4-1, ENG - For ALL - Overview To Risk Management Process


IN NOMINE

QUALITATIS

TKSG

Overview to Risk Management Processes


Reference: ISO 31000:2018 and ISO/IEC 27005:2018

© 2018 All rights reserved. TechKnowledge Services Group [Overview_Risk_Management]


Risk-based thinking of management system - TWO phases of risk management

[Diagram: two nested phases of risk management]

Phase 1 - Business risk management (4): the organization, its internal and external issues (4.1), the requirements from interested parties (4.2), and the management system "SCOPE" (4.3).

Phase 2 - Specific risk management "within the scope" of the management system (6): the risk management process of scope, context and criteria; risk assessment (risk identification, risk analysis, risk evaluation); and risk treatment, with communication and consultation and monitoring and review running alongside every step.




Communication and consultation

• bring different areas of expertise together for each step of the risk management process;
• ensure that different views are appropriately considered when defining risk criteria and when evaluating risks;
• provide sufficient information to facilitate risk oversight and decision-making;
• build a sense of inclusiveness and ownership among those affected by risk.


Defining the scope

• When planning the approach, considerations include:
  • objectives and decisions that need to be made;
  • outcomes expected from the steps to be taken in the process;
  • time, location, specific inclusions and exclusions;
  • appropriate risk assessment tools and techniques;
  • resources required, responsibilities and records to be kept;
  • relationships with other projects, processes and activities.


External and internal context

• Understanding the context of the organization is important, because:
  • risk management takes place in the context of the objectives and activities of the organization;
  • organizational factors can be a source of risk;
  • the purpose and scope of the risk management process may be interrelated with the objectives of the organization as a whole.


Defining risk criteria

• To set risk criteria, the following should be considered:
  • the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible);
  • how consequences (both positive and negative) and likelihood will be defined and measured;
  • time-related factors;
  • consistency in the use of measurements;
  • how the level of risk is to be determined;
  • how combinations and sequences of multiple risks will be taken into account;
  • the organization's capacity.


Risk assessment

• Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
• Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by further enquiry as necessary.


Risk identification

• The following factors, and the relationship between these factors, should be considered:
  • tangible and intangible sources of risk;
  • causes and events;
  • threats and opportunities;
  • vulnerabilities and capabilities;
  • changes in the external and internal context;
  • indicators of emerging risks;
  • the nature and value of assets and resources;
  • consequences and their impact on objectives;
  • limitations of knowledge and reliability of information;
  • time-related factors;
  • biases, assumptions and beliefs of those involved.


Risk analysis

• Risk analysis should consider factors such as:
  • the likelihood of events and consequences;
  • the nature and magnitude of consequences;
  • complexity and connectivity;
  • time-related factors and volatility;
  • the effectiveness of existing controls;
  • sensitivity and confidence levels.


Risk evaluation

• The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required.
• This can lead to a decision to:
  • do nothing further;
  • consider risk treatment options;
  • undertake further analysis to better understand the risk;
  • maintain existing controls;
  • reconsider objectives.


Risk treatment

• The purpose of risk treatment is to select and implement options for addressing risk.
• Risk treatment involves an iterative process of:
  • formulating and selecting risk treatment options;
  • planning and implementing risk treatment;
  • assessing the effectiveness of that treatment;
  • deciding whether the remaining risk is acceptable;
  • if not acceptable, taking further treatment.


Selection of risk treatment options

• Options for treating risk may involve one or more of the following:
  1. Risk avoidance: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  2. Risk acceptance:
     • taking or increasing the risk in order to pursue an opportunity;
     • retaining the risk by informed decision;
  3. Risk reduction:
     • removing the risk source;
     • changing the likelihood;
     • changing the consequences;
  4. Risk transfer: sharing the risk (e.g. through contracts, buying insurance).
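The risk criteria, risk analysis, risk evaluation and iterative risk treatment steps described on the preceding slides, carried through in code. This is an added example, not part of the TKSG deck or of the ISO standards it references; the 5-point scales, the likelihood x consequence level of risk, the acceptance threshold, the confidence cut-off and the sample risk are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed risk criteria (assumption): 5-point ordinal scales, level of risk =
# likelihood x consequence, an acceptance threshold and a minimum confidence.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_LEVEL = 6   # at or below this the risk is retained by informed decision
MIN_CONFIDENCE = 0.5   # below this the estimates are too uncertain to decide on

@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    confidence: float = 1.0                         # confidence in the estimates, 0..1
    controls: list = field(default_factory=list)    # existing or applied controls

def level_of_risk(r: Risk) -> int:
    """Risk analysis: combine likelihood and consequence on the agreed scales."""
    return LIKELIHOOD[r.likelihood] * CONSEQUENCE[r.consequence]

def evaluate(r: Risk) -> str:
    """Risk evaluation: compare the analysed level with the criteria and return
    one of the decisions the deck lists."""
    if r.confidence < MIN_CONFIDENCE:
        return "undertake further analysis"
    if level_of_risk(r) <= ACCEPTABLE_LEVEL:
        return "maintain existing controls" if r.controls else "do nothing further"
    return "consider risk treatment options"

def treat(r: Risk, options: list) -> list:
    """Risk treatment as an iterative process: apply the next option (a control
    name plus the likelihood and consequence it leaves behind), re-analyse and
    re-evaluate, and stop as soon as the residual risk is acceptable."""
    applied = []
    for control, new_likelihood, new_consequence in options:
        if evaluate(r) != "consider risk treatment options":
            break
        r.likelihood, r.consequence = new_likelihood, new_consequence
        r.controls.append(control)
        applied.append(control)
    return applied

if __name__ == "__main__":
    # Constructed sample risk and treatment plan; the third option is never needed
    risk = Risk("internet-facing appliance with overdue security patches", "likely", "major")
    plan = [("patch management SLA", "unlikely", "major"), ("network segmentation", "unlikely", "minor"),
            ("cyber insurance", "unlikely", "minor")]
    print(level_of_risk(risk), evaluate(risk), treat(risk, plan), level_of_risk(risk), evaluate(risk))
```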


Preparing and implementing risk treatment plans

• The information provided in the treatment plan should include:
  • the rationale for selection of the treatment options, including the expected benefits to be gained;
  • those who are accountable and responsible for approving and implementing the plan;
  • the proposed actions;
  • the resources required, including contingencies;
  • the performance measures;
  • the constraints;
  • the required reporting and monitoring;
  • when actions are expected to be undertaken and completed.


Monitoring and review

• The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibilities clearly defined.
• Monitoring and review should take place in all stages of the process. Monitoring and review includes planning, gathering and analysing information, recording results and providing feedback.
• The results of monitoring and review should be incorporated throughout the organization's performance management, measurement and reporting activities.


Recording and reporting

• Recording and reporting aims to:
  • communicate risk management activities and outcomes across the organization;
  • provide information for decision-making;
  • improve risk management activities;
  • assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.

