A second guest post on this topic by Karel Simpson, Corporate Risk Manager, GardaWorld. You can find part 1 here
Hopefully part 1 of my view on ISO 31000 has brought you back for part 2, albeit a little late in coming. In this part we continue with the standard itself; a third part, a little further down the line, will look at what it all really means in practice rather than just at the standard. That way these posts are kept, hopefully, short and sweet.
If we take the term risk, most people understand it by the common definition of the likelihood of harm being realised, usually expressed as risk = likelihood x severity.
ISO 31000 defines risk as the 'effect of uncertainty on objectives', where an effect is a deviation from the expected (positive and/or negative, not only harm) and objectives can have different aspects, the examples given being financial, health and safety, and environmental goals. The definition can be applied at different levels, for example strategic, project, product, process or organisation wide. Although this definition looks different at first, the notes to it go on to say that risk is often characterised by reference to potential events and consequences, or a combination of these, together with the associated likelihood, which brings us back to something close to the common definition.
I could try to list the terms used in ISO 31000 in this post, but it would become long and boring and miss the point, so instead I will refer readers to the following website, http://www.praxiom.com/iso-31000-terms.htm, which covers the key terms of ISO 31000 in plain English.
The standard is focused on creating a framework for use; remember that risk management is different to managing risks (see the first part on ISO 31000). A framework is the set of components that provide the foundations and organisational arrangements for risk management. It supports the management of risks and ensures that information about risk coming out of the risk management process is adequately reported and used as a basis for decision making and accountability.
Ensuring that a strong risk management approach exists, and that it remains effective, requires a strong and sustained commitment from management, combined with strategic and rigorous planning. As part of this, management should (4.2 Mandate and Commitment):
- Define and endorse the risk management policy.
- Ensure that the organisation's culture and risk management policy are aligned.
- Determine risk management performance indicators that align with the performance indicators of the organisation.
- Align risk management objectives with the objectives and strategies of the organisation.
- Ensure legal and regulatory compliance.
- Assign accountabilities and responsibilities at appropriate levels within the organisation.
- Ensure that the necessary resources are allocated to risk management.
- Communicate the benefits of risk management to all stakeholders.
- Ensure that the risk management framework continues to remain appropriate.
In establishing this framework it is vital to evaluate the organisation and its context, so as to understand the internal and external environments within which you are trying to achieve your objectives. Only once the context is established can the risk management framework be properly designed.
Within the risk management process itself we come to risk assessment, a term used widely across industry, and one where the results, formats and information produced can sometimes be a matter of quantity rather than quality. The risk assessment is the process by which you identify and understand your risks, and its output will drive decision making, so it is important to get it right.
In ISO 31000 the risk assessment is a simple three-stage approach, followed by a decision on treatment:
- Risk Identification – finding and describing the risks in the first place.
- Risk Analysis – analysing each specific risk: how it presents itself, the factors that influence it, its likelihood and consequences.
- Risk Evaluation – comparing the results of the analysis against your criteria and deciding whether the risk is acceptable or needs treatment.
- Risk Treatment – decision time. Are you going to tolerate the risk and accept it, reduce it by applying further controls, avoid the activity altogether, or share part of the risk with a third party, for example by outsourcing or by insuring against potential losses?
Note that when it comes to making a decision on risk we talk about risk appetite. I could of course ramble on this point too, but will once again point you in the direction of a website that I think sums it up quite well. Although I have never used this product and do not know the company, they summarise risk appetite very well in my view and, in trying to sell their product, provide some useful pointers along the way: http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/.
The above is a summary of the stages of the assessment and the risk treatment options without going into too much depth or detail. The risk assessment and the resulting decisions of course need to be recorded, so that there is a record of what was decided and why. As with all risk based decisions, risk very rarely remains static, so reviews need to take place; a risk may increase to the point where a business decides to stop a specific activity until it reduces again. A perfect example of this is airline flights into certain countries being suspended because of the perceived risk to passengers, aircraft, crew, reputation and so on.
One point I will make, and one that is often overlooked in the management of risk, is the importance of consulting the workforce on risk decisions and information feeds, and of having them participate in the risk assessment process. This tends to produce a better quality assessment.