International Organization for Standardization. ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. Established in 1947, ISO is a network of the national standards institutes of 173 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. Nigeria is represented by the Standards Organisation of Nigeria (SON).
What is "risk"? Risk is present in everything we do. ISO 31000, the international standard on risk management, defines it this way: risk = the effect of uncertainty on your objectives. Risk can be a threat or an opportunity: anything that could harm, prevent, delay or enhance your ability to achieve your objectives is a risk.
Definition of terms. Risk: effect of uncertainty on objectives. Risk management: coordinated activities to direct and control an organization with regard to risk. Stakeholder / "interested party": person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
Risk dimensions
Risk source: element which alone or in combination has the potential to give rise to risk. Event: occurrence or change of a particular set of circumstances. Consequence: outcome of an event affecting objectives. Control: measure that maintains and/or modifies risk.
Why We Need to Manage Risk. The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise. (National Guidance on Implementing ISO 31000:2009, from NSAI in Ireland)
Establishing the context: By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process. Link between ISO 31000 and other standards: ISO 31000 can be easily linked with other risk management standards, such as ISO Guide 73:2009 – Risk management vocabulary, and ISO/IEC 31010:2009 – Risk management – Risk assessment techniques. ISO/IEC 31010 is a supporting standard for ISO 31000 and provides guidance on the selection and application of systematic techniques for risk assessment. Link with ISO 27005: Based on the ISO 31000 framework, the ISO 27005 standard explains in detail how to conduct a risk assessment and a risk treatment within the context of information security.
What is Different about ISO 31000? "Without risk there is no reward or progress. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize threats. Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. This is where ISO 31000 is clearly different from existing guidelines, in that the emphasis is shifted from something happening (the event) to the effect on objectives." Kevin W. Knight, AM, Chair of the ISO 31000 working group and Chair of the ISO 31004 project committee, ISO Focus, June 2009.
This figure shows the relationships between the risk management principles, framework and process.
What is ISO 31000? ISO 31000 is an international standard that provides principles and guidelines for risk management. It outlines a comprehensive approach to identifying, analyzing, evaluating, treating, monitoring and communicating risks across an organization.
Why is ISO 31000 important? ISO 31000 serves as a beacon: Comprehensive Understanding: It fosters a shared understanding of risks, their nature, and ways to manage them across an organization. Strategic Decision-Making: The guidelines help embed risk management into an organization's governance, strategy, planning, reporting processes, policies, values, and culture. Operational Excellence: Implementing ISO 31000 can lead to efficiency gains, as it helps organizations recognize potential threats and opportunities in time, allocate resources wisely, and enhance stakeholder confidence.
Importance of ISO 31000. Proactive Approach: Rather than being purely reactive, ISO 31000 equips organizations to anticipate and address risks head-on, turning potential challenges into strategic advantages. Stakeholder Confidence: A structured approach to risk management signals to stakeholders – from investors to customers – that the organization is robustly prepared to navigate uncertainties, reinforcing trust and credibility.
Benefits of ISO 31000: standard risk management principles, framework and process; guidance for implementing risk management practices; tools for contextualizing risk management to any organization; criteria for monitoring, reviewing and continually improving risk management; a foundation for integrating risk management throughout an organization.
Is ISO 31000 Certifiable? Does ISO 31000 lead to risk management certification? No. ISO 31000 provides good-practice guidelines but is not a certifiable risk management standard. However, it provides an excellent framework on which to build a robust risk management program.
Figure 1 illustrates the relationship between the three components of the ‘Scope and Design’ and Figure 2 illustrates the relationship between the four components of ‘Control and Develop’. Presentation of the Annex SL components in this format separates the ‘Scope and Design’ components, which represent the framework for supporting risk management from the ‘Control and Develop’ components which represent the risk management process itself.
Detailed Explanation of ISO 31000:2018 Clauses. ISO 31000:2018 provides guidelines for risk management, structured into clauses that outline principles, frameworks, and processes.
ISO 31000:2018 Clause 0: Introduction. Purpose: Introduces the standard's aim to harmonize risk management practices globally and emphasizes adaptability across organizations and contexts. Key Points: Highlights the relationship between principles, framework, and process.
Clause 1: Scope. Purpose: Defines applicability and intent. Key Points: Applies to all organizations, regardless of size, industry, or sector; provides guidelines, not requirements, for integrating risk management into activities.
Scope of ISO 31000 This international standard provides principles and generic guidelines on risk management ... it can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.
Clause 2: Normative References. Content: Lists standards referenced for application; in ISO 31000:2018 this clause states that there are no normative references. Clause 3: Terms and Definitions. Key Definitions: Risk: "effect of uncertainty on objectives" (positive or negative). Risk Management: "coordinated activities to direct and control an organization regarding risk." Stakeholder: entities affecting or affected by organizational decisions. Risk Criteria: parameters to evaluate the significance of risks.
Clause 4: Principles. Foundational guidelines for effective risk management: 1. Integrated: embedded in all organizational activities. 2. Structured and Comprehensive: consistent approach across risks. 3. Customized: tailored to organizational context and objectives. 4. Inclusive: engages stakeholders at all levels. 5. Dynamic: adapts to internal/external changes. 6. Best Available Information: uses data, expertise, and stakeholder input. 7. Human and Cultural Factors: considers biases, perceptions, and culture. 8. Continual Improvement: iteratively enhanced through experience.
PRINCIPLES OF ISO 31000. Integrated: Risk management is an integral part of all organizational activities. Structured and comprehensive: A structured and comprehensive approach to risk management contributes to consistent and comparable results. Customized: The risk management framework and process are customized and proportionate to the organization's external and internal context related to its objectives.
PRINCIPLES OF ISO 31000. Inclusive: Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management. Dynamic: Risks can emerge, change or disappear as an organization's external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner. Best available information: The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
PRINCIPLES OF ISO 31000. Human and cultural factors: Human behaviour and culture significantly influence all aspects of risk management at each level and stage. Continual improvement: Risk management is continually improved through learning and experience.
1. Integrated. Principle: Risk management must be embedded in all organizational activities, processes, and decision-making. Explanation: Risk management is not a standalone task but a core component of strategic planning, operations, governance, and culture. It requires alignment with organizational objectives, values, and stakeholder expectations. Practical Implications: Involve risk considerations in daily workflows, project planning, and resource allocation. Leadership must champion integration by linking risk management to performance metrics and accountability.
2. Structured and Comprehensive. Principle: A consistent, systematic approach ensures all risks are identified and managed holistically. Explanation: Use standardized frameworks (e.g., risk registers, assessment matrices) to evaluate risks across departments. Address interdependencies between risks (e.g., operational, financial, reputational). Practical Implications: Develop a risk management policy outlining roles, processes, and escalation protocols. Regularly map risks to ensure no critical areas are overlooked.
3. Customized. Principle: Tailor risk management to the organization's context, objectives, and risk appetite. Explanation: Adapt methodologies to industry-specific challenges (e.g., cybersecurity for tech firms, supply chain risks for manufacturers). Align with organizational maturity, size, and culture. Practical Implications: Define risk criteria (e.g., impact vs. likelihood thresholds) specific to the organization. Avoid copying generic frameworks without adjusting to unique needs.
4. Inclusive. Principle: Engage stakeholders at all levels to ensure diverse perspectives are considered. Explanation: Stakeholders (employees, customers, regulators, suppliers) provide insights into risks that may not be visible to leadership. This promotes ownership and accountability across the organization. Practical Implications: Conduct workshops, surveys, or interviews to gather stakeholder input. Establish cross-functional risk committees.
5. Dynamic. Principle: Adapt to internal and external changes (e.g., market shifts, regulatory updates, technological disruptions). Explanation: Risks evolve, so the risk management process must be agile and forward-looking. Use scenario analysis and real-time monitoring to anticipate emerging risks. Practical Implications: Implement tools like dashboards for continuous risk tracking. Review and update risk assessments regularly, not just annually.
6. Best Available Information. Principle: Base decisions on quality data, expertise, and stakeholder input. Explanation: Combine quantitative data (e.g., historical loss data) with qualitative insights (e.g., expert judgment). Acknowledge limitations (e.g., data gaps, cognitive biases) and seek diverse sources. Practical Implications: Invest in data analytics tools and training. Validate assumptions through peer reviews or external audits.
7. Human and Cultural Factors. Principle: Recognize how biases, perceptions, and culture influence risk decisions. Explanation: Cognitive biases (e.g., overconfidence, groupthink) can distort risk evaluations. Foster a culture where employees feel safe reporting risks without fear of blame. Practical Implications: Train staff on bias mitigation techniques (e.g., red teams, devil's advocacy). Align incentives with risk-aware behaviors (e.g., rewarding transparency).
8. Continual Improvement. Principle: Iteratively enhance the risk management process through learning and feedback. Explanation: Use lessons from past successes and failures to refine practices. Regularly review the effectiveness of risk controls and frameworks. Practical Implications: Conduct post-incident reviews and share findings organization-wide. Adopt the PDCA (Plan-Do-Check-Act) cycle for iterative refinement.
Interconnections: Principles like Integrated and Structured ensure consistency, while Dynamic and Continual Improvement drive adaptability. Inclusive and Human Factors emphasize the role of people in sustaining a risk-aware culture. By adhering to these principles, organizations build resilience, enhance decision-making, and achieve strategic objectives in uncertain environments.
Detailed Explanation of Clause 5 (Framework) in ISO 31000:2018. Clause 5 of ISO 31000 outlines the Framework for institutionalizing risk management within an organization. The Framework ensures risk management is embedded into all organizational activities, enabling consistent and effective risk handling. Below is a breakdown of its components. 5.1 General: The Framework provides the foundation for integrating risk management into organizational processes. It comprises interrelated components: leadership, integration, design, implementation, evaluation, and improvement. Purpose: To align risk management with the organization's objectives, governance, and culture. Key Elements: Customizability (tailored to the organization's context), scalability (adaptable to size and complexity), and dynamism (evolves with internal and external changes).
Clause 5: Framework. ISO 31000 states that the success of risk management depends on the effectiveness of the management framework that provides the foundations and arrangements that will embed it throughout the organization at all levels. The framework: assists in managing risks effectively through the application of the risk management process; ensures that information about risk derived from the risk management process is adequately reported; and ensures that this information is used as a basis for decision making and accountability at all relevant organizational levels. This clause describes the necessary components of the framework for managing risk and the way in which they interrelate in an iterative manner.
5. Framework. The organization should evaluate its existing risk management practices and processes, evaluate any gaps and address those gaps within the framework. The components of the framework and the way in which they work together should be customized to the needs of the organization.
5.2 Mandate and commitment: Management of the organization needs to demonstrate a strong and sustained commitment to risk management by: defining the risk management policy and objectives; ensuring legal and regulatory compliance; ensuring that the necessary resources are allocated to risk management; and communicating the benefits of risk management to all stakeholders.
5.2 Leadership and commitment. Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by: customizing and implementing all components of the framework; issuing a statement or policy that establishes a risk management approach, plan or course of action; ensuring that the necessary resources are allocated to managing risk; assigning authority, responsibility and accountability at appropriate levels within the organization.
This will help the organization to: align risk management with its objectives, strategy and culture; recognize and address all obligations, as well as its voluntary commitments; establish the amount and type of risk that may or may not be taken to guide the development of risk criteria, ensuring that they are communicated to the organization and its stakeholders; communicate the value of risk management to the organization and its stakeholders; promote systematic monitoring of risks; ensure that the risk management framework remains appropriate to the context of the organization.
Top management is accountable for managing risk, while oversight bodies are accountable for overseeing risk management. Oversight bodies are often expected or required to: ensure that risks are adequately considered when setting the organization's objectives; understand the risks facing the organization in pursuit of its objectives; ensure that systems to manage such risks are implemented and operating effectively; ensure that such risks are appropriate in the context of the organization's objectives; ensure that information about such risks and their management is properly communicated.
5.2 Leadership and Commitment. Top management must actively champion risk management to ensure its success: Resource Allocation: Provide financial, human, and technological resources. Accountability: Assign roles (e.g., Chief Risk Officer) and integrate risk responsibilities into job descriptions. Strategic Alignment: Ensure risk management supports strategic goals and decision-making. Example: A CEO prioritizing risk discussions in board meetings signals commitment, fostering a risk-aware culture.
5.3 Integration. Integrating risk management relies on an understanding of organizational structures and context. Governance guides the course of the organization, its external and internal relationships, and the rules, processes and practices needed to achieve its purpose. Determining risk management accountability and oversight roles within an organization is an integral part of the organization's governance. Integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization's needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.
5.3 Integration. Risk management must permeate the organization's: Governance: Embedded in policies, oversight, and reporting structures. Processes: Integrated into operations (e.g., project planning, procurement). Culture: Encouraged through awareness, incentives, and communication. Outcome: Risks are considered in daily decisions, not treated as an afterthought.
5.4 Design. The Framework must be tailored to the organization's unique context: Context Analysis: Internal (e.g., culture, resources) and external (e.g., regulations, market) factors. Risk Appetite: Define the level of risk acceptable to achieve objectives (e.g., a bank may tolerate financial risk but avoid reputational harm). Policies/Procedures: Document risk criteria, roles, and escalation pathways.
5.4 Design. When designing the framework for managing risk: 5.4.1 Understanding the organization and its context. The organization should understand its external and internal context. Examining the organization's external context may include, but is not limited to: PESTEL factors (political, economic, social, technological, environmental and legal); key drivers and trends affecting the objectives of the organization; external stakeholders' relationships, perceptions, values, needs and expectations; contractual relationships and commitments; the complexity of networks and dependencies.
5.4.1 Examining the organization’s internal context may include, but is not limited to: vision, mission and values; governance, organizational structure, roles and accountabilities; strategy, objectives and policies; the organization’s culture; standards, guidelines and models adopted by the organization; capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies); data, information systems and information flows; relationships with internal stakeholders, taking into account their perceptions and values; contractual relationships and commitments; interdependencies and interconnections.
5.4.2 Articulating risk management commitment through a risk management policy or other means, which should convey: the organization's purpose for managing risk and links to its objectives and other policies; reinforcing the need to integrate risk management into the overall culture of the organization; leading the integration of risk management into core business activities and decision-making; authorities, responsibilities and accountabilities; making the necessary resources available; the way in which conflicting objectives are dealt with; measurement and reporting within the organization's performance indicators; review and improvement. The risk management commitment should be communicated within an organization and to stakeholders, as appropriate.
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities. Top management and oversight bodies, where applicable, should ensure that the authorities, responsibilities and accountabilities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization, and should: emphasize that risk management is a core responsibility; identify individuals who have the accountability and authority to manage risk (risk owners).
5.4.4 Allocating resources. Top management and oversight bodies, where applicable, should ensure allocation of appropriate resources for risk management, which can include, but are not limited to: people, skills, experience and competence; the organization's processes, methods and tools to be used for managing risk; documented processes and procedures; information and knowledge management systems; professional development and training needs. The organization should consider the capabilities of, and constraints on, existing resources.
5.4.5 Establishing communication and consultation. The organization should establish an approved approach to communication and consultation in order to support the framework and facilitate the effective application of risk management. Communication involves sharing information with targeted audiences. Consultation also involves participants providing feedback with the expectation that it will contribute to and shape decisions or other activities. Communication and consultation methods and content should reflect the expectations of stakeholders, where relevant. Communication and consultation should be timely and ensure that relevant information is collected, collated, synthesised and shared, as appropriate, and that feedback is provided and improvements are made.
5.5 Implementation. Operationalize the Framework through: Action Plans: Clear steps, timelines, and responsibilities. Communication: Ensure stakeholders understand risks and processes (e.g., training sessions, dashboards). Tools/Techniques: Deploy risk assessment software, incident reporting systems, etc. Example: Rolling out a risk-aware project management tool to identify threats early in workflows.
5.5 Implementation. The organization should implement the risk management framework by: developing an appropriate plan including time and resources; identifying where, when and how different types of decisions are made across the organization, and by whom; modifying the applicable decision-making processes where necessary; ensuring that the organization's arrangements for managing risk are clearly understood and practised.
5.6 Evaluation. Assess effectiveness using: Performance Indicators: Metrics like risk mitigation success rates or audit findings. Audits/Reviews: Independent assessments of compliance and gaps. Feedback Loops: Stakeholder input to refine processes. Outcome: Data-driven insights to validate or adjust the Framework.
5.6 Evaluation. In order to evaluate the effectiveness of the risk management framework, the organization should: periodically measure risk management framework performance against its purpose, implementation plans, indicators and expected behaviour; determine whether it remains suitable to support achieving the objectives of the organization.
5.7 Improvement. Continuously enhance the Framework by: Learning from Experience: Incorporate lessons from incidents, near-misses, or external benchmarks. Adapting to Change: Respond to new risks (e.g., cybersecurity threats) or organizational shifts (e.g., mergers). PDCA Cycle: Apply Plan-Do-Check-Act principles for iterative refinement.
5.7 Improvement. 5.7.1 Adapting: The organization should continually monitor and adapt the risk management framework to address external and internal changes. In doing so, the organization can improve its value. 5.7.2 Continually improving: The organization should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated. As relevant gaps or improvement opportunities are identified, the organization should develop plans and tasks and assign them to those accountable for implementation. Once implemented, these improvements should contribute to the enhancement of risk management.
Interconnection of Components: The Framework operates cyclically: Leadership initiates the process, Integration embeds it into the organization, Design ensures relevance, Implementation executes it, Evaluation monitors outcomes, and Improvement drives evolution. This creates a proactive, adaptive risk culture that aligns with ISO 31000's overarching goal: turning uncertainty into strategic advantage. Key Takeaway: The Framework is not static; it evolves with the organization, ensuring risk management remains effective in a dynamic environment.
Detailed Explanation of Clause 6 of ISO 31000: Risk Management Process. ISO 31000 outlines a flexible, iterative framework for managing risk. Clause 6 describes the process as cyclical and adaptive, emphasizing continuous improvement. Below is a structured breakdown. 1. 6.1 General: Iterative Nature. The process is not linear but iterative, meaning steps are repeated and refined as new risks emerge, contexts change, or lessons are learned. This allows organizations to adapt dynamically, ensuring risk management remains relevant. Example: After treating a risk (e.g., cybersecurity threats), monitoring might reveal new vulnerabilities, restarting the cycle.
6 Process. 6.1 The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk. This process is illustrated in the figure shown.
Components of the Framework: understanding the organization and its context; establishing RM policy; accountability and authority; integration into organizational processes; determining appropriate resources; establishing internal communication and reporting mechanisms; establishing external communication and reporting mechanisms.
Framework Example: Context. External Context: social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment; key drivers and trends that will have an impact on your organization; relationships with, and perceptions and values of, external stakeholders. Internal Context: governance, organizational structure, roles and accountabilities; policies, objectives and strategy; capabilities and resources; information systems; organizational culture; contractual relationships; relationships with, and perceptions and values of, internal stakeholders.
Risk management framework. Risk management architecture: committee structure and terms of reference; roles and responsibilities; internal reporting requirements; external reporting controls; risk management assurance arrangements.
Risk management protocols: tools and techniques; risk classification system; risk assessment procedures; risk control rules and procedures; responding to incidents, issues and events; documentation and record keeping; training and communications; audit procedures and protocols; reporting/disclosures/certification.
Risk management strategy: risk management philosophy; arrangements for embedding risk management; risk appetite and attitude to risk; benchmark tests for significance; specific risk statements/policies; risk assessment techniques; risk priorities for the present year.
Framework Example: Benefits: increase the likelihood of achieving objectives; encourage proactive management; be aware of the need to identify and treat risk throughout the organization; improve the identification of opportunities and threats; effectively allocate and use resources; comply with relevant legal and regulatory requirements and international norms; improve mandatory and voluntary reporting; improve operational effectiveness and efficiency; improve stakeholder confidence and trust; establish a reliable basis for decision making and planning; improve controls; improve governance.
2. 6.2 Communication and Consultation. Purpose: Engage stakeholders (e.g., employees, regulators, customers) to align on risk criteria, share insights, and ensure transparency. Key Activities: Collaborative workshops to define risk appetite. Regular updates to stakeholders on risk status. Why It Matters: Prevents blind spots and builds trust by integrating diverse perspectives.
6.2 Communication and consultation. Communication and consultation with appropriate external and internal stakeholders should take place within and throughout all steps of the risk management process. Communication and consultation aims to: bring different areas of expertise together for each step of the risk management process; ensure that different views are appropriately considered when defining risk criteria and when evaluating risks; provide sufficient information to facilitate risk oversight and decision-making; build a sense of inclusiveness and ownership among those affected by risk.
6.3 Scope, context and criteria. 6.3.1 General. The purpose of establishing the scope, the context and criteria is to customize the risk management process, enabling effective risk assessment and appropriate risk treatment. Scope, context and criteria involve defining the scope of the process, and understanding the external and internal context. 6.3.2 Defining the scope. The organization should define the scope of its risk management activities. When planning the approach, considerations include: objectives and decisions that need to be made; outcomes expected from the steps to be taken in the process; time, location, specific inclusions and exclusions; appropriate risk assessment tools and techniques; resources required, responsibilities and records to be kept; relationships with other projects, processes and activities.
3. 6.3 Establishing the Context. Defines the environment and criteria for risk decisions: Internal Context: Organizational culture, resources, governance. External Context: Regulations, market trends, geopolitical factors. Risk Criteria: Thresholds for impact (e.g., financial loss > $1M) and likelihood (e.g., "probable" vs. "rare"). Example: A multinational company considers local labor laws (external) and internal compliance policies when assessing operational risks.
6.3.3 External and internal context The external and internal context is the environment in which the organization seeks to define and achieve its objectives. The context of the risk management process should be established from an understanding of the external and internal environment in which the organization operates, and should reflect the specific environment of the activity to which the risk management process is to be applied. Understanding the context is important because: risk management takes place in the context of the objectives and activities of the organization; organizational factors can be a source of risk; the purpose and scope of the risk management process may be interrelated with the objectives of the organization as a whole. The organization should establish the external and internal context of the risk management process by considering the factors mentioned in 5.4.1.
6.3.4 Defining risk criteria The organization should specify the amount and type of risk that it may or may not take, relative to objectives. While risk criteria should be established at the beginning of the risk assessment process, they are dynamic and should be continually reviewed and amended, if necessary. To set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); how consequences (both positive and negative) and likelihood will be defined and measured; time-related factors; consistency in the use of measurements; how the level of risk is to be determined; how combinations and sequences of multiple risks will be taken into account; the organization’s capacity.
4. 6.4 Risk Assessment A three-phase analysis: 6.4.1 Identification Goal: Recognize risks, opportunities, and triggers (e.g., supply chain delays, new market entry). Tools: SWOT analysis, brainstorming, checklists.
6.4 Risk assessment: Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. 6.4.1 General Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by further enquiry as necessary. 6.4.2 Risk identification The following factors, and the relationship between these factors, should be considered: tangible and intangible sources of risk; causes and events; threats and opportunities; vulnerabilities and capabilities;
changes in the external and internal context; indicators of emerging risks; the nature and value of assets and resources; consequences and their impact on objectives; limitations of knowledge and reliability of information; time-related factors; biases, assumptions and beliefs of those involved. The organization should identify risks, whether or not their sources are under its control. Consideration should be given that there may be more than one type of outcome, which may result in a variety of tangible or intangible consequences.
6.4.2 Analysis Evaluates: Consequences (e.g., revenue loss) and likelihood (e.g., 30% chance), considering existing controls (e.g., firewalls for IT risks). Methods: Qualitative (risk matrices) or quantitative (Monte Carlo simulations).
6.4.3 Risk analysis Risk analysis should consider factors such as: the likelihood of events and consequences; the nature and magnitude of consequences; complexity and connectivity; time-related factors and volatility; the effectiveness of existing controls; sensitivity and confidence levels. The risk analysis may be influenced by any divergence of opinions, biases, perceptions of risk and judgements. These influences should be considered, documented and communicated to decision makers.
6.4.4 Risk evaluation Risk evaluation involves comparing results of the risk analysis with established risk criteria to determine where additional action is required. This can lead to a decision to: do nothing further; consider risk treatment options; undertake further analysis to better understand the risk; maintain existing controls; reconsider objectives. Decisions should take account of the wider context and the actual and perceived consequences to external and internal stakeholders. The outcome of risk evaluation should be recorded, communicated and then validated at appropriate levels of the organization.
6.4.3 Evaluation Prioritization: Compare risks against criteria (e.g., high-impact/low-probability risks may require immediate action). Example: A hospital identifies equipment failure risks (identification), calculates downtime costs (analysis), and prioritizes upgrading ICU machines (evaluation).
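As an added worked example (not part of the ISO text or of these slides), the following Python ties the three assessment phases together for a small constructed risk register. The qualitative path scores each entry on a 1..5 likelihood by 1..5 consequence matrix, lowers the likelihood for the effectiveness of existing controls (6.4.3), and maps the level of risk onto the 6.4.4 decisions using constructed criteria thresholds; the quantitative path runs a Monte Carlo estimate of annual financial loss and compares it with the $1M figure the slide above uses. The scales, the thresholds (15 and 8), the loss distribution and every register entry are assumptions chosen for illustration.

```python
"""Risk matrix scoring and Monte Carlo loss estimate (added illustration)."""
import math
import random
from dataclasses import dataclass

# --- Risk criteria (constructed values, assumed for this example) ----------
TREAT_NOW = 15          # level >= 15: outside appetite, treatment options needed
CONSIDER = 8            # 8 <= level < 15: analyse further before deciding
LOSS_TOLERANCE = 1_000_000   # annual loss threshold quoted on the slides ($1M)


@dataclass
class Risk:
    """One register entry. Scales 1 (rare/negligible) .. 5 (almost certain/severe)."""
    name: str
    likelihood: int
    consequence: int
    control_effectiveness: float = 0.0   # share of likelihood removed by controls

    def residual_likelihood(self) -> int:
        """Existing controls lower the likelihood; it never drops below 1."""
        reduced = self.likelihood * (1.0 - self.control_effectiveness)
        return max(1, math.ceil(reduced))

    def level(self) -> int:
        """Level of risk as the matrix product likelihood x consequence."""
        return self.residual_likelihood() * self.consequence


def evaluate(risk: Risk) -> str:
    """6.4.4: compare the analysed level with the criteria and pick a decision."""
    lvl = risk.level()
    if lvl >= TREAT_NOW:
        return "consider risk treatment options"
    if lvl >= CONSIDER:
        return "undertake further analysis"
    return "maintain existing controls"


def prioritised_register(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Register sorted highest level first, with the evaluation decision."""
    rows = [(r.name, r.level(), evaluate(r)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(events_per_year: float, median_loss: float,
                         sigma: float, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo: Poisson event count, lognormal loss per event (assumed model)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    yearly = []
    for _ in range(trials):
        n = poisson(rng, events_per_year)
        yearly.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    yearly.sort()
    expected = sum(yearly) / trials
    p95 = yearly[int(0.95 * trials) - 1]
    return {"expected": expected, "p95": p95,
            "exceeds_tolerance": p95 > LOSS_TOLERANCE}


# Constructed sample register (hypothetical entries, not from the standard)
SAMPLE_RISKS = [
    Risk("ransomware on file server", likelihood=4, consequence=5,
         control_effectiveness=0.5),           # residual 2 x 5 = 10
    Risk("data centre flood", likelihood=1, consequence=5),   # 1 x 5 = 5
    Risk("untested backups", likelihood=5, consequence=4),    # 5 x 4 = 20
]

if __name__ == "__main__":
    for name, lvl, decision in prioritised_register(SAMPLE_RISKS):
        print(f"{lvl:>3}  {name:<28} -> {decision}")
    result = simulate_annual_loss(events_per_year=2.0, median_loss=100_000, sigma=0.5)
    print(f"expected annual loss ${result['expected']:,.0f}, "
          f"p95 ${result['p95']:,.0f}, exceeds $1M tolerance: {result['exceeds_tolerance']}")
```

The two paths answer different questions: the matrix gives a rank order for the register, while the simulation tells you whether the tail of the loss distribution, not just its average, stays inside the stated tolerance. Running the register with the constructed entries puts the untested backups first (level 20, treatment options), the partly controlled ransomware scenario second (level 10, further analysis) and the flood last (level 5, maintain controls).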
5. 6.5 Risk Treatment Selects actions to address risks: Options: Avoid: Exit a risky market. Mitigate: Implement safety protocols. Transfer: Purchase insurance. Accept: Tolerate low-impact risks. Implementation: Develop action plans with timelines, budgets, and accountable parties. Example: A construction firm transfers liability risks via insurance and mitigates safety risks through training.
6.5 Risk treatment 6.5.1 General The purpose of risk treatment is to select and implement options for addressing risk. Risk treatment involves an iterative process of: formulating and selecting risk treatment options; planning and implementing risk treatment; assessing the effectiveness of that treatment; deciding whether the remaining risk is acceptable; if not acceptable, taking further treatment.
6.5.2 Selection of risk treatment options Options for treating risk may involve one or more of the following: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing the risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing the risk (e.g. through contracts, buying insurance); retaining the risk by informed decision.
6.5.3 Preparing and implementing risk treatment plans The information provided in the treatment plan should include: the rationale for selection of the treatment options, including the expected benefits to be gained; those who are accountable and responsible for approving and implementing the plan; the proposed actions; the resources required, including contingencies; the performance measures; the constraints; the required reporting and monitoring; when actions are expected to be undertaken and completed.
6. 6.6 Monitoring and Review Ensures the framework stays effective: Activities: Track key risk indicators (KRIs), audit controls, update assessments. Triggers for Iteration: New regulations, incident reports, or performance gaps. Example: Quarterly reviews reveal emerging ESG risks, prompting re-assessment.
6.6 Monitoring and review The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibilities clearly defined. Monitoring and review should take place in all stages of the process. Monitoring and review includes planning, gathering and analysing information, recording results and providing feedback. The results of monitoring and review should be incorporated throughout the organization’s performance management, measurement and reporting activities.
6.7 Recording and reporting The risk management process and its outcomes should be documented and reported through appropriate mechanisms. Recording and reporting aims to: communicate risk management activities and outcomes across the organization; provide information for decision-making; improve risk management activities; assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.
7. 6.7 Recording and Reporting Documentation: Records: Risk registers, treatment plans, incident logs. Reporting: Tailored updates to executives, boards, or regulators. Why It Matters: Supports accountability, compliance, and organizational learning. Example: A bank documents fraud incidents to refine future risk models.
Reporting Factors Factors to consider for reporting include, but are not limited to: differing stakeholders and their specific information needs and requirements; cost, frequency and timeliness of reporting; method of reporting; relevance of information to organizational objectives and decision-making.
Integration and Iteration Feedback Loops: Findings from monitoring (6.6) may trigger redefining the context (6.3) or re-assessing risks (6.4). Continuous Improvement: Reporting (6.7) informs strategy, embedding risk awareness into culture. By design, ISO 31000’s process is adaptable, enabling organizations to navigate uncertainty proactively.