ISO 31000 Course PowerPoint v4
Legal Disclosure: All quotes and references from the ISO standard have been copied from the Indian government's public domain document, which can be found at https://archive.org/details/gov.in.is.iso.31000.2009
See the FOREWORD on page iv of the standard for another perspective on the differences.
Timeline of risk management milestones (reconstructed from the slide):
1921: First book on risk management by Frank Knight, "Risk, Uncertainty and Profit."
1956: Harvard Business Review publishes "Risk Management – Uncertainty and Profit" on insurance.
1962: Rachel Carson publishes "The Silent Spring", launching the environmental movement.
1966: The Institutes (formerly the Insurance Institute of America) creates the ARM for the insurance industry.
1975: American Society of Insurance Mgmt. becomes RIMS. They publish an article in Fortune called "The Risk Management Revolution."
1979: Kahneman demonstrates that people can be irrational when making decisions.
1983: A former EPA director delivers "Science, Risk and Public Policy" at the Nat'l Academy of Science.
1987: Black Monday.
1992: BP self-insures operations above $10M.
1995: Australia publishes 4360. Same year, a trader for Barings Bank takes down the entire bank on a single trade.
2000: Y2K has no effect.
9/11/2001: Enron collapses. Sarbanes-Oxley passed.
2004: Publication of COSO II and the Basel II Accords.
2008: Financial Crisis.
2009: ISO 31000 is published.
2010: Dodd-Frank Wall Street reform.
2012: JPMorgan Chase & the London Whale.
2013: Popular LinkedIn ISO 31000 Group tops 23,000 members (2018: 64,000+).
2015: Quality Management Systems Standard ISO 9001 includes Risk-Based Thinking.
2015: ISO 31000 active revision process begins; ISO 31000:2018 to be published.
Section 0: Introduction
Risk Management Architecture
A most important diagram: Figure 1
Section 1: Scope
Quiz Questions
Organizations of all types and sizes face external and internal factors and influences that make it uncertain (when and) whether they will achieve their objectives.
Managing risk is part of governance and leadership, and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.
The Retired Figure 1 (ISO 31000:2009 architecture): Eight Principles → Framework (Leadership & Commitment; Design of Framework; Implementing Risk Management; Evaluation; Continual Improvement) → Process. The framework and process sections are built upon the eight principles.
Section 1: Scope
This document provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context.
This document provides a common approach to managing any type of risk and is not industry- or sector-specific.
This document can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.
(This standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.)
3.6 consequence
outcome of an event (3.5) affecting objectives
NOTE 1: A consequence can be certain or uncertain and can have positive or negative direct or indirect effects on objectives.
NOTE 2: Consequences can be expressed qualitatively or quantitatively.
NOTE 3: Initial consequences can escalate through cascading and cumulative effects.
PROS CONS
A = True B = False
A. Uncertainty is risk.
B. The effects of uncertainty.
C. Effect of uncertainty on objectives.
D. Both 'A' and 'B' are true.
A. Occurrence
B. Change of a particular set of circumstances
C. Something which does not happen
D. All of the above
© ISO 31000 Architecture for Risk Management 46
Q7. A risk source is defined as:
A. Person or entity who presents a portfolio which may cause risk
B. Element which alone or in combination has the potential to give rise to risk
C. None of the above
• What is PDCA?
Framework diagram (clause 5): Principles feed into 5.2 Leadership & Commitment at the centre, surrounded by 5.3 Integration, 5.4 Design, 5.5 Implementation, 5.6 Evaluation and 5.7 Improvement.
5.2 Leadership and Commitment
Create strong and sustained commitment to the management of uncertainty!
What is governance?
a policy, a statement or other forms
It is an input to decision making, not joint decision making.
A. A two-way activity.
B. Sharing decision making with stakeholders.
C. Both of the above.
D. None of the above.
Framework diagram (clause 5), with 5.5 expanded: 5.2 Leadership & Commitment at the centre; 5.3 Integration; 5.4 Design; 5.5 Implementation of Framework AND Implementation of Risk Mgmt. Process (section 6); 5.6 Evaluation; 5.7 Improvement.
1) All of the above will be judged primarily on their consistency with the ISO 31000 standard and the inclusion of adequate detail which, when read by a professional in that industry, will pass for an actual company Risk Management Framework (i.e. include names, position titles, departments and functions, and real-life scenarios).
This paper should NOT include actual risk management processes (Section 6).
While risk criteria should be established at the beginning of the risk assessment process, they are dynamic and should be continually reviewed and amended, if necessary.
2.17 event
occurrence or change of a particular set of circumstances
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an "incident" or "accident".
NOTE 4 An event without consequences (2.18) can also be referred to as a "near miss", "incident", "near hit" or "close call".
It is important to identify the risks associated with not pursuing an opportunity.
PROCESS, Section 5.4 – RISK ASSESSMENT
The aim of this step is to generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives.
Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis.
Unless you can predict the future, you often need to resort to estimation during risk analysis!
f) sharing the risk with another party or parties (including contracts and risk financing); and
g) retaining the risk by informed decision.
5.6 Monitoring and Review
Ensure that controls are effective and efficient in both design and operation;
Obtain further information to improve risk assessment;
Analyze and learn lessons from events (including near misses), changes, trends, successes and failures;
Detect changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities; and
Identify emerging risks.
(Chart: ISO 31000 Process 75% / 25%)