Insight to Risk

A Free Risk Management Newsletter

August 2009
Issue 15

ISO 31000 The Process

Risk management and competitive advantage
Delivering a paper on ISO 31000 at the IRMSA conference the other day, I was asked to comment on how risk management can create competitive advantage. I found a book review at http://www.husdal.com/2009/08/17/risk-management-core-competence/ that could interest those of you who are looking to promote this angle. The message is that companies should accept risk as an opportunity: it should be welcomed, not feared.

King III Report
I hear the revised risk management chapter of the King III Report has been completed. It appears to be considerably reduced in size, which must be good news. I look forward to reviewing it and will give you comment in the next issue.

ISO 31000 – the Process
Although it has been stressed that establishing a sound framework is essential for effective risk management, it is the process that usually gets more attention. It is an area where there have been a wide variety of approaches and terminology, and I think we should be grateful to the developers of this international standard for reaching agreement on both the most appropriate process and the naming of its components.
The standard states that the process, shown in the diagram below, should be an integral part of management, embedded in the organization’s culture and practices and tailored to its business processes.

ISO 31000 - The Process (Diagram)

  • Communication and consultation is important at all stages of the process but is vital as a first step. All those with a stake in the objectives and activities of the organisation, as well as anyone with useful knowledge, should be included from the outset. Without full communication and consultation the next component cannot be adequately addressed.
  • Establishing the context has only recently been recognised as an indispensable element in the process but is in fact a prerequisite. Firstly, risks have no relevance on their own: they only have meaning in relation to the objectives of the organisation and its stakeholders. Secondly, understanding the various environments in which the organisation functions is necessary in order to assess what risks there may be, as well as what effect they could have. The standard breaks context into three parts:
      • External: those features, relationships and drivers outside the organisation that can influence its success or failure;
      • Internal: the organisation’s own values, strategy and objectives; its culture, structure and processes; its capabilities and capacity;
      • Risk management: the objectives, strategies and scope of risk management within the organisation; the resources, responsibilities and relationships; the assessment methodologies to be used and the way in which performance will be evaluated.

Still under the heading of context, the standard addresses the need to define risk criteria. The third step of the risk assessment process involves evaluating each risk against the organisation’s own criteria, including regulatory requirements and stakeholder expectations, so these need to be established at an early stage, ideally when the framework is designed. They need to specify the types of consequence that are of concern and how they will be measured, the basis on which likelihood will be considered, and how risk levels will be determined and evaluated.

  • Risk Assessment is the term used in the standard for the overall process of risk identification, risk analysis and risk evaluation.
  • Risk identification is defined as the process of finding, recognising and describing risks. It is the part where the organisation’s objectives are considered in the light of any and all events or situations that could affect their achievement, whether positively or negatively. Although the exploration should be wide ranging, considering all sources of risk and types of impact, if the right people participate it is easy to screen out risks that are not significant at the particular level of enquiry.
  • Risk analysis is defined as the process to comprehend the nature of risk and to determine the level of risk. This is the part where an understanding of the risks is developed. Causes are examined, consequences defined and the likelihood of various scenarios considered, taking into account the effectiveness of any controls that are already in place. This is an important step in providing a basis for risk-informed decision making.
  • Risk evaluation. Rather a long definition, this is given as the process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude are acceptable or tolerable. The risks that have been identified and analysed can now be compared with the risk criteria developed earlier, ideally in the design of the framework. With this as the basis, the organisation can make rational decisions as to the tolerability of the risks and the need for further risk treatment.

I will leave the discussion of Risk Treatment to the next issue of Caretaker, but before we move away from assessment there are a couple of points worth noting about the process and terminology used in the Standard.

  • The standard has agreed on the term likelihood to express the chance of something happening. This was preferred over the word probability because in English usage probability is often interpreted in the narrow mathematical sense. So here likelihood is intended to have the same broad interpretation as the term “probability” has in many other languages.
  • With respect to level of risk, many people may be disappointed not to see any reference to inherent risk. The Standard defines residual risk as the risk remaining after risk treatment, but it is not very specific about the risk that exists if treatment measures fail. It acknowledges that controls are fallible and need to be rigorously monitored, but it does not suggest that this eventuality be given particular reference. There is of course no proscription on its use, and I am sure that it will still be considered a vital component of risk-based auditing.

Distance Consulting Services
This is a reminder to have a look at our offers in issues 12 and 13 for the review or development of risk management frameworks as an alternative to the more costly on-site options. In the next issue we should be showing small business owners how the same distance approach can be used for their benefit.

Best wishes

Steve Winks

Quote of the month: “We trained hard but it seemed that every time we were beginning to form up into teams we would be reorganised. I was to learn later in life that we tend to meet any new situation by reorganising, and a wonderful method it can be for creating the illusion of progress while producing confusion, inefficiency and demoralisation…”
Attributed to Petronius Arbiter (d. AD 66); the attribution is apocryphal.

Copyright 2003-2009 Caretaker - Insight to Risk. A Free Risk Management Newsletter. All Rights Reserved.