Risk Management Process PDF
University of Santo Tomas
Ms. Kathrine Camille Nagal
Summary
This document describes the Fundamentals of Risk Management, based on ISO 31000:2018 guidelines. It outlines the principles, framework, and process of risk management, covering key aspects such as communication and consultation, scope, context, and criteria, and risk treatment.
Full Transcript
Fundamentals of Risk Management
Based on ISO 31000:2018 Risk Management Guidelines
Ms. Kathrine Camille Nagal, MBA, Facilitator

Figure 1. Principles, framework and process of risk management

Process

The risk management process should be an integral part of management and decision-making and integrated into the structure, operations and processes of the organization. It can be applied at strategic, operational, program or project levels.

Process: Communication and consultation

The purpose of communication and consultation is to assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required. Communication seeks to promote awareness and understanding of risk, and consultation involves obtaining feedback and information to support decision-making.

Communication and consultation aims to:
- bring different areas of expertise together for each step of the risk management process;
- ensure that different views are appropriately considered when defining risk criteria and when evaluating risks;
- provide sufficient information to facilitate risk oversight and decision-making;
- build a sense of inclusiveness and ownership among those affected by risk.

Process: Scope, context and criteria

The purpose of establishing the scope, the context and criteria is to customize the risk management process, enabling effective risk assessment and appropriate risk treatment. Scope, context and criteria involve defining the scope of the process and understanding the external and internal context:
1. Defining the scope
2. External and internal context
3. Defining risk criteria

1. Defining the scope

The organization should define the scope of its risk management activities. When planning the approach, considerations include:
- objectives and decisions that need to be made;
- outcomes expected from the steps to be taken in the process;
- time, location, specific inclusions and exclusions;
- appropriate risk assessment tools and techniques;
- resources required, responsibilities and records to be kept;
- relationships with other projects, processes and activities.

2. External and internal context

The external and internal context is the environment in which the organization seeks to define and achieve its objectives. Understanding the context is important because:
- risk management takes place in the context of the objectives and activities of the organization;
- organizational factors can be a source of risk;
- the purpose and scope of the risk management process may be interrelated with the objectives of the organization as a whole.

3. Defining risk criteria

The organization should specify the amount and type of risk that it may or may not take, relative to objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes. To set risk criteria, the following should be considered:
- the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible);
- how consequences (both positive and negative) and likelihood will be defined and measured;
- time-related factors;
- consistency in the use of measurements;
- how the level of risk is to be determined;
- how combinations and sequences of multiple risks will be taken into account;
- the organization's capacity.

Process: Risk assessment

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders:
1. Risk identification
2. Risk analysis
3. Risk evaluation

1. Risk identification

The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization achieving its objectives. Relevant, appropriate and up-to-date information is important in identifying risks.

Factors to consider in risk identification:
- tangible and intangible sources of risk;
- causes and events;
- threats and opportunities;
- vulnerabilities and capabilities;
- changes in the external and internal context;
- indicators of emerging risks;
- the nature and value of assets and resources;
- consequences and their impact on objectives;
- limitations of knowledge and reliability of information;
- time-related factors;
- biases, assumptions and beliefs of those involved.

2. Risk analysis

The purpose of risk analysis is to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk. Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives.

Factors to consider in risk analysis:
- the likelihood of events and consequences;
- the nature and magnitude of consequences;
- complexity and connectivity;
- time-related factors and volatility;
- the effectiveness of existing controls;
- sensitivity and confidence levels.

3. Risk evaluation

The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required. This can lead to a decision to:
- do nothing further;
- consider risk treatment options;
- undertake further analysis to better understand the risk;
- maintain existing controls;
- reconsider objectives.

Process: Risk treatment

The purpose of risk treatment is to select and implement options for addressing risk. Risk treatment involves an iterative process of:
- formulating and selecting risk treatment options;
- planning and implementing risk treatment;
- assessing the effectiveness of that treatment;
- deciding whether the remaining risk is acceptable;
- if not acceptable, taking further treatment.

The two steps of risk treatment are:
1. Selection of risk treatment options
2. Preparing and implementing risk treatment plans

1. Selection of risk treatment options

Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in relation to the achievement of the objectives against costs, effort or disadvantages of implementation. Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. Options for treating risk may involve one or more of the following:
- avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- taking or increasing the risk in order to pursue an opportunity;
- removing the risk source;
- changing the likelihood;
- changing the consequences;
- sharing the risk (e.g. through contracts, buying insurance);
- retaining the risk by informed decision.

2. Preparing and implementing risk treatment plans

The purpose of risk treatment plans is to specify how the chosen treatment options will be implemented, so that arrangements are understood by those involved, and progress against the plan can be monitored. The treatment plan should clearly identify the order in which risk treatment should be implemented. The information provided in the treatment plan should include:
- the rationale for selection of the treatment options, including the expected benefits to be gained;
- those who are accountable and responsible for approving and implementing the plan;
- the proposed actions;
- the resources required, including contingencies;
- the performance measures;
- the constraints;
- the required reporting and monitoring;
- when actions are expected to be undertaken and completed.

Process: Monitoring and review

The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibilities clearly defined.

Process: Recording and reporting

The risk management process and its outcomes should be documented and reported through appropriate mechanisms. Recording and reporting aims to:
- communicate risk management activities and outcomes across the organization;
- provide information for decision-making;
- improve risk management activities;
- assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.

Factors to consider for reporting include, but are not limited to:
- differing stakeholders and their specific information needs and requirements;
- cost, frequency and timeliness of reporting;
- method of reporting;
- relevance of information to organizational objectives and decision-making.

Risk Management Process Review

The risk management process should be an integral part of management and decision-making and integrated into the structure, operations and processes of the organization, and can be applied at strategic, operational, program or project levels. There can be many applications of the risk management process within an organization, customized to achieve objectives and to suit the external and internal context in which they are applied. The dynamic and variable nature of human behavior and culture should be considered throughout the

References

ISO 31000:2018 Risk management — Guidelines. International Organization for Standardization, Switzerland. Retrieved from https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en