SlideShare a Scribd company logo

Iso 31000.pdf

A
AdykMargaRaharja

This document discusses risk management basics and the ISO 31000 standard for risk management. It provides an overview of key aspects of risk management including definitions, principles, frameworks, processes, and guidelines. The ISO 31000 standard provides principles and generic guidelines for managing risk across various types of organizations. It describes establishing the context, risk identification, analysis, evaluation, treatment, and monitoring and review as important parts of the risk management process. The goal is to help organizations effectively manage risk to achieve their objectives.

Education
1 of 17
Download to read offline
Risk Management Basics - ISO 31000 Standard Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company
Risk Management Basics - ISO 31000 Standard 1. Risk Management Basics 2. ISO 31000 – Risk 2. ISO 31000 – Risk Management Principles and Guidelines
Risk Management Basics Organizational objectives are influenced by internal and external factors which create uncertainty in achieving those objectives. The effect of this uncertainty is “risk” to the organization’s objectives. Unlike Risk Elimination (approach of military and law enforcement) which seeks to remove all risk; Risk Management is the coordinated activities to direct Management is the coordinated activities to direct and control an organization with regard to risk. Risk Management allows for multiple risk responses dependent upon evaluation and analysis of risk. RISK = Negative IMPACT to objectives X LIKELIHOOD of occurrence.
Risk Management Basics Risk Responses: 1. MITIGATE - corrective action to eliminate or reduce IMPACT or LIKELIHOOD 2. AVOID - Cease activity to eliminate risk 3. TRANSFER - Shift IMPACT to another entity 4. ACCEPT - No corrective action. Document acceptance decision and monitor
ISO 31000: Risk management — Principles and guidelines • Published in 2009, to provide “principles & generic guidelines on risk management” • “…can be applied to any type of risk, whatever its nature, whether having positive or negative consequences” • “…not intended to promote uniformity of risk • “…not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes,..” • “…not intended for the purpose of certification”
ISO 31000: Principles, Framework & Process PRINCIPLES a) Creates value b) Integral part of organizational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured & timely f) Based on the best available Mandate & commitment Design of framework for managing risk FRAMEWORK f) Based on the best available information g) Tailored h) Takes human & cultural factors into account i) Transparent & inclusive j) Dynamic, iterative and responsive to change k) Facilitates continuous improvement & enhancement of the organization Implementing risk management Monitoring & review of the framework Continual improvement of the framework
RISK ASSESSMENT ISO 31000: Principles, Framework & Process Establishing the context Risk identification PROCESS Implementing risk FRAMEWORK Monitoring & review Communication & consultation risk management Risk analysis Risk evaluation Risk treatment Monitoring & review Communication & consultation
Risk Management: Establish the context External context • Legal, Regulatory, Financial • International, national, regional or local • Relationships with, perceptions and values of external stakeholders Internal context • Organizational objectives • Project, process, or activity objectives • Project, process, or activity objectives • Policy, standards, guidelines and models adopted by the organization • Contractual relationships Risk Management process context • Objectives, scope, responsibilities, methods • Defining risk criteria – measures, tolerance levels, views of stakeholders
ISO 31000: Risk Identification • Process of finding, recognizing and describing risks • Comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. • Identify the risks associated with not pursuing an opportunity opportunity • A risk that is not identified at this stage will not be included in further analysis • Identification should include risks whether or not their source is under the control of the organization
ISO 31000: Risk Analysis • Process to comprehend the nature of risk and to determine the level of risk • “Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those and the likelihood that those consequences can occur.” • Provides the basis for risk evaluation and decisions about risk treatment • Risk analysis includes risk estimation
Risk Analysis Risk Classifications: • essential risks, • risks to be monitored • risks to be observed Impact scale: Likelihood scale: • more than 10 years • 5 to 10 years (> 0.1 ) • 3 to 5 years (> 0.2 ) Impact scale: • very low (< $1k) • low (< $5k) • medium (< $25k) • high (< $100k) • very high (> $100K) • 3 to 5 years (> 0.2 ) • 2 to 3 years (> 0,33 ) • less than 2 years (> 0.5 ) OWASP Risk Ranking Methodology
ISO 31000: Risk Evaluation • The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation • Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk that benefits from the risk • Decisions should be made in accordance with legal, regulatory and other requirements • In some circumstances, the risk evaluation can lead to a decision to undertake further analysis • The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls
ISO 31000: Risk Evaluation • Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk • Decisions should be made in accordance • The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation • Decisions should be made in accordance with legal, regulatory and other requirements • In some circumstances, the risk evaluation can lead to a decision to undertake further analysis • The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls
ISO 31000: Risk Treatment Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Risk treatment options are not necessarily mutually exclusive. The options can include the following: TRANSFER • Sharing the risk with another party or parties (including contracts and risk financing) AVOID AVOID • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk • Removing the risk source MITIGATE • Changing the likelihood • Changing the consequences (impact) ACCEPT • Retaining the risk by informed decision • Taking or increasing the risk in order to pursue an opportunity
ISO 31000: Risk Treatment • Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. • A number of treatment options can be considered • A number of treatment options can be considered and applied either individually or in combination. • Risk treatment itself can introduce risks. A significant risk can be the failure or ineffectiveness of the risk treatment measures. Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective.
ISO 31000: Monitoring & Review • An integral part of the risk management process involving regular checking or surveillance • Ensure controls are effective & efficient • Detect change in external or internal context • Analysis, lessons learned, continuous • Analysis, lessons learned, continuous improvement • Identify emerging risks
Risk Management Basics - ISO 31000 Standard Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company THANKS for attending! ENJOY the conference!

Recommended

PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk MethodologyPECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB
 
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB
 
PECB Webinar: Risk Treatment according to ISO 27005
PECB Webinar: Risk Treatment according to ISO 27005PECB Webinar: Risk Treatment according to ISO 27005
PECB Webinar: Risk Treatment according to ISO 27005
PECB
 
Risk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideRisk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation Slide
SlideTeam
 
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organizationPECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB
 
Managing with KPI's and KRI's
Managing with KPI's and KRI's Managing with KPI's and KRI's
Managing with KPI's and KRI's
Andrew Smart
 
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Association for Project Management
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009
Goutama Bachtiar
 

Recommended

PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk MethodologyPECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB
 
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB
 
PECB Webinar: Risk Treatment according to ISO 27005
PECB Webinar: Risk Treatment according to ISO 27005PECB Webinar: Risk Treatment according to ISO 27005
PECB Webinar: Risk Treatment according to ISO 27005
PECB
 
Risk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideRisk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation Slide
SlideTeam
 
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organizationPECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB
 
Managing with KPI's and KRI's
Managing with KPI's and KRI's Managing with KPI's and KRI's
Managing with KPI's and KRI's
Andrew Smart
 
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Aligning strategy decisions with risk appetite, presented by David Shearer, 1...
Association for Project Management
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009
Goutama Bachtiar
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk management
Subhendu Datta
 
Business Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation SlidesBusiness Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation Slides
SlideTeam
 
Risk Management
Risk ManagementRisk Management
Risk Management
Stefan Csosz
 
Risk Appetite
Risk AppetiteRisk Appetite
Risk Appetite
Towers Perrin
 
ISO 31000:2018 Risk Management System, Framework and Implementation
ISO 31000:2018 Risk Management System, Framework and ImplementationISO 31000:2018 Risk Management System, Framework and Implementation
ISO 31000:2018 Risk Management System, Framework and Implementation
Alvin Integrated Services [AIS]
 
Coso erm
Coso ermCoso erm
Coso erm
Humberto Omar Valverde Taborga
 
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Compliance LLC
 
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Zanders Treasury, Risk and Finance
 
Five lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; ermFive lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; erm
Dr. Zar Rdj
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslide
Zakaria Salah, Ph.D,MBA
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite
Andrew Smart
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
Aronson LLC
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
mmagario
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
Sophia Abigayle
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
PECB
 
Risk management
Risk management Risk management
Risk management
mamta bhaurya
 
Risk Management Procedure And Guidelines PowerPoint Presentation Slides
Risk Management Procedure And Guidelines PowerPoint Presentation Slides Risk Management Procedure And Guidelines PowerPoint Presentation Slides
Risk Management Procedure And Guidelines PowerPoint Presentation Slides
SlideTeam
 
Risk Assessment Step PowerPoint Presentation Slides
Risk Assessment Step PowerPoint Presentation SlidesRisk Assessment Step PowerPoint Presentation Slides
Risk Assessment Step PowerPoint Presentation Slides
SlideTeam
 
Risk Management Process Steps PowerPoint Presentation Slides
Risk Management Process Steps PowerPoint Presentation Slides Risk Management Process Steps PowerPoint Presentation Slides
Risk Management Process Steps PowerPoint Presentation Slides
SlideTeam
 
Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...
Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...
Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...
Eric Campbell
 
Risk management ppt mimi
Risk management ppt mimiRisk management ppt mimi
Risk management ppt mimi
mbondgulo
 
Iso 31000
Iso 31000Iso 31000
Iso 31000
Dr. Jojo Javier
 

More Related Content

What's hot

Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk management
Subhendu Datta
 
Business Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation SlidesBusiness Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation Slides
SlideTeam
 
Risk Management
Risk ManagementRisk Management
Risk Management
Stefan Csosz
 
Risk Appetite
Risk AppetiteRisk Appetite
Risk Appetite
Towers Perrin
 
ISO 31000:2018 Risk Management System, Framework and Implementation
ISO 31000:2018 Risk Management System, Framework and ImplementationISO 31000:2018 Risk Management System, Framework and Implementation
ISO 31000:2018 Risk Management System, Framework and Implementation
Alvin Integrated Services [AIS]
 
Coso erm
Coso ermCoso erm
Coso erm
Humberto Omar Valverde Taborga
 
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Compliance LLC
 
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Zanders Treasury, Risk and Finance
 
Five lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; ermFive lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; erm
Dr. Zar Rdj
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslide
Zakaria Salah, Ph.D,MBA
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite
Andrew Smart
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
Aronson LLC
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
mmagario
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
Sophia Abigayle
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
PECB
 
Risk management
Risk management Risk management
Risk management
mamta bhaurya
 
Risk Management Procedure And Guidelines PowerPoint Presentation Slides
Risk Management Procedure And Guidelines PowerPoint Presentation Slides Risk Management Procedure And Guidelines PowerPoint Presentation Slides
Risk Management Procedure And Guidelines PowerPoint Presentation Slides
SlideTeam
 
Risk Assessment Step PowerPoint Presentation Slides
Risk Assessment Step PowerPoint Presentation SlidesRisk Assessment Step PowerPoint Presentation Slides
Risk Assessment Step PowerPoint Presentation Slides
SlideTeam
 
Risk Management Process Steps PowerPoint Presentation Slides
Risk Management Process Steps PowerPoint Presentation Slides Risk Management Process Steps PowerPoint Presentation Slides
Risk Management Process Steps PowerPoint Presentation Slides
SlideTeam
 
Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...
Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...
Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...
Eric Campbell
 

What's hot (20)

Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk management
 
Business Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation SlidesBusiness Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation Slides
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Risk Appetite
Risk AppetiteRisk Appetite
Risk Appetite
 
ISO 31000:2018 Risk Management System, Framework and Implementation
ISO 31000:2018 Risk Management System, Framework and ImplementationISO 31000:2018 Risk Management System, Framework and Implementation
ISO 31000:2018 Risk Management System, Framework and Implementation
 
Coso erm
Coso ermCoso erm
Coso erm
 
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa...
 
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
 
Five lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; ermFive lines of assurance a new paradigm in internal audit &amp; erm
Five lines of assurance a new paradigm in internal audit &amp; erm
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslide
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
 
Risk management
Risk management Risk management
Risk management
 
Risk Management Procedure And Guidelines PowerPoint Presentation Slides
Risk Management Procedure And Guidelines PowerPoint Presentation Slides Risk Management Procedure And Guidelines PowerPoint Presentation Slides
Risk Management Procedure And Guidelines PowerPoint Presentation Slides
 
Risk Assessment Step PowerPoint Presentation Slides
Risk Assessment Step PowerPoint Presentation SlidesRisk Assessment Step PowerPoint Presentation Slides
Risk Assessment Step PowerPoint Presentation Slides
 
Risk Management Process Steps PowerPoint Presentation Slides
Risk Management Process Steps PowerPoint Presentation Slides Risk Management Process Steps PowerPoint Presentation Slides
Risk Management Process Steps PowerPoint Presentation Slides
 
Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...
Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...
Risk Appetite & Risk Tolerance: Improving their application from Abstract to ...
 

Similar to Iso 31000.pdf

Risk management ppt mimi
Risk management ppt mimiRisk management ppt mimi
Risk management ppt mimi
mbondgulo
 
Iso 31000
Iso 31000Iso 31000
Iso 31000
Dr. Jojo Javier
 
ISO 31000
ISO 31000ISO 31000
ISO 31000
yeganehmajidi
 
Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk management
Stephen Ong
 
G31000 Risk Management Maturity Model
G31000 Risk Management Maturity ModelG31000 Risk Management Maturity Model
G31000 Risk Management Maturity Model
Alexei Sidorenko, CRMP
 
Iso 31000 presentation
Iso 31000 presentationIso 31000 presentation
Iso 31000 presentation
christianaegerter1
 
Risk management
Risk managementRisk management
Risk management
Anurag Bhusal
 
risk.ppt shrey vashistha.ppt
risk.ppt shrey vashistha.pptrisk.ppt shrey vashistha.ppt
risk.ppt shrey vashistha.ppt
UmangVashistha2
 
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docxAbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
ransayo
 
Beyond Compliance
Beyond ComplianceBeyond Compliance
Beyond Compliance
mikaelastafrace
 
Session 6 Power Point
Session 6 Power PointSession 6 Power Point
Session 6 Power Point
hiratufail
 
Presentation on Risk management & controlling (Corporate Finance & Internatio...
Presentation on Risk management & controlling (Corporate Finance & Internatio...Presentation on Risk management & controlling (Corporate Finance & Internatio...
Presentation on Risk management & controlling (Corporate Finance & Internatio...
Suyash Rewale
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
Nikhil Soni
 
Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment
KateKazhan
 
The IRM India- A Risk Management Standard
The IRM India- A Risk Management StandardThe IRM India- A Risk Management Standard
The IRM India- A Risk Management Standard
The IRM India
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
.AIR UNIVERSITY ISLAMABAD
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk management
G3 intelligence Ltd
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentals
mikaelastafrace
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1
Paul Hunt
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to finance
Robert Reed
 

Similar to Iso 31000.pdf (20)

Risk management ppt mimi
Risk management ppt mimiRisk management ppt mimi
Risk management ppt mimi
 
Iso 31000
Iso 31000Iso 31000
Iso 31000
 
ISO 31000
ISO 31000ISO 31000
ISO 31000
 
Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk management
 
G31000 Risk Management Maturity Model
G31000 Risk Management Maturity ModelG31000 Risk Management Maturity Model
G31000 Risk Management Maturity Model
 
Iso 31000 presentation
Iso 31000 presentationIso 31000 presentation
Iso 31000 presentation
 
Risk management
Risk managementRisk management
Risk management
 
risk.ppt shrey vashistha.ppt
risk.ppt shrey vashistha.pptrisk.ppt shrey vashistha.ppt
risk.ppt shrey vashistha.ppt
 
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docxAbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
 
Beyond Compliance
Beyond ComplianceBeyond Compliance
Beyond Compliance
 
Session 6 Power Point
Session 6 Power PointSession 6 Power Point
Session 6 Power Point
 
Presentation on Risk management & controlling (Corporate Finance & Internatio...
Presentation on Risk management & controlling (Corporate Finance & Internatio...Presentation on Risk management & controlling (Corporate Finance & Internatio...
Presentation on Risk management & controlling (Corporate Finance & Internatio...
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment
 
The IRM India- A Risk Management Standard
The IRM India- A Risk Management StandardThe IRM India- A Risk Management Standard
The IRM India- A Risk Management Standard
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk management
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentals
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to finance
 

Recently uploaded

World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
ak6969907
 
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdfবাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
eBook.com.bd (প্রয়োজনীয় বাংলা বই)
 
Life upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for studentLife upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for student
NgcHiNguyn25
 
How to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP ModuleHow to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP Module
Celine George
 
Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
Dr. Mulla Adam Ali
 
Smart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICTSmart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICT
simonomuemu
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
Celine George
 
DRUGS AND ITS classification slide share
DRUGS AND ITS classification slide shareDRUGS AND ITS classification slide share
DRUGS AND ITS classification slide share
taiba qazi
 
writing about opinions about Australia the movie
writing about opinions about Australia the moviewriting about opinions about Australia the movie
writing about opinions about Australia the movie
Nicholas Montgomery
 
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
heathfieldcps1
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
camakaiclarkmusic
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
WaniBasim
 
The simplified electron and muon model, Oscillating Spacetime: The Foundation...
The simplified electron and muon model, Oscillating Spacetime: The Foundation...The simplified electron and muon model, Oscillating Spacetime: The Foundation...
The simplified electron and muon model, Oscillating Spacetime: The Foundation...
RitikBhardwaj56
 
Types of Herbal Cosmetics its standardization.
Types of Herbal Cosmetics its standardization.Types of Herbal Cosmetics its standardization.
Types of Herbal Cosmetics its standardization.
Ashokrao Mane college of Pharmacy Peth-Vadgaon
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
IreneSebastianRueco1
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
Scholarhat
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
David Douglas School District
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
Academy of Science of South Africa
 
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptxC1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
mulvey2
 

Recently uploaded (20)

World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
 
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdfবাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
 
Life upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for studentLife upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for student
 
How to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP ModuleHow to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP Module
 
Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
 
Smart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICTSmart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICT
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
 
DRUGS AND ITS classification slide share
DRUGS AND ITS classification slide shareDRUGS AND ITS classification slide share
DRUGS AND ITS classification slide share
 
writing about opinions about Australia the movie
writing about opinions about Australia the moviewriting about opinions about Australia the movie
writing about opinions about Australia the movie
 
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
 
CACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdfCACJapan - GROUP Presentation 1- Wk 4.pdf
CACJapan - GROUP Presentation 1- Wk 4.pdf
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
 
The simplified electron and muon model, Oscillating Spacetime: The Foundation...
The simplified electron and muon model, Oscillating Spacetime: The Foundation...The simplified electron and muon model, Oscillating Spacetime: The Foundation...
The simplified electron and muon model, Oscillating Spacetime: The Foundation...
 
Types of Herbal Cosmetics its standardization.
Types of Herbal Cosmetics its standardization.Types of Herbal Cosmetics its standardization.
Types of Herbal Cosmetics its standardization.
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
 
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptxC1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
C1 Rubenstein AP HuG xxxxxxxxxxxxxx.pptx
 

Iso 31000.pdf

  • 1. Risk Management Basics - ISO 31000 Standard Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company
  • 2. Risk Management Basics - ISO 31000 Standard 1. Risk Management Basics 2. ISO 31000 – Risk 2. ISO 31000 – Risk Management Principles and Guidelines
  • 3. Risk Management Basics Organizational objectives are influenced by internal and external factors which create uncertainty in achieving those objectives. The effect of this uncertainty is “risk” to the organization’s objectives. Unlike Risk Elimination (approach of military and law enforcement) which seeks to remove all risk; Risk Management is the coordinated activities to direct Management is the coordinated activities to direct and control an organization with regard to risk. Risk Management allows for multiple risk responses dependent upon evaluation and analysis of risk. RISK = Negative IMPACT to objectives X LIKELIHOOD of occurrence.
  • 4. Risk Management Basics Risk Responses: 1. MITIGATE - corrective action to eliminate or reduce IMPACT or LIKELIHOOD 2. AVOID - Cease activity to eliminate risk 3. TRANSFER - Shift IMPACT to another entity 4. ACCEPT - No corrective action. Document acceptance decision and monitor
  • 5. ISO 31000: Risk management — Principles and guidelines • Published in 2009, to provide “principles & generic guidelines on risk management” • “…can be applied to any type of risk, whatever its nature, whether having positive or negative consequences” • “…not intended to promote uniformity of risk • “…not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes,..” • “…not intended for the purpose of certification”
  • 6. ISO 31000: Principles, Framework & Process PRINCIPLES a) Creates value b) Integral part of organizational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured & timely f) Based on the best available Mandate & commitment Design of framework for managing risk FRAMEWORK f) Based on the best available information g) Tailored h) Takes human & cultural factors into account i) Transparent & inclusive j) Dynamic, iterative and responsive to change k) Facilitates continuous improvement & enhancement of the organization Implementing risk management Monitoring & review of the framework Continual improvement of the framework
  • 7. RISK ASSESSMENT ISO 31000: Principles, Framework & Process Establishing the context Risk identification PROCESS Implementing risk FRAMEWORK Monitoring & review Communication & consultation risk management Risk analysis Risk evaluation Risk treatment Monitoring & review Communication & consultation
  • 8. Risk Management: Establish the context External context • Legal, Regulatory, Financial • International, national, regional or local • Relationships with, perceptions and values of external stakeholders Internal context • Organizational objectives • Project, process, or activity objectives • Project, process, or activity objectives • Policy, standards, guidelines and models adopted by the organization • Contractual relationships Risk Management process context • Objectives, scope, responsibilities, methods • Defining risk criteria – measures, tolerance levels, views of stakeholders
  • 9. ISO 31000: Risk Identification • Process of finding, recognizing and describing risks • Comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. • Identify the risks associated with not pursuing an opportunity opportunity • A risk that is not identified at this stage will not be included in further analysis • Identification should include risks whether or not their source is under the control of the organization
  • 10. ISO 31000: Risk Analysis • Process to comprehend the nature of risk and to determine the level of risk • “Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those and the likelihood that those consequences can occur.” • Provides the basis for risk evaluation and decisions about risk treatment • Risk analysis includes risk estimation
  • 11. Risk Analysis Risk Classifications: • essential risks, • risks to be monitored • risks to be observed Impact scale: Likelihood scale: • more than 10 years • 5 to 10 years (> 0.1 ) • 3 to 5 years (> 0.2 ) Impact scale: • very low (< $1k) • low (< $5k) • medium (< $25k) • high (< $100k) • very high (> $100K) • 3 to 5 years (> 0.2 ) • 2 to 3 years (> 0,33 ) • less than 2 years (> 0.5 ) OWASP Risk Ranking Methodology
  • 12. ISO 31000: Risk Evaluation • The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation • Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk that benefits from the risk • Decisions should be made in accordance with legal, regulatory and other requirements • In some circumstances, the risk evaluation can lead to a decision to undertake further analysis • The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls
  • 13. ISO 31000: Risk Evaluation • Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk • Decisions should be made in accordance • The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation • Decisions should be made in accordance with legal, regulatory and other requirements • In some circumstances, the risk evaluation can lead to a decision to undertake further analysis • The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls
  • 14. ISO 31000: Risk Treatment Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Risk treatment options are not necessarily mutually exclusive. The options can include the following: TRANSFER • Sharing the risk with another party or parties (including contracts and risk financing) AVOID AVOID • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk • Removing the risk source MITIGATE • Changing the likelihood • Changing the consequences (impact) ACCEPT • Retaining the risk by informed decision • Taking or increasing the risk in order to pursue an opportunity
  • 15. ISO 31000: Risk Treatment • Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. • A number of treatment options can be considered • A number of treatment options can be considered and applied either individually or in combination. • Risk treatment itself can introduce risks. A significant risk can be the failure or ineffectiveness of the risk treatment measures. Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective.
  • 16. ISO 31000: Monitoring & Review • An integral part of the risk management process involving regular checking or surveillance • Ensure controls are effective & efficient • Detect change in external or internal context • Analysis, lessons learned, continuous • Analysis, lessons learned, continuous improvement • Identify emerging risks
  • 17. Risk Management Basics - ISO 31000 Standard Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company THANKS for attending! ENJOY the conference!