ISO 31000 Framework - Coggle Diagram
ISO 31000 Framework
The Risk Management Process
Risk Assessment Activities (Identification and Ranking)
Risk identification establishes the exposure of the organisation to risk and uncertainty.
This requires thorough knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives.
The result of the risk analysis can be used to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritising risk treatment efforts. This ranks the importance of each identified risk.
Reviewing the risk management framework:
Includes the essential steps in the implementation and ongoing support of the risk management process.
It begins with the mandate and commitment by the Board, which is then followed by:
Design of framework
Taking into consideration the organisation and its context
Risk management policy
Embedding risk management
Implementing risk management
Implement framework
Implement risk management process
Monitor and review framework
Improve framework
Can be presented as a list of coordinated activities; this list represents the 7Rs and the 4Ts of (hazard) risk management:
Recognition or identification of risks (forms the first part of the risk assessment activity)
Ranking or evaluation of risks (Forms the second part of the risk assessment activity)
Responding to significant risks (also known as 'risk treatment')
Tolerate
Treat
Transfer
Terminate
Exploit (only in the case of opportunity risks)
Resourcing controls
Reaction planning
Reviewing the risk management framework
Reporting and monitoring risk performance
The risk management process includes:
Risk architecture
Specifies the roles, responsibilities, communication and risk reporting structure.
Risk strategy
Risk strategy, attitudes, appetite and philosophy are defined in the risk management policy.
Risk appetite and tolerances:
Some organisations have produced a risk appetite statement that is applicable to all classes of risk.
Risk appetite needs to be developed into a set of targets for health and safety performance. There is a danger that risk appetite statements fail to be dynamic, and they can constrain behaviour and rapid response.
At Board level, risk appetite is a driver of strategic risk decisions. At executive (management) level, risk appetite is translated into a set of procedures to ensure that risk receives adequate attention when making tactical decisions. At operational level, risk appetite dictates operational constraints for routine activities.
Risk protocols
Presented in the form of risk guidelines for the organisation and include the rules and procedures as well as specifying the management methodologies, tools and techniques that should be used.
Risk Treatment (4Ts)
The activity of selecting and implementing appropriate control measures to modify the risk.
The major element of risk treatment is risk control (or mitigation) but extends into risk avoidance, risk transfer and risk financing.
One method of obtaining financial protection against the impact of risks is through risk financing, including insurance.
Risk treatment should provide effective and efficient internal controls; this effectiveness is the degree to which the risk will be eliminated or reduced.
Feedback Mechanisms (Reporting and Monitoring Risk Performance)
Feedback has two mechanisms:
Monitoring and review of performance
Communication and consultation (part of the supporting framework)
Principles of Risk Management
Risk management is a central part of the strategic management of an organisation and should support the development and implementation of strategy of an organisation.
Risk management is a continuous process whereby organisations methodically address all the risks that constitute opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty.
The focus of risk management is the assessment of significant risks and the implementation of suitable risk responses.
The objective of risk management is to achieve maximum sustainable value from all the activities of the organisation.
Risk management aware culture
Risk management must be integrated into the culture of the organisation, and this will include mandate, leadership, and commitment from the Board.
The Board should assign risk management responsibilities throughout the organisation and should support accountability, performance measurement, and reward which would thus promote operational efficiency at all levels.
Achieving a good risk-aware culture is ensured by establishing an appropriate risk architecture, strategy and protocols.
Recording Risk Assessments
Risk assessment involves the identification of risks followed by their evaluation and ranking.
Risk classification systems
An important part of analysing a risk is to determine the nature, source or type of impact of the risk.
They are important because they help a business to identify accumulations of similar risk.
They enable an organisation to identify which strategies, tactics and operations are most vulnerable.
It is important to have a template for recording appropriate information about each risk.
The objective of the template is to enable the information to be recorded in a table, risk register, spreadsheet or a computer-based system.
Definition of risk: "The effect of uncertainty on objectives."