These presentation slides are intended for the training-workshop lead as well as the participants.
Developed based on ISO 31000:2009 – Principles and Guidelines on Implementation, ISO/IEC 31010:2009 – Risk Assessment Techniques, ISO Guide 73:2009 – Vocabulary.
3. Training Lead Profile
A seasoned advisor, auditor, consultant, trainer, courseware developer and
writer with 15 years of experience in advisory, consulting, audit, training and
education as well as project management.
To date he has delivered and hosted 200+ sessions with 7,000+ attendees
and 5,000+ hours of training, lectures, conferences, workshops and seminars across
Indonesia and abroad for around 70 institutions and companies.
He has written and edited 300+ articles and manuscripts concerning ICT
and management for more than 20 leading local and international media outlets,
companies, journals and conferences.
On top of that, he is a speaker, moderator and panelist at various national and
international conferences, workshops and seminars, with over 65 international
certifications in technology and management under his belt.
A guest lecturer at top-tier Indonesian and American universities for their master's
and undergraduate programs.
3
Dec 2013
Developed by @goudotmobi
4. Training Agenda
Day One – Understanding, Valuing and Raising Risk Management,
Enterprise Risk Management and ISO 31000:2009 Awareness

Time | Topics | Delivery
09.00 – 09.30 | Opening, Self-Introduction and Exploring Enterprise Risk Management | Classical
09.30 – 10.00 | Understanding ISO 31000:2009 | Classical
10.00 – 10.15 | First Coffee Break | N/A
10.15 – 12.00 | Navigating ISO 31000:2009 Principles and Guidelines | Classical
12.00 – 13.00 | Lunch Break | N/A
13.00 – 15.00 | Understanding ISO 31000 Clauses – 1st Session | Classical
15.00 – 15.15 | Second Coffee Break | N/A
15.15 – 16.00 | Understanding ISO 31000 Clauses – 2nd Session | Classical
16.00 – 16.30 | Understanding Relationship Between ISO 15378 and ISO 31000 | Classical
16.30 – 17.00 | Question and Answer, Wrap-Up Day One | Individual Participation
5. Training Agenda (cont’d)
Day Two – Exploring and Utilizing Risk Assessment Techniques

Time | Topics | Delivery
09.00 – 09.30 | Day One Review | Classical
09.30 – 10.00 | Valuing ISO 31010: Risk Assessment and its Techniques – 1st Session | Classical, Group Discussion
10.00 – 10.15 | First Coffee Break | N/A
10.15 – 12.00 | Valuing ISO 31010: Risk Assessment and its Techniques – 2nd Session | Classical, Group Discussion
12.00 – 13.00 | Lunch Break | N/A
13.00 – 14.00 | Utilizing Risk Assessment Techniques | Workshop, Group Discussion
14.00 – 15.00 | Analyzing and Evaluating Risk Assessment Result – 1st Session | Group Presentation, Group Discussion
15.00 – 15.15 | Second Coffee Break | N/A
15.15 – 16.00 | Analyzing and Evaluating Risk Assessment Result – 2nd Session | Group Presentation, Group Discussion
16.00 – 17.00 | Question and Answer, Wrap Up Day Two, Quiz | Individual Participation
6. Training Agenda (cont’d)
Day Three – Exploring and Utilizing Risk Registration as well as
Monitoring and Managing ERM

Time | Topics | Delivery
09.00 – 09.30 | Day Two Review | Classical
09.30 – 10.00 | Understanding Risk Register Entry | Classical
10.00 – 10.15 | First Coffee Break | N/A
10.15 – 12.00 | Utilizing Risk Register Entry | Workshop, Group Discussion
12.00 – 13.00 | Lunch Break | N/A
13.00 – 15.00 | Discussing and Implementing Risk Register | Workshop, Group Presentation
15.00 – 15.15 | Second Coffee Break | N/A
15.15 – 16.00 | Monitoring and Managing ERM | Classical
16.00 – 17.00 | Post-Test, Training Evaluation, Wrap Up Day Three, Closing | Individual Participation
7. Rules of the Game
Attendance: participants are required to attend all three full days of the
training to obtain the training certificate
Weight for the training mark:
- Attendance: 10%
- Quiz (Day Two): 40%
- Final Test (Day Three): 50%
9. What Risk is All About
Risks have consequences in terms of societal,
environmental, technological, safety and security
outcomes;
They have commercial, financial and economic results
They also have social, cultural and political reputation
impacts
ISO 31000:2009 helps organizations of all types and
sizes to manage risk effectively
10. What Is Risk Management?
Risk
The effect of uncertainty on the ability of an organisation
to meet its objectives
Risk Management
The range of activities that an organisation intentionally
undertakes to understand and reduce these effects
Effective Risk Management
Executing these activities efficiently and in a way that
actually and demonstrably improves the ability of the
organisation to meet its objectives in a repeatable
fashion
11. Risk Management with ISO
ISO 31000:2009 – Principles and Guidelines on
Implementation (20 November 2009)
ISO/IEC 31010:2009 – Risk Assessment Techniques (1
December 2009)
ISO Guide 73:2009 – Vocabulary (15 November 2009)
HB 327:2010 – Communicating and consulting about
risk (23 February 2010)
12. Risk Management with ISO (cont’d)
AS/NZS 5050:2010 Business continuity – Managing
disruption-related risk (28 June 2010)
HB 266:2010 – Guide for managing risk in not-for-profit
organizations (12 August 2010)
HB 246:2010 Guidelines for managing risk in sport and
recreation organizations (18 August 2010)
14. Understanding ISO 31000
Provides principles, a framework and a process for
managing any form of risk in a transparent, systematic and
credible manner within any scope or context
It recommends that organizations develop, implement and
continuously improve a risk management framework as an
integral component of their management system
Concretely, it is a practical document that seeks to assist
organizations in developing their own approach to the
management of risk
15. Understanding ISO 31000 (cont’d)
This is NOT a standard that organizations can seek
certification to
Organizations can compare their risk management
practices with an internationally recognized benchmark
It provides sound principles for effective management
ISO Guide 73:2009 provides a collection of terms and
definitions relating to the management of risk
ISO 31000 is designed to help organizations
16. What Is ISO 31000?
ISO 31000:2009:
An international standard that provides principles and
guidelines for effective risk management
Not specific to any industry or sector
Able to be applied to any kind of risk
Able to be applied to any kind of organisation
Intended to be tailored to meet the needs of the
organisation
“The generic approach described in this standard provides
the principles and guidelines for managing any form of risk
in a systematic, transparent and credible manner and
within any scope and context.”
17. History of ISO 31000
AS/NZS 4360:1999 was developed by Australia and NZ in
1999
Revised and reissued as AS/NZS 4360:2004 in 2004
No agreed de jure or de facto international standard in
place at this stage
A small number of competing frameworks which were
regarded as unsatisfactory
International Standards Organisation started work on ISO
31000 using AS/NZS 4360:2004 in 2005 as its first draft
ISO 31000 was issued worldwide in 2009
18. What Does ISO 31000 Cover?
ISO 31000:2009 contains:
A set of risk management terms and their definitions
A set of principles for guiding and informing effective
risk management for an enterprise
An outline and process for creating a risk management
framework
An outline and process for creating a risk management
process
ISO 31000 is:
Clear
Sensible
Brief (34 pages)
19. What Does ISO 31000 Cover? (cont’d)
The scope of this approach is to enable all strategic,
management and operational tasks throughout projects,
functions, and processes to be aligned to risk management
objectives
It is intended for stakeholder groups such as:
Executive level
Appointment holders in ERM group
Risk analysts and management officers
Line managers and project managers
Compliance and internal auditors
Independent practitioners
20. What Doesn’t ISO 31000 Cover?
Detailed instructions on how to manage risk
A complete risk management framework
A complete risk management process
Formats or attributes for describing risks
Templates
Guidance on how to identify risks
Advice on how to manage risks for a specific domain
21. ISO 31000 Will Help Us To…
Increase the likelihood of achieving objectives
Encourage proactive management
Identify and treat risk throughout the organization
Improve the identification of opportunities and threats
Comply with relevant legal and regulatory requirements
and international norms
Improve financial reporting
Improve governance
22. ISO 31000 Will Help To… (cont’d)
Improve stakeholder confidence and trust
Establish a reliable basis for decision making and planning
Improve controls
Effectively allocate and use resources for risk treatment
Improve operational effectiveness and efficiency
Enhance health and safety performance, as well as
environmental protection
Improve loss prevention and incident management
Minimize losses
Improve organizational learning and resilience
23. Why Use ISO 31000?
Save ourselves time and effort:
Using the terms, principles and guidelines in ISO 31000
means you don’t have to spend time and effort creating
your own.
You can spend time on the things that really add value
– managing the actual risks.
Facilitate communication:
Avoid misunderstandings by using concepts and terms
that are well known in the risk management community.
Provide higher quality output:
Take advantage of the significant expertise in risk
management that the ISO has used in coming up with
the standard.
Ensure you don’t miss out any aspects of risk
management by using the standard as a checklist.
24. How Do I Apply ISO 31000?
When should I use ISO 31000?
When you are asked to identify or assess risks
When you are asked to manage risks
When you are asked to assess a risk management
framework or process
How should I use ISO 31000?
Use it to frame the scope of the work
Use it to guide the engagement
Use it to create a risk management process
25. ISO 31000 In Short
It gives you a structured, credible foundation for
discussions about risk and risk management
It gives you a starting point for a risk management
process if you don’t have one
It gives you a standard vocabulary for talking about
risks and risk management
It gives you a baseline for comparisons and
assessments of risk management processes
26. ISO 31000 in Diagram
Diagram: Principles → Framework → Process
The principles guide the creation of the framework; the framework
defines the process; the performance of the process feeds back into
the framework.
28. What’s inside ISO 31000:2009
It consists of three major parts
11 principles for managing risk (Clause 3)
5 (five) components to the framework for managing
risk (Clause 4)
5 (five) processes for managing risks (Clause 6)
29. ISO 31000 Principles
Risk Management Principles
Creates and protects value
Based on the best information
Integral part of organisational
processes
Tailored
Part of decision making
Takes human and cultural factors
into account
Explicitly addresses uncertainty
Transparent and inclusive
Systematic, structured, and timely
Dynamic, iterative and responsive to
change
Facilitates continual improvement of
the organisation
30. Creates and Protects Value
Risk management contributes to the
demonstrable achievement of objectives and
improvement of performance in, for example,
human health and safety, security, legal and
regulatory compliance, public acceptance,
environmental protection, product quality,
project management, efficiency in
operations, governance and reputation.
31. Integral Part of Organizational Processes
Risk management is not a stand-alone
activity that is separate from the main
activities and processes of the organisation.
Risk management is part of the
responsibilities of management and an
integral part of all organisational processes,
including strategic planning and all project
and change management processes.
32. Part of Decision Making
Risk management helps decision makers
make informed choices, prioritise actions
and distinguish among alternative courses of
action.
33. Explicitly Addresses Uncertainty
Risk management explicitly takes
account of uncertainty, the nature of that
uncertainty, and how it can be addressed.
34. Systematic, Structured and Timely
A systematic, timely and structured approach
to risk management contributes to efficiency
and to consistent, comparable and reliable
results.
35. Based on the Best Information
The inputs to the process of managing risk
are based on information sources such as
historical data, experience, stakeholder
feedback, observation, forecasts and expert
judgement. However, decision makers
should inform themselves of, and should
take into account, any limitations of the data
or modelling used or the possibility of
divergence among experts.
36. Tailored
Risk management is aligned with the
organisation's external and internal context
and risk profile.
38. Takes Human and Cultural Factors into Account
Risk management recognises the
capabilities, perceptions and intentions of
external and internal people that can
facilitate or hinder achievement of the
organisation's objectives.
39. Transparent and Inclusive
Appropriate and timely involvement of stakeholders and,
in particular, decision makers at all levels of the
organisation, ensures that risk management remains
relevant and up-to-date. Involvement also allows
stakeholders to be properly represented and to have their
views taken into account in determining risk criteria.
40. Dynamic, Iterative and Responsive to Change
Risk management continually senses and
responds to change. As external and internal
events occur, context and knowledge
change, monitoring and review of risks take
place, new risks emerge, some change, and
others disappear.
41. Facilitates Continual Improvement of the Organisation
Organisations should develop and
implement strategies to improve their risk
management maturity alongside all other
aspects of their organisation.
42. Risk Management Framework
Set of components that provide the foundations and
organizational arrangements for designing, implementing,
monitoring, reviewing and continually improving risk
management throughout the organization
The foundations include the policy, objectives, mandate
and commitment to manage risk
The organizational arrangements include plans,
relationships, accountabilities, resources, processes
and activities
The RMF is embedded within the organization's overall
strategic and operational policies and practices
43. ISO 31000 Framework
Mandate and commitment
Design of framework for managing risk:
- Understanding the organisation and its context
- Establishing risk management policy
- Accountability
- Integration into organisational processes
- Resources
- Establishing internal communication and reporting mechanisms
- Establishing external communication and reporting mechanisms
Implementing risk management:
- Implementing the framework for managing risk
- Implementing the risk management process
Monitoring and review of the framework
Continual improvement of the framework
44. Mandate and Commitment
Introducing risk management and ensuring its ongoing
effectiveness require strong and sustained commitment
by management, as well as strategic and rigorous
planning to achieve commitment at all levels
Management should:
⎯ Define and endorse the risk management policy
⎯ Ensure that the organization's culture and risk
management policy are aligned
⎯ Determine risk management performance indicators
that align with performance indicators of the organization
45. Mandate and Commitment (cont’d)
⎯ Align risk management objectives with the objectives
and strategies of the organization
⎯ Ensure legal and regulatory compliance
⎯ Assign accountabilities and responsibilities at
appropriate levels within the organization
⎯ Ensure that the necessary resources are allocated to
risk management
⎯ Communicate the benefits of risk management to all
stakeholders
⎯ Ensure that the framework for managing risk continues
to remain appropriate
46. Understanding the Organization and Its Context
Evaluating the organization's external context may include,
but is not limited to:
Social and cultural, political, legal, regulatory, financial,
technological, economic, natural and competitive
environment, whether international, national, regional or
local
Key drivers and trends having impact on the objectives
of the organization
Relationships with, and perceptions and values of,
external stakeholders
47. Understanding the Organization and Its Context (cont’d)
Evaluating the organization's internal context may
include, but is not limited to:
⎯ Governance, organizational structure, roles and
accountabilities
⎯ Policies, objectives, and the strategies that are in place
to achieve them
⎯ Capabilities, understood in terms of resources and
knowledge (e.g. capital, time, people, processes,
systems and technologies)
48. Understanding the Organization and Its Context (cont’d)
⎯ Information systems, information flows and decision
making processes (both formal and informal)
⎯ Relationships with, and perceptions and values of,
internal stakeholders
⎯ Organization's culture
⎯ Standards, guidelines and models adopted by the
organization
⎯ The form and extent of contractual relationships
49. Establishing Risk Management Policy
It should clearly state the organization's objectives for, and
commitment to, managing risk, and address:
⎯ the organization's rationale for managing risk
⎯ links between the organization's objectives and policies
and the risk management policy
⎯ accountabilities and responsibilities for managing risk
⎯ the way in which conflicting interests are dealt with
50. Establishing Risk Management Policy (cont’d)
⎯ commitment to make the necessary resources available
to assist those accountable and responsible for managing
risk
⎯ the way in which risk management performance will be
measured and reported
⎯ commitment to review and improve the risk
management policy and framework periodically and in
response to an event or change in circumstances
51. Accountability
Accountability, authority and appropriate competence for
managing risk should be ensured; this is facilitated by:
Identifying risk owners that have the accountability and
authority to manage risks
Identifying who is accountable for development,
implementation and maintenance of framework for
managing risk
Identifying other responsibilities of people at all levels for
risk management process
Establishing performance measurement and external
and/or internal reporting and escalation processes
Ensuring appropriate levels of recognition
52. Resources
The organization should allocate appropriate resources
for risk management such as:
⎯ people, skills, experience and competence
⎯ resources needed for each step of the risk
management process
⎯ the organization's processes, methods and tools to be
used for managing risk
⎯ documented processes and procedures
⎯ information and knowledge management systems
⎯ training program
53. Establishing Internal Communications and Reporting
Mechanisms
Its purpose is to support and encourage accountability and
ownership of risk as well as to ensure that:
Key components of risk management framework, and
any subsequent modifications, are communicated
appropriately
There is adequate internal reporting on framework, its
effectiveness and outcomes
Relevant information derived from the application of risk
management is available at appropriate levels and times
There are processes for consultation with internal
stakeholders
54. Establishing External Communications and Reporting
Mechanisms
It should involve:
Engaging appropriate external stakeholders and
ensuring an effective exchange of information
External reporting to comply with legal, regulatory, and
governance requirements
Providing feedback and reporting on communication
and consultation
Using communication to build confidence
Communicating with stakeholders in the event of a crisis
or contingency
55. Implementing Framework for Managing Risk
In implementing the framework for managing risk, the
organization should:
Define appropriate timing and strategy for implementing
the framework
Apply risk management policy and process to the
organizational processes
Comply with legal and regulatory requirements
56. Implementing Framework for Managing Risk (cont’d)
Ensure that decision making, including the development
and setting of objectives, is aligned with risk
management processes outcomes
Hold information and training sessions
Communicate and consult with stakeholders to ensure
that its risk management framework remains
appropriate
57. Risk Management Process
Systematic application of management
policies, procedures and practices to the
activities of communicating, consulting,
establishing the context, and identifying,
analyzing, evaluating, treating, monitoring
and reviewing risk
58. Monitoring and Reviewing Framework
In order to ensure that risk management is effective and
continues to support organizational performance, the
organization should:
⎯ Measure risk management performance against
indicators, which are periodically reviewed for
appropriateness
⎯ Periodically measure progress against, and deviation
from, the risk management plan
59. Monitoring and Reviewing Framework (cont’d)
⎯ Periodically review whether the risk management
framework, policy and plan are still appropriate, given the
organization's external and internal context
⎯ Report on risk, progress with risk management plan
and how well risk management policy is being followed
⎯ Review risk management framework effectiveness
60. ISO 31000 Process
Communication and consultation (applies to every step)
Establishing the context
Risk assessment:
- Risk identification
- Risk analysis
- Risk evaluation
Risk treatment
Monitoring and review (applies to every step)
61. Risk Management: Establishing the Context
Defining the external and internal
parameters to be taken into account when
managing risk, and setting the scope and
risk criteria for the risk management policy.
62. Risk Management: Establishing the Context (cont’d)
External context
• Legal, Regulatory, Financial
• International, National, Regional or Local
• Relationships with, perceptions and values of external
stakeholders
Internal context
• Organizational objectives
• Project, process, or activity objectives
• Policy, standards, guidelines and models adopted by the
organization
• Contractual relationships
63. Risk Management: Establishing the Context (cont’d)
Process context
Objectives, scope, responsibilities, methods
Defining risk criteria
- Measures
- Tolerance levels
- Views of stakeholders
64. Monitoring and Review
Ensuring that controls are effective and efficient in both
design and operation
Obtaining further information to improve risk assessment
Analyzing and learning lessons from events (including
near-misses), changes, trends, successes and failures
Detecting changes in the external and internal context,
including changes to risk criteria and the risk itself which
can require revision of risk treatments and priorities
Identifying emerging risks
65. Recording Risk Management Process
Objectives
Organization's needs for continuous learning
Benefits of re-using information for management
purposes
Costs and efforts in creating and maintaining records
Legal, regulatory and operational needs for records
Method of access, ease of retrievability and storage
media
Retention period
Sensitivity of information
66. ISO 31000 Key Success Factors
Risk Management (RM) should function within a Risk
Management Framework (RMF)
The framework provides necessary foundations and
organizational arrangements to embed RM throughout
all levels within the organization
This foundation can assist organizations in managing
risk effectively through application of RM process at
varying levels and within specific contexts
The RMF ensures that risk information is adequately reported and
used as a basis for decision making and accountability
at all relevant organizational levels
71. Rehearsing ISO/IEC 31010: 2009
A supporting standard for AS/NZS ISO 31000:2009
It provides guidance on selection and application of
systematic techniques for risk assessment
The application of a range of techniques is introduced,
with specific references to other international standards
Concept and application of techniques are described in
greater detail
This standard does not provide specific criteria for
identifying the need for risk analysis
It also doesn’t specify the type of risk analysis method
required for a particular application
72. Rehearsing ISO Guide 73:2009
It provides the definitions of generic terms related to risk
management
Aimed to encourage a mutual and consistent
understanding of, and a coherent approach to, the
description of activities relating to the management of
risk
Aimed to encourage the use of uniform risk
management terminology in processes and frameworks
dealing with the management of risk
73. Risk Assessment
ISO/IEC 31010:2009, Risk assessment techniques,
jointly developed by ISO and IEC (International
Electrotechnical Commission)
A structured process for organizations to identify how
objectives may be affected
Analyzes risk in terms of consequences and their
probabilities before further action is taken
Provides a better understanding of the risks affecting
achievement of objectives, as well as the adequacy and
effectiveness of controls already in place
74. Risk Assessment (cont’d)
In short, Risk Assessment is the overall process of risk
identification, risk analysis and risk evaluation
Risk Identification
• Process of finding, recognizing and describing risks
involving identification of risk sources, events,
causes and potential consequences.
• It involves historical data, theoretical analysis,
informed and expert opinions, and stakeholder's
needs.
75. Risk Source and Event
Risk Source: element which alone or in combination has
the intrinsic potential to give rise to risk (tangible or
intangible)
Event
Occurrence or change of a particular set of
circumstances:
• It could be one or more occurrences, and can have
several causes
• It could consist of something not happening
• Sometimes be referred to as “incident” or “accident”
76. Consequences
Outcome of an event affecting objectives
An event can lead to a range of consequences
A consequence can be certain or uncertain and can
have positive or negative effects on objectives
Consequences can be expressed qualitatively or
quantitatively
Initial consequences can escalate through knock-on
effects
77. Risk Analysis
Process to comprehend the nature of risk and to
determine the level of risk
It involves consideration of the causes and sources of
risk, their positive and negative consequences, and the
likelihood that those consequences can occur
Provides the basis for risk evaluation and decisions
about risk treatment
It includes risk estimation as well
79. Risk Criteria and Level of Risk
Risk criteria
Terms of reference against which the significance of a
risk is evaluated:
• Based on organizational objectives, and external and
internal context
• It can be derived from standards, laws, policies and
other requirements
Level of risk
Magnitude of a risk or combination of risks, expressed in
terms of the combination of consequences and their
likelihood
80. Risk Evaluation
Process of comparing the results of risk
analysis with risk criteria to determine
whether the risk and/or its magnitude is
acceptable or tolerable.
Risk evaluation assists in the decision about
risk treatment.
81. Risk Treatment
Process to modify risk that can involve:
⎯ avoiding the risk by deciding not to start or continue
with the activity that gives rise to the risk
⎯ taking or increasing risk in order to pursue an
opportunity
⎯ removing the risk source
⎯ changing the likelihood
⎯ changing the consequences
82. Risk Treatment (cont’d)
⎯ sharing the risk with another party or parties (including
contracts and risk financing)
⎯ retaining the risk by informed decision
Risk treatments that deal with negative consequences
are sometimes referred to as “risk mitigation”, “risk
elimination”, “risk prevention” and “risk reduction”
It can create new risks or modify existing risks
83. Residual Risk
Risk remaining after risk treatment
It can contain unidentified risk
It can also be known as “retained risk”
86. Risk Assessment Techniques
Risk identification
Risk analysis – consequence analysis
Risk analysis – qualitative, semi-quantitative or
quantitative probability estimation
Risk analysis – assessing the effectiveness of any
existing controls
Risk analysis – estimating the level of risk
Risk evaluation
87. Factors Influencing the Selection
Complexity of the problem and the methods needed to
analyze it
The nature and degree of uncertainty of the risk
assessment, based on the amount of information available
and what is required to satisfy objectives
The extent of resources required in terms of time and
level of expertise, data needs or cost
Whether the method can provide a quantitative output
88. Tools used For Risk Assessment
Refer to Table A.1 of ISO 31010 on the
applicability of tools used for risk
assessment
Refer to Table A.2 of ISO 31010 on the
attributes of risk assessment tools
Details are in Annex B (Informative) of ISO
31010
90. Risk Identification
Process of finding, recognizing and describing risks
Comprehensive list of risks based on events that might create, enhance, prevent, degrade, accelerate or delay achievement of objectives
Identify risks associated with not pursuing an opportunity
A risk that is not identified at this stage will not be included in further analysis
Identification should include risks whether or not their source is under the control of the organization
91. Risk Evaluation
The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation
Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk
92. Risk Evaluation (cont’d)
Decisions should be made in accordance with legal, regulatory and other requirements
In some circumstances, the risk evaluation can lead to a decision to undertake further analysis
The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls
95. Managing Risk
A list, in order of preference, of how to deal with risk:
Avoiding the risk by not starting or continuing the activity that gives rise to the risk
Accepting or increasing risk in order to pursue an opportunity
Removing the risk source
Changing the likelihood and consequences
Sharing the risk with another party or parties, such as through contracts and risk financing
Retaining the risk by informed decision
96. Risk Treatment
Risk treatment involves selecting one or more options for modifying risks, and implementing those options
Risk treatment options are not necessarily mutually exclusive
The options can include the following:
- TRANSFER
Sharing the risk with another party or parties (including contracts and risk financing)
97. Risk Treatment (cont’d)
- AVOID
Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
Removing the risk source
- MITIGATE
Changing the likelihood
Changing the consequences (impact)
- ACCEPT
Retaining the risk by informed decision
Taking or increasing the risk in order to pursue an opportunity
98. Risk Treatment (cont’d)
Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment
A number of treatment options can be considered and applied either individually or in combination
99. Risk Treatment (cont’d)
Risk treatment itself can introduce risks
A significant risk can be the failure or ineffectiveness of the risk treatment measures
Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective
106. What Is Risk Register?
Record of information about identified risks
107. Risk Register Should Contain
A unique code for each risk
A description of each risk and its potential consequences (operational and strategic)
Actions and controls that currently exist to mitigate risks
Factors that may impact upon the likelihood and consequence of the residual risk
Risk grade (priority)
Whether the risk grade is acceptable
Early warning factors and upward reporting thresholds
108. Risk Treatment Action Shall Include
Planned actions to reduce the likelihood that a negative risk will occur and/or reduce its seriousness should it occur (What should you do now?)
Contingency actions - planned actions to reduce the immediate seriousness of a negative risk when it does occur (What should you do when it occurs?)
Recovery actions - planned actions taken once a negative risk has occurred to allow you to move on (What should you do after?)
Risk transfer (e.g. through assignment of contractual responsibilities or insurance)
Actions necessary to ensure the realisation of opportunities (positive risks)
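A small working risk register that ties together the register fields from slide 107, the TRANSFER / AVOID / MITIGATE / ACCEPT option groups from slides 96 and 97, and the planned / contingency / recovery action types above. This is an added example for the workshop, not code from the training deck or from ISO 31000 / ISO 31010. The 5x5 likelihood-by-consequence scale, the priority bands, the acceptance threshold and the upward-reporting threshold are assumptions chosen for illustration; every organization defines its own criteria. The three risks in `SAMPLE_REGISTER` are constructed sample data.

```python
"""Minimal risk register: added illustration, not from the slides or ISO 31000/31010.
ASSUMPTIONS: 1..5 ordinal scale on both axes, the priority bands, the acceptance
threshold and the upward-reporting threshold are all made up for this example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5     # assumption: 1 (rare/negligible) .. 5 (almost certain/severe)
ACCEPTABLE_MAX_GRADE = 6        # assumption: residual grade <= 6 needs no further treatment
ESCALATE_AT_GRADE = 15          # assumption: residual grade >= 15 is reported upward


class TreatmentOption(Enum):
    """The four option groups the slides use for treatment choices."""
    TRANSFER = "transfer"   # share with another party (contracts, insurance)
    AVOID = "avoid"         # do not start/continue the activity, remove the source
    MITIGATE = "mitigate"   # change the likelihood and/or the consequences
    ACCEPT = "accept"       # retain the risk by informed decision


@dataclass
class Treatment:
    """One treatment action and the effect it is expected to have on the scores."""
    option: TreatmentOption
    action: str
    kind: str                   # "planned", "contingency" or "recovery" (slide 108)
    likelihood_delta: int = 0   # expected change on the 1..5 scale (negative = lower)
    consequence_delta: int = 0


def _clamp(value: int) -> int:
    """Keep a score inside the ordinal scale after applying treatment deltas."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


@dataclass
class Risk:
    """A register entry carrying the fields listed on slide 107."""
    code: str                           # unique code for each risk
    description: str
    consequences: str                   # operational and strategic effects
    existing_controls: List[str]        # controls that already mitigate the risk
    likelihood: int                     # inherent score, before treatment
    consequence: int                    # inherent score, before treatment
    early_warning: List[str] = field(default_factory=list)
    treatments: List[Treatment] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject scores outside the scale instead of silently grading garbage.
        for name in ("likelihood", "consequence"):
            score = getattr(self, name)
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"{self.code}: {name}={score} outside {SCALE_MIN}..{SCALE_MAX}")

    def inherent_grade(self) -> int:
        """Grade before any treatment: likelihood x consequence."""
        return self.likelihood * self.consequence

    def residual_scores(self) -> Tuple[int, int]:
        """Scores after the recorded treatments. Only recorded treatments count, so the
        residual can still hold unidentified risk (slide 83); monitoring stays on."""
        lik = _clamp(self.likelihood + sum(t.likelihood_delta for t in self.treatments))
        con = _clamp(self.consequence + sum(t.consequence_delta for t in self.treatments))
        return lik, con

    def residual_grade(self) -> int:
        lik, con = self.residual_scores()
        return lik * con

    def priority(self) -> str:
        """Priority band derived from the residual grade (bands are an assumption)."""
        grade = self.residual_grade()
        if grade >= ESCALATE_AT_GRADE:
            return "high"
        return "medium" if grade > ACCEPTABLE_MAX_GRADE else "low"

    def is_acceptable(self) -> bool:
        """'Whether the risk grade is acceptable', against the assumed threshold."""
        return self.residual_grade() <= ACCEPTABLE_MAX_GRADE

    def needs_upward_report(self) -> bool:
        """Upward reporting threshold from slide 107, applied to the residual grade."""
        return self.residual_grade() >= ESCALATE_AT_GRADE


def prioritize(register: List[Risk]) -> List[str]:
    """Risk codes in treatment order: highest residual grade first."""
    return [r.code for r in sorted(register, key=lambda r: r.residual_grade(), reverse=True)]


# Constructed sample register (hypothetical risks, not taken from the slides).
SAMPLE_REGISTER = [
    Risk("R-001", "Internet-facing web server misses security patches",
         "Service outage and data exposure", ["monthly patch cycle"], 4, 5,
         early_warning=["patch backlog older than 30 days"],
         treatments=[Treatment(TreatmentOption.MITIGATE, "7-day SLA for critical patches",
                               "planned", likelihood_delta=-2),
                     Treatment(TreatmentOption.TRANSFER, "cyber insurance for breach costs",
                               "contingency", consequence_delta=-1)]),
    Risk("R-002", "Staff laptop lost or stolen", "Disclosure of locally stored files",
         ["asset inventory"], 3, 3,
         treatments=[Treatment(TreatmentOption.MITIGATE, "full-disk encryption on laptops",
                               "planned", consequence_delta=-2)]),
    Risk("R-003", "Legacy reporting tool retired without replacement",
         "Minor delay in monthly management reports", ["spreadsheet fallback"], 2, 2,
         treatments=[Treatment(TreatmentOption.ACCEPT, "retained by informed decision",
                               "planned")]),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.code, r.inherent_grade(), r.residual_grade(), r.priority(),
              r.is_acceptable(), r.needs_upward_report())
    print(prioritize(SAMPLE_REGISTER))
```

Running the block grades R-001 from an inherent 20 down to a residual 8 (medium, still above the assumed acceptance threshold), R-002 from 9 to 3, and leaves R-003 at 4 under an ACCEPT decision; the treatment order is therefore R-001, R-003, R-002. Note that the residual grade only reflects treatments that were actually recorded and that the deltas are expectations: slide 99's point that a treatment can fail or be ineffective is exactly why the early-warning factors and monitoring remain in the register after treatment.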
109. Sample of Risk Registers
113. Monitoring and Reviewing Risk
Monitoring
Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected
Can be applied to a risk management framework, risk management process, risk or control
Reviewing
Activity undertaken to determine suitability, adequacy and effectiveness of subject matter to achieve established objectives
Can be applied to a risk management framework, risk management process, risk or control
114. Monitoring and Reviewing Risk (cont’d)
An integral part of the risk management process involving regular checking or surveillance
Ensure controls are effective and efficient
Detect change in external or internal context
Analysis, lessons learned, continuous improvement
Identify emerging risks
There should be an organization-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organization's practices and processes. The risk management plan can be integrated into other organizational plans, such as a strategic plan.
Risk management should be implemented by ensuring that the risk management process outlined in Clause 5 is applied through a risk management plan at all relevant levels and functions of the organization as part of its practices and processes.