2. ISO 31000:2018 Risk Management System, Framework and Implementation
27th February 2021 (Saturday), Time: 09:05 am - 09:30 am IST
ISO 31000:2018, by Sanjay Gore, Principal Consultant, Alvin Integrated Service [AIS]
3. Speaker Introduction:
Mr. Sanjay Gore hails from Pune, Maharashtra, India, and is a Senior Consultant and Speaker on Information Security, Risk Management and Privacy.
He has 20 years of experience working with customers in India and the Middle East, at top management level and with business owners and technical team members, on securing and deploying information security, risk management and privacy solutions. He holds the professional designations ISO 27001 LA, ISO 27005 RM, CDPSE, CPISI, CRMA, CISA and CRISC, and is a certified trainer in ISO 27001 and ISO 27005.
Connect at LinkedIn: Sanjay Gore – LinkedinProfile
Subscribe at YouTube: Sanjay Gore – youtubechannel
4. Risk: Opportunity or Threat?
Risk, depending on whether it presents a threat or an opportunity, can be handled as follows:
Threat
1. Find a way to avoid the risk
2. Find a way to transfer it to another party (insurance, contract conditions)
3. Find a way to mitigate the risk by reducing its probability or severity
Opportunity
1. Exploit the opportunity
2. Share it with another party
3. Enhance it by increasing the effect or the probability
Accept
Do nothing
5. Edifice of ISO 31000:2018
Principles: the principles provide the foundation and describe the qualities of effective risk management in an organization.
Framework: the framework manages the overall process and its full integration into the organization.
Process: the process focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.
6. ISO 31000:2018 Scope of Document
1. Managing risk faced by organizations.
2. The application of these guidelines can be customized to any organization and its context.
3. This document provides a common approach to managing any type of risk and is not industry or sector specific.
4. This document can be used throughout the life of the organization and can be applied to any activity, including decision making.
7. ISO 31000 Concepts, Terms and Definitions: Risk
1. Risk is the effect of uncertainty on objectives.
2. An effect is a deviation from the expected.
3. It can be positive, negative or both, and can address, create or result in opportunities and threats.
4. Objectives can have different aspects and categories, and can be applied at different levels.
5. Risk is usually expressed in terms of:
• Risk sources
• Potential events
• Their consequences
• Their likelihood
8. ISO 31000 Concepts, Terms and Definitions: Event
• Event: occurrence or change of a particular set of circumstances.
• An event can have one or more occurrences, and can have several causes and several consequences.
• An event can also be something that is expected which does not happen, or something that is not expected which does happen.
• An event can be a risk source.
9. ISO 31000 Concepts, Terms and Definitions: Consequence
• Consequence: outcome of an event affecting objectives.
• A consequence can be certain or uncertain and can have positive or negative, direct or indirect effects on objectives.
• Consequences can be expressed qualitatively or quantitatively.
• Any consequence can escalate through cascading and cumulative effects.
10. ISO 31000 Concepts, Terms and Definitions: Likelihood
• Likelihood: the chance of something happening.
• In risk management terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many languages other than English.
11. ISO 31000 Concepts, Terms and Definitions: Control
• Control: measure that maintains and/or modifies risk.
• Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain and/or modify risk.
• Controls may not always exert the intended or assumed modifying effect.
12. ISO 31000:2018 Risk Management Principles
Purpose: value creation and protection
1. Integrated
2. Structured and comprehensive
3. Customized
4. Inclusive
5. Dynamic
6. Best available information
7. Human and cultural factors
8. Continual improvement
13. Principles: Continual improvement
Continuous improvement
Continuous improvement means that organizations are in a constant state of driving process improvements. It focuses on linear, incremental improvement within existing processes.
Continual improvement
Continual improvement means that organizations go through process improvements in stages, and these stages are separated by a period of time. That period may be needed to understand whether the improvements actually helped the bottom line; in some cases the results take a while to come to fruition.
15. Risk Management Process
The process runs as an iterative cycle:
• Communication and consultation (throughout)
• Scope, context, criteria
• Risk assessment: risk identification, risk analysis, risk evaluation
• Risk treatment
• Monitoring and review (throughout)
• Recording and reporting
16. Process: Defining Scope
When planning the approach, considerations include
1. Objectives and decisions that need to be made
2. Outcomes expected from the steps to be taken in the process
3. Time, location, specific inclusions and exclusions
4. Appropriate risk assessment tools and techniques
5. Resources required, responsibilities and records to be kept
6. Relationships with other projects, processes and activities.
17. Process: Defining Risk Criteria
To set risk criteria, the following should be considered
1. The nature and type of uncertainties that can affect outcomes and
objectives (both tangible and intangible)
2. How consequences (both positive and negative) and likelihood will
be defined and measured
3. Time-related factors
4. Consistency in the use of measurements
5. How the level of risk is to be determined
6. How combinations and sequences of multiple risks will be taken
into account
7. The organization’s capacity
18. Process: Selection of Risk Treatment Options
Depending on the type of risk and its significance to the business, management and the board may:
1. Avoid: where feasible, choose not to implement certain activities or processes that would incur the risk (i.e., eliminate the risk by eliminating the cause).
2. Mitigate: lessen the probability or impact of the risk by defining, implementing and monitoring appropriate controls.
3. Transfer (deflect or allocate): share the risk with partners or transfer it via insurance coverage, contractual agreement or other means.
4. Accept: formally acknowledge the existence of the risk and monitor it.
19. A few Risk Assessment Tools/Techniques
• Brainstorming
• Delphi technique
• Checklists
• Root cause analysis
• Failure mode and effects analysis (FMEA) and FMECA
• Fault tree analysis (FTA)
• Preliminary hazard analysis (PHA)
• Scenario analysis
• Layers of protection analysis (LOPA)
• Decision tree analysis
• Monte Carlo simulation
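The risk criteria of slide 17 (how likelihood and consequence are measured, how the level of risk is determined, how combinations of risks are handled), the four treatment options of slide 18 and the Monte Carlo simulation listed on slide 19 can be tied together in one worked example. The Python below is added here for illustration and is not code from the presentation or from ISO 31000: the likelihood and consequence bands, the level-of-risk matrix, the treatment decision rule and the risk register are all constructed assumptions, because the standard leaves such criteria to the organization.

```python
"""Apply hypothetical risk criteria and treatment rules to a small
information-security risk register, then combine the risks with a Monte
Carlo simulation. Criteria, bands and register are constructed for
illustration; ISO 31000 does not prescribe any of them."""
import random
from dataclasses import dataclass
from statistics import mean

# Hypothetical criteria (an organization would set its own): likelihood is
# the chance of at least one occurrence in a year, consequence is the most
# likely loss in currency units. Each band is (exclusive upper limit, label).
LIKELIHOOD_BANDS = [(0.05, "Rare"), (0.2, "Unlikely"), (0.5, "Possible"),
                    (0.8, "Likely"), (float("inf"), "Almost certain")]
CONSEQUENCE_BANDS = [(10_000, "Minor"), (100_000, "Moderate"),
                     (1_000_000, "Major"), (float("inf"), "Severe")]
# Level of risk from the product of 1-based band indices (a 5x4 matrix).
LEVEL_BANDS = [(3, "Low"), (7, "Medium"), (13, "High"), (float("inf"), "Extreme")]


@dataclass
class Risk:
    name: str
    source: str                # risk source the event originates from
    annual_probability: float  # likelihood: chance of >= 1 occurrence per year
    loss_min: float            # consequence modelled as a triangular distribution
    loss_mode: float
    loss_max: float
    insurable: bool = False    # whether transfer via insurance is an option


def band_index(value, bands):
    """Index of the first band whose upper limit exceeds value."""
    for i, (limit, _label) in enumerate(bands):
        if value < limit:
            return i
    return len(bands) - 1


def level_of_risk(risk):
    """Return (score, level) by combining the likelihood and consequence bands."""
    li = band_index(risk.annual_probability, LIKELIHOOD_BANDS)
    ci = band_index(risk.loss_mode, CONSEQUENCE_BANDS)
    score = (li + 1) * (ci + 1)
    return score, LEVEL_BANDS[band_index(score, LEVEL_BANDS)][1]


def plan_treatment(risk):
    """Hypothetical decision rule mapping the level of risk to the four options."""
    _score, level = level_of_risk(risk)
    if level == "Extreme":
        return "avoid"       # stop or redesign the activity that creates the risk
    if level == "High":
        return "mitigate"    # add controls that lower likelihood or consequence
    if level == "Medium":
        return "transfer" if risk.insurable else "mitigate"
    return "accept"          # formally acknowledge and keep monitoring


def expected_annual_loss(risk):
    """Analytic mean annual loss: probability times the triangular mean."""
    return risk.annual_probability * (risk.loss_min + risk.loss_mode + risk.loss_max) / 3


def simulate_annual_loss(risks, trials=50_000, seed=2021):
    """Monte Carlo estimate of the combined annual loss of independent risks.

    Returns the mean and the 95th percentile; the latter is what a board
    would compare against its capacity to absorb loss (slide 17, item 7)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            if rng.random() < r.annual_probability:   # does the event occur this year?
                total += rng.triangular(r.loss_min, r.loss_max, r.loss_mode)
        totals.append(total)
    totals.sort()
    return {"mean": mean(totals), "p95": totals[int(0.95 * trials) - 1]}


# Constructed register for illustration (not figures from any real organization).
REGISTER = [
    Risk("Ransomware on file servers", "Internet-facing RDP", 0.30, 50_000, 250_000, 2_000_000, insurable=True),
    Risk("Unsupported OS on payment host", "Legacy platform", 0.85, 20_000, 200_000, 900_000),
    Risk("DDoS extortion of web shop", "Public web tier", 0.10, 10_000, 30_000, 120_000, insurable=True),
    Risk("Cloud region outage", "Cloud provider", 0.10, 2_000, 8_000, 40_000),
]

if __name__ == "__main__":
    for r in REGISTER:
        score, level = level_of_risk(r)
        print(f"{r.name:32} score={score:2d} level={level:8} treat={plan_treatment(r)}"
              f" EAL={expected_annual_loss(r):,.0f}")
    print(simulate_annual_loss(REGISTER))
```

Running it scores the four constructed risks as High, Extreme, Medium and Low and maps them to mitigate, avoid, transfer and accept. The simulated mean converges on the sum of the per-risk expected losses, but the 95th percentile is only visible from the simulation: it captures the combinations and sequences of multiple risks that a per-risk score hides, which is why slide 17 asks for them to be taken into account when setting criteria.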