1.3 Risk Management Process.pptx

Full Transcript

Fundamentals of
Risk Management
Based on ISO 31000:2018 Risk Management
Guidelines

Ms. Kathrine Camille Nagal,
MBA
Facilitator
Figure 1.
Principles,
framework and
Process of Risk
Management
 Process
The risk management
process should be an
integral part of
management and
decision-making and
integrated into the
structure, operations and
processes of the
organization. It can be
applied at strategic,
operational, program or
 Process
Communication Communication and consultation aims to:
and consultationseeksbring
to different areas ensure that
promote of expertise different views are
involves appropriately
The purpose of awarenesstogether
and for each
obtaining step of the risk
considered when
understanding
communication andfeedback defining risk criteria
and management
consultation is to assist of risk and when
information to process;
relevant stakeholders in evaluating risks;
support
understanding risk, the
decision-making provide sufficient build a sense of
basis on which decisions information to inclusiveness and
are made and the reasons facilitate risk ownership among
why particular actions are oversight and those affected by
decision-making; risk.
required.
 Process
Scope, context and
criteria
The purpose of establishing the
scope, the context and criteria is to
customize the risk
management process, enabling
effective risk assessment and
appropriate risk treatment. 1. Defining the scope
Scope, context and criteria involve 2. External and internal
defining the scope of the context
process, and understanding
the external and internal 3. Defining risk criteria
context.
 Process The organization should define the
scope of its risk management
Scope, activities.
context and
When planning the approach,
criteria considerations include:
1. Defining the outcomes
objectives and time, location,
expected from
scope decisions that
the steps to be
specific
need to be inclusions and
taken in the
2. External and made;
process;
exclusions;
internal context
resources relationships
appropriate risk
3. Defining risk assessment
required, with other
responsibilities projects,
criteria tools and
and records to processes and
techniques;
be kept; activities.
 Process The external and internal context is the
environment in which the organization
seeks to define and achieve its objectives.
Scope,
context and Understanding the context is important
because:
criteria risk management takes place in the context of
the objectives and activities of the organization;
1. Defining the
scope
2. External and organizational factors can be a source of risk;
internal context
3. Defining risk the purpose and scope of the risk management
criteria process may be interrelated with the objectives
of the organization as a whole.
 Process The organization should specify the
amount and type of risk that it may or
may not take, relative to objectives.
Scope,
context and It should also define criteria to evaluate
the significance of risk and to support
criteria decision
To set risk criteria, making
the following processes.
should be considered:
the nature and
1. Defining the type of
uncertainties that
how
consequences
scope can affect
outcomes and
(both positive
and negative)
time-related
factors;
consistency in
the use of
and likelihood measurements;
objectives (both
2. External and tangible and
will be defined
and measured;
intangible);
internal context how
combinations and
3. Defining risk how the level of
risk is to be
sequences of
the
organization’s
multiple risks will
criteria determined;
be taken into
capacity.
account;
 Process
Risk assessment
Risk assessment is the
overall process of risk
identification, risk
analysis and risk
evaluation.
1. Risk identification
Risk assessment should be
conducted systematically, 2. Risk analysis
iteratively and 3. Risk evaluation
collaboratively, drawing on
the knowledge and views of
stakeholders.
 The purpose of risk identification is to find,
Process recognize and describe risks that might help
or prevent an organization achieving its
objectives.
Risk assessment
Relevant, appropriate and up-to-date information
is important in identifying risks.

1. Risk identification Factors to Consider in Risk
2. Risk analysis Identification
tangible and vulnerabilities
causes and threats and
intangible and
events; opportunities;
3. Risk evaluation sources of risk; capabilities;

changes in the consequences
the nature and
external and indicators of and their
value of assets
internal emerging risks; impact on
and resources;
context; objectives;

limitations of biases,
knowledge and time-related assumptions
reliability of factors; and beliefs of
information; those involved.
 The purpose of risk analysis is to comprehend the
Process nature of risk and its characteristics including,
where appropriate, the level of risk.

Risk assessment
Risk analysis involves a detailed consideration of
uncertainties, risk sources, consequences,
likelihood, events, scenarios, controls and their
1. Risk identification effectiveness.

2. Risk analysis An event can have multiple causes and
consequences and can affect multiple objectives.
3. Risk evaluation Factors to Consider in Risk Analysis
the likelihood the nature and
complexity
of events and magnitude of
and
consequences consequences
connectivity;
; ;

the
time-related sensitivity and
effectiveness
factors and confidence
of existing
volatility; levels.
controls;
 The purpose of risk evaluation is to
Process support decisions.
Risk evaluation involves comparing the
Risk assessment results of the risk analysis with the
established risk criteria to determine
1. Risk identification where additional action is required.

2. Risk analysis This can lead to a decision to:

3. Risk evaluation do nothing further;

consider risk treatment options;
undertake further analysis to better
understand the risk;
maintain existing controls;

reconsider objectives.
 Process
Risk Risk treatment involves an iterative
process of:
treatment formulating and selecting risk treatment
options;
planning and implementing risk
The purpose of risk treatment;
treatment is to assessing the effectiveness of that
treatment;
select and deciding whether the remaining risk is
implement options acceptable;
for addressing risk. if not acceptable, taking further
treatment.
 Selecting the most appropriate risk
Process treatment option(s) involves balancing the
potential benefits derived in relation to the
Risk achievement of the objectives against costs,
effort or disadvantages of implementation.
treatment Risk treatment options are not necessarily mutually
exclusive or appropriate in all circumstances. Options
1. Selection of risk for treating risk may involve one or more of the
treatment options following:
avoiding the risk
2. Preparing and by deciding not to
taking or
implementing risk increasing the
start or continue removing the risk changing the
risk in order to
treatment plans with the activity source; likelihood;
pursue an
that gives rise to
opportunity;
the risk;

sharing the risk
retaining the risk
changing the (e.g. through
by informed
consequences; contracts, buying
decision.
insurance);
 The purpose of risk treatment plans is to specify how
Process the chosen treatment options will be implemented,
so that arrangements are understood by those
Risk involved, and progress against the plan can be
treatment monitored.
The treatment plan should clearly identify the order
1. Selection of risk in which risk treatment should be implemented.
treatment options The information provided in the treatment plan
2. Preparing and the rationale for those who are should include:
selection of the accountable and
implementing risk treatment options, responsible for the proposed
the resources
required, including
treatment plans including the approving and actions;
contingencies;
expected benefits implementing the
to be gained; plan;

when actions are
the required
the performance expected to be
the constraints; reporting and
measures; undertaken and
monitoring;
completed.
 Process

Monitoring and Review

The purpose of monitoring and review is to
assure and improve the quality and
effectiveness of process design,
implementation and outcomes.
Ongoing monitoring and periodic review of the
risk management process and its outcomes
should be a planned part of the risk
management process, with responsibilities
clearly defined.
 Process
Recording and
Recording and reporting aims to:
Reporting
communicate risk
The risk management process management
activities and
provide information
for decision-making;
and its outcomes should be outcomes across the
organization;
documented and reported
through appropriate assist interaction
with stakeholders,
mechanisms. improve risk including those with
management responsibility and
activities; accountability for
risk management
activities.
 Process
Factors to consider for reporting include, but
are not limited to:
differing
stakeholders and cost, frequency
their specific and timeliness of
information needs reporting;
and requirements;

relevance of
information to
method of
organizational
reporting;
objectives and
decision-making.
 Risk Management
Process
Review
The risk management process should be an
integral part of management and decision-
making and integrated into the structure,
operations and processes of the organization and
can be applied at strategic, operational, program or
project levels.

There can be many applications of the risk
management process within an organization,
customized to achieve objectives and to suit the
external and internal context in which they are
applied.

The dynamic and variable nature of human behavior
and culture should be considered throughout the
References
ISO 31000:2018 Risk management — Guidelines. International
Organization for Standardization, Switzerland. Retrieved from
https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en
www.youtube.com