www.jjprojectconsulting.com.au 
CPRM/CRMT Masterclass 2014
The aim of the conference is to…
• Promote learning at the cutting edge of risk management practice
• Foster creative thinking
• Network
• Have fun!
“How to apply and benefit from the new risk management guide ISO/TR 31004:2013 for implementing ISO 31000.”
Jeff Jones
CPRM, AFRMIA, RPEQ, MIEAust, Lead Auditor (QMS)
Introductions & Demographic 
ISO/TR 31004 
Implementing 31000 – 3.1
General Methodology
A. Comparing current practice with that described in ISO 31000
B. Identifying what needs to change and preparing and implementing a plan for doing so
C. Maintaining ongoing monitoring and review to ensure currency and continuous improvement
Implementing 31000 – 3.3
Integration of ISO 31000 into the Organisation’s management processes
• 3.3.1 General
  • Choice and order of elements should be tailored to the needs of the organisation and stakeholders
  • Integration supports the overall business strategy
  • Meet the organisation’s objectives and protect/create value
  • Consider culture and change management methodologies
• 3.3.2 Mandate & Commitment
  • Any business management activity begins with an analysis of the rationale…and cost / benefit analysis
  • Implementation process typically involves the following:
    • Acquiring mandate & commitment
    • A gap analysis
    • Tailoring & scale based on org needs, culture and creating value
    • Evaluating risks associated with transition
    • Developing a business plan – objectives, scope, accountabilities, timeframe & resources
    • Identifying the context of implementation, inc. communication with stakeholders
Implementing 31000 – 3.3
• 3.3.3 Designing the Framework
  • Existing approaches to RM should be evaluated (in context)
  • Consider legal / regulatory / customer obligations and certification requirements
  • Careful tailoring of the design and implementation plan
  • Permit alignment with the structure, culture and general systems
  • Establish risk criteria – consistent with the objectives & risk attitude
  • 3.3.3.2 – decide which aspects of the current RM approach…
    • Could continue to be used in the future and extended to other areas
    • Need amendment or enhancement
    • No longer add value and should be discontinued
• 3.3.4 Implementing the Framework
  • A detailed implementation plan is needed = ref PM 101 (including its own implementation R/A)
Implementing 31000 – 3.4
• 3.4 Continual Improvement
  • As part of Monitoring & Review
  • Assess whether design of framework & processes remains appropriate
  • Assess whether implementation is adding value as intended
  • Constant awareness and uptake of the opportunity for improvement
ISO/TR 31004 
Annex B – Application of ISO 31000 Principles
Principles (Clause 3)
a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly address uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation
Annex B – Application of ISO 31000 Principles
c) Part of decision making
Risk Management helps decision makers make informed choices, prioritise actions and distinguish among alternative courses of action.
How to apply the principle
• States that RM provides the foundation for informed decision making
• Should be integrated into activities supporting the achievement of objectives and the decision-making process
• Decision-making should assess and treat risk, proactively
Practical Help
Following questions should be carefully considered…
• How…Who….What….
Annex B – Application of ISO 31000 Principles
Masterclass Exercise
• Aim: Working as a table cohort, examine the designated Principle and content provided in 31004, to conclude on its usefulness as a guide to application by practitioners.
• Method: Team discussion, flip-chart
• Deliverable: Appointed speaker to provide 1 min summary of table discussion and findings:
  - How to Apply overall score out of 10
  - Practical Help useful Y/N
  - biggest challenge?
  - what’s missing?
• Time: 15 minutes (5 read + 5 discuss + 5 prep)
ISO/TR 31004 
Annex E – Integrating risk management within a management system
E2 What is a management system?
Annex E – Integrating risk management within a management system
E1 General
• Integrate RM into organisation’s system of management (inc. governance & strategy)
• If purpose is to add value, logically signifies adopting ways to influence what already takes place, to enhance & improve it, as a natural function of decision making
• Requires the adaption and alteration of tools and processes to suit the needs of the decision makers and their existing processes for decision making
E3 approach
• Integration with core business processes AND create interaction between all management systems
• The RM framework should extend to and incorporate all management systems
• Utilising risk assessment techniques within other systems
Annex E – Integrating risk management within a management system
E4 Implementing RM into a Quality Management System framework
In conclusion….
“For organisations that have transitioned to ISO 31000, there should be a constant awareness and uptake of the opportunity for improvement”. ISO/TR 31004:2013

More Related Content

What's hot

ISO 31000 Risk Management
ISO 31000 Risk ManagementISO 31000 Risk Management
ISO 31000 Risk ManagementRamiro Cid
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...PECB
 
Implementing a Risk Management System based on the ISO 31000
Implementing a Risk Management System based on the ISO 31000Implementing a Risk Management System based on the ISO 31000
Implementing a Risk Management System based on the ISO 31000Continuity and Resilience
 
Achieving integrated mandatory compliance with ISO 31000
Achieving integrated mandatory compliance with ISO 31000Achieving integrated mandatory compliance with ISO 31000
Achieving integrated mandatory compliance with ISO 31000PECB
 
PECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB
 
Enterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityEnterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityJeff B
 
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...PECB
 
A structured approach to Enterprise Risk Management (ERM) and the requirement...
A structured approach to Enterprise Risk Management (ERM) and the requirement...A structured approach to Enterprise Risk Management (ERM) and the requirement...
A structured approach to Enterprise Risk Management (ERM) and the requirement...Hassan Zaitoun
 
Centralized operations – Risk, Control, and Compliance
Centralized operations – Risk, Control, and ComplianceCentralized operations – Risk, Control, and Compliance
Centralized operations – Risk, Control, and CompliancePECB
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksAronson LLC
 

What's hot (20)

ISO 31000 Risk Management
ISO 31000 Risk ManagementISO 31000 Risk Management
ISO 31000 Risk Management
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
 
Erm tm 12
Erm tm 12Erm tm 12
Erm tm 12
 
Implementing a Risk Management System based on the ISO 31000
Implementing a Risk Management System based on the ISO 31000Implementing a Risk Management System based on the ISO 31000
Implementing a Risk Management System based on the ISO 31000
 
Achieving integrated mandatory compliance with ISO 31000
Achieving integrated mandatory compliance with ISO 31000Achieving integrated mandatory compliance with ISO 31000
Achieving integrated mandatory compliance with ISO 31000
 
PECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEs
 
2009 irmcaug iso31000
2009 irmcaug iso310002009 irmcaug iso31000
2009 irmcaug iso31000
 
#corpriskforum2016 - Erike Young
#corpriskforum2016 - Erike Young#corpriskforum2016 - Erike Young
#corpriskforum2016 - Erike Young
 
Enterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityEnterprise Risk Management and Sustainability
Enterprise Risk Management and Sustainability
 
#corpriskforum2016 - Alex Dali
#corpriskforum2016 - Alex Dali#corpriskforum2016 - Alex Dali
#corpriskforum2016 - Alex Dali
 
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...
 
A structured approach to Enterprise Risk Management (ERM) and the requirement...
A structured approach to Enterprise Risk Management (ERM) and the requirement...A structured approach to Enterprise Risk Management (ERM) and the requirement...
A structured approach to Enterprise Risk Management (ERM) and the requirement...
 
#Corpriskforum2016 - Andy Cox
#Corpriskforum2016 - Andy Cox#Corpriskforum2016 - Andy Cox
#Corpriskforum2016 - Andy Cox
 
#Corpriskforum2016 - Kevin W Knight
#Corpriskforum2016 - Kevin W Knight#Corpriskforum2016 - Kevin W Knight
#Corpriskforum2016 - Kevin W Knight
 
Centralized operations – Risk, Control, and Compliance
Centralized operations – Risk, Control, and ComplianceCentralized operations – Risk, Control, and Compliance
Centralized operations – Risk, Control, and Compliance
 
Risk management & ISO 31000
Risk management & ISO 31000Risk management & ISO 31000
Risk management & ISO 31000
 
The Path to Self-Disruption
The Path to Self-DisruptionThe Path to Self-Disruption
The Path to Self-Disruption
 
Iso 31000
Iso 31000Iso 31000
Iso 31000
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
 
#Corpriskforum2016 - Frank Herdmann
#Corpriskforum2016 - Frank Herdmann#Corpriskforum2016 - Frank Herdmann
#Corpriskforum2016 - Frank Herdmann
 

Similar to How to apply and benefit from the new risk management guide ISO/TR 31004:2013 for implementing ISO 31000

Implementation roadmap.docx
Implementation roadmap.docxImplementation roadmap.docx
Implementation roadmap.docxssuserf1bae5
 
REDD_5.1_M_E_Framework.pptx
REDD_5.1_M_E_Framework.pptxREDD_5.1_M_E_Framework.pptx
REDD_5.1_M_E_Framework.pptxSajidMarickar1
 
ME_Framework.pptx
ME_Framework.pptxME_Framework.pptx
ME_Framework.pptxlovelampsys
 
Project Implementation, SM 2015 1.pptx
Project Implementation, SM 2015 1.pptxProject Implementation, SM 2015 1.pptx
Project Implementation, SM 2015 1.pptxBetshaTizazu2
 
Building a ICT Strategy with an Enterprise Architecture Mindset
Building a ICT Strategy  with an Enterprise Architecture MindsetBuilding a ICT Strategy  with an Enterprise Architecture Mindset
Building a ICT Strategy with an Enterprise Architecture MindsetDaljit Banger
 
Current 2016 ePortfolio
Current 2016 ePortfolioCurrent 2016 ePortfolio
Current 2016 ePortfolioRichard Cox
 
Project Management Msc. 7Pjmn009W Project Management Project.
Project Management Msc. 7Pjmn009W Project Management Project.Project Management Msc. 7Pjmn009W Project Management Project.
Project Management Msc. 7Pjmn009W Project Management Project.Renee Jones
 
Янош Орос - Что нужно знать и уметь РМ? Модель компетенций
Янош Орос - Что нужно знать и уметь РМ? Модель компетенцийЯнош Орос - Что нужно знать и уметь РМ? Модель компетенций
Янош Орос - Что нужно знать и уметь РМ? Модель компетенцийLviv Startup Club
 
UCISA Toolkit - Establishing a PMO in an HE Environment
UCISA Toolkit - Establishing a PMO in an HE Environment UCISA Toolkit - Establishing a PMO in an HE Environment
UCISA Toolkit - Establishing a PMO in an HE Environment Mark Ritchie
 
ITS 835Chapter 22JAA Inc. – A Case Study in CreatingValu.docx
ITS 835Chapter 22JAA Inc. – A Case Study in CreatingValu.docxITS 835Chapter 22JAA Inc. – A Case Study in CreatingValu.docx
ITS 835Chapter 22JAA Inc. – A Case Study in CreatingValu.docxvrickens
 
Week 2 24 - 28 July 2023 (1).pptx
Week 2 24 - 28 July 2023 (1).pptxWeek 2 24 - 28 July 2023 (1).pptx
Week 2 24 - 28 July 2023 (1).pptxXuanQin3
 
Flaws in M&A Workshop
Flaws in M&A WorkshopFlaws in M&A Workshop
Flaws in M&A WorkshopSheena Tooke
 
Program Management Office
Program Management OfficeProgram Management Office
Program Management OfficeGlen Alleman
 
Cima syllabus is in the context of look : E3 strategic case study 2015 march
Cima syllabus is in the context of look  :  E3 strategic case study 2015 marchCima syllabus is in the context of look  :  E3 strategic case study 2015 march
Cima syllabus is in the context of look : E3 strategic case study 2015 marchPraneeth Prabodha Dissanayaka, MILT
 
Module-7-Program-Monitoring-and-Evaluation.pptx
Module-7-Program-Monitoring-and-Evaluation.pptxModule-7-Program-Monitoring-and-Evaluation.pptx
Module-7-Program-Monitoring-and-Evaluation.pptxmusicearphone
 

Similar to How to apply and benefit from the new risk management guide ISO/TR 31004:2013 for implementing ISO 31000 (20)

Implementation roadmap.docx
Implementation roadmap.docxImplementation roadmap.docx
Implementation roadmap.docx
 
REDD_5.1_M_E_Framework.pptx
REDD_5.1_M_E_Framework.pptxREDD_5.1_M_E_Framework.pptx
REDD_5.1_M_E_Framework.pptx
 
ME_Framework.pptx
ME_Framework.pptxME_Framework.pptx
ME_Framework.pptx
 
Project Implementation, SM 2015 1.pptx
Project Implementation, SM 2015 1.pptxProject Implementation, SM 2015 1.pptx
Project Implementation, SM 2015 1.pptx
 
Building a ICT Strategy with an Enterprise Architecture Mindset
Building a ICT Strategy  with an Enterprise Architecture MindsetBuilding a ICT Strategy  with an Enterprise Architecture Mindset
Building a ICT Strategy with an Enterprise Architecture Mindset
 
Current 2016 ePortfolio
Current 2016 ePortfolioCurrent 2016 ePortfolio
Current 2016 ePortfolio
 
Project Management Msc. 7Pjmn009W Project Management Project.
Project Management Msc. 7Pjmn009W Project Management Project.Project Management Msc. 7Pjmn009W Project Management Project.
Project Management Msc. 7Pjmn009W Project Management Project.
 
Янош Орос - Что нужно знать и уметь РМ? Модель компетенций
Янош Орос - Что нужно знать и уметь РМ? Модель компетенцийЯнош Орос - Что нужно знать и уметь РМ? Модель компетенций
Янош Орос - Что нужно знать и уметь РМ? Модель компетенций
 
UCISA Toolkit - Establishing a PMO in an HE Environment
UCISA Toolkit - Establishing a PMO in an HE Environment UCISA Toolkit - Establishing a PMO in an HE Environment
UCISA Toolkit - Establishing a PMO in an HE Environment
 
Presentation on the Proposed Technology-related Revisions to the Code
Presentation on the Proposed Technology-related Revisions to the CodePresentation on the Proposed Technology-related Revisions to the Code
Presentation on the Proposed Technology-related Revisions to the Code
 
ITS 835Chapter 22JAA Inc. – A Case Study in CreatingValu.docx
ITS 835Chapter 22JAA Inc. – A Case Study in CreatingValu.docxITS 835Chapter 22JAA Inc. – A Case Study in CreatingValu.docx
ITS 835Chapter 22JAA Inc. – A Case Study in CreatingValu.docx
 
150
150150
150
 
Week 2 24 - 28 July 2023 (1).pptx
Week 2 24 - 28 July 2023 (1).pptxWeek 2 24 - 28 July 2023 (1).pptx
Week 2 24 - 28 July 2023 (1).pptx
 
Flaws in M&A Workshop
Flaws in M&A WorkshopFlaws in M&A Workshop
Flaws in M&A Workshop
 
ICT 4109.pdf
ICT 4109.pdfICT 4109.pdf
ICT 4109.pdf
 
Program Management Office
Program Management OfficeProgram Management Office
Program Management Office
 
Cima syllabus is in the context of look : E3 strategic case study 2015 march
Cima syllabus is in the context of look  :  E3 strategic case study 2015 marchCima syllabus is in the context of look  :  E3 strategic case study 2015 march
Cima syllabus is in the context of look : E3 strategic case study 2015 march
 
Module-7-Program-Monitoring-and-Evaluation.pptx
Module-7-Program-Monitoring-and-Evaluation.pptxModule-7-Program-Monitoring-and-Evaluation.pptx
Module-7-Program-Monitoring-and-Evaluation.pptx
 
Mafi Work Plan 2013, short version (March 2013)
Mafi Work Plan 2013, short version (March 2013)Mafi Work Plan 2013, short version (March 2013)
Mafi Work Plan 2013, short version (March 2013)
 
As
As As
As
 

More from Risk Management Institution of Australasia

More from Risk Management Institution of Australasia (20)

Adversity Leadership - Strengthening Resilience
Adversity Leadership - Strengthening ResilienceAdversity Leadership - Strengthening Resilience
Adversity Leadership - Strengthening Resilience
 
A Black Swan in the Gulf of Mexico?
A Black Swan in the Gulf of Mexico?A Black Swan in the Gulf of Mexico?
A Black Swan in the Gulf of Mexico?
 
Probity is a pool with no shallow end
Probity is a pool with no shallow endProbity is a pool with no shallow end
Probity is a pool with no shallow end
 
Business resilience and recovery – exercising the framework
Business resilience and recovery – exercising the frameworkBusiness resilience and recovery – exercising the framework
Business resilience and recovery – exercising the framework
 
Risk financing in a project based environment
Risk financing in a project based environmentRisk financing in a project based environment
Risk financing in a project based environment
 
Risk Governance, Culture and CPS 220
Risk Governance, Culture and CPS 220Risk Governance, Culture and CPS 220
Risk Governance, Culture and CPS 220
 
Don’t let a crisis get in the way of a good news story
Don’t let a crisis get in the way of a good news storyDon’t let a crisis get in the way of a good news story
Don’t let a crisis get in the way of a good news story
 
Managing Risk – Victoria’s Emergency Management Reform Agenda
Managing Risk – Victoria’s Emergency Management Reform AgendaManaging Risk – Victoria’s Emergency Management Reform Agenda
Managing Risk – Victoria’s Emergency Management Reform Agenda
 
Embedding Risk in Everything we do
Embedding Risk in Everything we doEmbedding Risk in Everything we do
Embedding Risk in Everything we do
 
Challenges for Risk Management
Challenges for Risk Management Challenges for Risk Management
Challenges for Risk Management
 
Vulnerable Customers
Vulnerable CustomersVulnerable Customers
Vulnerable Customers
 
Designing and implementing an integrated Corporate Governance Framework
Designing and implementing an integrated  	Corporate Governance FrameworkDesigning and implementing an integrated  	Corporate Governance Framework
Designing and implementing an integrated Corporate Governance Framework
 
Geoff hoad
Geoff hoadGeoff hoad
Geoff hoad
 
Ethics in decision making and risk taking
Ethics in decision making and risk takingEthics in decision making and risk taking
Ethics in decision making and risk taking
 
Transforming under performing workers compensation schemes
Transforming under performing workers compensation schemesTransforming under performing workers compensation schemes
Transforming under performing workers compensation schemes
 
Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management
 
Risk Technology Strategy, Selection and Implementation
Risk Technology Strategy, Selection and ImplementationRisk Technology Strategy, Selection and Implementation
Risk Technology Strategy, Selection and Implementation
 
Optimising Risk Financing in Major Capital Projects
Optimising  Risk Financing in Major Capital ProjectsOptimising  Risk Financing in Major Capital Projects
Optimising Risk Financing in Major Capital Projects
 
Traversing the obstacles presented in complex claims- Lessons learnt
Traversing the obstacles presented in complex claims- Lessons learntTraversing the obstacles presented in complex claims- Lessons learnt
Traversing the obstacles presented in complex claims- Lessons learnt
 
Emerging Issues for a Workers’ Compensation Manager
Emerging Issues for a Workers’ Compensation ManagerEmerging Issues for a Workers’ Compensation Manager
Emerging Issues for a Workers’ Compensation Manager
 

Recently uploaded

How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionCIToolkit
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证jdkhjh
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Reviewthomas851723
 
Motivational theories an leadership skills
Motivational theories an leadership skillsMotivational theories an leadership skills
Motivational theories an leadership skillskristinalimarenko7
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixCIToolkit
 
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsCIToolkit
 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentationcraig524401
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsCIToolkit
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sectorthomas851723
 
Management and managerial skills training manual.pdf
Management and managerial skills training manual.pdfManagement and managerial skills training manual.pdf
Management and managerial skills training manual.pdffillmonipdc
 
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchRashtriya Kisan Manch
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentationmintusiprd
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingCIToolkit
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineeringthomas851723
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)jennyeacort
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insightWayne Abrahams
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramCIToolkit
 

Recently uploaded (18)

How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem Resolution
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Review
 
Motivational theories an leadership skills
Motivational theories an leadership skillsMotivational theories an leadership skills
Motivational theories an leadership skills
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
 
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentation
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield Metrics
 
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Servicesauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sector
 
Management and managerial skills training manual.pdf
Management and managerial skills training manual.pdfManagement and managerial skills training manual.pdf
Management and managerial skills training manual.pdf
 
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentation
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineering
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insight
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
 

How to apply and benefit from the new risk management guide ISO/TR 31004:2013 for implementing ISO 31000

  • 2. The aim of the conference is to… • Promote learning at the cutting edge of risk management practice • Foster creative thinking • Network • Have fun! 2
  • 3. “How to apply and benefit from the new risk management guide ISO/TR 31004:2013 for implementing ISO 31000.” Jeff Jones CPRM, AFRMIA, RPEQ, MIEAust, Lead Auditor (QMS) 3
  • 4. Introductions & Demographic www.jjprojectconsulting.com.au 4
  • 5. Introductions & Demographic www.jjprojectconsulting.com.au 5
  • 6. Introductions & Demographic www.jjprojectconsulting.com.au 6
  • 7. www.jjprojectconsulting.com.au 7 * Subject to Copyright
  • 8. www.jjprojectconsulting.com.au 8 * Subject to Copyright
  • 13. Implementing 31000 – 3.1 General Methodology A. Comparing current practice with that described in ISO 31000 B. Identifying what needs to change and preparing and implementing a plan for doing so C. Maintaining ongoing monitoring and review to ensure currency and continuous improvement www.jjprojectconsulting.com.au 13
  • 14. Implementing 31000 – 3.3 Integration of ISO 31000 into the Organisation’s management processes • 3.3.1 General • Choice and order of elements should be tailored to the needs of the organisation and stakeholders • Integration supports the overall business strategy • Meet the organisation’s objectives and protect/create value • Consider culture and change management methodologies • 3.3.2 Mandate & Commitment • Any business management activity begins with an analysis of the rationale…and cost / benefit analysis • Implementation process typically involves the following; • Acquiring mandate & commitment • A gap analysis • Tailoring & scale based on org needs, culture and creating value • Evaluating risks associated with transition • Developing a business plan – objectives, scope, accountabilities, timeframe & resources • Identifying the context of implementation, inc. communication with stakeholders www.jjprojectconsulting.com.au 14
  • 15. Implementing 31000 – 3.3 • 3.3.3 Designing the Framework • Existing approaches to RM should be evaluated (in context) • Consider legal / regulatory / customer obligations and certification requirements • Careful tailoring of the design and implementation plan • Permit alignment with the structure, culture and general systems • Establish risk criteria – consistent with the objectives & risk attitude • 3.3.3.2 – decide which aspects of the current RM approach… • Could continue to be used in the future and extended to other areas • Need amendment or enhancement • No longer add value and should be discontinued • 3.3.4 Implementing the Framework • A detailed implementation plan is needed = ref PM 101 (including its own implementation R/A) www.jjprojectconsulting.com.au 15
  • 16. Implementing 31000 – 3.4 • 3.4 Continual Improvement • As part of Monitoring & Review • Assess whether design of framework & processes remains appropriate • Assess whether implementation is adding value as intended • Constant awareness and uptake of the opportunity for improvement www.jjprojectconsulting.com.au 16
  • 18. Annex B –Application of ISO 31000 Principles Principles (Clause 3) a) Creates value b) Integral part of organisational processes c) Part of decision making d) Explicitly address uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organisation www.jjprojectconsulting.com.au 18
  • 19. Annex B –Application of ISO 31000 Principles c) Part of decision making Risk Management helps decision makers make informed choices, prioritise actions and distinguish among alternative courses of action. How to apply the principle • States that RM provides the foundation for informed decision making • Should be integrated into activities supporting the achievement of objectives and the decision-making process • Decision-making should assess and treat risk, proactively Practical Help Following questions should be carefully considered… • How…Who….What…. www.jjprojectconsulting.com.au 19
  • 20. Annex B –Application of ISO 31000 Principles Masterclass Exercise • Aim Working as a table cohort, examine the designated Principle and content provided in 31004, to conclude on its usefulness as a guide to application by practitioners. • Method Team discussion Flip-chart • Deliverable Appointed speaker to provide 1 min summary of table discussion and findings; - How to Apply overall scope out of 10 - Practical Help useful Y/N - biggest challenge? - what’s missing? • Time 15 minutes (5 read + 5 discuss + 5 prep) www.jjprojectconsulting.com.au 20
  • 22. Annex E – Integrating risk management within a management system E2 What is a management system? www.jjprojectconsulting.com.au 22
  • 23. Annex E – Integrating risk management within a management system E1 General • Integrate RM into organisation’s system of management (inc. governance & strategy) • If purpose is to add value, logically signifies adopting ways to influence what already takes place, to enhance & improve it, as a natural function of decision making • Requires the adaption and alteration of tools and processes to suit the needs of the decision makers and their existing processes for decision making E3 approach • Integration with core business processes AND create interaction between all management systems • The RM framework should extend to and incorporate all management systems • Utilising risk assessment techniques within other systems www.jjprojectconsulting.com.au 23
  • 24. Annex E – Integrating risk management within a management system E4 Implementing RM into a Quality Management System framework www.jjprojectconsulting.com.au 24
  • 25. In conclusion…. “For organisations that have transitioned to ISO 31000, there should be a constant awareness and uptake of the opportunity for improvement”. ISO/TR 31004:2013 www.jjprojectconsulting.com.au 25

Editor's Notes

  1. Firstly – is everyone in the right room? There are 5 workshops on this morning….this is the “Masterclass”. I have had some workshops where some people have actually taken 5 mins to realise they are in the wrong meeting room. So, on behalf of RMIA Conference Committee I’m very pleased to welcome you to the National Conference (official opening tomorrow morning) and to kick-off this Masterclass. Hence, the music – for no other reason than Mozart was regarded as a master in his class - as all of you no doubt are, in our profession of risk management.
  2. Before I start my session I’d like to set some “conference context“ (as per RM101 risk assessment process)… These are the aims as detailed on the Conference Flyer, you may of course have your own additional stakeholder objectives. Q1 – Would anyone like to add anything fundamental or material? My personal objective is that we all head out to Morning Tea in a couple of hours time having achieved all of them in this session and that you have been stimulated with some new ideas to apply in your own arenas. My reason for starting with this is to also create some “session rules” for this Masterclass – refer FLIPCHART 1 to amend/add as necessary. We all agree to work towards the conference aims We will have open, frank, robust and constructive conversations We may agree that there is no right / wrong / optimum…. and “I will take it professionally” (rather than personally) Yes, you have made a valid point/comment…lets now move on Don’t shoot the facilitator (not with real bullets anyway)
  3. With that out of the way…. This workshop is centred around ISO 31004 – you may or may not have already heard of it. Doesn’t matter if you haven’t, that’s the purpose of this MasterClass; to examine and unpack it. I will provide some background and overview of it shortly. There is some contention or differing views about its existence and relevance to us in Aus context wrt the updated HB436, also released late 2013. Overall, I think it makes a great basis for an RMIA Conference Masterclass to explore and see what we make of it – remember, it may be healthy to agree to disagree and we can all hold differing views. I’m particularly interested to see what a room full of experts think of the content and to hear what you think the challenges are when it comes to implementing a risk management framework and processes. I don’t think it’s easy and a guide such as this is hopefully helpful in our quest as practitioners.
  4. So I’d like to start with some introductions and understand the demographic of who’s in the room…. Sorry no flowers from me…but might join you on the dance-floor tomorrow night 
  5. Starting with me, I’m presenting this material and facilitating this workshop session under my independent consulting capacity (ie not in any RMIA capacity) – this is a diagram I often use to declare my various associations and manage any potential conflict of interest (please let me know if you have a problem with any aspect). In summary, I have current long-term & ongoing contracts with Aquas, APP, Thiess & Santos The other ½ of my consulting portfolio is provided under trading entity pda – mostly practitioner ERM consulting, running workshops & risk assessments Involved with professional bodies and various committee roles – RES(EA), RMIA of course and SPE Essentially I’ll be coming at things from my 10 years of direct involvement in implementing and reviewing enterprise risk management in a wide variety of company and independent consulting roles; My career foundation was 10 years at Esso in upstream Oil & Gas, mostly in facility engineering essentially as what SPE call a P-F-C engineer I had 10 years as a Project Manager at Thiess & the last 7 in Corporate – responsible for defining and implementing a RM framework applied across all BU’s – construction, mining & services Ongoing contract for providing risk workshop facilitation & project QRA Involved with Santos for last 5 years; 4 years in GLNG $20B Mega-Project – internal role as Upstream Risk Manager for implementation of extensive project ERM framework, countless workshops and also working in unison with Santos corporate (Adelaide) Last 3 years in the NSW Narrabri GDP – internal role of Project Risk Manager – defined & implemented a tailored framework, ongoing workshops and support APP – PM services Bluecare – development of a RM framework for Property Services BU under a Corporate umbrella AQUAS – I provide Lead Auditor services – come across embedded RM in context of auditing compliance with company’s management systems (ISO 4800/9000/14000) – separate conference! 
Under pda – adhoc engagements for private SME’s & Government departments; for RM consulting, predominantly risk workshops Non-commercial non-exclusive business associations with Cura & Palisade
  6. More-so, I’m interested in YOU! I’d like to understand who we have in the Masterclass and I’m sure your peers would like to know in terms of benchmarking and conversations with you throughout the masterclass. EXERCISE 1 - So, can I get you to quickly introduce yourself to the person on your left & right. Name, current company / role Ok, I don’t think we have time to go around the room so here’s an approach I’d like to try to give us a simple overview of the masterclass by broad category numbers; WHITEBOARD 1 Let’s start with CPRM / CRMT Employment - Independent Consultant / Company Role (SME / large) / retired & unemployed Best describes main Role – C-suite (inc CRO), Management (General – Middle), Operations, Shop-floor Industry – Health, Council, Defence, Project / Construction, IT, Manufacturing ERM / FRM / PRM / SSRM / BCM / IRM / ?? Direct accountability / involvement in RM – Yes / No Anyone else? I would say we have a pretty good spectrum of industries & organisations represented.
  7. As a class of masters – I presume you are all intimately familiar with Figure 1 of ISO 31000. If not – I suggest you carry it around with you until you are! HANDOUT 1 – copy of Figure 1 My take on it is - ISO 31000 essentially took the PROCESS from AS4360 (Clause 5), introduced it under a RM framework (Clause 4) according to a set of Principles (Clause 3). Q2 - Let’s ponder it for a while Are people reasonably comfortable with the process and level of maturity? The PROCESS is what I refer to as RM101 – remember, it’s not specifically aimed at how to do a qualitative risk assessment with a risk matrix. It’s in fact highly generic and allows for the plethora of tools & techniques to the various steps in the iterative process. It’s about assessing (identifying /analysing /evaluating) the risk and treating it. The box that a lot of people miss is the box labelled “Risk Assessment” does not equal Risk Management! How about the framework? Ref Thiess =/ framework  versus Santos experience. And the principles – can anyone recite the 11 of them? Seriously, how much credence have you given them in applying yourself to best practice RM? The whole picture forms an holistic view of RM with the relationships indicated by the arrows – never seen the arrows?? The PRINCIPLES underpin the Mandate & Commitment and Implementing RM in the FRAMEWORK is pivotal with the process. I also believe that the Figure will be modified slightly in next ISO revision to enhance the arrows & connections. This is what we will be exploring throughout this session. Here’s a question; Q3 – do you think the data or the process is more important? Let’s see if you can reach some consensus at your table. A – Hands up if “data”…vs “process”? it’s a bit of a chicken and egg argument isn’t it. Depends on the context. Both equally important is my view.
  8. Also by way of background; ISO 31000 left us with Annex A (the only annexure in the Standard) Here’s a snap-shot of the Annex – HANDOUT 2 Essentially clause A3 listed 5 attributes of enhanced RM and what represents a high level of performance in managing risk, with some indicators on what it might look like in orgs with advanced RM. Although it’s not my intent to spend long on this, hence the handout for you to take it away and apply it, I would like to share my experience with you…
  9. For me Annex A became my beacon for embedding RM frameworks and aiming for enhanced application. So here’s a simple spider diagram I used for a Client with an assessment taken 12 months apart for the 5 attributes, which are….READ from SLIDE. In my opinion, this was probably the only tool provided in ISO 31000 for readily making any kind of maturity assessment or health check on implementation or continuous improvement. Q4 – has anyone had any experience with applying Annex A that would like to share the experience?
  10. To complete my context setting, let’s also go back a step; Orgs use various methods to manage risk - the effect of uncertainty on their objectives ie to manage risk, by detecting and understanding risk and modifying it where necessary. It’s your (org I mean) risk if you choose to utilise any formal & structured framework (per 1 of the principles). My assumption is that if you are in this room you’re familiar with ISO 31000 and maybe going back to AS4360 (Principles & Guidelines) and that you probably generally believe you apply it or seek to. Referenced in the Bibliography of ISO 31000 are actually 2 other important ISO documents; IEC/ISO 31010 Risk Assessment Techniques. Which was the subject of our MasterClass 2 years ago – “Beyond the Matrix”. Guide 73 for RM Vocabulary – which I believe has come a long way in a few short years although still some way to go on LinkedIn forums As risk practitioners you may not be as familiar with or have made the necessary link with the following other ISO standards… ISO 9000 suite of documents, including… ISO 9001 and… ISO 19011 – Guidelines for auditing management systems I have these here because they are listed as the (5) reference standards in the Bibliography of 31004. And nothing to do with certification to ISO standards - ISO31000 was specifically structured as to not be suitable or prescribed for certification, which has probably been a reason for it retaining its pureness and uptake. At the end of the day, for RM to be effective it needs to be integrated into an org’s mgt systems. In fact a clear use of the PDCA concept from a QMS has been embedded within the framework.
  11. So, we are here to look at 31004. Result of Technical Committee ISO/TC 262 Risk Management -> Technical Report (TR) released late 2013 (a couple of months prior to the revised SA HB 436 released in Dec’13). A TR is the “lowest form of ISO life” but essentially TR31004 is the ISO equivalent of the more mature HB436, which I’ll come back to in a moment. So put your international ISO hat on for a moment. Intended to assist orgs make a transition and/or enhance the effectiveness of their RM efforts or by aligning with ISO31000. Applicable to all industries & organisations. 31000 explained how to manage risk effectively (inc. R/A process) but did not really go into explaining how to integrate RM into the orgs management processes, and all the nuances and challenges of that. 31004 is to be read in conjunction with 31000. This TR is intended to be used by those in orgs who make decisions that impact on achieving its objectives, including those responsible for governance, RM advice and support services, and also legislators and regulators. *** Importantly, I see 31004 as quite different but certainly complementary to HB436. Some of the material is exactly the same. I have heard from members of the OB-007 Committee responsible for AS adoption of ISO standards that there’s a view that 31004 does not cover the “process”, which is true but also the reason why I like it. It’s concise and fundamentally about the implementation at a framework level and goes into much more detail around the principles with Practical Help tips – which is what I’d like to focus on today. To be clear – I think as practitioners you need both in your tool bag and for process and AS context I would certainly go to the HB.
  12. So what does TR 31004 contain… It’s really simple; Section 3 provides a generic methodology to help orgs transition existing RM arrangements to align with ISO 31000 in a planned and structured way. = 6 pages! I suggest you read these 6 pages. It’s similar to HB436. Annex A – E cover informative approaches & real steps toward implementation, indispensable in its application. After 10 years of wandering through the jungle I wish I’d had the benefit of this document earlier. Obviously, the guide does not offer a single text-book recipe approach, as context and culture are everything when it comes to RM and certainly for defining & implementing frameworks. So I’m now going to cover section 3 quite briefly in next 3 slides….
  13. 3.1 – General Methodology This section provides a general methodology, irrespective of the nature of the organisations current management arrangements. It recognises that most orgs do manage risk to some extent, I would add some better than others, some formally in a consistent and structured way, some ad-hoc, some fully embedded in core business processes and procedures top-to-bottom. For many organisations it’s probably about some sort of conscious transition from “here” to “there”. So the premise here is really about taking stock and measuring up against 31000 PRINCIPLES and understanding the nature of how the org wishes to adopt the various elements of a RM framework as defined in ISO 31000. This process alone could help identify current risks facing the organisation ie by doing gap analysis can yield huge benefits and pathway to value creation. This is probably an area where I personally pause and would postulate that you need to ascertain if indeed an org wishes to achieve some or all of the principles, after all it’s not gospel and it’s not for certification. All need to be considered, though some may not be as immediately important or applicable as others. Eg I’m working with 1 Client with a brand new start-up business….they don’t have any processes yet and less of a structure is required up front. Need to get some traction with the Board on RA, low-hanging treatments and part of decision making. If you are going full-on with 31000 principles, the details in Section 3.1 provide an excellent narration on what constitutes a solid framework approach, including “integration (cover later annex), the org understanding of uncertainty (Santos example project vs reservoir), tailoring to the size of org, governance, reporting, RM performance as an integral part of org performance, communication, RM silos focus on common objectives, risk treatment & controls as an integral part of daily operations”. 
Undertaking a review per section 3.1 is probably the pivotal point in applying 31004.
  14. I haven’t covered 3.2 – How to Implement ISO 31000….which I will leave to you to read in detail assuming most in the room have already taken that journey, possibly many times. 1 important point it makes is “aspects of transition may be helped by drawing on the experience of other orgs which manage similar types of risks or have gone through a similar process”. This is not advocating plagiarism, as one RM framework is next to useless in another context, but about constructive benchmarking. ================= 3.3 – Integration of ISO 31000 into the Organisations management processes Section 3.3 is the guts of the 6 pages – and here’s some key points….loose ”quotes” in slide… 3.3.1 “there are many ways to integrate ISO 31000 into an organisation”. Some general aspects are probably true most of the time…..here’s my summary of key items presented READ FROM SLIDE. Eg Santos MoC form 3.3.2 must have M&C – “any business activity starts with an analysis of the rationale – cost/benefit analysis”. A really good set of dot-points further explained in 31004….READ FROM SLIDE That’s why I start with Boards on talking frameworks, otherwise you will spend your time pushing it uphill & always be behind the 8-ball; risk that it all dies before it survives. Hopefully, your efforts survive you & your framework implementation. Q – has anyone tried to implement a framework without M&C? (ref Thiess!!!)
  15. 3.3 Cont’d 3.3.3 actually contains 3.3.3.1 – 4 – which I’ll focus on 3.3.3.2 here READ FROM SLIDE there’s also cross-references back to ISO 31000 in this regard 3.3.3.2 Framework Design Requirements - is actually quite good in that it makes you review what’s working and therefore carried forward (if it ain’t broken don’t muck with it). Basically a decision may be to start with a fresh framework – probably pretty radical but may be required. Q – who thinks they would like to start with a new step-change framework? Would your organisations cope? 3.3.4 I won’t go into here as it’s really no different to PM 101 principles, including involvement of stakeholders to define objectives, a detailed project plan, resources & responsibilities etc, progress reporting etc
  16. Lastly… 3.4 is about Continual Improvement – it is really the alignment with ISO 9000 P-D-C-A playing out, to ensure that the RM process should be reviewed to assess whether their design is appropriate and whether their implementation is adding value to the organisation as intended, as well as some triggers for continual improvement (cover more in our wrap-up). Key points ….READ FROM SLIDE If you are interested further in this aspect I’d be happy to talk some more with you afterwards, as I’m quite excited about this convergence aspect and have written a paper for the AOQ Qualcon conference in Adelaide later this month.
  17. So we’ve covered off Section 3. Q - Any major queries or questions? Moving onto the annexures – “provide advice, examples and explanation regarding the implementation of selected aspects of 31000”. I consider the most useful Annexures as B & E – which is what I would like to focus on in a table exercise in a moment So I will just mention the others briefly; Annex A is quite short and gives some really good latest views on practical application such as… READ ALOUD “risks associated with a decision should be understood at the time the decision is made, and risk-taking is therefore intentional” “Objectives are highest expression of intent & purpose” “likelihood is not just that of an event occurring, it is the overall likelihood of experiencing the consequences flowing from a defined event” “you can modify risk by changing any source of uncertainty (eg by making it more or less likely that something will occur) or by changing the range of possible consequences and where they may occur.” “risk treatment is the process that is intended to change or create controls and includes retaining the risk”. For those that are members of LinkedIn forums such as “31000” I’m constantly entertained by conversation threads on the underlying concepts, which I guess is healthy but sometimes concerning with preferential or even ego engineering at play. Similarly, Annex C is really practical and has a good expression of Key characteristics as well as an extensive Practical Help box and guidance on developing the mandate & commitment including; “Establishing the mandate for RM requires careful thought, a strategic perspective and consultation between the oversight body and top management and needs to be considered on both the tactical and strategic levels”. There are some really good tips on policy setting and questions to ask the organisation (Board). And C2.3 REINFORCEMENT provides some great tips to reinforce positive behaviour that & culture. 
I really related to the content here in terms of my own endeavours in obtaining M&C. Best example – Santos “what would you do if you in my shoes”. Annex D would actually be a separate Masterclass - I feel we haven't focused enough on in our journeys to date, including the applicability of Audit & Review processes (often confused with “certification”). It’s about some level of independent review of the framework effectiveness, processes and risk management performance. Eg risk treatment implementation is the easy one. Testing or proof of effective decisions is harder.
  18. As covered earlier, ISO 31000 introduced us to 11 principles for effective RM - the role of the principles is to inform and guide all aspects of the organisation’s approach to risk management. Principles describe the characteristics of effective risk management. They also influence all elements of the transition process described above. Annexure B contains a really thorough (11 pages!) guidance on the application of these ISO 31000 principles, including very good Practical Help Boxes for some. Each of the principles is really well covered in detail in 31004. In line with the approach proposed in Section 3 where all should be considered (and kept in mind at all times) but key principles focused on as a priority in a framework implementation ie bang for buck. Eg From my experience, I believe that by addressing Principle B & C all others in fact essentially flow from there. Or put another way, even if you do a fantastic job of addressing all of the others, it will fail in being effective if it’s not embedded as part of decision-making.
  19. I have chosen Principle C first because I firmly believe this is where effective RM starts and ends in terms of endeavouring to achieve effectiveness. It is all about risk being part of decision making, from top (Board) to bottom of an organisation. The last dot point goes further – this will require clear allocation of accountability, supported by skills training and performance review. I have spoken with HR in various capacities but mostly get push-back on this subject. One HR Manager said that he’s had the same request (for manager training) from engineering, procurement, quality etc. This is one of the Principles that also has some “Practical Help” tips which I warn you could be confronting to some decision makers!
  20. Here’s the exercise for this morning; READ FROM SLIDE HANDOUT 3 - Allocate 1 principle per table. ===================================== Let’s collate the consensus results on the WHITEBOARD 2; Principle | How to Apply/Practical Help (score out of 10) | Key Challenge | What’s missing? eg 1 | 7/10 Y | getting access to Board | doesn’t mention HR
  21. So we’ve covered off Annex B. Let’s now finish briefly with Annex E.
  22. So here’s a bit of Management System 101 – if you're not familiar, have a read of ISO 9001 (Quality Management System) – it’s only a dozen pages! Q5 – how would you describe a management system? Basic principles to me (as a Mgt Systems auditor) A framework to establish management practices and procedures to direct & control its activities It’s a set of inter-related or interacting elements to achieve objectives From a business management perspective, efficiency is gained by having one integrated system of management Interestingly, compatibility with other management systems is covered off in the Introduction in ISO 9001 and includes reference to Risk Management as another management system which for 2000 was fairly progressive given AS4360 was only first introduced in 1995 and 2009 before it was superseded by creation of ISO 31000. A sign of further integration is that the draft ISO 9001 has apparently replaced preventive action with risk analysis! Perhaps the start of something new…once again I’m happy to share the paper with you after I present it at the AOQ Qualcon conference in Adelaide later this month.
  23. Anyhow…the fundamental premise & approach is covered…. READ FROM SLIDE I see this as essentially achieving what we commonly look at as ERM – but is a term that probably scares non-practitioners away. So I’m taking a fresh approach to this area. Work with an organisation not against it. Thiess example from senior RM exec sponsor - we manage risk from when we get out of bed in the morning we manage risk (winning construction tenders with carefully developed pricing and levels of “risk” money or contingency) Not allowed to call it a framework – FINE vs fight it! Santos example – PD said to “speak his language” and into his “world” which was the black art of Reservoir Engineering and predicting reserves and well deliverability…they already have sophisticated QRA.
  24. Hopefully you are inspired to head back into your work arena and look at your own Management Systems (Quality or otherwise) and seek to determine the worth of integration and application of the principles of 31000 as per 31004 guide. Key points from my experience…. integrating RM & RA with core business processes Interaction between all mgt system approaches Enables all risks in the IMS to be handled according to 31000 principles & processes Can involve application of R/A techniques throughout the QMS Application of P-D-C-A with a focus on continual improvement because the risks are not static! E4.4 goes into implications and extends to the training, changing procedures etc etc The triggers for continual improvement; Routine monitoring and review of the RM framework and the RM process, which identifies opportunities to improve New knowledge becoming available A substantive change to the organisation’s internal and external context
  25. Hopefully the session has been useful; You depart more aware of ISO/TR 31004 You may not have thought about your RM within management system context before You might head away with a renewed awareness of the fundamental 31000 principles and review your framework against them And the C/I aspect of PDCA