Implementing
Enterprise Risk Management
with ISO 31000:2009
Led by Goutama Bachtiar
www.about.me/goudotmobi

2013
Introduction

2

Dec 2013

Developed by @goudotmobi
Training Lead Profile

A seasoned advisor, auditor, consultant, trainer, courseware developer and writer with 15 years of experience in advisory, consulting, audit, training and education as well as project management.

As of now, he has delivered and hosted 200+ sessions with 7,000+ attendees and 5,000+ hours of training, lectures, conferences, workshops and seminars across Indonesia and abroad for around 70 institutions and companies.

To date he has written and edited 300+ articles and manuscripts concerning ICT and management in more than 20 leading local and international media outlets, companies, journals and conferences.

On top of that, he is a speaker, moderator and panelist at various national and international conferences, workshops and seminars, with more than 65 international certifications in the tech and management spaces under his belt.

A guest lecturer at top-tier Indonesian and American universities for their master's and undergraduate programs.

Training Agenda

Day One – Understanding, Valuing and Raising Risk Management, Enterprise Risk Management and ISO 31000:2009 Awareness

Time | Topics | Delivery
09.00 – 09.30 | Opening, Self-Introduction and Exploring Enterprise Risk Management | Classical
09.30 – 10.00 | Understanding ISO 31000:2009 | Classical
10.00 – 10.15 | First Coffee Break | N/A
10.15 – 12.00 | Navigating ISO 31000:2009 Principles and Guidelines | Classical
12.00 – 13.00 | Lunch Break | N/A
13.00 – 15.00 | Understanding ISO 31000 Clauses – 1st Session | Classical
15.00 – 15.15 | Second Coffee Break | N/A
15.15 – 16.00 | Understanding ISO 31000 Clauses – 2nd Session | Classical
16.00 – 16.30 | Understanding Relationship Between ISO 15378 and ISO 31000 | Classical
16.30 – 17.00 | Question and Answer, Wrap-Up Day One | Individual Participation

Training Agenda (cont’d)

Day Two – Exploring and Utilizing Risk Assessment Techniques

Time | Topics | Delivery
09.00 – 09.30 | Day One Review | Classical
09.30 – 10.00 | Valuing ISO 31010: Risk Assessment and its Techniques – 1st Session | Classical, Group Discussion
10.00 – 10.15 | First Coffee Break | N/A
10.15 – 12.00 | Valuing ISO 31010: Risk Assessment and its Techniques – 2nd Session | Classical, Group Discussion
12.00 – 13.00 | Lunch Break | N/A
13.00 – 14.00 | Utilizing Risk Assessment Techniques | Workshop, Group Discussion
14.00 – 15.00 | Analyzing and Evaluating Risk Assessment Result – 1st Session | Group Presentation, Group Discussion
15.00 – 15.15 | Second Coffee Break | N/A
15.15 – 16.00 | Analyzing and Evaluating Risk Assessment Result – 2nd Session | Group Presentation, Group Discussion
16.00 – 17.00 | Question and Answer, Wrap Up Day Two, Quiz | Individual Participation

Training Agenda (cont’d)

Day Three – Exploring and Utilizing Risk Registration as well as Monitoring and Managing ERM

Time | Topics | Delivery
09.00 – 09.30 | Day Two Review | Classical
09.30 – 10.00 | Understanding Risk Register Entry | Classical
10.00 – 10.15 | First Coffee Break | N/A
10.15 – 12.00 | Utilizing Risk Register Entry | Workshop, Group Discussion
12.00 – 13.00 | Lunch Break | N/A
13.00 – 15.00 | Discussing and Implementing Risk Register | Workshop, Group Presentation
15.00 – 15.15 | Second Coffee Break | N/A
15.15 – 16.00 | Monitoring and Managing ERM | Classical
16.00 – 17.00 | Post-Test, Training Evaluation, Wrap Up Day Three, Closing | Individual Participation

Rule of the Game

- Attendance: participants are required to attend all three full days of the training to obtain the training certificate
- Weight for the training mark:
  - Attendance: 10%
  - Quiz (Day Two): 40%
  - Final Test (Day Three): 50%

Exploring Enterprise Risk
Management

What Risk is All About

- Risks have consequences in terms of societal, environmental, technological, safety and security outcomes
- They have commercial, financial and economic results
- They also have social, cultural and political reputation impacts
- ISO 31000:2009 helps organizations of all types and sizes to manage risk effectively

What Is Risk Management?
Risk
The effect of uncertainty on the ability of an organisation
to meet its objectives
Risk Management
The range of activities that an organisation intentionally
undertakes to understand and reduce these effects

Effective Risk Management
Executing these activities efficiently and in a way that
actually and demonstrably improves the ability of the
organisation to meet its objectives in a repeatable
fashion
Risk Management with ISO

- ISO 31000:2009 – Principles and Guidelines on Implementation (20 November 2009)
- ISO/IEC 31010:2009 – Risk Assessment Techniques (1 December 2009)
- ISO Guide 73:2009 – Vocabulary (15 November 2009)
- HB 327:2010 – Communicating and consulting about risk (23 February 2010)

Risk Management with ISO (cont’d)

- AS/NZS 5050:2010 – Business continuity – Managing disruption-related risk (28 June 2010)
- HB 266:2010 – Guide for managing risk in not-for-profit organizations (12 August 2010)
- HB 246:2010 – Guidelines for managing risk in sport and recreation organizations (18 August 2010)

Understanding ISO 31000

Understanding ISO 31000

- Provides principles, a framework and a process for managing any form of risk in a transparent, systematic and credible manner within any scope or context
- Recommends that organizations develop, implement and continuously improve a risk management framework as an integral component of their management system
- Concretely, it is a practical document that seeks to assist organizations in developing their own approach to the management of risk

Understanding ISO 31000 (cont’d)

- This is NOT a standard that organizations can seek certification to
- Organizations can compare their risk management practices with an internationally recognized benchmark
- It provides sound principles for effective management
- ISO Guide 73:2009 provides a collection of terms and definitions relating to the management of risk
- ISO 31000 is designed to help organizations

What Is ISO 31000?

ISO 31000:2009:
- An international standard that provides principles and guidelines for effective risk management
- Not specific to any industry or sector
- Able to be applied to any kind of risk
- Able to be applied to any kind of organisation
- Intended to be tailored to meet the needs of the organisation

“The generic approach described in this standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.”

History of ISO 31000

- AS/NZS 4360:1999 was developed by Australia and NZ in 1999
- Revised and reissued as AS/NZS 4360:2004 in 2004
- No agreed de jure or de facto international standard was in place at this stage
- A small number of competing frameworks existed, which were regarded as unsatisfactory
- The International Standards Organisation started work on ISO 31000 in 2005, using AS/NZS 4360:2004 as its first draft
- ISO 31000 was issued worldwide in 2009

What Does ISO 31000 Cover?

ISO 31000:2009 contains:
- A set of risk management terms and their definitions
- A set of principles for guiding and informing effective risk management for an enterprise
- An outline and process for creating a risk management framework
- An outline and process for creating a risk management process

ISO 31000 is:
- Clear
- Sensible
- Brief (34 pages)

What Does ISO 31000 Cover? (cont’d)

The scope of this approach is to enable all strategic, management and operational tasks throughout projects, functions and processes to be aligned with risk management objectives.

It is intended for stakeholder groups such as:
- Executive level
- Appointment holders in the ERM group
- Risk analysts and management officers
- Line managers and project managers
- Compliance and internal auditors
- Independent practitioners

What Doesn’t ISO 31000 Cover?

- Detailed instructions on how to manage risk
- A complete risk management framework
- A complete risk management process
- Formats or attributes for describing risks
- Templates
- Guidance on how to identify risks
- Advice on how to manage risks for a specific domain

ISO 31000 Will Help Us To…

- Increase the likelihood of achieving objectives
- Encourage proactive management
- Identify and treat risk throughout the organization
- Improve the identification of opportunities and threats
- Comply with relevant legal and regulatory requirements and international norms
- Improve financial reporting
- Improve governance

ISO 31000 Will Help Us To… (cont’d)

- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making and planning
- Improve controls
- Effectively allocate and use resources for risk treatment
- Improve operational effectiveness and efficiency
- Enhance health and safety performance, as well as environmental protection
- Improve loss prevention and incident management
- Minimize losses
- Improve organizational learning and resilience

Why Use ISO 31000?

- Save ourselves time and effort:
  - Using the terms, principles and guidelines in ISO 31000 means you don’t have to spend time and effort creating your own.
  - You can spend time on the things that really add value: managing the actual risks.
- Facilitate communication:
  - Avoid misunderstandings by using concepts and terms that are well known in the risk management community.
- Provide higher quality output:
  - Take advantage of the significant expertise in risk management that the ISO has used in coming up with the standard.
  - Ensure you don’t miss out any aspects of risk management by using the standard as a checklist.

How Do I Apply ISO 31000?

When should I use ISO 31000?
- When you are asked to identify or assess risks
- When you are asked to manage risks
- When you are asked to assess a risk management framework or process

How should I use ISO 31000?
- Use it to frame the scope of the work
- Use it to guide the engagement
- Use it to create a risk management process

ISO 31000 In Short

- It gives you a structured, credible foundation for discussions about risk and risk management
- It gives you a starting point for a risk management process if you don’t have one
- It gives you a standard vocabulary for talking about risks and risk management
- It gives you a baseline for comparisons and assessments of risk management processes

ISO 31000 in Diagram

Principles → Framework → Process:
- The principles guide the creation of the framework
- The framework defines the process
- The performance of the process feeds back into the framework

Navigating ISO 31000
Principles and Guidelines

What’s inside ISO 31000:2009

It consists of three major parts:
- 11 principles for managing risk (Clause 3)
- 5 (five) components to the framework for managing risk (Clause 4)
- 5 (five) processes for managing risks (Clause 6)

ISO 31000 Principles

Risk Management Principles:
- Creates and protects value
- Integral part of organisational processes
- Part of decision making
- Explicitly addresses uncertainty
- Systematic, structured, and timely
- Based on the best information
- Tailored
- Takes human and cultural factors into account
- Transparent and inclusive
- Dynamic, iterative and responsive to change
- Facilitates continual improvement of the organisation

Creates and Protects Value

Risk management contributes to the
demonstrable achievement of objectives and
improvement of performance in, for example,
human health and safety, security, legal and
regulatory compliance, public acceptance,
environmental protection, product quality,
project management, efficiency in
operations, governance and reputation.
Integral Part of Organizational Processes

Risk management is not a stand-alone
activity that is separate from the main
activities and processes of the organisation.
Risk management is part of the
responsibilities of management and an
integral part of all organisational processes,
including strategic planning and all project
and change management processes.
Part of Decision Making

Risk management helps decision makers
make informed choices, prioritise actions
and distinguish among alternative courses of
action.

Explicitly Addresses Uncertainty

Risk management explicitly takes
account of uncertainty, the nature of that
uncertainty, and how it can be addressed.

Systematic, Structured and Timely

A systematic, timely and structured approach
to risk management contributes to efficiency
and to consistent, comparable and reliable
results.

Based on the Best Information

The inputs to the process of managing risk
are based on information sources such as
historical data, experience, stakeholder
feedback, observation, forecasts and expert
judgement. However, decision makers
should inform themselves of, and should
take into account, any limitations of the data
or modelling used or the possibility of
divergence among experts.
Tailored

Risk management is aligned with the
organisation's external and internal context
and risk profile.

Takes Human and Cultural Factors into Account

Risk management recognises the
capabilities, perceptions and intentions of
external and internal people that can
facilitate or hinder achievement of the
organisation's objectives.

Transparent and Inclusive

Appropriate and timely involvement of stakeholders and,
in particular, decision makers at all levels of the
organisation, ensures that risk management remains
relevant and up-to-date. Involvement also allows
stakeholders to be properly represented and to have their
views taken into account in determining risk criteria.

Dynamic, Iterative and Responsive to Change

Risk management continually senses and
responds to change. As external and internal
events occur, context and knowledge
change, monitoring and review of risks take
place, new risks emerge, some change, and
others disappear.

Facilitates Continual Improvement of the Organisation

Organisations should develop and
implement strategies to improve their risk
management maturity alongside all other
aspects of their organisation.

Risk Management Framework

- Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
- The foundations include the policy, objectives, mandate and commitment to manage risk
- The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities
- The RMF is embedded within the organization's overall strategic and operational policies and practices

ISO 31000 Framework

The five components of the framework, as laid out in the slide's diagram:
- Mandate and commitment
- Design of framework for managing risk
  - Understanding the organisation and its context
  - Establishing risk management policy
  - Accountability
  - Integration into organisational processes
  - Resources
  - Establishing internal communication and reporting mechanisms
  - Establishing external communication and reporting mechanisms
- Implementing risk management
  - Implementing the framework for managing risk
  - Implementing the risk management process
- Monitoring and review of the framework
- Continual improvement of the framework

Mandate and Commitment

Introducing risk management and ensuring its ongoing effectiveness require strong and sustained commitment by management, as well as strategic and rigorous planning to achieve commitment at all levels.

Management should:
- Define and endorse the risk management policy
- Ensure that the organization's culture and risk management policy are aligned
- Determine risk management performance indicators that align with performance indicators of the organization

Mandate and Commitment (cont’d)

- Align risk management objectives with the objectives and strategies of the organization
- Ensure legal and regulatory compliance
- Assign accountabilities and responsibilities at appropriate levels within the organization
- Ensure that the necessary resources are allocated to risk management
- Communicate the benefits of risk management to all stakeholders
- Ensure that the framework for managing risk continues to remain appropriate

Understanding the Organization and Its Context

Evaluating the organization's external context may include, but is not limited to:
- The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
- Key drivers and trends having an impact on the objectives of the organization
- Relationships with, and perceptions and values of, external stakeholders

Understanding the Organization and Its Context (cont’d)

Evaluating the organization's internal context may include, but is not limited to:
- Governance, organizational structure, roles and accountabilities
- Policies, objectives, and the strategies that are in place to achieve them
- Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies)

Understanding the Organization and Its Context (cont’d)

- Information systems, information flows and decision-making processes (both formal and informal)
- Relationships with, and perceptions and values of, internal stakeholders
- The organization's culture
- Standards, guidelines and models adopted by the organization
- The form and extent of contractual relationships

Establishing Risk Management Policy

The policy should clearly state the organization's objectives for, and commitment to, risk management, and should address:
- The organization's rationale for managing risk
- Links between the organization's objectives and policies and the risk management policy
- Accountabilities and responsibilities for managing risk
- The way in which conflicting interests are dealt with

Establishing Risk Management Policy (cont’d)

- Commitment to make the necessary resources available to assist those accountable and responsible for managing risk
- The way in which risk management performance will be measured and reported
- Commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances

Accountability

The organization should ensure that there is accountability, authority and appropriate competence for managing risk, which is facilitated by:
- Identifying risk owners that have the accountability and authority to manage risks
- Identifying who is accountable for development, implementation and maintenance of the framework for managing risk
- Identifying other responsibilities of people at all levels for the risk management process
- Establishing performance measurement and external and/or internal reporting and escalation processes
- Ensuring appropriate levels of recognition

Resources

The organization should allocate appropriate resources for risk management, such as:
- People, skills, experience and competence
- Resources needed for each step of the risk management process
- The organization's processes, methods and tools to be used for managing risk
- Documented processes and procedures
- Information and knowledge management systems
- Training programs

Establishing Internal Communications and Reporting Mechanisms

These mechanisms support and encourage accountability and ownership of risk, and ensure that:
- Key components of the risk management framework, and any subsequent modifications, are communicated appropriately
- There is adequate internal reporting on the framework, its effectiveness and outcomes
- Relevant information derived from the application of risk management is available at appropriate levels and times
- There are processes for consultation with internal stakeholders

Establishing Internal Communications and Reporting Mechanisms (cont’d)

This should involve:
- Engaging appropriate external stakeholders and ensuring an effective exchange of information
- External reporting to comply with legal, regulatory and governance requirements
- Providing feedback and reporting on communication and consultation
- Using communication to build confidence
- Communicating with stakeholders in the event of a crisis or contingency

Implementing Framework for Managing Risk

In implementing the framework for managing risk, the organization should:
- Define appropriate timing and strategy for implementing the framework
- Apply the risk management policy and process to the organizational processes
- Comply with legal and regulatory requirements

Implementing Framework for Managing Risk (cont’d)

- Ensure that decision making, including the development and setting of objectives, is aligned with the outcomes of risk management processes
- Hold information and training sessions
- Communicate and consult with stakeholders to ensure that its risk management framework remains appropriate

Risk Management Process

Systematic application of management
policies, procedures and practices to the
activities of communicating, consulting,
establishing the context, and identifying,
analyzing, evaluating, treating, monitoring
and reviewing risk

Monitoring and Reviewing Framework

In order to ensure that risk management is effective and continues to support organizational performance, the organization should:
- Measure risk management performance against indicators, which are periodically reviewed for appropriateness
- Periodically measure progress against, and deviation from, the risk management plan

Monitoring and Reviewing Framework (cont’d)

- Periodically review whether the risk management framework, policy and plan are still appropriate, given the organization's external and internal context
- Report on risk, progress with the risk management plan and how well the risk management policy is being followed
- Review the effectiveness of the risk management framework

ISO 31000 Process

The process steps, as laid out in the slide's diagram, with communication and consultation and monitoring and review running alongside every step:
- Establishing the context
- Risk assessment
  - Risk identification
  - Risk analysis
  - Risk evaluation
- Risk treatment
- Communication and consultation (throughout)
- Monitoring and review (throughout)

Risk Management: Establishing the Context

Defining the external and internal
parameters to be taken into account when
managing risk, and setting the scope and
risk criteria for the risk management policy.

Risk Management: Establishing the Context (cont’d)

External context:
- Legal, regulatory, financial
- International, national, regional or local
- Relationships with, and perceptions and values of, external stakeholders

Internal context:
- Organizational objectives
- Project, process, or activity objectives
- Policy, standards, guidelines and models adopted by the organization
- Contractual relationships

Risk Management: Establishing the Context (cont’d)

Process context:
- Objectives, scope, responsibilities, methods
- Defining risk criteria:
  - Measures
  - Tolerance levels
  - Views of stakeholders

Monitoring and Review

- Ensuring that controls are effective and efficient in both design and operation
- Obtaining further information to improve risk assessment
- Analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures
- Detecting changes in the external and internal context, including changes to risk criteria and the risk itself, which can require revision of risk treatments and priorities
- Identifying emerging risks

Recording Risk Management Process

Objectives:
- The organization's needs for continuous learning
- Benefits of re-using information for management purposes
- Costs and efforts in creating and maintaining records
- Legal, regulatory and operational needs for records
- Method of access, ease of retrievability and storage media
- Retention period
- Sensitivity of information

ISO 31000 Key Success Factors

- Risk Management (RM) should function within a Risk Management Framework (RMF)
- The framework provides the necessary foundations and organizational arrangements to embed RM throughout all levels within the organization
- This foundation can assist organizations in managing risk effectively through application of the RM process at varying levels and within specific contexts
- The RMF ensures risk information is adequately reported and used as a basis for decision making and accountability at all relevant organizational levels

Question and Answer

Wrap Up Day One

Day One Review

Valuing ISO31010: Risk
Assessment and its Techniques

Rehearsing ISO/IEC 31010:2009

- A supporting standard for AS/NZS ISO 31000:2009
- It provides guidance on selection and application of systematic techniques for risk assessment
- The application of a range of techniques is introduced, with specific references to other international standards
- Concept and application of techniques are described in greater detail
- This standard does not provide specific criteria for identifying the need for risk analysis
- It also doesn’t specify the type of risk analysis method required for a particular application

Rehearsing ISO Guide 73:2009

- It provides the definitions of generic terms related to risk management
- Aimed to encourage a mutual and consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk
- Aimed to encourage the use of uniform risk management terminology in processes and frameworks dealing with the management of risk

Risk Assessment

- ISO/IEC 31010:2009, Risk assessment techniques, was jointly developed by ISO and IEC (International Electrotechnical Commission)
- A structured process for organizations to identify how objectives may be affected
- Analyzes risk in terms of consequences and their probabilities, before any further action is taken
- Provides a better understanding of the risks affecting achievement of objectives, as well as the adequacy and effectiveness of controls already in place

Risk Assessment (cont’d)

In short, Risk Assessment is the overall process of risk identification, risk analysis and risk evaluation.

Risk Identification:
- Process of finding, recognizing and describing risks, involving identification of risk sources, events, causes and potential consequences.
- It involves historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.

Risk Source and Event

Risk Source: element which alone or in combination has the intrinsic potential to give rise to risk (tangible or intangible)

Event: occurrence or change of a particular set of circumstances:
- It could be one or more occurrences, and can have several causes
- It could consist of something not happening
- Sometimes referred to as “incident” or “accident”

Consequences

Outcome of an event affecting objectives:
- An event can lead to a range of consequences
- A consequence can be certain or uncertain and can have positive or negative effects on objectives
- Consequences can be expressed qualitatively or quantitatively
- Initial consequences can escalate through knock-on effects

Risk Analysis

- Process to comprehend the nature of risk and to determine the level of risk
- It involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur
- Provides the basis for risk evaluation and decisions about risk treatment
- It includes risk estimation as well

Risk Analysis (cont’d)

Risk Criteria and Level of Risk

Risk criteria: terms of reference against which the significance of a risk is evaluated:
- Based on organizational objectives, and external and internal context
- It can be derived from standards, laws, policies and other requirements

Level of risk: magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood

Risk Evaluation

Process of comparing the results of risk
analysis with risk criteria to determine
whether the risk and/or its magnitude is
acceptable or tolerable.
Risk evaluation assists in the decision about
risk treatment.

Risk Treatment

Process to modify risk that can involve:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
- Taking or increasing risk in order to pursue an opportunity
- Removing the risk source
- Changing the likelihood
- Changing the consequences

Risk Treatment (cont’d)

- Sharing the risk with another party or parties (including contracts and risk financing)
- Retaining the risk by informed decision

Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.

Risk treatment can create new risks or modify existing risks.

Residual Risk

- Risk remaining after risk treatment
- It can contain unidentified risk
- It can also be known as “retained risk”

Risk Assessment Three Bands

Utilizing Risk Assessment
Techniques

Risk Assessment Techniques

Risk identification
Risk analysis – consequence analysis
Risk analysis – qualitative, semi-quantitative or
quantitative probability estimation
Risk analysis – assessing the effectiveness of any
existing controls
Risk analysis – estimating the level of risk
Risk evaluation

Factors Influencing the Selection
Complexity of the problem and the methods needed to
analyze it
The nature and degree of uncertainty of the risk
assessment, based on the amount of information
available and what is required to satisfy objectives

The extent of resources required in terms of time and
level of expertise, data needs or cost
Whether the method can provide a quantitative output

Tools Used for Risk Assessment

Refer to Table A.1 in ISO 31010 on the
applicability of tools used for risk
assessment
Refer to Table A.2 in ISO 31010 on the
attributes of risk assessment tools
Details are in Annex B (Informative) of ISO
31010
Analyzing and Evaluating
Risk Assessment Result

Risk Identification

Process of finding, recognizing and describing risks
Comprehensive list of risks based on events that might
create, enhance, prevent, degrade, accelerate or delay
achievement of objectives
Identify risks associated with not pursuing an
opportunity

A risk that is not identified at this stage will not be
included in further analysis
Identification should include risks whether or not their
source is under the control of the organization
Risk Evaluation

The purpose of risk evaluation is to assist in making
decisions, based on the outcomes of risk analysis,
about which risks need treatment and the priority for
treatment implementation
Decisions should take account of the wider context of
the risk and include consideration of the tolerance of the
risks borne by parties other than the organization that
benefits from the risk

Risk Evaluation (cont’d)

Decisions should be made in accordance with legal,
regulatory and other requirements
In some circumstances, the risk evaluation can lead to a
decision to undertake further analysis
The risk evaluation can also lead to a decision not to
treat the risk in any way other than maintaining existing
controls

Managing Risk

A list, in order of preference, of how to deal with risk:
Avoiding the risk by deciding not to start or continue the
activity that gives rise to the risk
Accepting or increasing the risk in order to pursue an
opportunity
Removing the risk source
Changing the likelihood and consequences
Sharing the risk with another party or parties, such as through
contracts and risk financing
Retaining the risk by informed decision
Risk Treatment

Risk treatment involves selecting one or more options
for modifying risks, and implementing those options
Risk treatment options are not necessarily mutually
exclusive
The options can include the following:

- TRANSFER
Sharing the risk with another party or parties (including
contracts and risk financing)

Risk Treatment (cont’d)
- AVOID
Avoiding the risk by deciding not to start or
continue with the activity that gives rise to the risk
Removing the risk source
- MITIGATE
Changing the likelihood
Changing the consequences (impact)
- ACCEPT
Retaining the risk by informed decision

Taking or increasing the risk in order to pursue an
opportunity
Risk Treatment (cont’d)

Selecting the most appropriate risk treatment option
involves balancing the costs and efforts of
implementation against the benefits derived, with regard
to legal, regulatory, and other requirements such as
social responsibility and the protection of the natural
environment
A number of treatment options can be considered and
applied either individually or in combination

Risk Treatment (cont’d)

Risk treatment itself can introduce risks
A significant risk can be the failure or ineffectiveness of
the risk treatment measures

Monitoring needs to be an integral part of the risk
treatment plan to give assurance that the measures
remain effective

Analyzing and Evaluating
Risk Assessment Result

Question and Answer

Wrap Up Day Two

Quiz Time

Day Two Review
Understanding Risk Register
Entry

What Is a Risk Register?
Record of information about identified risks

Risk Register Should Contain
A unique code for each risk
A description of each risk and its potential
consequences (operational and strategic)
Actions and controls that currently exist to mitigate risks
Factors that may impact upon the likelihood and
consequence of the residual risk
Risk grade (priority)
Whether the risk grade is acceptable
Early warning factors and upward reporting thresholds

Risk Treatment Action Shall Include
• Planned actions to reduce the likelihood a negative risk will
occur and/or reduce the seriousness should it occur (What
should you do now?)
• Contingency actions - planned actions to reduce the immediate
seriousness of a negative risk when it does occur (What should
you do when it occurs?)
• Recovery actions - planned actions taken once a negative risk
has occurred to allow you to move on (What should you do
after?)
• Risk transfer (e.g. through assignment of contractual
responsibilities or insurance)
• Actions necessary to ensure the realisation of opportunities
(positive risks)
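Added example, not code from the deck or from the standard: a small Python model that ties together the slides above on level of risk (combination of likelihood and consequence), risk evaluation against three-band risk criteria, the risk treatment options, and the fields a risk register entry should carry. The ordinal scales, band boundaries, treatment option names and sample risks are constructed assumptions; an organisation defines its own.

```python
"""Added example (not code from the training deck): a minimal ISO 31000-style
risk register entry with level-of-risk scoring, evaluation against risk
criteria and residual risk after treatment. Scales, bands and sample risks
are constructed for illustration, not taken from the standard."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed 1..5 ordinal scales (an organisation defines its own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = ("transfer", "avoid", "mitigate", "accept")  # as grouped in the deck
# Constructed risk criteria: upper bounds of the acceptable and tolerable bands.
CRITERIA = {"acceptable_max": 4, "tolerable_max": 9}


def level_of_risk(likelihood: str, consequence: str) -> int:
    """Level of risk: the combination of consequence and likelihood (product here)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def evaluate(level: int, criteria: dict = CRITERIA) -> str:
    """Risk evaluation: compare the analysed level with the three-band risk criteria."""
    if level <= criteria["acceptable_max"]:
        return "acceptable"
    if level <= criteria["tolerable_max"]:
        return "tolerable"
    return "unacceptable"


@dataclass
class RiskEntry:
    """One register record carrying the fields listed on the slides above."""
    code: str                       # unique code for each risk
    description: str
    potential_consequences: str     # operational and strategic consequences
    likelihood: str
    consequence: str
    existing_controls: list = field(default_factory=list)
    treatment: str = "accept"       # retained by informed decision unless treated
    planned_actions: list = field(default_factory=list)      # what to do now
    contingency_actions: list = field(default_factory=list)  # what to do when it occurs
    recovery_actions: list = field(default_factory=list)     # what to do after
    early_warning_factors: list = field(default_factory=list)
    report_at: str = "tolerable"    # upward reporting threshold (grade)
    residual_likelihood: Optional[str] = None
    residual_consequence: Optional[str] = None

    def residual_level(self) -> int:
        """Risk remaining after treatment; equals the inherent level if untreated."""
        return level_of_risk(self.residual_likelihood or self.likelihood,
                             self.residual_consequence or self.consequence)

    def grade(self, criteria: dict = CRITERIA) -> str:
        return evaluate(self.residual_level(), criteria)

    def needs_upward_report(self, criteria: dict = CRITERIA) -> bool:
        """True when the residual grade reaches the entry's reporting threshold."""
        bands = ("acceptable", "tolerable", "unacceptable")
        return bands.index(self.grade(criteria)) >= bands.index(self.report_at)

    def treat(self, option: str, likelihood: Optional[str] = None,
              consequence: Optional[str] = None) -> None:
        """Record the chosen option and the likelihood/consequence it leaves behind."""
        if option not in TREATMENTS:
            raise ValueError(f"unknown treatment option: {option}")
        self.treatment = option
        if option == "avoid":  # assumed: an avoided activity scores at the scale floor
            likelihood, consequence = "rare", "insignificant"
        self.residual_likelihood = likelihood
        self.residual_consequence = consequence


class RiskRegister:
    """Register keyed by unique code; duplicate codes are rejected."""
    def __init__(self) -> None:
        self._entries: dict = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.code in self._entries:
            raise ValueError(f"duplicate risk code: {entry.code}")
        self._entries[entry.code] = entry

    def requiring_treatment(self, criteria: dict = CRITERIA) -> list:
        """Risks whose residual grade is not acceptable, highest level first."""
        todo = [e for e in self._entries.values() if e.grade(criteria) != "acceptable"]
        return sorted(todo, key=lambda e: e.residual_level(), reverse=True)


# Constructed sample entries for a hypothetical organisation.
R1 = RiskEntry("R-001", "Unpatched internet-facing web server",
               "Service outage and data disclosure (operational)", "likely", "major",
               existing_controls=["perimeter firewall"],
               early_warning_factors=["missed patch cycle"])
R2 = RiskEntry("R-002", "Key supplier insolvency", "Delivery delay (strategic)",
               "possible", "minor")
REGISTER = RiskRegister()
REGISTER.add(R1)
REGISTER.add(R2)
R1.treat("mitigate", likelihood="unlikely", consequence="major")
```

After mitigation R-001 drops from the unacceptable band (level 16) to the tolerable band (level 8), which still meets its upward reporting threshold, so it stays on the treatment priority list.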
Sample of Risk Registers

Utilizing Risk Register Entry

Discussing and
Implementing Risk Register

Monitoring and Managing
Risk Management

Monitoring and Reviewing Risk
Monitoring
• Continual checking, supervising, critically observing or
determining the status in order to identify change from the
performance level required or expected
• Can be applied to a risk management framework, risk
management process, risk or control

Reviewing
• Activity undertaken to determine suitability, adequacy and
effectiveness of subject matter to achieve established
objectives
• Can be applied to a risk management framework, risk
management process, risk or control
Monitoring and Reviewing Risk (cont’d)

An integral part of the risk management
process involving regular checking or
surveillance
Ensure controls are effective and efficient
Detect change in external or internal context

Analysis, lessons learned, continuous
improvement
Identify emerging risks
Post Test

Question and Answer


LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSlesteraporado16
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Shubham Pant
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024Jan Löffler
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdfShreedeep Rayamajhi
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfmchristianalwyn
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilitiesalihassaah1994
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxnaveenithkrishnan
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsRoxana Stingu
 

Recently uploaded (12)

Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a Website
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpress
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptx
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
 

Implementing Enterprise Risk Management with ISO 31000:2009

  • 5. Training Agenda (cont’d)
    Day Two – Exploring and Utilizing Risk Assessment Techniques
    Time | Topics | Delivery
    09.00 – 09.30 | Day One Review | Classical
    09.30 – 10.00 | Valuing ISO31010: Risk Assessment and its Techniques – 1st Session | Classical, Group Discussion
    10.00 – 10.15 | First Coffee Break | N/A
    10.15 – 12.00 | Valuing ISO31010: Risk Assessment and its Techniques – 2nd Session | Classical, Group Discussion
    12.00 – 13.00 | Lunch Break | N/A
    13.00 – 14.00 | Utilizing Risk Assessment Techniques | Workshop, Group Discussion
    14.00 – 15.00 | Analyzing and Evaluating Risk Assessment Result – 1st Session | Group Presentation, Group Discussion
    15.00 – 15.15 | Second Coffee Break | N/A
    15.15 – 16.00 | Analyzing and Evaluating Risk Assessment Result – 2nd Session | Group Presentation, Group Discussion
    16.00 – 17.00 | Question and Answer, Wrap Up Day Two, Quiz | Individual Participation
    Dec 2013 – Developed by @goudotmobi
  • 6. Training Agenda (cont’d)
    Day Three – Exploring and Utilizing Risk Registration as well as Monitoring and Managing ERM
    Time | Topics | Delivery
    09.00 – 09.30 | Day Two Review | Classical
    09.30 – 10.00 | Understanding Risk Register Entry | Classical
    10.00 – 10.15 | First Coffee Break | N/A
    10.15 – 12.00 | Utilizing Risk Register Entry | Workshop, Group Discussion
    12.00 – 13.00 | Lunch Break | N/A
    13.00 – 15.00 | Discussing and Implementing Risk Register | Workshop, Group Presentation
    15.00 – 15.15 | Second Coffee Break | N/A
    15.15 – 16.00 | Monitoring and Managing ERM | Classical
    16.00 – 17.00 | Post-Test, Training Evaluation, Wrap Up Day Three, Closing | Individual Participation
  • 7. Rule of the Game
    Attendance: participants are required to attend the training for three full days to attain the training certificate.
    Weight for the training mark:
    - Attendance: 10%
    - Quiz (Day Two): 40%
    - Final Test (Day Three): 50%
  • 8. Exploring Enterprise Risk Management
  • 9. What Risk Is All About
    Risks have consequences in terms of societal, environmental, technological, safety and security outcomes;
    they have commercial, financial and economic results;
    they also have social, cultural and political reputation impacts.
    ISO 31000:2009 helps organizations of all types and sizes to manage risk effectively.
  • 10. What Is Risk Management?
    Risk: the effect of uncertainty on the ability of an organisation to meet its objectives.
    Risk Management: the range of activities that an organisation intentionally undertakes to understand and reduce these effects.
    Effective Risk Management: executing these activities efficiently and in a way that actually and demonstrably improves the ability of the organisation to meet its objectives in a repeatable fashion.
  • 11. Risk Management with ISO
    ISO 31000:2009 – Principles and Guidelines on Implementation (20 November 2009)
    ISO/IEC 31010:2009 – Risk Assessment Techniques (1 December 2009)
    ISO Guide 73:2009 – Vocabulary (15 November 2009)
    HB 327:2010 – Communicating and consulting about risk (23 February 2010)
  • 12. Risk Management with ISO (cont’d)
    AS/NZS 5050:2010 – Business continuity: Managing disruption-related risk (28 June 2010)
    HB 266:2010 – Guide for managing risk in not-for-profit organizations (12 August 2010)
    HB 246:2010 – Guidelines for managing risk in sport and recreation organizations (18 August 2010)
  • 13. Understanding ISO 31000
  • 14. Understanding ISO 31000
     Provides principles, a framework and a process for managing any form of risk in a transparent, systematic and credible manner within any scope or context
     Recommends that organizations develop, implement and continuously improve a risk management framework as an integral component of their management system
     Concretely, it is a practical document that seeks to assist organizations in developing their own approach to the management of risk
  • 15. Understanding ISO 31000 (cont’d)
     This is NOT a standard that organizations can seek certification to
     Organizations can compare their risk management practices with an internationally recognized benchmark
     It provides sound principles for effective management
     ISO Guide 73:2009 provides a collection of terms and definitions relating to the management of risk
     ISO 31000 is designed to help organizations
  • 16. What Is ISO 31000?
    ISO 31000:2009 is an international standard that provides principles and guidelines for effective risk management:
    - Not specific to any industry or sector
    - Able to be applied to any kind of risk
    - Able to be applied to any kind of organisation
    - Intended to be tailored to meet the needs of the organisation
    “The generic approach described in this standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.”
  • 17. History of ISO 31000
     AS/NZS 4360:1999 was developed by Australia and NZ in 1999
     Revised and reissued as AS/NZS 4360:2004 in 2004
     No agreed de jure or de facto international standard was in place at this stage
     A small number of competing frameworks existed, which were regarded as unsatisfactory
     The International Standards Organisation started work on ISO 31000 in 2005, using AS/NZS 4360:2004 as its first draft
     ISO 31000 was issued worldwide in 2009
  • 18. What Does ISO 31000 Cover?
    ISO 31000:2009 contains:
    - A set of risk management terms and their definitions
    - A set of principles for guiding and informing effective risk management for an enterprise
    - An outline and process for creating a risk management framework
    - An outline and process for creating a risk management process
    ISO 31000 is clear, sensible and brief (34 pages).
  • 19. What Does ISO 31000 Cover? (cont’d)
    The scope of this approach is to enable all strategic, management and operational tasks throughout projects, functions and processes to be aligned to risk management objectives.
    It is intended for stakeholder groups such as:
    - Executive level
    - Appointment holders in the ERM group
    - Risk analysts and management officers
    - Line managers and project managers
    - Compliance and internal auditors
    - Independent practitioners
  • 20. What ISO 31000 Doesn’t Cover
    - Detailed instructions on how to manage risk
    - A complete risk management framework
    - A complete risk management process
    - Formats or attributes for describing risks
    - Templates
    - Guidance on how to identify risks
    - Advice on how to manage risks for a specific domain
  • 21. ISO 31000 Will Help Us To…
     Increase the likelihood of achieving objectives
     Encourage proactive management
     Identify and treat risk throughout the organization
     Improve the identification of opportunities and threats
     Comply with relevant legal and regulatory requirements and international norms
     Improve financial reporting
     Improve governance
  • 22. ISO 31000 Will Help Us To… (cont’d)
     Improve stakeholder confidence and trust
     Establish a reliable basis for decision making and planning
     Improve controls
     Effectively allocate and use resources for risk treatment
     Improve operational effectiveness and efficiency
     Enhance health and safety performance, as well as environmental protection
     Improve loss prevention and incident management
     Minimize losses
     Improve organizational learning and resilience
  • 23. Why Use ISO 31000?
    Save ourselves time and effort:
     Using the terms, principles and guidelines in ISO 31000 means you don’t have to spend time and effort creating your own.
     You can spend time on the things that really add value: managing the actual risks.
    Facilitate communication:
     Avoid misunderstandings by using concepts and terms that are well known in the risk management community.
    Provide higher quality output:
     Take advantage of the significant expertise in risk management that the ISO has used in coming up with the standard.
     Ensure you don’t miss out any aspects of risk management by using the standard as a checklist.
  • 24. How Do I Apply ISO 31000?
    When should I use ISO 31000?
     When you are asked to identify or assess risks
     When you are asked to manage risks
     When you are asked to assess a risk management framework or process
    How should I use ISO 31000?
     Use it to frame the scope of the work
     Use it to guide the engagement
     Use it to create a risk management process
  • 25. ISO 31000 In Short
     It gives you a structured, credible foundation for discussions about risk and risk management
     It gives you a starting point for a risk management process if you don’t have one
     It gives you a standard vocabulary for talking about risks and risk management
     It gives you a baseline for comparisons and assessments of risk management processes
  • 26. ISO 31000 in Diagram
    Principles → Framework → Process
    Principles guide the creation of the framework; the framework defines the process; the performance of the process feeds back into the framework.
  • 27. Navigating ISO 31000 Principles and Guidelines
  • 28. What’s inside ISO 31000:2009
    It consists of three major parts:
    - 11 principles for managing risk (Clause 3)
    - 5 (five) components of the framework for managing risk (Clause 4)
    - 5 (five) processes for managing risks (Clause 6)
  • 29. ISO 31000 Principles
    Risk management:
    - Creates and protects value
    - Is an integral part of organisational processes
    - Is part of decision making
    - Explicitly addresses uncertainty
    - Is systematic, structured and timely
    - Is based on the best information
    - Is tailored
    - Takes human and cultural factors into account
    - Is transparent and inclusive
    - Is dynamic, iterative and responsive to change
    - Facilitates continual improvement of the organisation
  • 30. Creates and Protects Value
    Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.
  • 31. Integral Part of Organizational Processes
    Risk management is not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and an integral part of all organisational processes, including strategic planning and all project and change management processes.
  • 32. Part of Decision Making
    Risk management helps decision makers make informed choices, prioritise actions and distinguish among alternative courses of action.
  • 33. Explicitly Addresses Uncertainty
    Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
  • 34. Systematic, Structured and Timely
    A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.
  • 35. Based on the Best Information
    The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
  • 36. Tailored
    Risk management is aligned with the organisation's external and internal context and risk profile.
  • 38. Takes Human and Cultural Factors into Account
    Risk management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organisation's objectives.
  • 39. Transparent and Inclusive
    Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organisation, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
  • 40. Dynamic, Iterative and Responsive to Change
    Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
  • 41. Facilitates Continual Improvement of the Organisation
    Organisations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organisation.
  • 42. Risk Management Framework
    A set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
    - The foundations include the policy, objectives, mandate and commitment to manage risk
    - The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities
    - The RMF is embedded within the organization's overall strategic and operational policies and practices
  • 43. ISO 31000 Framework
    - Mandate and commitment
    - Design of framework for managing risk:
      Understanding the organisation and its context;
      Establishing risk management policy;
      Accountability;
      Integration into organisational processes;
      Resources;
      Establishing internal communication and reporting mechanisms;
      Establishing external communication and reporting mechanisms
    - Implementing risk management:
      Implementing the framework for managing risk;
      Implementing the risk management process
    - Monitoring and review of the framework
    - Continual improvement of the framework
  • 44. Mandate and Commitment
    Introducing risk management and ensuring its ongoing effectiveness require strong and sustained commitment by management, as well as strategic and rigorous planning to achieve commitment at all levels.
    Management should:
    ⎯ Define and endorse the risk management policy
    ⎯ Ensure that the organization's culture and risk management policy are aligned
    ⎯ Determine risk management performance indicators that align with performance indicators of the organization
  • 45. Mandate and Commitment (cont’d)
    ⎯ Align risk management objectives with the objectives and strategies of the organization
    ⎯ Ensure legal and regulatory compliance
    ⎯ Assign accountabilities and responsibilities at appropriate levels within the organization
    ⎯ Ensure that the necessary resources are allocated to risk management
    ⎯ Communicate the benefits of risk management to all stakeholders
    ⎯ Ensure that the framework for managing risk continues to remain appropriate
  • 46. Understanding the Organization and Its Context
    Evaluating the organization's external context may include, but is not limited to:
    ⎯ The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
    ⎯ Key drivers and trends having impact on the objectives of the organization
    ⎯ Relationships with, and perceptions and values of, external stakeholders
  • 47. Understanding the Organization and Its Context (cont’d)
    Evaluating the organization's internal context may include, but is not limited to:
    ⎯ Governance, organizational structure, roles and accountabilities
    ⎯ Policies, objectives, and the strategies that are in place to achieve them
    ⎯ Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies)
  • 48. Understanding the Organization and Its Context (cont’d)
    ⎯ Information systems, information flows and decision making processes (both formal and informal)
    ⎯ Relationships with, and perceptions and values of, internal stakeholders
    ⎯ The organization's culture
    ⎯ Standards, guidelines and models adopted by the organization
    ⎯ The form and extent of contractual relationships
  • 49. Establishing Risk Management Policy
    The policy should clearly state the organization's objectives for, and commitment to, risk management, and address:
    ⎯ the organization's rationale for managing risk
    ⎯ links between the organization's objectives and policies and the risk management policy
    ⎯ accountabilities and responsibilities for managing risk
    ⎯ the way in which conflicting interests are dealt with
  • 50. Establishing Risk Management Policy (cont’d)
    ⎯ commitment to make the necessary resources available to assist those accountable and responsible for managing risk
    ⎯ the way in which risk management performance will be measured and reported
    ⎯ commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances
  • 51. Accountability
    The organization should ensure accountability, authority and appropriate competence for managing risk, which is facilitated by:
     Identifying risk owners that have the accountability and authority to manage risks
     Identifying who is accountable for the development, implementation and maintenance of the framework for managing risk
     Identifying other responsibilities of people at all levels for the risk management process
     Establishing performance measurement and external and/or internal reporting and escalation processes
     Ensuring appropriate levels of recognition
  • 52. Resources
    The organization should allocate appropriate resources for risk management, such as:
    ⎯ people, skills, experience and competence
    ⎯ resources needed for each step of the risk management process
    ⎯ the organization's processes, methods and tools to be used for managing risk
    ⎯ documented processes and procedures
    ⎯ information and knowledge management systems
    ⎯ training programs
  • 53. Establishing Internal Communications and Reporting Mechanisms
    These mechanisms support and encourage accountability and ownership of risk, and ensure that:
    - Key components of the risk management framework, and any subsequent modifications, are communicated appropriately
    - There is adequate internal reporting on the framework, its effectiveness and outcomes
    - Relevant information derived from the application of risk management is available at appropriate levels and times
    - There are processes for consultation with internal stakeholders
  • 54. Establishing External Communications and Reporting Mechanisms
    This should involve:
    - Engaging appropriate external stakeholders and ensuring an effective exchange of information
    - External reporting to comply with legal, regulatory and governance requirements
    - Providing feedback and reporting on communication and consultation
    - Using communication to build confidence
    - Communicating with stakeholders in the event of a crisis or contingency
  • 55. Implementing Framework for Managing Risk
    In implementing the framework for managing risk, the organization should:
    - Define appropriate timing and strategy for implementing the framework
    - Apply the risk management policy and process to the organizational processes
    - Comply with legal and regulatory requirements
  • 56. Implementing Framework for Managing Risk (cont’d)
    - Ensure that decision making, including the development and setting of objectives, is aligned with the outcomes of risk management processes
    - Hold information and training sessions
    - Communicate and consult with stakeholders to ensure that its risk management framework remains appropriate
  • 57. Risk Management Process
    The systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.
  • 58. Monitoring and Reviewing Framework
    In order to ensure that risk management is effective and continues to support organizational performance, the organization should:
    ⎯ Measure risk management performance against indicators, which are periodically reviewed for appropriateness
    ⎯ Periodically measure progress against, and deviation from, the risk management plan
  • 59. Monitoring and Reviewing Framework (cont’d)
    ⎯ Periodically review whether the risk management framework, policy and plan are still appropriate, given the organization's external and internal context
    ⎯ Report on risk, progress with the risk management plan and how well the risk management policy is being followed
    ⎯ Review the effectiveness of the risk management framework
  • 60. ISO 31000 Process
    - Communication and consultation
    - Establishing the context
    - Risk assessment: risk identification, risk analysis, risk evaluation
    - Risk treatment
    - Monitoring and review
  • 61. Risk Management: Establishing the Context
    Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.
  • 62. Risk Management: Establishing the Context (cont’d)
    External context
    • Legal, regulatory, financial
    • International, national, regional or local
    • Relationships with, and perceptions and values of, external stakeholders
    Internal context
    • Organizational objectives
    • Project, process or activity objectives
    • Policy, standards, guidelines and models adopted by the organization
    • Contractual relationships
  • 63. Risk Management: Establishing the Context (cont’d)
    Process context
     Objectives, scope, responsibilities, methods
     Defining risk criteria
      - Measures
      - Tolerance levels
      - Views of stakeholders
  • 64. Monitoring and Review
    - Ensuring that controls are effective and efficient in both design and operation
    - Obtaining further information to improve risk assessment
    - Analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures
    - Detecting changes in the external and internal context, including changes to risk criteria and the risk itself, which can require revision of risk treatments and priorities
    - Identifying emerging risks
  • 65. Recording Risk Management Process
    - Objectives
    - The organization's needs for continuous learning
    - Benefits of re-using information for management purposes
    - Costs and efforts in creating and maintaining records
    - Legal, regulatory and operational needs for records
    - Method of access, ease of retrievability and storage media
    - Retention period
    - Sensitivity of information
  • 66. ISO 31000 Key Success Factors
    - Risk Management (RM) should function within a Risk Management Framework (RMF)
    - The framework provides the necessary foundations and organizational arrangements to embed RM throughout all levels within the organization
    - This foundation can assist organizations in managing risk effectively through application of the RM process at varying levels and within specific contexts
    - The RMF ensures risk information is adequately reported and used as a basis for decision making and accountability at all relevant organizational levels
  • 67. Question and Answer 67 Dec 2013 Developed by @goudotmobi
  • 68. Wrap Up Day One 68 Dec 2013 Developed by @goudotmobi
  • 69. Day One Review 69 Dec 2013 Developed by @goudotmobi
  • 70. Valuing ISO31010: Risk Assessment and its Techniques 70 Dec 2013 Developed by @goudotmobi
  • 71. Rehearsing ISO/IEC 31010:2009
    - A supporting standard for AS/NZS ISO 31000:2009
    - Provides guidance on the selection and application of systematic techniques for risk assessment
    - Introduces the application of a range of techniques, with specific references to other international standards
    - Describes the concept and application of the techniques in greater detail
    - Does not provide specific criteria for identifying the need for risk analysis
    - Does not specify the type of risk analysis method required for a particular application
  • 72. Rehearsing ISO Guide 73:2009
    - Provides definitions of generic terms related to risk management
    - Aims to encourage a mutual and consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk
    - Aims to encourage the use of uniform risk management terminology in processes and frameworks dealing with the management of risk
  • 73. Risk Assessment
    - ISO/IEC 31010:2009, Risk assessment techniques, was jointly developed by ISO and the IEC (International Electrotechnical Commission)
    - A structured process through which organizations identify how objectives may be affected
    - Analyzes risk in terms of consequences and their probabilities before further action is taken
    - Provides a better understanding of the risks affecting the achievement of objectives, as well as of the adequacy and effectiveness of controls already in place
  • 74. Risk Assessment (cont’d)
    In short, risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
    Risk identification
    - Process of finding, recognizing and describing risks, involving the identification of risk sources, events, causes and potential consequences
    - Draws on historical data, theoretical analysis, informed and expert opinion, and stakeholders' needs
  • 75. Risk Source and Event
    Risk source: element which, alone or in combination, has the intrinsic potential to give rise to risk (tangible or intangible)
    Event: occurrence or change of a particular set of circumstances
    - It can be one or more occurrences, and can have several causes
    - It can consist of something not happening
    - Sometimes referred to as an “incident” or “accident”
  • 76. Consequences
    - Outcome of an event affecting objectives
    - An event can lead to a range of consequences
    - A consequence can be certain or uncertain and can have positive or negative effects on objectives
    - Consequences can be expressed qualitatively or quantitatively
    - Initial consequences can escalate through knock-on effects
  • 77. Risk Analysis
    - Process to comprehend the nature of risk and to determine the level of risk
    - Involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur
    - Provides the basis for risk evaluation and for decisions about risk treatment
    - Includes risk estimation
  • 78. Risk Analysis (cont’d)
  • 79. Risk Criteria and Level of Risk
    Risk criteria: terms of reference against which the significance of a risk is evaluated
    - Based on organizational objectives and the external and internal context
    - Can be derived from standards, laws, policies and other requirements
    Level of risk: magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
  • 80. Risk Evaluation
    Process of comparing the results of risk analysis with the risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. Risk evaluation assists in the decision about risk treatment.
  • 81. Risk Treatment
    Process to modify risk, which can involve:
    - avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
    - taking or increasing risk in order to pursue an opportunity
    - removing the risk source
    - changing the likelihood
    - changing the consequences
  • 82. Risk Treatment (cont’d)
    - sharing the risk with another party or parties (including contracts and risk financing)
    - retaining the risk by informed decision
    Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”. Risk treatment can create new risks or modify existing risks.
  • 83. Residual Risk
    - Risk remaining after risk treatment
    - It can contain unidentified risk
    - Also known as “retained risk”
  • 84. Risk Assessment Three Bands
  • 85. Utilizing Risk Assessment Techniques
  • 86. Risk Assessment Techniques
    Techniques support each stage of the assessment:
    - Risk identification
    - Risk analysis – consequence analysis
    - Risk analysis – qualitative, semi-quantitative or quantitative probability estimation
    - Risk analysis – assessing the effectiveness of any existing controls
    - Risk analysis – estimating the level of risk
    - Risk evaluation
  • 87. Factors Influencing the Selection
    - Complexity of the problem and the methods needed to analyze it
    - The nature and degree of uncertainty of the risk assessment, based on the amount of information available and what is required to satisfy objectives
    - The extent of resources required, in terms of time, level of expertise, data needs or cost
    - Whether the method can provide a quantitative output
  • 88. Tools Used for Risk Assessment
    - Refer to Table A.1 of ISO 31010 on the applicability of tools used for risk assessment
    - Refer to Table A.2 of ISO 31010 on the attributes of risk assessment tools
    - Details are given in Annex B (informative) of ISO 31010
  • 89. Analyzing and Evaluating Risk Assessment Result
  • 90. Risk Identification
    - Process of finding, recognizing and describing risks
    - Produces a comprehensive list of risks based on events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives
    - Identifies risks associated with not pursuing an opportunity
    - A risk that is not identified at this stage will not be included in further analysis
    - Identification should include risks whether or not their source is under the control of the organization
  • 91. Risk Evaluation
    - The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation
    - Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk
  • 92. Risk Evaluation (cont’d)
    - Decisions should be made in accordance with legal, regulatory and other requirements
    - In some circumstances, risk evaluation can lead to a decision to undertake further analysis
    - Risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls
  • 95. Managing Risk
    A list, in order of preference, of how to deal with risk:
    - Avoiding the risk by deciding not to start or continue the activity that gives rise to the risk
    - Accepting or increasing risk in order to pursue an opportunity
    - Removing the risk source
    - Changing the likelihood and consequences
    - Sharing the risk with another party or parties, such as through contracts and risk financing
    - Retaining the risk by informed decision
  • 96. Risk Treatment
    - Risk treatment involves selecting one or more options for modifying risks, and implementing those options
    - Risk treatment options are not necessarily mutually exclusive
    - The options can include the following:
    TRANSFER
    - Sharing the risk with another party or parties (including contracts and risk financing)
  • 97. Risk Treatment (cont’d)
    AVOID
    - Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
    - Removing the risk source
    MITIGATE
    - Changing the likelihood
    - Changing the consequences (impact)
    ACCEPT
    - Retaining the risk by informed decision
    - Taking or increasing the risk in order to pursue an opportunity
  • 98. Risk Treatment (cont’d)
    - Selecting the most appropriate risk treatment option involves balancing the costs and effort of implementation against the benefits derived, with regard to legal, regulatory and other requirements such as social responsibility and the protection of the natural environment
    - A number of treatment options can be considered and applied either individually or in combination
  • 99. Risk Treatment (cont’d)
    - Risk treatment itself can introduce risks
    - A significant risk can be the failure or ineffectiveness of the risk treatment measures
    - Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective
  • 100. Analyzing and Evaluating Risk Assessment Result
  • 101. Question and Answer
  • 102. Wrap Up Day Two
  • 104. Day Two Review
  • 105. Understanding Risk Register Entry
  • 106. What Is a Risk Register?
    A record of information about identified risks.
  • 107. A Risk Register Should Contain
    - A unique code for each risk
    - A description of each risk and its potential consequences (operational and strategic)
    - Actions and controls that currently exist to mitigate the risk
    - Factors that may affect the likelihood and consequence of the residual risk
    - Risk grade (priority)
    - Whether the risk grade is acceptable
    - Early warning factors and upward reporting thresholds
  • 108. Risk Treatment Actions Shall Include
    - Planned actions to reduce the likelihood that a negative risk will occur and/or reduce its seriousness should it occur (what should you do now?)
    - Contingency actions: planned actions to reduce the immediate seriousness of a negative risk when it does occur (what should you do when it happens?)
    - Recovery actions: planned actions taken once a negative risk has occurred, to allow you to move on (what should you do after?)
    - Risk transfer (e.g. through assignment of contractual responsibilities or insurance)
    - Actions necessary to ensure the realization of opportunities (positive risks)
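As an added example that is not part of the deck, the following Python risk register ties together the level of risk (slide 79), evaluation against risk criteria bands (slides 80 and 84), the treatment options (slides 96 and 97), residual risk (slide 83) and the register fields of slide 107. The 1-5 scales, the band boundaries, the reporting threshold and the two sample entries are constructed assumptions; an organization substitutes its own risk criteria.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Constructed 1-5 ordinal scales and constructed risk criteria bands (upper level bound per grade).
BANDS = ((5, "acceptable"), (12, "tolerable"), (25, "unacceptable"))
TREATMENT_OPTIONS = ("avoid", "mitigate", "transfer", "accept")

@dataclass
class RiskEntry:
    code: str                      # unique code for each risk
    description: str               # the risk and its potential consequences
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    consequence: int               # 1 (negligible) .. 5 (severe)
    existing_controls: List[str] = field(default_factory=list)
    treatment: str = "accept"      # one of TREATMENT_OPTIONS
    residual: Optional[Tuple[int, int]] = None  # (likelihood, consequence) after treatment
    reporting_threshold: int = 12  # report upward when residual level exceeds this

    def level(self) -> int:
        """Level of risk: combination of consequence and likelihood (slide 79)."""
        return self.likelihood * self.consequence

    def residual_level(self) -> int:
        """Risk remaining after treatment (slide 83); equals level() if untreated."""
        lik, con = self.residual or (self.likelihood, self.consequence)
        return lik * con

def evaluate(level: int) -> str:
    """Risk evaluation (slide 80): compare a level of risk against the bands."""
    for upper_bound, grade in BANDS:
        if level <= upper_bound:
            return grade
    raise ValueError(f"level {level} is outside the defined risk criteria")

def apply_treatment(entry, option, likelihood=None, consequence=None):
    """Record the chosen option and the post-treatment ratings; return residual level."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option: {option}")
    entry.treatment = option
    entry.residual = (entry.likelihood if likelihood is None else likelihood,
                      entry.consequence if consequence is None else consequence)
    return entry.residual_level()

def register_report(entries):
    """Per risk: code, inherent grade, residual grade, above-threshold flag."""
    return [(e.code, evaluate(e.level()), evaluate(e.residual_level()),
             e.residual_level() > e.reporting_threshold) for e in entries]

SAMPLE_REGISTER = [  # constructed sample entries, not taken from the deck
    RiskEntry("R-001", "Ransomware on file servers halts order processing",
              likelihood=4, consequence=4, existing_controls=["offline backups"]),
    RiskEntry("R-002", "Key supplier failure delays product launch",
              likelihood=2, consequence=3),
]
apply_treatment(SAMPLE_REGISTER[0], "mitigate", likelihood=2)  # residual 2 x 4 = 8
apply_treatment(SAMPLE_REGISTER[1], "accept")                   # residual 2 x 3 = 6
```

`register_report(SAMPLE_REGISTER)` yields one row per risk with its inherent and residual grade and whether the residual level crosses the upward reporting threshold; a risk whose grade is still unacceptable after treatment is the case slide 99 warns about.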
  • 109. Sample of Risk Registers
  • 110. Utilizing Risk Register Entry
  • 111. Discussing and Implementing Risk Register
  • 112. Monitoring and Managing Risk Management
  • 113. Monitoring and Reviewing Risk
    Monitoring
    - Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected
    - Can be applied to a risk management framework, risk management process, risk or control
    Reviewing
    - Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives
    - Can be applied to a risk management framework, risk management process, risk or control
  • 114. Monitoring and Reviewing Risk (cont’d)
    - An integral part of the risk management process, involving regular checking or surveillance
    - Ensure controls are effective and efficient
    - Detect change in the external or internal context
    - Analysis, lessons learned, continuous improvement
    - Identify emerging risks
  • 117. Question and Answer

Editor's Notes

  1. There should be an organization-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organization's practices and processes. The risk management plan can be integrated into other organizational plans, such as a strategic plan.
  2. Risk management should be implemented by ensuring that the risk management process outlined in Clause 5 is applied through a risk management plan at all relevant levels and functions of the organization as part of its practices and processes.
  3. Image credit: 123RF.com
  4. Image credit: spanishdict.com
  5. Image credit: penpaperinkletter.com
  6. Image credit: lensbury.com
  7. Image credit: Extendedthinking.com
  8. Image credit: locallawyerseo.com
  9. Image credit: lifehack.org