ISO 31000 - Coggle Diagram
ISO 31000
Part 1: Risk, risk management and ISO 31000
1 Nature and impact of risk
Risk impact:
Short term: operations
Medium term: tactics
Long term: strategy
Recording risk assessments
Involves the identification of risks and their evaluation or ranking
Consequences of risk materializing
1. negative: hazard risks
2. positive: opportunity risks
3. greater uncertainty
Template: enables the information to be recorded in a table, risk register, spreadsheet or computer-based system
Risk classification systems
Based on the division of risks into those related to:
financial control
reputational exposure
commercial activities
operational efficiency
Depend on the size, nature and complexity of the organisation
ISO 31000
does not recommend a specific risk classification system
Enable an organisation to:
1. identify accumulations of similar risks
2. identify which strategies, tactics or operations are most vulnerable
There is no risk classification system that is universally applicable to all types of organisations
Risk Definition
Risk is the effect of uncertainty on objectives
2 Principles of risk management
Definition
RISK MANAGEMENT
It is the process whereby organisations methodically address the risks attached to their activities
Context for risk management
Should be a continuous process that supports the development and implementation of the strategy of an organisation
Risk aware culture
Risk management must be integrated into the culture of the organisation, which includes a mandate, leadership and commitment from the board
Achieving a good risk aware culture is ensured by establishing an appropriate risk architecture, strategy and protocols
Risk management context structure
Risk architecture
roles
responsibilities
communication
risk reporting structure
Risk strategy
Risk strategy, appetite, attitudes and philosophy are defined in the risk management policy
Risk Protocols
Are presented in the form of the risk guidelines for the organisation and include the rules and procedures, as well as specifying the risk management methodologies, tools and techniques that should be used
Risk management process
ISO 31000
7 Rs
recognition or identification of risk
ranking or evaluation of risks
responding to significant risks
resourcing controls
reaction planning
reporting and monitoring risk performance
reviewing the risk management framework
4 Ts: risk treatment
tolerate
treat
transfer
terminate
Objective: to achieve maximum sustainable value from all the activities of the organisation
Successful risk management initiative should be:
1. proportionate to the level of risk in the organisation
2. aligned with other corporate activities
3. comprehensive in its scope
4. embedded into routine activities
5. dynamic by being responsive to changing circumstances
3 Review of ISO 31000
Framework for managing risk
ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process
Mandate and commitment
Design of framework
Implement risk management
Monitor and review framework
Improve framework
4 Achieving the benefits of ERM
Risk assessment
Risk identification establishes the exposure of the organisation to risk and uncertainty
Use of risk analysis results: to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritising risk treatment efforts
This ranks the relative importance of each identified risk and shows where there is a need to improve the control environment
Feedback mechanisms
ISO 31000 stresses the importance of feedback through two mechanisms:
monitoring and review of performance
communication and consultation
Risk Treatment
Presented as: activity of selecting and implementing appropriate control measures to modify the risk
Any system of risk treatment should provide efficient and effective internal controls
Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures
An organisation must understand the applicable laws and must implement a system of controls that achieves compliance
Part 2: Enterprise risk management
1 Planning and designing
Board mandate and commitment
Organisations issue an updated version of their risk management policy each year
It ensures that the overall risk management approach is in line with current best practice
It gives the organisation the opportunity to focus on the intended benefits for the coming year
It identifies the risk priorities
It ensures that appropriate attention is paid to emerging risks
Board mandate and commitment need to be continuous and high-profile
Scope of the initiative
In order to be successful, it is necessary for an organisation to decide the scope of the ERM initiative as it develops
The scope of the initiative is defined by the range of benefits the organisation is seeking to achieve
It will be influenced by the expectations of the various stakeholders in the organisation.
Risk management framework
The risk management function may range from a part-time risk manager, to a single risk champion, to a full-scale risk management department
The role of the internal audit function will differ among organisations
It is the responsibility of the board to determine the strategic direction of the organisation and to create the context for risk management
2 Implementing and benchmarking
Establish risk assessment procedures
Risk assessment is required as part of the decision-making processes intended to exploit business opportunities
Ensure that a risk assessment is attached to all strategy papers presented to the Board
It should be undertaken, and repeated, throughout the project
Risk assessment is also required in relation to routine operations
Identify the risk classification system to be used by the organisation
Undertake risk assessment
To determine the significance (or materiality) of the identified risks, an organisation should develop benchmarks.
The nature of these benchmark tests will depend on the type of risk
Internal and external factors can give rise to risks
Risk appetite and tolerances
Risk appetite is a driver of strategic risk decisions at Board level
It is important that the Board sets rules for risk taking in respect of all types of risk
It is fairly easy for an organisation to confirm that it has no appetite for causing injury and ill health
Limitations: risk appetite statements fail to be dynamic; they can constrain behaviour and rapid response
3 Measuring and monitoring
There is no standard format for a risk register
Evaluate existing controls
The risk register should be viewed as a risk action plan that includes details of the current controls and of any further actions that are planned
Embed risk aware culture
The monitoring and measuring process should determine whether:
the measures adopted achieved the intended result
the procedures adopted were efficient
sufficient information was available for the risk assessments
improved knowledge would have helped to reach better decisions
lessons can be learned for future assessments and controls
For procedures to be modified, changes within the organisation and in the external business environment must be identified
Learning and reporting
Monitor risk performance
Learning the lessons from risk management requires investigation of the opinions of key stakeholders, both internally and externally
It is important that the organisation has a risk-based audit plan and undertakes appropriate risk reviews
Learning from experience requires more than evaluation of the risk performance indicators.
Features of learning from experience:
evaluation of audit reports
an assessment of the sources of risk assurance available to the Board and the audit committee
Report risk performance
Organisations have to report externally
External risk reporting is designed to provide external stakeholders with assurance that risks have been adequately managed
It provides information on historical losses and trends