
ISO 31000

Prepared by Dr. Mohamed Lashin

• Executive Manager – ISC Global – Egypt office
• Ph.D. in Human resources development: The impact of human resources management strategies in supporting total quality management programs
• Ph.D. in Risk management: Risk management strategies for micro companies
• Lecturer of higher education – Cairo University
• Member of the Egyptian Society for Quality (ESQ)
• Member of the American Society for Quality (ASQ)
• Member of the American Society for Safety Engineers (ASSE)
• Member of the Institute of Risk Management (IRM)
• Member of ISO TC 176 (ISO 9001)
• Member of ISO PC 283 (ISO 45001)
• Member of ISO/CASCO/JWG48 (ISO/IEC TS 17021-10)
• QMS ISO 9001 Lead auditor
• QMS ISO 29990 Lead auditor
• OHSMS OHSAS 18001 Lead auditor
• BCMS ISO 22301 Lead auditor
• Registered in the International Register of Certified Lead Auditors and trainers (IRCA)
• Registered in the organization of certified lead auditors and trainers (Exemplar Global - RABQSA)

Risk Management Principles and Guidelines - ISO 31000,


risk means

"effect of uncertainty on objectives"

• Uncertainty is not about how things will happen, but is more about our state of knowledge. It is more about our "lack of knowledge" about how things will turn out.
• Events will happen, we just don't know which, how and when.

risk means

• Uncertainty is our ignorance.

• Uncertainty is "the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood."
• If we replace this meaning of uncertainty in the definition of risk, we come up with:
Risk = the effect of ignorance on objectives.

risk means

• But what about "effect"? What does this word mean?
• ISO 31000 defines effect as "a deviation from the expected - positive or negative".
• So if we use that definition, and insert it into the definition of risk, we get:
Risk = the deviation from the expected, due to our ignorance, on objectives.

what is risk management

• Coordinated activities to direct and control an organization with regard to risk.
• It is an integrated and joined-up approach to managing risk across an organisation and its extended networks.

involvement of risk management
• Risk is part of all our lives. As a society, we need to take risks to grow and
develop.
• From energy to infrastructure, supply chains to airport security, hospitals to
housing, effectively managed risks help societies achieve.
• In our fast-paced world, the risks we have to manage evolve quickly.
• We need to make sure we manage risks so that we minimise their threats and maximise their potential.
• Risk management involves understanding, analysing and addressing risk to make sure organisations achieve their objectives. So it must be proportionate to the complexity and type of organisation involved.

risk management standards
• A number of standards have been developed worldwide to help organisations
implement risk management systematically and effectively.

• Commonly used standards include:
  • ISO 31000:2009 – Risk Management Principles and Guidelines
  • A Risk Management Standard – IRM/Alarm/AIRMIC 2002 – UK's main risk organisations.
  • COSO 2004 - Enterprise Risk Management - Integrated Framework
  • OCEG Red Book 2.0: 2009 - a Governance, Risk and Compliance Capability Model

ISO 31000:2009

Risk Management
Principles and Guidelines

ISO 31000 family

• ISO 31000:2009 Risk management - Principles and guidelines
• ISO/CD 31000 Risk management - Principles and guidelines
• ISO/TR 31004:2013 Risk management - Guidance for the implementation of ISO 31000
• IEC 31010:2009 Risk management - Risk assessment techniques
• ISO/NP 31020 Risk Management - Managing Disruption Related Risk
• ISO/AWI 31021 Managing Supply Chain Risk - A Compilation of Best Practices
• ISO/AWI 31022 Guidelines for Implementation of Enterprise Legal Risk Management

executive summary

• ISO 31000 is a generic risk management standard that defines a set of guidelines.
• We refer to them as guidelines because they're voluntary. They're not requirements or contractual obligations.
• These risk management guidelines are discussed in the following sections:
Clause 3. Risk Management Principles
Clause 4. Risk Management Framework
Clause 5. Risk Management Process

contents of ISO 31000

1 Scope
2 Terms and definitions
3 Principles
4 Framework
4.1 General
4.2 Mandate and commitment
4.3 Design of framework for managing risk
4.4 Implementing risk management
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework
5 Process
5.1 General
5.2 Communication and consultation
5.3 Establishing the context
5.4 Risk assessment
5.5 Risk treatment
5.6 Monitoring and review
5.7 Recording the risk management process

scope of ISO 31000

• ISO 31000 is an international risk management standard.
• It can be used by any organization no matter what size it is or what it does.
• It can be used by both public and private organizations and by groups, associations, and enterprises of all kinds.
• It is not specific to any sector or industry and can be applied to any type of risk.

scope of ISO 31000

• ISO 31000 can be applied to the achievement of any and all types of
objectives at all levels and areas within an organization.
• It can be used at a strategic or organizational level to help make
decisions and can be applied to all types of activities.
• It can be used to help manage processes, operations, functions,
projects, programs, products, services, and assets.
• However, exactly how the organisation applies ISO 31000 is up to the organisation and will depend on the organization's needs, objectives, and challenges, and should reflect what it does and how it operates.

who should use ISO 31000?

• ISO 31000 can be used by a wide range of stakeholders, including people who
need to:
• Establish a risk management policy (top management).
• Evaluate risk management practices and processes (assessors).
• Manage and control risk within an organization (managers).
• Explain how risk should be managed and controlled (trainers - consultants).
• Develop risk management procedures and guides (implementers).
• Prepare related standards and codes of practice (experts).

risk management architecture

• The standard starts by listing a set of risk management principles.
• Use these principles to guide the establishment of the risk management framework.
• Then use the framework to guide the establishment of the risk management process.

Together these three sections make up what ISO 31000 calls a risk management architecture.

Risk Management Architecture (diagram, three layers):
• risk management principles
• risk management framework
• risk management process

the 11 risk management principles

3A. Should create & protect value
3B. Should be part of all processes
3C. Should be part of the decision making
3D. Should be used to handle uncertainty
3E. Should be systematic and timely
3F. Should be based on the best data
3G. Should be tailored to the environment
3H. Should consider human factors
3I. Should be transparent and inclusive
3J. Should be responsive and iterative
3K. Should support continual improvement

risk management framework
(diagram)
4.2 Make a commitment to risk management
4.3 Design the risk management framework
4.4 Implement the approach to risk management
4.5 Monitor the risk management framework
4.6 Improve the risk management framework

risk management process
(diagram)
5.2 Communicate & Consult with your interested parties
5.3 Establish your unique risk management context
5.4 Carry out your risk assessment process
  5.4.1 Identify, analyze, and evaluate risks
  5.4.2 Identify your organisation's risk
  5.4.3 Analyse your organisation's risk
  5.4.4 Evaluate your organisation's risk
5.5 Formulate & Implement your risk treatment plans
5.6 Monitor & Review your risk management process

relationships between the risk management principles,
framework and process

4. RISK MANAGEMENT FRAMEWORK

4.1 establish a risk management framework

• Make risk management part of the management system.
• Establish an effective risk management framework.
• Use the framework to support the risk management process.

risk management framework

Risk management framework is a set of components that support and sustain risk management throughout an organization.

There are two types of components: foundations and organizational arrangements.
• Foundations include the risk management policy, objectives, mandate, and commitment.
• Organizational arrangements include the plans, relationships, accountabilities, resources, processes, and activities the organisation uses to manage the organization's risk.

4.2 make a commitment to risk management

• Define the organization's risk management policy.
• Establish risk management performance indicators.
• Formulate risk management objectives.
• Assign risk management responsibilities.
• Allocate risk management resources.
• Communicate risk management benefits.
• Support the risk management framework.

4.3 design the risk management framework
4.3.1 understand the organization's context
• Evaluate and understand the organization's external context and then use this knowledge to design the risk management framework.
  • Evaluate and understand the external environment.
  • Evaluate and understand the external stakeholders.
  • Evaluate and understand the external influences.
• Evaluate and understand the organization's internal context and then use this knowledge to design the risk management framework.
  • Understand the organization's internal stakeholders.
  • Understand the organization's governance.
  • Understand the organization's capabilities.
  • Understand the organization's culture.
  • Understand the organization's standards.
  • Understand the organization's contracts.

internal context

• An organization's internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives.
• It includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards.
• Governance includes the organization's structure, policies, objectives, roles, accountabilities, and decision making process, and capabilities include its knowledge and human, technological, capital, and systemic resources.

external context

• An organization's external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives.
• It includes its external stakeholders, its local, national, and international environment, as well as key drivers and trends that influence its objectives.
• It includes stakeholder values, perceptions, and relationships, as well as its social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environment.

stakeholder

• A stakeholder is a person or an
organization that can affect or be
affected by a decision or an activity.
• Stakeholders also include those who
have the perception that a decision or an
activity can affect them.
• ISO 31000 distinguishes between
external and internal stakeholders.

4.3 design the risk management framework
4.3.2 formulate the risk management policy

• Establish a risk management policy for the organization.
• Make a clear commitment to risk management.
• Define the risk management objectives.
• Explain how the policy will be implemented.
• Communicate the risk management policy.

risk management policy

• A policy statement defines a general commitment, direction, or intention.
• A risk management policy statement expresses an organization's commitment to risk management and clarifies its general direction or intention.

4.3 design the risk management framework
4.3.3 make people accountable for managing risk

• Identify the organization's risk owners.
• Give risk owners the authority to manage risk.
• Make risk owners accountable for managing risk.
• Establish risk management performance measurement methods.
• Develop risk management reporting and escalation processes.

risk owner

• A risk owner is a person or entity that has been given the authority
to manage a particular risk and is accountable for doing so.

4.3 design the risk management framework
4.3.4 build risk management into the organization

• Make risk management a part of all processes and practices.
• Develop an organization-wide risk management plan.

risk management plan

• An organization's risk management plan describes how it intends to manage risk.
• It describes the management components, the approach, and the resources that will be used to manage risk.
• Typical management components include procedures, practices, responsibilities, and activities (including their sequence and timing).
• Risk management plans can be applied to products, processes, and projects, or to an entire organization or to any part of it.

4.3 design the risk management framework
4.3.5 allocate resources for risk management

• Allocate appropriate resources to support the organization's risk management activities.
• Consider providing people who can support the organization's risk management activities.
• Consider providing resources needed to support each step of the risk management process.
• Consider providing information and knowledge management systems to support risk management.
• Consider providing risk management procedures and processes.
• Consider providing appropriate risk management methods and tools.

4.3 design the risk management framework
4.3.6 establish internal communication mechanisms

• Establish internal risk management communication and reporting processes and mechanisms.

4.3 design the risk management framework
4.3.7 develop an external communication plan

• Develop a plan that describes how the organisation intends to communicate with the external stakeholders.
• Implement the risk management communication plan.

4.4 implement the approach to risk management
4.4.1 implement the risk management framework

• Develop a strategy to implement the organization's framework.
• Implement the organization's risk management framework.

4.4 implement the approach to risk management
4.4.2 implement the risk management process

• Develop a plan that explains how the organisation intends to apply the organization's risk management process (Part 5).
• Use the risk management plan to implement the organization's risk management process (Part 5).

4.5 monitor the risk management framework

• Evaluate the ongoing effectiveness of the organization's risk management framework.
• Prepare reports on the effectiveness of the organization's risk management framework.

4.6 improve the risk management framework

• Study the results of the organization's risk management monitoring and review activities (see Part 4.5, above).
• Figure out how the organization is going to improve the risk management framework.

5. RISK MANAGEMENT PROCESS

5.1 apply the risk management process

• Apply the risk management process (see Parts 5.2 to 5.6).
• Make the risk management process part of the organization's management approach.
• Make the risk management process part of the organization's unique culture.

5.2 communicate and consult with the stakeholders

• Communicate and consult with stakeholders during all stages of the risk management process.
• Use a consultative team approach to communicate and consult with the organization's stakeholders.

communication and consultation

• Communication and consultation is a dialogue between an organization and its stakeholders.
• This dialogue is both continual and iterative. It is a two-way process that involves both sharing and receiving information about the management of risk. However, this is not joint decision making.
• Once communication and consultation is finished, decisions are made and directions are established by the organization, not by stakeholders.
• Discussions could be about the existence of risks, their nature, form, likelihood, and significance, as well as whether or not risks are acceptable or should be treated, and what treatment options should be considered.

5.3 establish the unique risk management context
5.3.1 establish the risk management parameters

• Identify and understand the parameters and variables that influence and control how the organization manages risk.
• Define the organization's external context (see Part 5.3.2).
• Define the organization's internal context (see Part 5.3.3).

5.3 establish the unique risk management context
5.3.2 establish the organization's external context
• Identify and understand the organization's external context and consider the influence it could have on its ability to manage risk and achieve its objectives.
• Identify and understand environmental conditions and consider the influence they could have on the organization's ability to achieve its objectives.
• Identify and understand key external factors and consider the influence they could have on the organization's ability to achieve its objectives.
• Identify and understand the relationships the organisation has with external stakeholders and consider the influence they could have on the organization's ability to achieve its objectives.
• Consider the organization's external context when the organisation develops risk criteria (see Part 5.3.5 for details).
• Consider the concerns, objectives, and perceptions of external stakeholders when the organisation formulates the risk criteria.

5.3 establish the unique risk management context
5.3.3 establish the organization's internal context
• Identify and understand your organization's internal context and consider the influence it could have on its ability to manage risk and achieve objectives.
  • Understand your organization's internal stakeholders.
  • Understand your organization's governance structure.
  • Understand your organization's capabilities.
  • Understand your organization's culture.
  • Understand your organization's standards.
  • Understand your organization's contracts.

5.3 establish the unique risk management context
5.3.4 establish the context of the risk management process
• Establish the unique context of the risk management process.
• Adopt a risk management approach that is appropriate to the circumstances and consistent with the context.
• Identify the organizational areas or parts that will participate in the risk management process and make sure the organisation understands what they do and how they do it.
• Clarify how each specific risk management process or activity should be organized and managed.
• Define the goals and objectives of the risk management activities and projects the organisation intends to carry out.
• Define the resources that the risk management activities and projects will need.
• Define the risk management responsibilities and authorities of all process participants.
• Define the focus of each risk management project, including where and when it will be carried out.
• Define the decisions that will need to be made as the organisation carries out each risk management process.
• Define the risk assessment methodologies that the organisation intends to use for each risk management process or project.
• Define how the risk management process is related to the organization's other processes.
• Define the studies that the organisation intends to carry out to support each risk management process.
• Define how risk management process performance and effectiveness will be evaluated.
• Define the records that each risk management process or activity should maintain.

establishing the context

• To establish the context means to define the external and internal parameters that organizations must consider when they manage risk.
• An organization's external context includes its external stakeholders, its local, national, and international environment, as well as any external factors that influence its objectives.
• An organization's internal context includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards.
• ISO expects the organisation to consider the organization's context when the organisation defines the scope of its risk management program, when the organisation formulates its risk management policy, and when the organisation establishes its risk criteria.

5.3 establish the unique risk management context
5.3.5 establish the organization's risk criteria
• Define the organization's risk criteria.
• Consider the organization and how it functions when defining the risk criteria.
• Consider the views of the organization's stakeholders when defining the risk criteria.
• Consider the nature and type of causes when defining the risk criteria.
• Consider the consequences and impacts that could occur when defining the risk criteria.
• Consider how likelihood or probability will be determined when defining the risk criteria.
• Consider how the level of risk will be determined when defining the risk criteria.
• Consider whether combinations of multiple risks should be taken into account when defining the risk criteria.
• Review and periodically update the risk criteria.

risk criteria

• Risk criteria are terms of reference and are used to evaluate the significance or importance of an organization's risks.
• They are used to determine whether a specified level of risk is acceptable or tolerable.
• Risk criteria should reflect the organization's values, policies, and objectives, should be based on its external and internal context, should consider the views of stakeholders, and should be derived from standards, laws, policies, and other requirements.

level of risk

• The level of risk is its magnitude.
• It is estimated by considering and combining consequences and likelihoods.
• A level of risk can be assigned to a single risk or to a combination of risks.
• A consequence is the outcome of an event and has an effect on objectives.
• Likelihood is the chance that something might happen.

consequence

• A consequence is the outcome of an event and has an effect on objectives.
• A single event can generate a range of consequences which can have both positive and negative effects on objectives.
• Initial consequences can also escalate through knock-on effects.

likelihood

• Likelihood is the chance that something might happen.
• Likelihood can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).

5.4 carry out the organization's risk assessment process
5.4.1 identify, analyze, and evaluate risks
• Carry out the risk assessment process.
• Identify the organization's risks (see Part 5.4.2 for details).
• Analyze the organization's risks (see Part 5.4.3 for details).
• Evaluate the organization's risks (see Part 5.4.4 for details).

Risk assessment

• Risk assessment is a process that is, in turn, made up of three processes: risk identification, risk analysis, and risk evaluation.
• Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives.
• Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that the organisation has identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.
• Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

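As an added example (not part of these slides or of ISO 31000 itself), a small Python risk register that runs the three sub-processes just described and also applies the risk criteria and level-of-risk definitions from the earlier slides: identification entries carry a source, event, consequence and likelihood; analysis combines consequence and likelihood into a level of risk, taking existing controls into account; evaluation compares that level with the risk criteria and, as the criteria slide asks, also considers a combination of risks that share one source. The 1-5 scales, the product rule, the control adjustment, the summing of shared-source risks, the sample register and the thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed 1-5 ordinal scales; ISO 31000 does not prescribe scales, only that
# the level of risk is estimated by combining consequence and likelihood.
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass(frozen=True)
class Risk:
    """One entry of a risk register (the output of risk identification)."""
    risk_id: str
    source: str        # risk source: where the risk originates
    event: str         # occurrence, non-occurrence or change in circumstances
    consequence: str   # effect on objectives, on the CONSEQUENCE scale
    likelihood: str    # chance the event happens, on the LIKELIHOOD scale
    owner: str         # risk owner accountable for managing this risk
    controls: int = 0  # existing controls examined during analysis (assumed:
                       # each effective control lowers the likelihood rank by one)


@dataclass(frozen=True)
class RiskCriteria:
    """Terms of reference for evaluation: thresholds on the level of risk."""
    acceptable_below: int   # a level below this is acceptable without treatment
    tolerable_below: int    # a level below this is tolerable but kept under review
    combine_shared_source: bool = True  # take combinations of risks into account


def level_of_risk(risk: Risk) -> int:
    """Analysis: estimate the magnitude by combining consequence and likelihood.

    Assumed combination rule: product of the two ranks, with the likelihood rank
    reduced by the number of existing effective controls (never below 1).
    """
    likelihood = max(1, LIKELIHOOD[risk.likelihood] - risk.controls)
    return CONSEQUENCE[risk.consequence] * likelihood


def evaluate(level: int, criteria: RiskCriteria) -> str:
    """Evaluation: compare a level of risk with the risk criteria."""
    if level < criteria.acceptable_below:
        return "acceptable"
    if level < criteria.tolerable_below:
        return "tolerable"
    return "treat"


def combined_levels(register: List[Risk]) -> Dict[str, int]:
    """Level assigned to a combination of risks: all risks sharing one source.

    Assumed aggregation: the sum of the individual levels, so several individually
    tolerable risks from one source can together exceed the criteria.
    """
    totals: Dict[str, int] = {}
    for risk in register:
        totals[risk.source] = totals.get(risk.source, 0) + level_of_risk(risk)
    return totals


def assess(register: List[Risk], criteria: RiskCriteria) -> List[dict]:
    """Run identification -> analysis -> evaluation over the whole register."""
    rows = []
    for risk in register:
        level = level_of_risk(risk)
        rows.append({"id": risk.risk_id, "owner": risk.owner, "level": level,
                     "decision": evaluate(level, criteria)})
    if criteria.combine_shared_source:
        for source, total in combined_levels(register).items():
            if sum(1 for r in register if r.source == source) > 1:
                rows.append({"id": f"combined:{source}", "owner": "-",
                             "level": total, "decision": evaluate(total, criteria)})
    # Highest level first, so treatment planning starts with what matters most.
    return sorted(rows, key=lambda r: r["level"], reverse=True)


# Constructed sample register and criteria (not taken from the slides).
REGISTER = [
    Risk("R1", "supplier", "key supplier stops deliveries", "major", "unlikely", "COO"),
    Risk("R2", "supplier", "supplier quality drops", "moderate", "possible", "COO"),
    Risk("R3", "people", "key engineer leaves", "moderate", "likely", "CTO", controls=2),
    Risk("R4", "nature", "flood closes the site", "severe", "rare", "Facilities"),
]
CRITERIA = RiskCriteria(acceptable_below=6, tolerable_below=10)

if __name__ == "__main__":
    for row in assess(REGISTER, CRITERIA):
        print(f'{row["id"]:18} level={row["level"]:2} -> {row["decision"]}')
```

Run on the sample register, every single risk is acceptable or tolerable, but the two supplier risks combined cross the treatment threshold, which is the kind of result the "combinations of multiple risks" criterion exists to surface.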
5.4 carry out the organization's risk assessment process
5.4.2 identify the organization's risks
• Choose suitable risk identification tools and techniques.
• Select suitable people to identify the organization's risks.
• Use the tools and techniques to identify the risks that could affect the achievement of the organization's objectives.
• Generate a comprehensive list of risks that could affect the achievement of the organization's objectives.

risk identification

• Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization's objectives.
• It is used to identify possible sources of risk in addition to the events and circumstances that could affect the achievement of objectives.
• It also includes the identification of possible causes and potential consequences.
• The organisation can use historical data, theoretical analysis, informed opinions, expert advice, and stakeholder input to identify the organization's risks.

risk source

• A risk source has the intrinsic potential to give rise to risk.


• A risk source is where a risk originates.
• It’s here it o es fro .
• Potential sources of risk include at least the following: commercial relationships
and obligations, legal expectations and liabilities, economic shifts and
circumstances, technological innovations and upheavals, political changes and
trends, natural events and forces, human frailties and tendencies, and
management shortcomings and excesses.
• All of these elements could potentially generate a risk that must be managed.

event

• An event could be one occurrence, several occurrences, or even a non-occurrence (when something doesn't happen that was supposed to happen).
• It can also be a change in circumstances.
• Events are sometimes referred to as incidents or accidents.
• Events always have causes and usually have consequences.
• Events without consequences are sometimes referred to as
near-misses, near-hits, or close-calls.

5.4 carry out the organization's risk assessment process
5.4.3 analyze your organization's risks
• Analyze the risks that your organization faces.
• Estimate your organization's level of risk.
• Specify how much confidence you have in your analysis.
• Use your risk analysis to understand your organization's risks.
• Communicate the results of your risk analysis.

risk analysis

• Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that the organisation has identified and to estimate the level of risk.
• It is also used to study impacts and consequences and to examine the controls that currently exist.
• How detailed the risk analysis ought to be will depend upon the risk, the purpose of the analysis, the information the organisation has, and the resources available.

level of risk

• The level of risk is its magnitude.
• It is estimated by considering and combining consequences and likelihoods.
• A level of risk can be assigned to a single risk or to a combination of risks.
• A consequence is the outcome of an event and has an effect on
objectives.
• Likelihood is the chance that something might happen.

5.4 carry out the organization's risk assessment process
5.4.4 evaluate the organization's risks
• Use the risk analysis results to evaluate the organization's risks.
• Use the risk analysis results to consider the risk treatment options.

risk evaluation

• Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
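The "level of risk" and "risk evaluation" slides above describe two steps that are easy to blur in practice: combining likelihood and consequence into a level (analysis), then comparing that level with risk criteria set when the context was established (evaluation). The following Python is an added example, not code from the slides or from ISO 31000. The 5x5 consequence/probability matrix, the level labels, the risk criteria and the four register entries are all assumed or constructed for illustration; an organisation substitutes its own.

```python
"""Consequence/probability matrix with risk criteria.

Added example; the matrix, level labels, criteria and register rows are assumed,
not taken from ISO 31000 or the slides.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    """Outcome of risk evaluation against the organisation's risk criteria."""
    ACCEPTABLE = "acceptable"        # no further treatment required
    TOLERABLE = "tolerable"          # kept as is, but monitored and reviewed
    TREAT = "requires treatment"     # outside criteria: select treatment options


@dataclass(frozen=True)
class Risk:
    """One risk register entry (constructed sample fields)."""
    ref: str
    source: str        # where the risk originates (technological, human, ...)
    event: str         # occurrence or change in circumstances
    likelihood: int    # 1 rare .. 5 almost certain
    consequence: int   # 1 insignificant .. 5 catastrophic


# Assumed 5x5 consequence/probability matrix: rows = likelihood, columns = consequence.
# L = low, M = medium, H = high, E = extreme. An organisation sets this in its context.
MATRIX = [
    ["L", "L", "M", "M", "H"],  # 1 rare
    ["L", "L", "M", "H", "H"],  # 2 unlikely
    ["L", "M", "M", "H", "E"],  # 3 possible
    ["M", "M", "H", "E", "E"],  # 4 likely
    ["M", "H", "H", "E", "E"],  # 5 almost certain
]
RANK = {"L": 1, "M": 2, "H": 3, "E": 4}  # ordinal so levels can be compared and sorted

# Assumed risk criteria: which levels the organisation accepts, tolerates or must treat.
RISK_CRITERIA = {"L": Decision.ACCEPTABLE, "M": Decision.TOLERABLE,
                 "H": Decision.TREAT, "E": Decision.TREAT}


def level_of_risk(likelihood, consequence):
    """Risk analysis step: combine likelihood and consequence into a level via the matrix."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be on the 1..5 scale")
    return MATRIX[likelihood - 1][consequence - 1]


def evaluate(level, criteria=RISK_CRITERIA):
    """Risk evaluation step: compare an analysed level with the risk criteria."""
    return criteria[level]


def combined_level(levels):
    """Level for a combination of risks: the highest level among them (assumed rule)."""
    return max(levels, key=RANK.__getitem__)


def assess(register, criteria=RISK_CRITERIA):
    """Analyse and evaluate each entry; rows are (ref, level, decision), highest level first."""
    rows = [(r.ref, level_of_risk(r.likelihood, r.consequence)) for r in register]
    rows = [(ref, lvl, evaluate(lvl, criteria)) for ref, lvl in rows]
    rows.sort(key=lambda row: RANK[row[1]], reverse=True)  # stable: ties keep register order
    return rows


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("R-01", "technological", "Unpatched internet-facing server is compromised", 4, 5),
    Risk("R-02", "human", "Staff member acts on a phishing e-mail", 5, 3),
    Risk("R-03", "natural", "Flood disables the primary data centre", 1, 5),
    Risk("R-04", "management", "Backup restore procedure is never exercised", 2, 2),
]

if __name__ == "__main__":
    for ref, lvl, decision in assess(SAMPLE_REGISTER):
        print(f"{ref}: level {lvl} -> {decision.value}")
    print("register as a whole:", combined_level(r[1] for r in assess(SAMPLE_REGISTER)))
```

The combining rule is a lookup matrix rather than a likelihood-times-consequence product on purpose: a product scores a rare but catastrophic event (R-03) the same as a routine nuisance, whereas the matrix lets the organisation place such events in the "high" band explicitly. Keeping the matrix and the criteria as data, separate from the analysis and evaluation functions, mirrors the slides' split between establishing the context (5.3), analysing (5.4.3), evaluating (5.4.4) and later reviewing (5.6): the criteria can be revised without touching the scoring code.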

5.5 formulate and implement the risk treatment plans
5.5.1 explore the organization's risk treatment options
• Establish a cyclical risk treatment process.
• Consider the organization's risk treatment options.

control

• A control is any measure or action that modifies risk.
• Controls include any policy, procedure, practice, process, technology, technique,
method, or device that modifies or manages risk.
• Risk treatments become controls, or modify existing controls, once they have
been implemented.

5.5 formulate and implement the risk treatment plans
5.5.2 select the organization's risk treatment options
• Select the most appropriate risk treatment options.
• Plan the implementation of the risk treatments.

5.5 formulate and implement the risk treatment plans
5.5.3 prepare risk treatment implementation plans
• Document the organization's risk treatment plans.
• Discuss risk treatment plans with all participants.
• Carry out the risk treatment implementation plans.

5.6 monitor and review the risk management process

• Plan the risk management monitoring and review processes.
• Monitor and review all aspects of the risk management process.
• Record the organization's monitoring and review results.
• Report the risk management monitoring and review results.

5.7 maintain a record of risk management activities

• Create and maintain records to support the risk management process.
• Use the records to support the risk management process.

Risk assessment techniques

Risk assessment

Risk assessment is that part of risk management which provides a structured process that identifies how objectives may be affected, and analyses the risk in terms of consequences and their probabilities before deciding on whether further treatment is required.
Risk assessment attempts to answer the following fundamental questions:
• what can happen and why (by risk identification)?
• what are the consequences?
• what is the probability of their future occurrence?
• are there any factors that mitigate the consequence of the risk or that reduce the
probability of the risk?
• Is the level of risk tolerable or acceptable and does it require further treatment?

selection of risk assessment techniques

• Risk assessment may be undertaken in varying degrees of depth and detail and
using one or many methods ranging from simple to complex.
• The form of assessment and its output should be consistent with the risk criteria
developed as part of establishing the context.
• In general terms, a suitable technique should exhibit the following characteristics:
  • it should be justifiable and appropriate to the situation or organization under consideration;
  • it should provide results in a form which enhances understanding of the nature of the risk and how it can be treated;
  • it should be capable of use in a manner that is traceable, repeatable and verifiable.
types of risk assessment techniques
1. Brainstorming
2. Structured or semi-structured interviews
3. Delphi
4. Check-lists
5. Primary hazard analysis
6. Hazard and operability studies (HAZOP)
7. Hazard Analysis and Critical Control Points (HACCP)
8. Environmental risk assessment
9. Structured « What if? » (SWIFT)
10. Scenario analysis
11. Business impact analysis (BIA)
12. Root cause analysis (RCA)
13. Failure mode effect analysis (FMEA)
14. Fault tree analysis
15. Event tree analysis
16. Cause and consequence analysis
17. Cause-and-effect analysis
18. Layer protection analysis (LOPA)
19. Decision tree
20. Human reliability analysis
21. Bow tie analysis
22. Reliability centered maintenance
23. Sneak circuit analysis
24. Markov analysis
25. Monte Carlo simulation
26. Bayesian statistics and Bayes Nets
27. FN curves
28. Risk indices
29. Consequence/probability matrix
30. Cost/benefit analysis
31. Multi-criteria decision analysis (MCDA)
applicability of tools used for risk assessment
Columns follow the risk assessment process: risk identification; risk analysis (consequence, probability, level of risk); risk evaluation.
SA = strongly applicable, A = applicable, NA = not applicable.

Tools and techniques                                | Risk identification | Consequence | Probability | Level of risk | Risk evaluation
Brainstorming                                       | SA | NA | NA | NA | NA
Hazard and operability studies (HAZOP)              | SA | A  | A  | A  | A
Hazard Analysis and Critical Control Points (HACCP) | SA | SA | NA | NA | SA
Environmental risk assessment                       | SA | SA | SA | SA | SA
Structured « What if? » (SWIFT)                     | SA | SA | SA | SA | SA
Business impact analysis                            | A  | SA | A  | A  | A
Root cause analysis                                 | NA | SA | SA | SA | SA
Failure mode effect analysis                        | SA | SA | SA | SA | SA
Fault tree analysis                                 | A  | NA | SA | A  | A
Event tree analysis                                 | A  | SA | A  | A  | NA
Cause and consequence analysis                      | A  | SA | SA | A  | A
Cause-and-effect analysis                           | SA | SA | NA | NA | NA
Consequence/probability matrix                      | SA | SA | SA | SA | A