Risk Management ISO 31000
• Executive Manager – ISC Global – Egypt office
• Ph.D. in Human resources development
• The impact of human resources management strategies in supporting total quality management programs
• Member of ISO TC 176 (ISO 9001)
• Member of ISO PC 283 (ISO 45001)
• Member of ISO/CASCO/JWG48 (ISO/IEC TS 17021-10)
• Events will happen, we just don't know which, how and when.
• ISO 31000 defines effect as "a deviation from the expected - positive or negative".
• So if we use that definition, and insert it into the definition of risk, we get:
Risk = the deviation from the expected, due to our ignorance, on
objectives.
Risk Management
Principles and Guidelines
1 Scope
2 Terms and definitions
3 Principles
4 Framework
4.1 General
4.2 Mandate and commitment
4.3 Design of framework for managing risk
4.4 Implementing risk management
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework
5 Process
5.1 General
5.2 Communication and consultation
5.3 Establishing the context
5.4 Risk assessment
5.5 Risk treatment
5.6 Monitoring and review
5.7 Recording the risk management process
• ISO 31000 can be applied to the achievement of any and all types of
objectives at all levels and areas within an organization.
• It can be used at a strategic or organizational level to help make
decisions and can be applied to all types of activities.
• It can be used to help manage processes, operations, functions,
projects, programs, products, services, and assets.
• However, exactly how the organisation applies ISO 31000 is up to the
organisation and will depend on the organization's needs, objectives,
and challenges, and should reflect what it does and how it operates.
• ISO 31000 can be used by a wide range of stakeholders, including people who
need to:
• Establish a risk management policy (top management).
• Evaluate risk management practices and processes (assessors).
• Manage and control risk within an organization (managers).
• Explain how risk should be managed and controlled (trainers - consultants).
• Develop risk management procedures and guides (implementers).
• Prepare related standards and codes of practice (experts).
Together these three sections (principles, framework and process) make up what ISO 31000 calls a risk management
architecture.
• A stakeholder is a person or an
organization that can affect or be
affected by a decision or an activity.
• Stakeholders also include those who
have the perception that a decision or an
activity can affect them.
• ISO 31000 distinguishes between
external and internal stakeholders.
• A risk owner is a person or entity that has been given the authority
to manage a particular risk and is accountable for doing so.
• Risk criteria are terms of reference and are used to evaluate the
significance or importance of an organization's risks.
• They are used to determine whether a specified level of risk is acceptable or
tolerable.
• Risk criteria should reflect the organization's values, policies, and
objectives, should be based on its external and internal context, should consider
the views of stakeholders, and should be derived from standards, laws, policies,
and other requirements.
• Risk analysis is a process that is used to understand the nature, sources, and
causes of the risks that the organisation has identified and to estimate the level
of risk.
• It is also used to study impacts and consequences and to examine
the controls that currently exist.
• How detailed the risk analysis ought to be will depend upon the risk, the purpose
of the analysis, the information the organisation has, and the resources
available.
Risk assessment is that part of risk management which provides a structured process that
identifies how objectives may be affected, and analyses the risk in terms of consequences
and their probabilities before deciding on whether further treatment is required.
Risk assessment attempts to answer the following fundamental questions:
• What can happen and why (by risk identification)?
• What are the consequences?
• What is the probability of their future occurrence?
• Are there any factors that mitigate the consequence of the risk or that reduce the
probability of the risk?
• Is the level of risk tolerable or acceptable, and does it require further treatment?
• Risk assessment may be undertaken in varying degrees of depth and detail and
using one or many methods ranging from simple to complex.
• The form of assessment and its output should be consistent with the risk criteria
developed as part of establishing the context.
• In general terms, suitable techniques should exhibit the following characteristics:
• they should be justifiable and appropriate to the situation or organization under
consideration;
• they should provide results in a form which enhances understanding of the
nature of the risk and how it can be treated;
• they should be capable of use in a manner that is traceable, repeatable and
verifiable.
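The risk assessment steps above (identify what can happen and why; analyse consequence, probability and existing mitigating controls into a level of risk; evaluate that level against the risk criteria; decide whether treatment is required) can be walked through on a small register. The following Python is an added illustration, not code from the slides or from ISO 31000: the 1..5 ordinal scales, the acceptable/tolerable thresholds, the control model and the three sample security risks are constructed assumptions standing in for an organization's own risk criteria and register.

```python
"""Worked example of ISO 31000-style risk assessment: identification ->
analysis (consequence, probability, existing controls, level of risk) ->
evaluation against risk criteria -> treatment decision.
Added illustration; scales, thresholds and sample risks are constructed."""
from dataclasses import dataclass, field

# Constructed ordinal scales (assumption: the organization defines its own).
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# Constructed risk criteria on the level of risk (consequence x probability):
ACCEPTABLE_MAX = 4    # 1..4  acceptable, no further treatment
TOLERABLE_MAX = 12    # 5..12 tolerable, keep under review
                      # 13..25 intolerable, treatment required


@dataclass
class Control:
    """An existing control: a factor that mitigates consequence or reduces probability."""
    name: str
    reduces: str   # "consequence" or "probability"
    steps: int     # scale steps removed (1 = one rating lower)


@dataclass
class Risk:
    ident: str
    event: str          # what can happen
    cause: str          # and why
    consequence: str    # rating on the CONSEQUENCE scale
    probability: str    # rating on the PROBABILITY scale
    controls: list[Control] = field(default_factory=list)


def rating(scale: dict[str, int], value: str, what: str) -> int:
    """Look up an ordinal rating, rejecting values outside the agreed scale."""
    if value not in scale:
        raise ValueError(f"unknown {what} rating: {value!r}")
    return scale[value]


def level_of_risk(consequence: int, probability: int) -> int:
    """Level of risk as read off a consequence/probability matrix (product of ratings)."""
    return consequence * probability


def residual_ratings(risk: Risk) -> tuple[int, int]:
    """Apply existing controls to the inherent ratings; a rating never drops below 1."""
    c = rating(CONSEQUENCE, risk.consequence, "consequence")
    p = rating(PROBABILITY, risk.probability, "probability")
    for ctl in risk.controls:
        if ctl.reduces == "consequence":
            c = max(1, c - ctl.steps)
        elif ctl.reduces == "probability":
            p = max(1, p - ctl.steps)
        else:
            raise ValueError(f"control {ctl.name!r}: unknown target {ctl.reduces!r}")
    return c, p


def evaluate(level: int) -> str:
    """Compare a level of risk with the risk criteria."""
    if level <= ACCEPTABLE_MAX:
        return "acceptable"
    if level <= TOLERABLE_MAX:
        return "tolerable"
    return "intolerable"


def assess(risk: Risk) -> dict:
    """Answer the fundamental questions for one risk and record the outcome."""
    inherent = level_of_risk(rating(CONSEQUENCE, risk.consequence, "consequence"),
                             rating(PROBABILITY, risk.probability, "probability"))
    c, p = residual_ratings(risk)
    residual = level_of_risk(c, p)
    verdict = evaluate(residual)
    return {"id": risk.ident, "event": risk.event, "inherent": inherent,
            "residual": residual, "evaluation": verdict,
            "treatment_required": verdict == "intolerable"}


def assess_register(risks: list[Risk]) -> list[dict]:
    """Assess every risk and rank by residual level so the worst are reviewed first."""
    return sorted((assess(r) for r in risks), key=lambda a: a["residual"], reverse=True)


# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("R1", "customer database exposed", "unpatched internet-facing server",
         "major", "likely",
         [Control("monthly patch SLA", "probability", 2),
          Control("database encryption at rest", "consequence", 1)]),
    Risk("R2", "ransomware encrypts file shares", "phishing e-mail opened by staff",
         "severe", "almost certain",
         [Control("inbound mail filtering", "probability", 1),
          Control("offline backups", "consequence", 1)]),
    Risk("R3", "visitor badge reused after a visit", "badges not collected at reception",
         "minor", "unlikely"),
]

if __name__ == "__main__":
    for a in assess_register(REGISTER):
        print(f"{a['id']}: inherent {a['inherent']:2d}, residual {a['residual']:2d}, "
              f"{a['evaluation']} (treatment required: {a['treatment_required']})")
```

Running the block ranks R2 first (residual 16, intolerable, treatment required), then R1 (residual 6, tolerable after its controls) and R3 (level 4, acceptable). Recording both the inherent and the residual level keeps the assessment traceable and repeatable: a reviewer can see which existing controls were credited and re-run the evaluation if a control fails or the criteria change.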
Risk Management Principles and Guidelines - ISO 31000,
82
Prepared by Dr. Mohamed Lashin
Types of risk assessment techniques
1. Brainstorming
2. Structured or semi-structured interviews
3. Delphi
4. Check-lists
5. Primary hazard analysis
6. Hazard and operability studies (HAZOP)
7. Hazard Analysis and Critical Control Points (HACCP)
8. Environmental risk assessment
9. Structured « What if? » (SWIFT)
10. Scenario analysis
11. Business impact analysis (BIA)
12. Root cause analysis (RCA)
13. Failure mode effect analysis (FMEA)
14. Fault tree analysis
15. Event tree analysis
16. Cause and consequence analysis
17. Cause-and-effect analysis
18. Layer protection analysis (LOPA)
19. Decision tree
20. Human reliability analysis
21. Bow tie analysis
22. Reliability centered maintenance
23. Sneak circuit analysis
24. Markov analysis
25. Monte Carlo simulation
26. Bayesian statistics and Bayes Nets
27. FN curves
28. Risk indices
29. Consequence/probability matrix
30. Cost/benefit analysis
31. Multi-criteria decision analysis (MCDA)
Applicability of tools used for risk assessment
(SA = strongly applicable, A = applicable, NA = not applicable)

Tools and techniques                              | Risk identification | Risk analysis: Consequence | Risk analysis: Probability | Risk analysis: Level of risk | Risk evaluation
--------------------------------------------------|---------------------|----------------------------|----------------------------|------------------------------|----------------
Brainstorming                                     | SA                  | NA                         | NA                         | NA                           | NA
Hazard and operability studies (HAZOP)            | SA                  | A                          | A                          | A                            | A
Hazard Analysis and Critical Control Points (HACCP) | SA                | SA                         | NA                         | NA                           | SA
Environmental risk assessment                     | SA                  | SA                         | SA                         | SA                           | SA
Structured « What if? » (SWIFT)                   | SA                  | SA                         | SA                         | SA                           | SA
Business impact analysis                          | A                   | SA                         | A                          | A                            | A
Root cause analysis                               | NA                  | SA                         | SA                         | SA                           | SA
Failure mode effect analysis                      | SA                  | SA                         | SA                         | SA                           | SA
Fault tree analysis                               | A                   | NA                         | SA                         | A                            | A
Event tree analysis                               | A                   | SA                         | A                          | A                            | NA
Cause and consequence analysis                    | A                   | SA                         | SA                         | A                            | A
Cause-and-effect analysis                         | SA                  | SA                         | NA                         | NA                           | NA
Consequence/probability matrix                    | SA                  | SA                         | SA                         | SA                           | A