategy; set appropriate performance targets; attract, develop and retain appropriate personnel and strategic partners; and arrange for succession.

Component 2: Strategy & Objective-Setting

ERM, strategy and objective setting work together in the strategic planning process. Risk appetite should be aligned with strategy and business objectives to successfully implement strategy. The updated COSO framework elevates the discussion of strategy and the integration of ERM with strategy by asserting that all aspects and implications of strategy need to be considered when setting strategy. There are four principles for this component.

  • Analyses Business Context
  • Defines Risk Appetite
  • Evaluates Alternative Strategies
  • Formulates Business Objectives

Principle 6: Analyses Business Context – The updated framework considers business context and the role of internal and external stakeholders. The point is that management must consider risk from changes in the business context and adapt accordingly in executing strategy.

Principle 7: Defines Risk Appetite – The organization defines risk appetite in the context of creating, preserving and realizing value. The risk appetite statement is considered during strategy setting, communicated by management, embraced by the board and integrated across the organization.

Principle 8: Evaluates Alternative Strategies – Alternative strategies are built on different assumptions, and those assumptions may be sensitive to change. The organization evaluates strategic options and sets its strategy to enhance value, considering the risk resulting from the strategy chosen.

Principle 9: Formulates Business Objectives – Management establishes objectives that align with and support the strategy at various levels of the business. These objectives should consider, and be aligned with risk appetite.

Component 3: Performance

Risks that could impact the achievement of strategy and objectives should be identified and assessed. These risks must be prioritized in terms of severity in the context of risk appetite. Risk responses should be selected to form a portfolio view of risk. There are five principles for this component.

  • Identifies Risk
  • Assesses Severity of Risk
  • Prioritizes Risk
  • Implements Risk Responses
  • Develops a Portfolio View

Principle 10: Identifies Risk – The organization identifies new and emerging risks, as well as changes to known risks to the execution of its strategy. The risk identification process should consider risks arising from a change in business context and risks currently existing but not yet known.

Principle 11: Assesses Severity of Risk – Depending on the anticipated severity of the risk, COSO suggests the use of qualitative and quantitative approaches in assessment processes. Scenario analysis may be appropriate in assessing risks that could have an extreme impact.

Principle 12: Prioritizes Risk – The organization prioritizes risks as a basis for selecting risk responses using appropriate criteria. Risk criteria might include adaptability, complexity, velocity, persistence and recovery, as well as acceptable variation in performance.

Principle 13: Implements Risk Responses – Risk responses may accept, avoid, exploit, reduce and share risk. In selecting risk responses, management considers such factors as the business context, costs and benefits, severity of the risk, and the appetite for risk.

Principle 14: Develops Portfolio View – Portfolio view is a composite view of the risks the organization faces relative to business objectives, which allows management and the board to consider the nature, likelihood, relative size and interdependencies of risks, and how they may affect performance.

Component 4: Review & Revision

The fourth component focuses on monitoring risk management performance. Effective monitoring provides insight into the relationship between risk and performance, how strategic risks are affecting performance, and emerging risks. There are three principles for this component.

  • Assesses Substantial Change
  • Reviews Risk and Performance
  • Pursues Improvement in the ERM

Principle 15: Assesses Substantial Change – Change can create significant competitor performance gaps or invalidate critical assumptions underlying strategy. Monitoring substantial change is built into business processes in the ordinary course of running the business.

Principle 16: Reviews Risk and Performance – Risk responses must be evaluated to ensure they are performing as intended. The task of assessing risk responses is typically owned by those accountable for the effective management of identified risks and by assurance providers.

Principle 17: Pursues Improvement in ERM – ERM should be improved continuously over time. Even mature ERM processes can become more efficient and effective, increasing the value they contribute. Embedding continuous evaluation can systematically identify improvements.

Component 5: Information, Communication & Reporting

ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization. The final component recognizes the vital need for a continuous process to obtain and share relevant information. This information for decision-making must flow up, down and across the organization and provide insight to key stakeholders. There are three principles for this component.

  • Leverages Information Systems
  • Communicates Risk Information
  • Reports on Risk, Culture and Performance

Principle 18: Leverages Information and Technology – Information systems provide the organization with the data and information to support ERM. Factors influencing technology selection include the strategy, marketplace needs, competitive requirements, and the associated costs and benefits.

Principle 19: Communicates Risk Information – The organization reports on risk at multiple levels across the organization. Organizations use different channels to communicate risk data and information to internal and external stakeholders.

Principle 20: Reports on Risk, Culture and Performance – Risk reporting encompasses information required to support decision-making and enable the board and others to fulfill their risk oversight responsibilities. There are many different types of reports on risk, culture and performance.

Principles as per ISO 31000:2018

The principles are:
a) Integrated: Risk management is an integral part of all organizational activities.
b) Structured and comprehensive: A structured and comprehensive approach to risk management contributes to consistent and comparable results.
c) Customized: The risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.
d) Inclusive: Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
e) Dynamic: Risks can emerge, change or disappear as an organization’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
f) Best available information: The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
g) Human and cultural factors: Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
h) Continual improvement: Risk management is continually improved through learning and experience.

Principles of ISO 31000

Elaborating on each principle further:

1. Integrated

  • An organization should integrate its risk management efforts into all parts and activities of the organization.
  • Risk management is not separated from the main activities and processes of the organization as it is a part of decision-making in every department.
  • Risk management is embedded into the organization’s processes and is a part of management’s responsibilities

2. Structured and Comprehensive

  • Creating and following a comprehensive, structured risk management approach leads to the most consistent, desirable risk management outcomes.
  • Systematically approaching risk management contributes to efficiency and consistent results within the organization as well as comprehension for everyone involved
  • Risk management is structured with guidelines and procedures to follow to maintain productivity and efficacy

3. Customized

  • An organization’s risk management approach should be customized to its own needs, including the organization’s objectives and the external and internal context in which the organization operates.
  • Risk management processes are not one-size-fits-all and must be tailored to the organization’s external and internal context to reach objectives.
  • When the context is established in both internal and external environments, objectives can be captured and risk management can be customized to the unique organization

4. Inclusive

  • To be most effective, risk management should involve all stakeholders in appropriate and timely ways. This allows the different knowledge sets, views, and perceptions of all stakeholders to be considered and implemented into risk management efforts.
  • The involvement of stakeholders allows their knowledge and views to be considered, guaranteeing that risk management is relevant and up to date
  • Risk management is transparent; it is easy to understand and doesn’t include confusing jargon, allowing stakeholders to be included in the framework

5. Dynamic

  • As the organization changes, including its external and internal context, the organization’s risk management program and efforts should change, too. Change is inevitable and successful organizations know how to work with change. A risk management program should help the organization anticipate, identify, acknowledge, and respond to changes in an appropriate and timely way.
  • Context and knowledge within an organization change constantly and should be acknowledged as they do
  • Risk management must respond to change continually and promptly to maintain efficiency and results
  • Risks emerge, change, and disappear as internal and external events occur, so risk management must be anticipatory

6. Best Available Information

  • An organization will never have all of the information needed, but action must be taken when an organization has the best available data
  • Historical and current information, as well as the limitations of these, must be taken into account
  • All known information should be available to stakeholders
  • Effective risk management is done by considering information from the past and present as well as anticipating the future. Therefore, the information from the past and present must be as reliable as possible, and risk managers must consider the limitations and uncertainties with that past and present information. All relevant stakeholders should receive necessary information in a timely and clear manner.

7. Human and Cultural Factors

  • Risk management is influenced significantly by human behavior and culture
  • The organization’s capabilities, as well as the goals of the people within and around it, must be recognized by risk management to achieve, or inhibit, the goals of the business.
  • Risk management is a human activity and it takes place within one or more cultures (organizational culture, etc.). Risk managers must be aware of the human and cultural factors that the risk management effort takes place in and know the influence that human and cultural factors will place on the risk management effort.

8. Continual Improvement

  • Improving continually through experience ensures the organization’s resiliency
  • PDCA is a risk management process: plan, do, check, adjust. This is a cycle that keeps the organization continually improving while factors change over time
  • Appropriately adapting to results in risk management allows the organization to grow exponentially in every aspect, and continue to do so.
  • Through experience and learning, risk managers must strive to continually improve an organization’s risk management efforts.
