The webinar covers:
• Overview of ISO 31000 and how this standard implies opportunities as well as threats
• Risk-based thinking as an integral part of ISO 9001:2015 and ISO 14001:2015
• Principles, processes and framework of ISO 31000
• How organizations can reduce uncertainty, seize opportunities and treat risks
Presenter:
This session will be presented by PECB Trainer Jacob McLean, Principal Consultant and Managing Director of Kaizen Training & Management Consultants Limited.
Link of the recorded session published on YouTube: https://youtu.be/MVBMM6X3Vgw
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
1. ISO 31000: The Benchmark for Risk Management in Uncertain Times
Presenter: Jacob A. McLean, MS, CSP, QEP, MBA, B.Sc.
PECB ISO 31000 Lead Risk Manager
2. Webinar Objectives
• Participants will:
Understand the concept of risk as the effect of uncertainty on objectives
Understand risk management principles, framework and process in the context of a Risk Management System
Appreciate the value of ISO 31000 as the benchmark for best practice in managing risk
3. Introduction
• ISO 31000 defines risk as “effect of uncertainty on objectives”.
• It implies threats as well as opportunities, which is the essence of risk-based thinking.
• ISO 9001:2015, ISO 14001:2015, ISO 22301:2012 and OHSAS 18001:2007 are all risk-based Standards.
4. Introduction
• The principles, processes and framework of ISO 31000, the benchmark for managing risks related to tasks, processes, functions and enterprises, will be discussed.
• A risk management system based on this Standard reduces uncertainty and enables the organization to seize opportunities while treating risks appropriately, so as to enable continual improvement and chart the way to business success in uncertain times.
5. ISO 31000 Family of Standards
• ISO 31000:2009 Risk management -- Principles and guidelines
Risk Management Principles
Risk Management Framework
Risk Management Process
• ISO Guide 73
Global vocabulary of risk management terms
• ISO/IEC 31010:2009 - Risk Assessment Techniques
Reflects current good practices in the selection and utilization of risk assessment techniques
6. ISO 31000 Users
• Stakeholders include:
those responsible for implementing risk management;
those who need to ensure sound risk management;
those who manage risk for the organisation or a specific area or activity;
those needing to evaluate an organisation’s practices in managing risk.
7. Scope of ISO 31000
• Provides principles and generic guidelines on the implementation of risk management, focusing on managing uncertainty in the meeting of objectives, and on the importance of risk communication.
• Applicable to any kind of organization; it is not certifiable (by a third party) but outlines general principles and guidelines.
• It harmonizes risk management processes by providing a common approach in support of standards dealing with specific risks and/or sectors, but does not replace those standards.
8. Key Emphases
ISO 31000:
stresses commitment to diligent risk management
encourages priority setting
explains that risk management should itself create value
stresses the importance of context
addresses the sometimes confusing issue of risk terminology
adopts the viewpoint that risk management is integral to the organization’s structures, responsibilities, and objectives.
9. ISO 31000 Risk Management Architecture:
Principles, Framework, Process
10. Principles
Risk management:
a) creates value.
b) is an integral part of organizational processes.
c) is part of decision making.
d) explicitly addresses uncertainty.
e) is systematic, structured and timely.
f) is based on the best available information.
g) is tailored.
h) takes human and cultural factors into account.
i) is transparent and inclusive.
j) is dynamic, iterative and responsive to change.
k) facilitates continual improvement and enhancement of the organization.
11. Principles
• Principles provide the foundation for the rest of the standard.
• The organization’s approach to risk management:
Should be an integral part of its processes (especially the decision making process);
Should be tailored to its environment;
Should create and protect value;
Should support and encourage continual improvement.
12. Risk Management Process
• Includes five activities:
Establishing the Context;
Communicating and Consulting;
Risk Assessment;
Risk Treatment; and
Monitoring And Review.
13. Establishing the Context
Consider the following:
Objectives and operating environment
Relevant Legislation
Stakeholder identification & analysis
Government Policy
Corporate Policy
Management Structures
Community Expectations
General criteria
Consequence criteria
14. Communication and Consultation
• Seeks to improve performance based on informed, mutual decisions about risk
• The aim is not to avoid all conflict or to defuse all concerns
15. Risk Management Process (process diagram)
The slide is a diagram; only its labels survive. Communication and consultation, and monitor and review, run alongside every step of the process:
• Establish the context: objectives; stakeholders; criteria; define key elements
• Identify the risks: what can happen; how it can happen
• Analyze the risks: review controls; likelihoods; consequence; level of risks
• Evaluate risks: rank risks
• Treat risks: identify options; select best responses; select treatment plans; implement
17. Benefits of Risk Assessment
• Provides understanding of risks, causes, impacts and probabilities
• Provides input to decision-making regarding:
whether the activity should be undertaken;
how to maximize opportunities;
whether risks need treatment;
prioritizing risk treatment options;
risk treatment strategies that will bring adverse risks to a tolerable level;
choosing between options with different risks.
18. How the Risk Assessment Process Works
Step 1 : Establish the Context
external context
internal context
risk management context
risk criteria
define the structure
19. How the Risk Assessment Process Works
• Step 2 : Identify Risks
What can happen, when, where and how
Identify key processes, tasks, activities
Recognise risk areas
Define risks
Categorize risks
20. How the Risk Assessment Process Works
Find, recognize and describe risks that could affect the achievement of objectives
Identify sources of risk
Include identification of possible causes and potential consequences
21. How the Risk Analysis Process Works
• Step 3 : Analyse Risks
Purpose:
Separate minor from major risks
Provide data to assist risk evaluation
Identify controls
Determine likelihood
Determine consequence
Determine level of risk
Where possible, place confidence limits on estimates
Use the best available information
22. How the Risk Evaluation Process Works
• Step 4 : Evaluate Risks
Identify tolerable versus unacceptable risks (compare the risk rating against the risk criteria)
Prioritize risks for treatment
23. How the Risk Evaluation Process Works
Consider:
Objectives of projects and opportunities
Tolerability of risks
Whether risk needs treatment
Consider if activity should be undertaken
Priorities for treatment
24. Risk Treatment Options
• Reduce:
Likelihood
Consequence
• Contingency Planning
• Sharing in full or part (this creates a new risk)
• Avoid (but not because of aversion)
• Retain residual risk
28. Treatment Based on Risk Evaluation
• Low - No additional controls required unless the cost is minimal
• Medium - Give consideration to whether risks can be lowered to a tolerable level
• High - Substantial efforts should be made to reduce the risk. Consider suspending/restricting the activity, or apply interim risk control measures
• Very high - Risks are unacceptable. Effect substantial improvements to reduce them to a tolerable/acceptable level
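The following is a worked example, added here and not taken from the webinar or from ISO 31000 itself, that runs the analysis, evaluation and treatment steps of slides 21, 22, 24 and 28 over a small constructed risk register. The slides define no numeric scales, so the 1..5 ordinal ratings, the "level = likelihood x consequence" formula, the band thresholds and the sample risks and treatments are all assumptions made for the example.

```python
"""Risk register scoring: analyse, evaluate and treat risks as on slides 21-28.

Added example, not material from the webinar or from ISO 31000. The slides
define no numeric scales, so the 1..5 ordinal ratings, the level formula
(likelihood x consequence) and the band thresholds below are assumptions.
"""
from dataclasses import dataclass, field

# Assumed band thresholds: (inclusive upper bound of the level, band name).
BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Very high")]
BAND_ORDER = [name for _, name in BANDS]

# Treatment guidance per band, paraphrased from slide 28.
TREATMENT_GUIDANCE = {
    "Low": "No additional controls required unless the cost is minimal",
    "Medium": "Consider whether the risk can be lowered to a tolerable level",
    "High": "Substantial effort to reduce; consider suspending/restricting "
            "the activity or applying interim risk controls",
    "Very high": "Unacceptable; effect substantial improvements to reach a "
                 "tolerable level",
}


def rating(value):
    """Validate an ordinal rating on the assumed 1..5 scale."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"rating must be an integer in 1..5, got {value!r}")
    return value


@dataclass
class Treatment:
    """A 'reduce' option (slide 24): how many rating points it removes."""
    description: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: int      # 1 = rare .. 5 = almost certain (assumed scale)
    consequence: int     # 1 = insignificant .. 5 = catastrophic (assumed scale)
    treatments: list = field(default_factory=list)

    def __post_init__(self):
        rating(self.likelihood)
        rating(self.consequence)

    def level(self, residual=False):
        """Step 3: level of risk = likelihood x consequence (assumed formula).
        With residual=True the planned treatments are applied first; a rating
        never drops below 1, because reducing or sharing never removes a risk."""
        lik, con = self.likelihood, self.consequence
        if residual:
            for t in self.treatments:
                lik = max(1, lik - t.likelihood_reduction)
                con = max(1, con - t.consequence_reduction)
        return lik * con


def band(level):
    """Map a level onto one of the four treatment bands of slide 28."""
    for upper, name in BANDS:
        if level <= upper:
            return name
    raise ValueError(f"level {level} is outside the assumed 1..25 range")


def evaluate(register, tolerable_band="Medium"):
    """Step 4: compare each risk against the tolerability criterion, decide
    whether it needs treatment, and prioritise (highest inherent level first).
    Also reports whether the planned treatments reach a tolerable band."""
    tolerable_idx = BAND_ORDER.index(tolerable_band)
    rows = []
    for r in register:
        inherent, residual = r.level(), r.level(residual=True)
        inherent_band, residual_band = band(inherent), band(residual)
        rows.append({
            "name": r.name,
            "inherent": inherent,
            "band": inherent_band,
            "needs_treatment": BAND_ORDER.index(inherent_band) > tolerable_idx,
            "guidance": TREATMENT_GUIDANCE[inherent_band],
            "residual": residual,
            "residual_band": residual_band,
            "tolerable_after_treatment": BAND_ORDER.index(residual_band) <= tolerable_idx,
        })
    rows.sort(key=lambda row: (-row["inherent"], row["name"]))
    return rows


# Constructed sample register (not from the webinar).
SAMPLE_REGISTER = [
    Risk("Ransomware on the file server", 4, 5, treatments=[
        Treatment("Tested offline backups", consequence_reduction=2),
        Treatment("Patching cadence and endpoint monitoring", likelihood_reduction=2),
    ]),
    Risk("Key-person dependency in payroll", 3, 4, treatments=[
        Treatment("Cross-train a second operator", 1, 2),
    ]),
    Risk("Supplier delivery delay", 3, 2),
    Risk("Office printer outage", 2, 1),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(f"{row['name']}: inherent {row['inherent']} ({row['band']}), "
              f"residual {row['residual']} ({row['residual_band']}), "
              f"needs treatment: {row['needs_treatment']} -> {row['guidance']}")
```

Running the script lists the register in treatment priority order: the ransomware risk scores 20 (Very high) inherently and 6 (Medium) after its two treatments, the key-person risk drops from 12 (High) to 4 (Low), and the two Medium and Low risks need no treatment against a "Medium is tolerable" criterion. The residual calculation is the check slide 28 asks for: whether the chosen treatment actually brings the risk to a tolerable level rather than merely lowering it.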
29. Monitor and Review
• Risk management is a journey, not a destination
• What may be of minor significance today may be the disaster of tomorrow
• Review is an integral part of the risk management process
30. Attributes of Enhanced Risk Management
• Comprehensive, fully defined and fully accepted accountability for risks, controls and treatment tasks.
• Named individuals fully accept, are appropriately skilled and have adequate resources to check controls, monitor risks, improve controls and communicate effectively about risks and their management to interested parties.
31. Attributes of Enhanced Risk Management
• All decision making within the organisation, whatever the level of importance and significance, involves the explicit consideration of risks and the application of the risk management process to some appropriate degree.
• A pronounced emphasis on continuous improvement in risk management through the setting of organizational performance goals, measurement, review and the subsequent modification of processes, systems, resources and capabilities/skills.
32. Attributes of Enhanced Risk Management
• Continual communications and highly visible, comprehensive and frequent reporting of risk management performance to all “interested parties” as part of the governance process.
• Risk management is always viewed as a core organizational process where risks are considered in terms of sources of uncertainty that can be treated to maximize the chance of gain while minimizing the chance of loss.
33. Attributes of Enhanced Risk Management
• Critically, effective risk management is regarded by senior managers as essential for the achievement of the organization’s objectives.
• The organization’s governance structure and process are founded on the risk management process.