The webinar covers: • Overview of ISO 31000 and how this standard implies threats but opportunities as well • Risk-based thinking as an integral part of ISO 9001:2015 and ISO 14001:2015 • Principles, processes and framework of ISO 31000 • How organizations can reduce uncertainty, seize opportunities and treat risks Presenter: This session will be presented by PECB Trainer Jacob McLean, Principal Consultant and Managing Director of Kaizen Training & Management Consultants Limited. Link of the recorded session published on YouTube: https://youtu.be/MVBMM6X3Vgw

1. ISO 31000:The Benchmark
for
Risk Management in Uncertain
Times
Presenter: Jacob A. McLean, MS, CSP, QEP, MBA,
B.Sc.
PECB ISO 31000 Lead Risk Manager
1
v

2. Webinar Objectives
• Participants will:
Understand the concept of risk as the effect of uncertainty on
objectives
Understand risk management principles, framework and process
in the context of a Risk Management System
Appreciate the value of ISO 31000 as the benchmark for best
practice in managing risk
2

3. Introduction
• ISO 31000 defines risk as “effect of uncertainty on objectives”.
• It implies threats as well as opportunities, which is the essence of
risk-based thinking.
• ISO 9001:2015, ISO 14001:2015; ISO 22301:2012 and OHAS 18001:
2007 are all risk-based Standards.
3

4. Introduction
• The principles, processes and framework of ISO 31000, the
benchmark for managing risks related to tasks, processes, functions
and enterprises, will be discussed.
• A risk management system based on this Standard reduces
uncertainty, enables the organization to seize opportunities, while
treating risks appropriately, to enable continual improvement and
chart the way to business success in uncertain times.
4

5. ISO 31000 Family of Standards
• ISO 31000:2009 Risk management -- Principles and guidelines
• Risk Management Principles
• Risk Management Framework
• Risk Management Process
• ISO Guide 73
• Global vocabulary of risk management terms
• ISO_IEC 31010:2009 - Risk Assessment Techniques
• Reflects current good practices in selection and utilization of risk assessment
techniques
5

6. ISO 31000 Users
• Stakeholders include:
 those responsible for implementing risk management;
 those who need to ensure sound risk management;
 those who manage risk for the organisation or a
specific area or activity;
 those needing to evaluate an organisation’s practices
in managing risk.
6

7. Scope of ISO 31000
• Provides principles and generic guidelines on implementation of risk
management, focusing on managing uncertainty in the meeting of
objectives, and the importance of risk communication.
• Applicable to any kind of organization, is not certifiable (third party)
but outlines general principles and guidelines.
• It harmonizes risk management processes by providing a common
approach in support of standards dealing with specific risks and/or
sectors but does not replace those standards.
7

8. Key Emphases
 ISO 31000:
 stresses commitment to diligent risk management
 encourages priority setting
 explains that risk management should itself create value
 stresses the importance of context
 addresses the sometimes confusing issue of risk terminology
 Adopts the viewpoint that risk management is integral to the
organization’s structures, responsibilities, and objectives.
8

9. ISO 31000 Risk Management Architecture:
Principles, Framework, Process
9

10. Principles
Risk management:
a) creates value.
b) is an integral part of organizational processes.
c) is part of decision making.
d) explicitly addresses uncertainty.
e) is systematic, structured and timely.
f) is based on the best available information.
g) is tailored.
h) takes human and cultural factors into account.
i) is transparent and inclusive.
j) is dynamic, iterative and responsive to change.
k) facilitates continual improvement and enhancement of the organization.
10

11. Principles
•Principles provide the foundation for the rest
of the standard.
• The organization’s approach to risk management:
Should be an integral part of its processes (especially
decision making process);
Should be tailored to its environment;
Should create and protect value;
Should support and encourage continual improvement.
11

12. Risk Management Process
• Includes five activities:
Establishing the Context;
Communicating and Consulting;
Risk Assessment;
Risk Treatment; and
Monitoring And Review.
12

13. Establishing the Context
Consider the following:
Objectives and operating environment
Relevant Legislation
Stakeholder identification & analysis
Government Policy
Corporate Policy
Management Structures
Community Expectations
General criteria
Consequence criteria
13

14. Communication and Consultation
• Seeks to improve performance based on informed,
mutual decisions about risk
• Aim is not to avoid all conflict or to diffuse all concerns
14

15. COMMUNICATION AND CONSULTATION
MONITOR AND REVIEW
Establish the
Context
Objectives
Stakeholders
Criteria
Define Key
Elements
Analyze the
Risks
Review
controls
Likelihoods
Consequence
Level of risks
Evaluate
Risks
Rank risks
Treat Risks
Identify
options
Select
Select best
responses
treatment
plans
Implement
6
Identify the
Risks
What can
happen
How it can
happen
2 3
4 5
7
15

16. Risk Assessment
• Comprises three sub-processes:
 risk identification;
 risk analysis;
 risk evaluation.
16

17. Benefits of Risk Assessment
• Provides understanding of risks, causes, impacts and
probabilities
• Provides input to decision-making regarding:
 whether activity should be undertaken;
 how to maximize opportunities;
 whether risks need treatment;
 prioritizing risk treatment options;
 risk treatment strategies that will bring adverse risks to
tolerable level
 choosing between options with different risks.
17

18. How the Risk Assessment Process Works
Step 1 : Establish the Context
 external context
 internal context
 risk management context
 risk criteria
 define the structure
18

19. How the Risk Assessment Process Works
•Step 2 : Identify Risks
 What can happen, when, where and how
 Identify key processes, tasks, activities
 Recognise risk areas
 Define risks
 Categorize risk
19

20. How the Risk Assessment Process Works
 Find, recognize and describe risks that could affect
achievement of objectives
 Identify sources of risk
 Include identification of possible causes and potential
consequences
20

21. How the Risk Analysis Process Works
•Step 3 : Analyse Risks
Purpose:
 Separate minor from major risks
 Provide data to assist risk evaluation
 Identify controls
 Determine likelihood
 Determine consequence
 Determine level of risk
 Where possible, place confidence limits on estimates
 Use best available information
21

22. How the Risk Evaluation Process Works
•Step 4 : Evaluate Risks
 Identify tolerable versus unacceptable risks (Compare
risk rating against risk criteria)
 Prioritize risks for treatment
22

23. How the Risk Evaluation Process Works
Consider:
 Objectives of projects and opportunities
 Tolerability of risks
 Whether risk needs treatment
 Consider if activity should be undertaken
 Priorities for treatment
23

24. Risk Treatment Options
• Reduce:
 Likelihood
 Consequence
• Contingency Planning
• Sharing in full or part (this creates a new risk)
• Avoid (but not because of aversion)
• Retain residual risk
24

25. Risk Treatment Plans
Document options for plan implementation:
 Responsibilities
 Schedules
 Expected outcomes
 Budget
 Performance measures
 Review processes
25

26. The Concept of ALARP
26

27. The Concept of ALARP
27

28. Treatment Based on Risk Evaluation
• Low - No additional controls required unless cost is minimal
• Medium – Give consideration to whether risks can be lowered to
tolerable level
• High - Substantial efforts should be made to reduce risk.
Consider suspending/restricting the activity, or apply interim risk control
measures
• Very high - risk are unacceptable.
Effect substantial improvements to reduce to tolerable/acceptable level
28

29. Monitor and Review
• Risk management is a journey, not a destination
• What may be of minor significance today may be the disaster
of tomorrow
• Review is an integral part of the risk management process
29

30. Attributes of Enhanced Risk Management
• Comprehensive, fully defined and fully accepted accountability
for risks, controls and treatment tasks.
• Named individuals fully accept, are appropriately skilled and
have adequate resources to check controls, monitor risks,
improve controls and communicate effectively about risks and
their management to interested parties.
30

31. Attributes of Enhanced Risk Management
• All decision making within the organisation, whatever the level of
importance and significance, involves the explicit consideration of
risks and the application of the risk management process to some
appropriate degree.
• A pronounced emphasis on continuous improvement in risk
management through the setting of organizational performance
goals, measurement, review and the subsequent modification of
processes, systems, resources and capabilities/skills.
31

32. Attributes of Enhanced Risk Management
• Continual communications and highly visible, comprehensive and
frequent reporting of risk management performance to all
“interested parties” as part of the governance process.
• Risk management is always viewed as a core organizational
process where risks are considered in terms of sources of
uncertainty that can be treated to maximize the chance of gain
while minimizing the chance of loss.
32

33. Attributes of Enhanced Risk Management
• Critically, effective risk management is regarded by senior
managers as essential for the achievement of the organization’s
objectives.
• The organization’s governance structure and process are
founded on the risk management process.
33

34. THANK YOU!
Kaizen Training and Management Consultants Limited
22B Old Hope Road,
Kingston 5
Jamaica, West Indies
Phone (land line): (876) 631- 0365
Phone (mobile): (876) 475 – 1963
Fax : (876) 906 – 7423
Email: ktmclimited@gmail.com
Website: www.ktmcltd.com
34