
ISO 31000:2018 Checklist
4 Principles
When establishing the organization's risk management framework and processes, how does your organization follow the following principles for managing risk: a) Integrated, b) Structured and comprehensive, c) Customized, d) Inclusive, e) Dynamic, f) Best available information, g) Human and cultural factors, h) Continual improvement?
Is risk management an integral part of all organizational activities?
Has your organization taken a structured and comprehensive approach to risk management in order to obtain consistent and comparable results?
Has your organization customized the risk management framework and process so that they are proportionate to the organization's external and internal context related to its objectives?
How does your organization ensure appropriate and timely involvement of stakeholders so that their knowledge, views and perceptions are considered, leading to improved awareness and informed risk management?
How does your organization's management anticipate, detect, acknowledge and respond to changes in risks as the organization's external and internal context changes, in an appropriate and timely manner?
Are the inputs to risk management based on historical and current information as well as future expectations, and is the information timely, clear and available to relevant stakeholders?
At each level and stage, how does the influence of human behavior and culture affect risk engagement?
Is your risk management continually improved through learning and experience?
5 Framework
5.1 General
Have you been able to integrate risk management into the significant activities and functions of your organization? Does this include the governance of the organization, including decision-making?
Are you able to obtain the support of stakeholders, particularly top management, for this?
How does your framework development encompass integrating, designing, implementing, evaluating and improving risk management across the organization?
How does your organization evaluate its existing risk management practices and processes, identify any gaps and address those gaps within the framework?
How do you customize the components of the framework, and the way in which they work together, to the needs of the organization?
5.2 Leadership and commitment
How do top management and oversight bodies ensure that risk management is integrated into all organizational activities?
Do top management and oversight bodies demonstrate leadership and commitment by customizing and implementing all components of the framework?
Do top management and oversight bodies demonstrate leadership and commitment by issuing a statement or policy that establishes a risk management approach, plan or course of action?
Do top management and oversight bodies demonstrate leadership and commitment by ensuring that the necessary resources are allocated to managing risk?
Do top management and oversight bodies demonstrate leadership and commitment by assigning authority, responsibility and accountability at appropriate levels within the organization?
How does the organization align risk management with its objectives, strategy and culture?
How does the organization recognize and address all obligations, as well as its voluntary commitments?
How does the organization establish the amount and type of risk for the development of risk criteria, and ensure that they are communicated to the organization and its stakeholders?
How does the organization communicate the value of risk management to the organization and its stakeholders?
How does the organization promote systematic monitoring of risks?
How does the organization ensure that the risk management framework remains appropriate to the context of the organization?
Is your top management accountable for managing risk, and are oversight bodies accountable for overseeing risk management?
Do your oversight bodies ensure that risks are adequately considered when setting the organization's objectives?
Do your oversight bodies understand the risks facing the organization in pursuit of its objectives?
Do your oversight bodies ensure that systems to manage such risks are implemented and operating effectively?
Do your oversight bodies ensure that such risks are appropriate in the context of the organization's objectives?
Do your oversight bodies ensure that information about such risks and their management is properly communicated?
5.3 Integration
Is your integration of risk management based on an understanding of organizational context and structures, which depends on the organization's purpose, goals and complexity?
How do you ensure that risk is managed in every part of the organization's structure?
How do you ensure that everyone in the organization has responsibility for managing risk?
How do you determine that risk management accountability and oversight roles within the organization are integral parts of the organization's governance? Note: Governance guides the course of the organization, its external and internal relationships, and the rules, processes and practices needed to achieve its purpose. Management structures translate governance direction into the strategy and associated objectives required to achieve desired levels of sustainable performance and long-term viability.
How do you ensure that integrating risk management into the organization is a dynamic and iterative process?
How do you ensure that integrating risk management into the organization is customized to the organization's needs and culture?
How do you ensure that risk management is a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations?
5.4 Design
5.4.1 Understanding the organization and its context
When designing the framework for managing risk, how does your organization examine and understand its external and internal context?
Does examining your external context include the social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local?
Does examining your external context include key drivers and trends affecting the objectives of the organization?
Does examining your external context include external stakeholders' relationships, perceptions, values, needs and expectations?
Does examining your external context include contractual relationships and commitments?
Does examining your external context include the complexity of networks and dependencies?
Does examining your internal context include vision, mission and values?
Does examining your internal context include governance, organizational structure, roles and accountability?
Does examining your internal context include strategy, objectives and policies?
Does examining your internal context include the organization's culture?
Does examining your internal context include standards, guidelines and models adopted by the organization?
Does examining your internal context include capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies)?
Does examining your internal context include data, information systems and information flows?
Does examining your internal context include relationships with internal stakeholders, taking into account their perceptions and values?
Does examining your internal context include contractual relationships and commitments?
Does examining your internal context include interdependencies and interconnections?
5.4.2 Articulating risk management commitment
Do top management and oversight bodies demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey the organization's objectives and commitment to risk management?
Does the commitment to risk management include the organization's purpose for managing risk and links to its objectives and other policies?
Does the commitment to risk management include reinforcing the need to integrate risk management into the overall culture of the organization?
Does the commitment to risk management include leading the integration of risk management into core business activities and decision-making?
Does the commitment to risk management include authorities, responsibilities and accountability?
Does the commitment to risk management include making the necessary resources available?
Does the commitment to risk management include the way in which conflicting objectives are dealt with?
Does the commitment to risk management include measurement and reporting within the organization's performance indicators?
Does the commitment to risk management include review and improvement?
How do you communicate the risk management commitment within the organization and to stakeholders, as appropriate?
5.4.3 Assigning organizational roles, authorities, responsibilities and accountability
How do top management and oversight bodies ensure that the authorities, responsibilities and accountability for relevant roles with respect to risk management are assigned and communicated at all levels of the organization?
How is it emphasized that risk management is a core responsibility?
How do you identify individuals who have the accountability and authority to manage risk?
5.4.4 Allocating resources
How do top management and oversight bodies ensure the allocation of appropriate resources for risk management?
Do the resources for risk management include people, skills, experience and competence?
Do the resources for risk management include the organization's processes, methods and tools to be used for managing risk?
Do the resources for risk management include documented processes and procedures?
Do the resources for risk management include information and knowledge management systems?
Do the resources for risk management include professional development and training needs?
How does the organization consider the capabilities of, and constraints on, existing resources?
5.4.5 Establishing communication and consultation
Has your organization established an approved approach to communication and consultation in order to support the framework and facilitate the effective application of risk management?
Does your organization's communication involve sharing information with targeted audiences?
Does your organization's consultation involve participants providing feedback with the expectation that it will contribute to and shape decisions?
How do you ensure that communication and consultation methods and content reflect the expectations of stakeholders?
How do you ensure that communication and consultation are carried out in a timely manner?
How do you ensure that relevant information is collected, collated, synthesized and shared, as appropriate, and that feedback is provided and improvements are made?
5.5 Implementation
Does the implementation of the risk management framework involve developing an appropriate plan, including time and resources?
Does the implementation of the risk management framework involve identifying where, when and how different types of decisions are made across the organization, and by whom?
Does the implementation of the risk management framework involve modifying the applicable decision-making processes where necessary?
Does the implementation of the risk management framework involve ensuring that the organization's arrangements for managing risk are clearly understood and practiced?
For successful implementation of the framework, how do you ensure the engagement and awareness of stakeholders?
How does the organization address uncertainty in decision-making, while also ensuring that any new or subsequent uncertainty can be taken into account as it arises?
How do you ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and that changes in external and internal contexts are adequately captured?
5.6 Evaluation
In order to evaluate the effectiveness of the risk management framework, does your organization periodically measure framework performance against its purpose, implementation plans, indicators and expected behavior?
In order to evaluate the effectiveness of the risk management framework, does your organization determine whether it remains suitable to support achieving the objectives of the organization?
5.7 Improvement
5.7.1 Adapting
To improve its value, does the organization continually monitor and adapt the risk management framework to address external and internal changes?
5.7.2 Continually improving
How does the organization continually improve the suitability, adequacy and effectiveness of the risk management framework?
How does the organization continually improve the way the risk management process is integrated?
When relevant gaps or improvement opportunities are identified, does the organization develop plans and tasks for implementation? How are they assigned to those accountable for implementation?
How does the organization ensure that these improvements contribute to the enhancement of risk management?
6 Process
6.1 General
Does your risk management process involve the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording and reporting risk?
Is your risk management process an integral part of management and decision-making?
How is your risk management process integrated into the structure, operations and processes of the organization?
Is your risk management process applied at strategic, operational, program or project levels?
How do you customize the risk management process to achieve objectives?
How do you customize the risk management process to suit the external and internal context in which it is applied?
How do you consider the dynamic and variable nature of human behavior and culture throughout the risk management process?
6.2 Communication and consultation
How does your communication and consultation process assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required? Note: Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making.
How do you ensure close coordination between communication and consultation so as to facilitate a factual, timely, relevant, accurate and understandable exchange of information, taking into account the confidentiality and integrity of information as well as the privacy rights of individuals?
How do you ensure that communication and consultation take place with appropriate external and internal stakeholders throughout all steps of the risk management process?
How do you ensure that communication and consultation bring different areas of expertise together for each step of the risk management process?
How do you ensure that communication and consultation ensure that different views are appropriately considered when defining risk criteria and when evaluating risks?
How do you ensure that communication and consultation provide sufficient information to facilitate risk oversight and decision-making?
How do you ensure that communication and consultation build a sense of inclusiveness and ownership among those affected by risk?
6.3 Scope, context and criteria
6.3.1 General
While establishing the scope, the context and the criteria, how do you customize the risk management process to enable effective risk assessment and appropriate risk treatment? Note: Establishing scope, context and criteria involves defining the scope of the process and understanding the external and internal context.
6.3.2 Defining the scope
How do you define the scope of your risk management activities? Note: As the risk management process may be applied at different levels (e.g. strategic, operational, program, project, or other activities), it is important to be clear about the scope under consideration, the relevant objectives to be considered and their alignment with organizational objectives.
While defining the scope of your risk management activities, do you consider the objectives and decisions that need to be made?
While defining the scope of your risk management activities, do you consider the outcomes expected from the steps to be taken in the process?
While defining the scope of your risk management activities, do you consider time, location, specific inclusions and exclusions?
While defining the scope of your risk management activities, do you consider appropriate risk assessment tools and techniques?
While defining the scope of your risk management activities, do you consider the resources required, responsibilities and records to be kept?
While defining the scope of your risk management activities, do you consider relationships with other projects, processes and activities?
6.3.3 External and internal context
How is the context (external and internal) of risk management established? Note: The external and internal context is the environment in which the organization seeks to define and achieve its objectives.
While establishing the context (external and internal) of risk management, how do you consider the external and internal environment in which the organization operates, and how do you reflect the specific environment of the activity to which the risk management process is to be applied? Note: Understanding the context is important because: risk management takes place in the context of the objectives and activities of the organization; organizational factors can be a source of risk; and the purpose and scope of the risk management process may be interrelated with the objectives of the organization as a whole.
6.3.4 Defining risk criteria
While defining the risk criteria, does your organization specify the amount and type of risk that it may or may not take, relative to objectives?
While defining the risk criteria, does your organization evaluate the significance of risk to support decision-making processes?
How do you ensure that your risk criteria are aligned with the risk management framework?
How do you customize your risk criteria to the specific purpose and scope of the activity under consideration?
How do you ensure that your risk criteria reflect the organization's values, objectives and resources?
How do you ensure that your risk criteria are consistent with policies and statements about risk management?
How do you ensure that your risk criteria take into consideration the organization's obligations and the views of stakeholders?
How do you ensure that your risk criteria are dynamic and continually reviewed and amended, if necessary?
To set risk criteria, how do you consider the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible)?
To set risk criteria, how do you consider how consequences (both positive and negative) and likelihood will be defined and measured?
To set risk criteria, how do you consider time-related factors?
To set risk criteria, how do you consider consistency in the use of measurements?
To set risk criteria, how do you consider how the level of risk is to be determined?
To set risk criteria, how do you consider how combinations and sequences of multiple risks will be taken into account?
To set risk criteria, how do you consider the organization's capacity?
6.4 Risk assessment
6.4.1 General
How do you ensure that your risk assessment is conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders? Note: Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
How do you ensure that your risk assessment uses the best available information?
6.4.2 Risk identification
For identifying risk, how do you ensure that relevant, appropriate and up-to-date information is available? Note: The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization achieving its objectives. The organization can use a range of techniques for identifying uncertainties that may affect one or more objectives.
For identifying risk, how do you consider tangible and intangible sources of risk and the relationship between them?
For identifying risk, how do you consider causes and events and the relationship between them?
For identifying risk, how do you consider threats and opportunities and the relationship between them?
For identifying risk, how do you consider vulnerabilities and capabilities and the relationship between them?
For identifying risk, how do you consider changes in the external and internal context and the relationship between them?
For identifying risk, how do you consider indicators of emerging risks and the relationship between them?
For identifying risk, how do you consider the nature and value of assets and resources and the relationship between them?
For identifying risk, how do you consider consequences and their impact on objectives and the relationship between them?
For identifying risk, how do you consider limitations of knowledge and reliability of information and the relationship between them?
For identifying risk, how do you consider time-related factors and the relationship between them?
For identifying risk, how do you consider the biases, assumptions and beliefs of those involved?
Does your organization identify all risks irrespective of whether or not their sources are under its control? Note: Consideration should be given to the fact that there may be more than one type of outcome, which may result in a variety of tangible or intangible consequences.
6.4.3 Risk analysis
During risk analysis, how do you comprehend the nature of risk, its characteristics and the level of risk?
During risk analysis, how do you consider uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness? Note: An event can have multiple causes and consequences and can affect multiple objectives. Risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of information, and the resources available. Analysis techniques can be qualitative, quantitative or a combination of these, depending on the circumstances and intended use.
For risk analysis, how do you consider the likelihood of events and consequences?
For risk analysis, how do you consider the nature and magnitude of consequences?
For risk analysis, how do you consider complexity and connectivity?
For risk analysis, how do you consider time-related factors and volatility?
For risk analysis, how do you consider the effectiveness of existing controls?
For risk analysis, how do you consider sensitivity and confidence levels?
For risk analysis, how do you consider influences such as any divergence of opinions, biases, perceptions of risk and judgments? Additional influences that can be considered are the quality of the information used, the assumptions and exclusions made, any limitations of the techniques and how they are executed.
Are those influences documented and communicated to decision makers?
Are you using a combination of techniques for highly uncertain events with severe consequences, which are difficult to quantify, in order to gain greater insight? Note: Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods. The results provide insight for decisions where choices are being made and the options involve different types and levels of risk.
6.4.4 Risk evaluation
Does your risk evaluation involve comparing the results of the risk analysis with the established risk criteria to determine where additional action is required? Note: The purpose of risk evaluation is to support decisions, which can be: do nothing further; consider risk treatment options; undertake further analysis to better understand the risk; maintain existing controls; reconsider objectives.
How do your decisions take into account the wider context and the actual and perceived consequences to external and internal stakeholders?
Is the outcome of risk evaluation recorded and communicated?
How is the outcome of risk evaluation then validated at appropriate levels of the organization?
6.5 Risk treatment
6.5.1 General
For risk treatment, how do you select and implement options for addressing risk?
How do you formulate and select risk treatment options?
How do you plan and implement risk treatment?
How do you assess the effectiveness of that treatment?
How do you decide whether the remaining risk is acceptable?
If the remaining risk is not acceptable, how do you take further treatment?
6.5.2 Selection of risk treatment options
Do your risk treatment options involve one or more of the following: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing the risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing the risk (e.g. through contracts, buying insurance); retaining the risk by informed decision?
Other than economic considerations, do your risk treatment options take into account all of the organization's obligations, voluntary commitments and stakeholder views? Note: Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in relation to the achievement of the objectives against the costs, effort or disadvantages of implementation.
Do you select risk treatment options in accordance with the organization's objectives, risk criteria and available resources? Note: Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.
When selecting risk treatment options, does the organization consider the values, perceptions and potential involvement of stakeholders and the most appropriate ways to communicate and consult with them? Note: Though equally effective, some risk treatments can be more acceptable to some stakeholders than to others.
Even when carefully designed and implemented, how do you handle risk treatments that do not produce the expected outcomes or produce unintended consequences?
How do you ensure that monitoring and review are an integral part of your risk treatment implementation, to give assurance that the different forms of treatment become and remain effective?
How do you manage new risks introduced by the risk treatment?
Do you record risks for which no treatment options are available, or for which treatment options do not sufficiently modify the risk?
Do you keep under ongoing review the risks for which no treatment options are available, or for which treatment options do not sufficiently modify the risk?
Are decision makers and other stakeholders aware of the nature and extent of the remaining risk after risk treatment?
Is the remaining risk documented and subjected to monitoring, review and, where appropriate, further treatment?
6.5.3 Preparing and implementing risk treatment plans
Do your risk treatment plans specify how the chosen treatment options will be implemented?
How do you ensure that the arrangements are understood by those involved?
How do you ensure that progress against the plan can be monitored?
Does your risk treatment plan clearly identify the order in which risk treatment should be implemented?
How do you ensure that treatment plans are integrated into the management plans and processes of the organization, in consultation with appropriate stakeholders?
Does the information provided in the treatment plan include the rationale for selection of the treatment options, including the expected benefits to be gained?
Does the information provided in the treatment plan include those who are accountable and responsible for approving and implementing the plan?
Does the information provided in the treatment plan include the proposed actions?
Does the information provided in the treatment plan include the resources required, including contingencies?
Does the information provided in the treatment plan include the performance measures?
Does the information provided in the treatment plan include the constraints?
Does the information provided in the treatment plan include the required reporting and monitoring?
Does the information provided in the treatment plan include when actions are expected to be undertaken and completed?
6.6 Monitoring and review
Do your monitoring and review assure and improve the quality and effectiveness of process design, implementation and outcomes?
Are ongoing monitoring and periodic review of the risk management process and its outcomes a planned part of the risk management process?
How do you ensure that monitoring and review take place in all stages of the process?
How do you ensure that monitoring and review include planning, gathering and analyzing information, recording results and providing feedback?
How do you ensure that the results of monitoring and review are incorporated throughout the organization's performance management, measurement and reporting activities?
6.7 Recording and reporting
How do you ensure that the risk management process and its outcomes are documented and reported through appropriate mechanisms?
Do recording and reporting communicate risk management activities and outcomes across the organization?
Do recording and reporting provide information for decision-making?
Do recording and reporting improve risk management activities?
Do recording and reporting assist interaction with stakeholders, including those with responsibility and accountability for risk management activities?
How do your decisions concerning the creation, retention and handling of documented information take into account their use, information sensitivity and the external and internal context?
Is reporting an integral part of the organization's governance?
How does reporting enhance the quality of dialogue with stakeholders and support top management and oversight bodies in meeting their responsibilities?
When reporting, how do you consider differing stakeholders and their specific information needs and requirements?
When reporting, how do you consider the cost, frequency and timeliness of reporting?
When reporting, how do you consider the method of reporting?
When reporting, how do you consider the relevance of information to organizational objectives and decision-making?