
ISO 31000:2018

Architecture for Risk Management


Instructor: Allen Gluck, M.A. Leadership, CT31000
Adjunct Professor, Manhattanville School of Business
Member US Technical Advisory Groups to TC 262 & TC 176
V4.0 - Spring 2018

© ISO 31000 Architecture for Risk Management


Goals for this course:
Gain a comprehensive and holistic understanding of the nature of risk and
how to best manage it
Learn to distinguish ISO 31000 from others including industry specific
standards
What is ISO 31000 past and present?
Learn how to apply this standard at a workplace
Learn how to create a Risk Management culture
Master the standard’s philosophy, vocabulary and content
Pass mid-term exam
Learn how to create a framework for Risk Management (Final Paper)

Legal Disclosure: All quotes and references from the ISO standard have been copied from the Indian government’s public
domain document, which can be found at https://archive.org/details/gov.in.is.iso.31000.2009



Course Basics and Exam Tips
Tips to pass this course:
Mastery of the 8 vocabulary terms and 8 principles including the ability
to reference Guide 73
Read the standard in its entirety many times to understand the ideas
behind risk management and its application in a business
Don’t browse or text during the class lectures or group work.
Vocabulary words will be highlighted in red, and taught in the
course of the training.
All direct quotes from either the 2009 or the 2018 standard
appear in blue on this PowerPoint.
If you hear the words, “this is very important,” you should
consider that it is an idea or concept that may appear in the
exam.



What is Risk Management?
3.2 risk management: coordinated activities to direct and control an organization with regard to risk
Managing risk is simply managing uncertainty.
We all do this every day, in both our professional and personal lives.
All organizations do this, whether formally or informally.

Managing uncertainty = Making decisions considering the possible effects of uncertainty



What is ISO 31000?
It is an international standard for managing risk.
The number 31000 is arbitrary. It has no meaning.
The first version of this standard was created over a period of
five years by hundreds of volunteers and published in 2009.
The standard was under revision from 2013-2017 and a Final
Draft International Standard (FDIS) has been published.
This revision will be finalized in February 2018. This is the first
professional course in the world focusing on the new standard.



ISO 31000:2018 Timeline



What’s Different in 2018?
2009 -> 2018
23 pages -> 16 pages
Full of jargon -> Most jargon removed
Emphasis on ‘positive’ consequences -> Emphasis removed
De-emphasized ‘recording’ -> New focus on recording
Introduced Communication and Consultation -> Redefined communication & consultation
Purist, philosophical perspective on management vs. governance -> Focus on Governance & Leadership

See the FOREWORD on page iv of the standard for another perspective on the differences.



What’s the Same?
Focus on objectives
Centrality of risk management framework
Built on PDCA
Importance of Continuous improvement

Both standards are composed of conceptual ‘building blocks’. Many of these ideas only become clear after later sections of the standard are learned and well understood.



What are the advantages of ISO 31000?
ISO 31000 provides:
A systematic and logical process for managing uncertainty.
A simple blueprint for implementation in your organization.
A methodology which focuses on company vision, mission and
objectives.

Companies which already have a formal process for the management of uncertainty can use ISO 31000 to carry out a critical review of their existing practices and processes.



Why Manage Risk?
3.1 Risk - Effect of uncertainty on objectives
Note 1: An effect is a deviation from the expected. It can be positive, negative or both. An effect can arise as a result of a response, or failure to respond, to an opportunity or to a threat related to objectives.
Note 2: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences (3.6) and their likelihood (3.7).

All activities of an organization involve risk.
Internal and external factors and influences make it uncertain whether and when organizations will achieve their objectives.
All organizations manage risk to some degree. Why? Because managers desire to achieve their objectives!
The adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization.



New Standard Stats
One Purpose
Eight Principles
Eight Definitions
Four Step Iterative Framework
Six Component Iterative Process
2 Plans



The Evolution of Formal Risk Management

1921: First book on risk management by Frank Knight, “Risk, Uncertainty and Profit.”
1956: Harvard Business Review publishes “Risk Management – Uncertainty and Profit” on insurance.
1962: Rachel Carson publishes “The Silent Spring”, launching the environmental movement.
1966: The Institutes, formerly Insurance Institute of America, creates the ARM for the insurance industry.
1975: American Society of Insurance Mgmt. becomes RIMS. They publish an article in Fortune called, “The Risk Management Revolution.”

The Evolution of Formal Risk Management

1979: Kahneman demonstrates that people can be irrational when making decisions.
1983: A former EPA director delivers, “Science, Risk and Public Policy” at Nat’l Academy of Science.
1987: Black Monday
1992: BP self insures operations above $10M.
1995: Australia publishes 4360. Same year, a trader for Barings Bank takes down entire bank on single trade.

The Evolution of Formal Risk Management

2000: Y2K has no effect.
9/11/2001: Enron collapses. Sarbanes Oxley passed.
2004: Publication of COSO II and the Basel II Accords
2008: Financial Crisis
2009: ISO 31000 is published

The Evolution of Formal Risk Management

2010: Dodd-Frank Wall Street reform
2012: JPMorgan Chase & the London Whale
2013: Popular LinkedIn Group tops 23,000 (2018: 64,000+)
2015: Quality Management Systems Standard ISO 9001 includes Risk-Based Thinking
2015: ISO 31000 active revision process begins
2018: ISO 31000:2018 to be published

The Scope of Risk Management
3.2 risk management: coordinated activities to direct and control an organization with regard to risk (2.1)

The practice of risk management has been developed over time and within many sectors in order to meet diverse needs.
Is there a sector which doesn’t need to be managing risk?

Some sectors:
Insurance
Financial, Banking, Equities
Medicine, Medical Devices
Energy: Nuclear, Gas, Oil, Wind
Environmental
Health and Safety
Aerospace and Aviation
Quality Management

In this course, the expressions “risk management” and “managing risk” are both used.
Generally, risk management refers to ideas being taught about the operational structure a company needs to manage risk effectively.
Managing risk refers to applying the company’s architecture or framework to its particular risks.

Voluntary Frameworks and Mandatory Governance

Voluntary “Risk Management” Frameworks:
IRM 2002
COSO:2004 - ERM Integrated Framework
Solvency II:2009 Risk management for insurance companies
Q9 QRM:2009
Basel III:2010
ISO 9001:2015 Quality Management Systems
ISO 31000:2018 - Risk Management Guidance

Mandatory Governance Requirements:
Sarbanes-Oxley Act:2002 (RM requirements for U.S. public companies)
Dodd-Frank Act:2010 (Capital requirements for US banks)
Solvency II:2014 - Capital requirements for EU insurance companies (and US subsidiaries)
Basel III (Banking, Federal Reserve and the EU)
AML-KYC-CFT, FATF, FATCA



Which is better: industry-specific or generic standards?

This course is designed to teach you:
how to build a tailored risk management framework based on generic standards
Embed it within your entire organization
Implement your framework and launch risk management processes

Why?
It creates tremendous value
It is time-appropriate
It is achievable



The Dawn of the Generic ISO 31000 Standard
3.3 stakeholder: person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
Note 1: The term “interested party” can be used as an alternative to “stakeholder”.

2009 – 2018 an evolution
Organizations are not intended to be certified to the ISO 31000 standard, yet certifications are evolving.
Organizations can undertake a risk management maturity assessment (RMMA).

The value of standardization:
International consensus
Best practices?
Single global reference for all stakeholders
Broadest application
An umbrella for 60+ specialized standards

Is ISO 31000 a Management System?

According to ISO’s website, “A management system describes the set of procedures an organization needs to follow (i.e. must follow) in order to meet its objectives.”

This framework is not intended to prescribe a management system, but rather to assist the organization to integrate risk management into its overall management system.

The Answer: Risk management is tailored due to the dynamic nature of risk.

How about Enterprise Risk Management?

Other Risk Management:
Scope of “Risk”: Hazards only
Loss vs. No Loss
Its promise: Restore an organization to its former pre-loss condition
Focus on the accidental loss
Focus on specific loss exposure

ISO 31000 Risk Management:
Scope of Risk: Hazards + Business risk + Opportunity
Gain vs. Loss vs. No Loss
Its promise: Enable an organization to fulfill its greatest productive potential
Focus on the value of the organization
Focus on an organization as a whole
More than all: Focus on the Objectives!

Risk Management Principles and Guidelines

Section 0: Introduction
Risk Management Architecture
A most important diagram: Figure 1

Section 1: Scope
Quiz Questions



Introduction
This document is for use by people who create and protect value in organizations
by managing risks, making decisions, setting and achieving objectives and
improving performance.

Organizations of all types and sizes face external and internal factors and influences
that make it uncertain (when and) whether they will achieve their objectives.

Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.

Managing risk is part of governance and leadership, and is fundamental to how the
organization is managed at all levels. It contributes to the improvement of
management systems.



Introduction, Continued
Managing risk is part of all activities of an organization and includes interaction with stakeholders.

Managing risk considers the external and internal context of the organization, including human behavior and cultural factors.

Managing risk is based on the principles, framework and process outlined in this document, as illustrated in Figure 1.

These components might already exist in full or in part within the organization, however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent.

Side notes:
All activities of an organization involve risk.
Risk Management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.
A key feature of this standard is the inclusion of “establishing the context”.

Figure 1

The Retired Figure 1:

My Figure 1: The ISO 31000 Risk Management Architecture

The FRAMEWORK rests upon the 8 PRINCIPLES.

[Figure: a cycle of Leadership & Commitment, Design of Framework, Implementing Risk Management, Evaluation and Continual Improvement, resting on the Eight Principles.]

A Modified Figure 1:

The framework and process sections are built upon the eight principles.

[Figure: a cycle of Leadership & Commitment, Design of Framework, Implementing Framework and Process, Evaluation and Continual Improvement, resting on the Eight Principles.]

The Value Proposition of Robust ERM
Increase the likelihood of achieving objectives
Be aware of the need to identify and treat risk throughout the organization
Comply with relevant legal and regulatory requirements and international norms
Improve mandatory and voluntary reporting
Improve governance
Improve stakeholder confidence and trust
Establish a reliable basis for decision making and planning
Improve operational effectiveness and efficiency
Improve organizational learning
Improve organizational resilience

Section 1: Scope
3.6 consequence: outcome of an event (3.5) affecting objectives
NOTE 1: A consequence can be certain or uncertain and can have positive or negative direct or indirect effects on objectives.
NOTE 2: Consequences can be expressed qualitatively or quantitatively.
NOTE 3: Initial consequences can escalate through cascading and cumulative effects.

This document provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context.
This document provides a common approach to managing any type of risk and is not industry- or sector-specific.
This document can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.
(This standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.)

Standardization vs Uniformity
This standard is not intended to promote uniformity of risk
management across organizations because no two
organizations have the same context and the design and
implementation of risk management takes into account
the varying needs of an organization, its objectives,
context and specific practices.



Certification of Organizations – The Controversy
“This standard is not intended for the purpose of certification.”

PROS
• Validation by external independent third parties
• Validation of the decision-making process
• Mandatory obligation in specific sectors/areas
• Confidence of stakeholders to an internationally recognized standard

CONS
• Rarely objective, and different in each country
• Additional burden on resources with no tangible gain because certified companies do not enjoy better performance
• Sense of false security
• May result in legal mandates
• In a legal dispute, records of non-conformance are a source of negligence
• Too much focus on audits and not enough on process!

Quiz

INTRODUCTION and SCOPE

A = True B = False



Q1. True or False?

The profession of Risk Management began in 1921.



Q2. True or False?

Risk Management is best suited for mid-size to large public corporations.



Q3. Regarding ISO 31000:

A. It is a management system for risk.
B. It is a guidance document intended to
promote uniformity of risk management
across organizations.
C. Neither ‘A’ nor ‘B’ are true.
D. Both ‘A’ and ‘B’ are true.



Q4. Regarding certification for ISO 31000:
A. Only ISO in Geneva and its international
representatives are authorized to certify
organizations.
B. Certification of organizations is not discussed in
ISO 31000:2018.
C. Neither ‘A’ nor ‘B’ are true.
D. Both ‘A’ and ‘B’ are true.



Q5. What is Risk?

A. Uncertainty is risk
B. The effects of uncertainty
C. Effect of uncertainty on objectives.
D. Both ‘A’ and ‘B’ are true.



Section 2: Terms and Definitions
Vocabulary words are always highlighted in red. Let’s look them up now:
3.1 Risk 3.2 Risk Management 3.3 Stakeholder

3.4 Risk Source 3.5 Event 3.6 Consequence

3.7 Likelihood 3.8 Control

More Terms and Definitions

What is Guide 73:2009?
It contains 49 terms and definitions:
29 of which are in the 2009 standard and
Only 8 of which are in the 2018 standard.
What does this declining list say about the editors’ opinion on definitions?
How important is vocabulary?
Critical for passing your exam
Important for coherence in education and training of others
Useful in establishing a common vocabulary throughout your company
But even language for risk management should be tailored to your sector and
organization
What is a Risk Manager?

Contents of ISO Guide 73
• 1.1 RISK
• 2.1 RISK MANAGEMENT
• 2.1.1 RISK MANAGEMENT FRAMEWORK
• 2.1.2 RISK MANAGEMENT POLICY
• 2.1.3 RISK MANAGEMENT PLAN
• 3.1 RISK MANAGEMENT PROCESS
• 3.2.1 COMMUNICATION & CONSULTATION
• 3.2.1.1 STAKEHOLDER
• 3.2.1.2 RISK PERCEPTION
• 3.3.1 ESTABLISHING THE CONTEXT
• 3.3.1.1 EXTERNAL CONTEXT
• 3.3.1.2 INTERNAL CONTEXT
• 3.3.1.3 RISK CRITERIA
• 3.4.1 RISK ASSESSMENT
• 3.5.1 RISK IDENTIFICATION
• 3.5.1.1 RISK SOURCE
• 3.5.1.2 EVENT
• 3.5.1.3 HAZARD
• 3.5.1.4 RISK OWNER
• 3.6.1 RISK ANALYSIS
• 3.6.1.1 LIKELIHOOD
• 3.6.1.2 EXPOSURE
• 3.6.1.3 CONSEQUENCE
• 3.6.1.4 PROBABILITY
• 3.6.1.5 FREQUENCY
• 3.6.1.6 VULNERABILITY
• 3.6.1.7 RISK MATRIX
• 3.6.1.8 LEVEL OF RISK
• 3.7.1 RISK EVALUATION
• 3.7.1.1 RISK ATTITUDE
• 3.7.1.2 RISK APPETITE
• 3.7.1.3 RISK TOLERANCE
• 3.7.1.4 RISK AVERSION
• 3.7.1.5 RISK AGGREGATION
• 3.7.1.6 RISK ACCEPTANCE
• 3.8.1 RISK TREATMENT
• 3.8.1.1 CONTROL
• 3.8.1.2 RISK AVOIDANCE
• 3.8.1.3 RISK SHARING
• 3.8.1.4 RISK FINANCING
• 3.8.1.5 RISK RETENTION
• 3.8.1.6 RESIDUAL RISK
• 3.8.1.7 RESILIENCE
• 3.8.2.1 MONITORING
• 3.8.2.2 REVIEW
• 3.8.2.3 RISK REPORTING
• 3.8.2.4 RISK REGISTER
• 3.8.2.5 RISK PROFILE
• 3.8.2.6 RISK MANAGEMENT AUDIT

RISK is the effect of uncertainty on your objectives

3.1 risk: effect of uncertainty on objectives
Note 1: An effect is a deviation from the expected. It can be positive, negative or both and can address, create or result in opportunities and threats.
Note 2: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences (3.6) and their likelihood (3.7).

Negative consequence:
Property damage, destruction
Loss of revenue, loss of money
Health damage, injury, death
Liability

And/or

Positive consequence:
New and safe construction
Profit, return on investment
Quality of life, employment
Opportunities

Importance of Focusing Upon Objectives
Objectives can have different aspects:
financial
health and safety
environmental
etc.
Objectives can apply at different levels
strategic
organization-wide
project
product and process
Objectives can be in concert with each other or can be in conflict
the objectives of the organization
the objectives of its stakeholders
the objectives of society as a whole.

‘Wordsmithing’ the Definition of Risk
“Risk is the effect of uncertainty on objectives?”
• An effect is a deviation from the expected – positive, negative or both.
• Uncertainty is the state, even partially, of deficiency of information relating to an event, its consequences or likelihood.

Objective: Make 1st Quarter #’s | Event: Stock market tanks | Does Uncertainty Exist? YES (likelihood), YES (consequences) | Can it Affect My Objective(s)? Yes (negatively) | RISK? YES
Objective: Distribute 99.5% defect-free product | Event: Supplier quality improves | Does Uncertainty Exist? YES (likelihood), NO (consequences) | Can it Affect My Objective(s)? Yes (positively) | RISK? YES
Objective: Distribute 99.5% defect-free product | Event: Supplier shortage, but quality-audited stock is in-house | Does Uncertainty Exist? YES (likelihood), NO (consequences) | Can it Affect My Objective(s)? NO | RISK? NO
Objective: ISP to have < 0.05% downtime | Event: Earthquake hits datacenter | Does Uncertainty Exist? YES (likelihood), NO (consequences) | Can it Affect My Objective(s)? NO (redundant data centers are online) | RISK? NO



Quiz on the
ISO 31000 risk Management standard

Terms and Definitions



Q6. An event is defined as:

A. Occurrence
B. Change of a particular set of
circumstances
C. Something which does not
happen
D. All of the above
Q7. A risk source is defined as:
A. Person or entity whom presents a portfolio
which may cause risk
B. element which alone or in combination has
the potential to give rise to risk
C. None of the above



Q8. A stakeholder is defined as:
A. Person or organization that can
affect or be affected by a decision
or activity
B. An interested party
C. People who own shares in the
organization
D. None of the above.



Q9. Which is a risk?

A. An event failure which hinders an objective
B. An event success which promotes an
objective
C. Both (a) and (b)
D. None of the above.



Q10. Which is a consequence?

A. A booming stock market
B. An earthquake in Mali
C. Both (a) and (b)
D. The outcome of an event which
affects my objectives



Q12. Which is risk management?

A. Effect of uncertainty on objectives
B. Coordinated activities to direct and
control an organization with regard to
risk
C. Both (a) and (b)
D. None of the above.



Q13. True or False:

Likelihood is the definitive probability or measure of whether an event will occur, whether or not its consequences affect your objectives.



Section 4: Principles



Figure 2: Principles
The principles provide guidance on the
characteristics of effective and efficient risk
management, communicating its value and
explaining its intention and purpose. The
principles are the foundation for managing
risk and should be considered when
establishing the organization’s risk
management framework and processes.
These principles should enable an
organization to manage the effects of
uncertainty on its objectives.
The Purpose of Risk Management is the Creation and Protection of Value
Risk Management contributes to the demonstrable achievement of objectives and improvement of performance in:
Human health & safety
Security
Legal and regulatory compliance
Public acceptance
Environmental protection
Product quality
Project management
Efficiency in operations
Governance and Reputation



a) Integrated
RM is not a stand-alone activity that is separate from
the main activities and processes of the organization.
RM is part of the responsibilities of management and
an integral part of all organizational processes,
including:
strategic planning,
all project management,
change management processes.



b) Structured and Comprehensive

A systematic, timely and structured approach to risk management contributes to
efficiency and
to consistent, comparable and reliable results.



c) Customized
Risk management’s framework and processes are
customized and proportionate with
the organization's external and internal context
related to its objectives
Establishing the context will capture the objectives
of the organization, the environment in which it
pursues those objectives and its stakeholders – all
of which will help reveal and assess the nature
and complexity of its risks.
internal context: internal environment in which the organization seeks to achieve its objectives
external context: external environment in which the organization seeks to achieve its objectives

d) Inclusive
Appropriate and timely involvement of
stakeholders enables their knowledge, views
and perceptions to be considered. This results in
improved awareness and informed risk
management.
This results in risk management remaining
relevant and up-to-date.

e) Dynamic
Risk Management must continually sense and respond to
change in a timely manner.

As external and internal events occur (i.e. change of context)
context and knowledge change,
new risks emerge,
some change, and
other risks disappear.

f) Best Available Information
The inputs to risk management are based on
historical and current information, as well as on
future expectations.
Risk management explicitly takes into account any
limitations and uncertainties associated with such
information and expectations. Information should be
timely, clear and available to relevant stakeholders.

g) Human and Cultural Factors
Human behavior and culture significantly influence all
aspects of risk management at each level and stage.

Risk management recognizes the capabilities,
perceptions and intentions of internal and external
people because these can all facilitate or hinder the
achievement of the organization's objectives.

h) Continual Improvement
• Risk management is
continually improved
through learning and
experience.

• What is PDCA?



Quiz

Principles



Q14. True or False?

You can customize your risk management processes but not the
terminology you use.



Q15. True or False?

It is preferred to use data that has matured and survived the test of time, rather than
up-to-the-minute data.



Q16. True or False?

Each step of the ISO 31000 processes must be integrated into your existing
management systems, whether or not
they enhance your current operations.



Q17. Which is a principle of ISO 31000?

A. Plan before you act
B. Inclusive
C. Neither of the above
D. Both of the above



Q18. Which are principles of ISO 31000?

A. Plan before you act
B. Best available information
C. Structured and comprehensive
D. ‘B’ and ‘C’



Q19. True or False?

Culture has a very limited effect on an organization’s context.



5: FRAMEWORK

In general terms, a framework is a real or conceptual structure intended to serve as a support or guide for the construction of something more – expanding the structure into something useful.

Why does my company need to create or ensure
the existence of a risk management framework?

The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making.

Having a framework assists the organization in integrating risk management into significant activities and functions.

So What Does it Take to Integrate Risk
Management?

Support from stakeholders, particularly top management.
A risk management framework provides an organizational
structure that will facilitate the use of consistent risk
management processes wherever decisions are being made.
This can include all projects, functions and activities, at all
levels of your organization.



Figure 3 and PDCA

[Figure 3: 5.2 Leadership & Commitment at the center, surrounded by the cycle 5.3 Integration, 5.4 Design, 5.5 Implementation, 5.6 Evaluation and 5.7 Improvement.]



Have an Objectives-based Approach
Aligning RM with Objectives
Assign Risk Ownership
Establish Risk Attitude
Communicating
Monitoring
Top Management:
• Board of Directors
• CEO, CFO, COO
• President & VP
Oversight Bodies:
• Internal and External Auditors
• Regulators
• Certifying Bodies



Leadership and Commitment is
a Predicate to an Effective Framework
Employ strategic and rigorous planning
Communicate benefits of risk management to
stakeholders
Ensure organization's culture and risk
management are aligned
Allocate necessary resources
Assign accountabilities
Ensure legal and regulatory compliance
Ensure framework for managing risk remains
appropriate to ever-changing context

5.2 Leadership and Commitment
Create strong and sustained commitment to the management of uncertainty!

Define and endorse a statement or policy of risk
management
Align risk management
objectives with the objectives
of the organization
Determine risk management
performance indicators which
align with other performance
indicators of the organization



5.3 Integration Into All Organizational Processes

Integration injects/translates objectives into the organizational structure (framework) of an organization.

Everyone in the organization has responsibility for managing risk.

What is governance?
Exercise of authority or control

Organizational Structures = Framework


5.3 Integration Into All Organizational Processes

• Integrating risk management relies on an understanding of organizational structures and
context.
• Structures differ depending on the organization’s
purpose, goals and complexity.
• Internal and external context change all the time!

• Integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization’s needs
and culture.
• Risk management should be a part of, and not separate from, the
organizational purpose, governance, leadership and commitment,
strategy, objectives and operations.



Section 5.4 Design

Before starting the design and implementation of the framework for managing risk, it is important to evaluate and understand both the external and internal context of the organization, since these can significantly influence the design of the framework.



5.4.1 Understanding of the Organization and its Context
Evaluating the organization's external context may
include, but is not limited to:
• the social and cultural, political, legal, regulatory,
financial, technological, economic, environmental
factors, whether international, national, regional
or local;
• key drivers and trends affecting the objectives of
the organization;
• external stakeholders’ relationships, perceptions,
values, needs and expectations;
• contractual relationships and commitments; and
• the complexity of networks and dependencies.


5.4.1 Understanding of the Organization and its Context
Examining the organization’s internal context may
include, but is not limited to:
vision, mission and values;
governance, organizational structure, roles and accountabilities;
strategy, objectives and policies;
the organization’s culture;
standards, guidelines and models adopted by the organization;
capabilities, understood in terms of resources and knowledge (e.g.
capital, time, people, intellectual property, processes, systems and
technologies);
data, information systems and information flows;
relationships with internal stakeholders, taking into account their
perceptions and values;
contractual relationships and commitments;
interdependencies and interconnections.

Section 5.4.2 Articulating Risk Management Commitment
Top management and oversight bodies, where applicable, should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey an organization’s objectives and commitment to risk management.

Section 5.4.2 Articulating Risk Management Commitment
The commitment should include, but is not limited to:
the organization’s purpose for managing risk and links to its objectives and other policies;
reinforcing the need to integrate risk management into the overall
culture of the organization;
leading the integration of risk management into core business activities
and decision-making;
authorities, responsibilities and accountabilities;
making the necessary resources available;
the way in which conflicting objectives are dealt with;
measurement and reporting within the organization’s performance
indicators;
review and improvement.
The risk management commitment should be communicated within an
organization and to stakeholders, as appropriate.

Section 5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities

Top management and oversight bodies, where applicable, should ensure that the authorities, responsibilities and accountabilities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization, and should:
emphasize that risk management is a core responsibility;
identify individuals who have the accountability and authority to manage risk (risk owners).

risk owner
person or entity with the accountability and authority to manage a risk
(From ISO 31000:2009)


5.4.3 Example
Safety Officer on Campus
Have they been identified?
Has this been communicated?
Do they have authority to make changes?
Do they have the budget?
Have they been trained to manage risk?

Think: Are they a risk manager? NO.
Do they manage risk? YES

My generic definition for risk manager:
Individuals responsible for educating, championing and leading an organization’s management of risk.
5.4.4 Allocating Resources
Top management and oversight bodies, where applicable, should ensure
allocation of appropriate resources for risk management, which can include,
but are not limited to:
people, skills, experience and competence;
the organization’s processes, methods and tools to be used for managing risk;
documented processes and procedures;
information and knowledge management systems;
professional development and training needs.
The organization should consider the capabilities of, and constraints on,
existing resources.

5.4.5 Establishing Communication and Consultation
The organization should establish an approved approach to communication and consultation in order to support the framework and facilitate the effective application of risk management.

Communication involves sharing information with targeted audiences.

Consultation also involves participants providing feedback with the expectation that it will contribute to and shape decisions or other activities.


5.4.5 Establishing Communication and Consultation
Communication and consultation methods and content should reflect the
expectations of stakeholders, where relevant.
Communication and consultation should be timely and ensure that relevant
information is collected, collated, synthesized and shared, as appropriate,
and that feedback is provided and improvements are made.



At all times and especially prior to making a decision or determining a direction on an issue:

Communication and consultation is a process which impacts on a decision through influence rather than power.

It is an input to decision making, not joint decision making.


Let’s assess our readiness for Implementation
Has management asserted a strong and sustained commitment to the
management of uncertainty? (5.2)
Is there a commonly accepted and consistent way in which uncertainties are
identified and managed in your organization and is it integrated with your other
policies, practices and processes? (5.3)
Do you have a high-level plan to ensure your risk management statement or
policy is implemented? Do you have low-level plans in place to manage
individual uncertainties? (5.4.2)
Do all staff and management understand they have a role in managing
uncertainty? Have you clearly assigned accountabilities for your plan to
implement your framework? Have you clearly assigned risk ownership for
managing individual uncertainties? (5.4.3)

Let’s assess our readiness for Implementation
Have you allocated the necessary resources to manage
uncertainties properly, including training or otherwise
building staff competencies? (5.4.4)
Have you communicated and consulted with your internal
and external stakeholders in developing your risk
management policy, plans and risk management process?
(5.4.5)
Have you established an approach to effective two-way
communication and consultation? Are you giving
stakeholders an opportunity to influence decisions being
made? (5.4.5)

The design of your framework is complete!
You still need to implement:
your organization’s framework for managing risk, and
your organization’s processes for managing risk.
To do so:
define the appropriate timing and strategy for implementing the framework;
develop a plan;
hold information and training sessions; and
explicitly address risk in all decision making by implementing risk management processes.


Quiz

DESIGN OF YOUR FRAMEWORK



Q19. The way your organization will resolve
conflicting interests should be accounted for in:

A. Leadership and Commitment
B. Communication and Consultation
C. Understanding the organization and its context
D. Articulating risk management commitment


Q20. True or False?

Establishing the context should be established immediately after you design your framework.


Q21. A Risk Management framework is:

A. Leadership and Commitment
B. An intangible idea
C. An organizational structure that facilitates doing risk management processes
D. All of the above


Q23. Integration is important because:
A. All activities in an organization involve risk.
B. Management structures translate governance direction
into the strategy and associated objectives required to
achieve desired levels of sustainable performance and
long-term viability.
C. The success of risk management will depend on the
effectiveness of the management framework providing the
organizational structures that will embed it throughout
the organization.
D. All of the above.

Q24. Communication and Consultation is:

A. A two-way activity.
B. Sharing decision making with
stakeholders.
C. Both of the above.
D. None of the above.



5.5 Implementation
Implement the framework in your
organization by:
• Seeing that the organizational framework is understood
• Planning times and resources
• Determining who, when and where decisions are made
• Updating decision-making to comply with Section 6, Figure 4


5.5 Framework Refinement AND the Risk Management Process (Section 6)
are BOTH Part of Risk Management
[Framework diagram: 5.2 Leadership & Commitment at the centre, surrounded by 5.3 Integration, 5.4 Design, 5.5 Implementation of Framework AND Implementation of Risk Mgmt. Process (Section 6), 5.6 Evaluation and 5.7 Improvement]

3.2 risk management
coordinated activities to direct and control an organization with regard to risk (3.1)


5.5 Implementation requires:

Awareness and engagement of stakeholders, enabling:
Explicitly addressing uncertainty and its effects
Integration in all organizational activities
Changes to context are captured and integrated


5.6 - Evaluation of the Framework and Risk Management Process
Actively:
Measure risk management performance against pre-established indicators
Review the effectiveness of the risk management framework
Measure progress against the implementation plan

Periodically:
Measure risk management framework performance against its purpose, implementation plans, indicators and expected behavior
Determine whether framework and process are still adequate given changes to the organization’s external and internal context
Determine whether it remains suitable to support achieving the objectives of the organization

5.7 - Continual Improvement
Based on results of evaluation,
decisions should be made on
how the risk management
framework, policy and
implementation plan can be
improved.
These decisions should lead to
improvements in the
organization's management of
risk and its risk management
culture.

5.7 - Continual Improvement
The organization should continually improve the suitability,
adequacy and effectiveness of the risk management
framework and the way the risk management process is
integrated.
As relevant gaps or improvement opportunities are identified,
the organization should develop plans and tasks and assign
them to those accountable for implementation. Once
implemented, these improvements should contribute to the
enhancement of risk management.

TERM PAPER
1) Create a hypothetical company in the industry of your choice (ex. health, environment, finance, agriculture, manufacturing, banking, insurance, etc.) It can be as large as IBM or as small as a lemonade stand. Write a 6-10 page paper describing your company’s risk management framework.

2) The framework must include a description of its design, including:
a. The company’s context
b. An articulation of risk management commitment
c. How integration was or will be achieved
d. How risk ownership was or will be achieved
e. How resources were or will be allocated
f. How communication and consultation was or will be achieved
g. How results will be evaluated, and improvements made
h. How the risk management process will be deployed

3) All of the above will be judged primarily based on its consistency with the ISO 31000 standard and the inclusion of adequate detail, which when read by a professional in that industry will pass for an actual company Risk Management Framework (i.e. include names, position titles, departments and functions and real-life scenarios.)

This paper should NOT include actual risk management processes (Section 6)

Section 6: PROCESS
6.1 The risk management process involves the systematic application of policies, procedures and practices to the activities of:
• communicating and consulting,
• establishing the context and
• assessing,
• treating,
• monitoring,
• reviewing,
• recording and
• reporting risk.


The Three Step Risk Management Process
Eight Components
6.2 Communication & Consultation
6.3 Establishing the Context (Step One)
6.4 Risk Assessment (Step Two)
6.4.2 Risk Identification
6.4.3 Risk Analysis
6.4.4 Risk Evaluation
6.5 Risk Treatment (Step Three)
6.6 Monitoring & Review
6.7 Recording and Reporting



6.2. Communication and Consultation



6.2 Communication and Consultation
A team approach to C & C may help:
develop an effective communication and consultation plan;
help establish the context in a comprehensive fashion;
bring different areas of expertise together for each step of the risk management process;
ensure that different views are appropriately considered when defining risk criteria and when evaluating risks;
provide sufficient information to facilitate risk oversight and decision-making;
ensure that the interests of stakeholders are understood and considered;
build a sense of inclusiveness and ownership among those affected by risk.


6.2 – C & C
• Communication and consultation with
stakeholders is important as they make
judgments about risk, based on their personal
perceptions of risk.
• Perceptions can vary due to differences in
values, needs, assumptions, ideas and
concerns.
• The stakeholder’s perceptions should be
identified, recorded, and taken into account in
the decision making process because their
views can have a significant impact on the
decisions to be made.



(Step One) -- 6.3. Scope, Context and Criteria

The purpose of establishing the context (i.e. the scope, the context and the risk criteria) is to customize the risk management process, enabling effective risk assessment and appropriate risk treatment.

Scope, context and criteria involve defining the scope of the particular decision-making process, and understanding the external and internal context.


(Step One) 6.3.2 – Defining the Scope
As the risk management process may be applied at different levels (e.g. strategic, operational, program, project, or other activities), it is important to be clear about the scope under consideration, the relevant objectives to be considered and their alignment with organizational objectives.

(Step One) -- 6.3.2 Defining the Scope
Include:
— objectives and decisions that need to be made;
— outcomes expected from the steps to be taken in
the process;
— time, location, specific inclusions and exclusions;
— appropriate risk assessment tools and techniques;
— resources required, responsibilities and records to
be kept;
— relationships with other projects, processes and
activities.



(Step One) -- 6.3.3 Establishing the Context (Again!)
The context of the risk management process should be established from the understanding of the external and internal environment in which the organization operates and should reflect the specific environment of the activity to which the risk management process is to be applied.

While many of these parameters are similar to those considered in the design of the risk management framework, when establishing the context for the risk management process, they need to be considered in greater detail and particularly how they relate to the scope of the particular risk management process.

Understanding the context is important because:
— risk management takes place in the context of the objectives and activities of the organization;
— organizational factors can be a source of risk;
— the purpose and scope of the risk management process may be interrelated with the objectives of the organization as a whole.


(Step One) – 6.3.4 – Defining Risk Criteria

Why Define the Criteria in Advance of the Decision-Making Activities?
By defining criteria to be used to evaluate the significance of a particular risk in advance, you prevent the occurrence of group-think and/or emotional decision-making.

(Step One) – 6.3.4 – Defining Risk Criteria
The organization should specify the amount and type of risk that it may or may not take, relative to objectives.

It should also define criteria to evaluate the significance of risk (level of risk) and to support decision-making processes.

Risk criteria should be aligned with the risk management framework and customized to the specific purpose and scope of the activity under consideration.

(Step One) – 6.3.4 – Defining Risk Criteria
Risk criteria should reflect the organization’s values, objectives and resources and be consistent with (culture and) policies and statements about risk management.

The criteria should be defined taking into consideration the organization’s obligations and the views of stakeholders.

While risk criteria should be established at the beginning of the risk assessment process, they are dynamic and should be continually reviewed and amended, if necessary.

(Step One) – 6.3.4 – Defining Risk Criteria
level of risk
Magnitude of a risk (or combination of risks), expressed in terms of:
• the combination of consequences and
• their likelihood.

To set risk criteria, the following should be considered:
— the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible);
— how consequences (both positive and negative) and likelihood will be defined and measured;
— time-related factors;
— consistency in the use of measurements;
— how the level of risk is to be determined;
— how combinations and sequences of multiple risks will be taken into account;
— the organization’s capacity.


Quiz

STEP ONE OF THE PROCESS



Q25. Which is true? Our Standard contains:

A. A three step process
B. An eight component process
C. Both of the above
D. Neither of the above.


Q26. Which is true? Our Standard contains:

A. A three step process
B. Eight principles
C. Both of the above
D. Neither of the above.


Q27. Which is true? Our Standard contains:

A. A three step process w/eight components
B. Eight definitions
C. Both of the above
D. Neither of the above.


Q28. Which is true?
A. Criteria should be established before
making a decision
B. Risk Criteria should be established
after the decision
C. Context should be established after
establishing the criteria
D. None of the above.

Q29. Which is true?
A. Communication seeks to promote awareness and
understanding of risk, whereas consultation involves
obtaining feedback and information to support decision-
making.
B. Communication and consultation aims to bring different
areas of expertise together for each step of the risk
management process
C. Communication and consultation aims to build a sense of
inclusiveness and ownership among those affected by risk
D. All of the above.



Q30. Which is true?

A. Implementation refers to the risk management framework
B. Implementation refers to the risk management process
C. Implementation refers to both of the above
D. Implementation refers to neither of the above.


The Risk Assessment Process – (Step Two)
Risk Identification
What is uncertain?
What are the sources of the uncertainty?
What are the causes?
What are the potential consequences?
Risk Analysis
What is the likelihood of the consequences?
Quantify the level of risk
Risk Evaluation
Compare fully-defined “risk” to your previously established risk criteria

6.4.1 Risk Assessment is the overall process of risk identification, risk analysis and risk evaluation.


The Risk Assessment Process – (Step Two)
6.4.2 The purpose of risk identification is to find, recognize and describe risks (i.e. effects of uncertainty on objectives) that might help or prevent an organization achieving its objectives.

Relevant, appropriate and up-to-date information is important in identifying risks.


PROCESS, Section 5.4 – RISK ASSESSMENT
5.4.2 Risk Identification. The organization should identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences.

It is important to identify the risks associated with not pursuing an opportunity.

2.17 event
occurrence or change of a particular set of circumstances
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.
NOTE 4 An event without consequences (2.18) can also be referred to as a “near miss”, “incident”, “near hit” or “close call”.

PROCESS, Section 5.4 – RISK ASSESSMENT
The aim of this step is to generate a
comprehensive list of risks based
on those events that might create,
enhance, prevent, degrade,
accelerate or delay the
achievement of objectives.

Comprehensive identification is
critical, because a risk that is not
identified at this stage will not be
included in further analysis.

Provide Sufficient Detail
‘There is a risk that a fraud occurs.’
It leaves too many questions:
What parts of the organization might be affected?
How might it occur?
Who in the organization might be affected?
What are the consequences?
What clues are there for developing treatments?

‘There is a risk that a researcher falsifies research findings resulting in cancellation of the program, loss of grant funds and reputational harm to the university.’
Much better description because it:
▪ Allows better consideration of causal factors
▪ Allows us to better frame consequence and likelihood
▪ Allows us to consider what existing controls are in place and how effective they are, such as: staff codes and professional conduct, peer review and quality assurance mechanisms, relationship management, reputational management.


PROCESS, Section 5.4.2 – RISK IDENTIFICATION
Identification should include risks whether or not their source is under the control of the organization, even though the risk source or cause may not be evident.

Risk identification should include examination of the knock-on effects of particular consequences, including cascade and cumulative effects. It should also consider a wide range of consequences even if the risk source or cause may not be evident.

3.4 risk source
element which alone or in combination has the potential to give rise to risk

PROCESS, Section 5.4.2 – RISK IDENTIFICATION
As well as identifying what might happen, it is necessary to consider possible causes and scenarios that show what consequences can occur. All significant causes and consequences should be considered.

The organization should apply risk identification tools and techniques that are suited to its objectives and capabilities, and to the risks faced. Relevant and up-to-date information is important in identifying risks.

This should include appropriate background information where possible. People with appropriate knowledge should be involved in identifying risks.

ISO 31010 Risk Assessment Techniques
Selection of Techniques. Risk assessment may be undertaken in varying degrees of depth and detail and using one or many methods ranging from simple to complex. The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context.


ISO 31010 Table A.1 provides a list of tools which are strongly applicable (SA), applicable (A), and not applicable (NA), for each of the three components which make up Risk Assessment. It references Annex ‘B’ which contains a tutorial.


[Figure: ISO 31010 Table A.2 – Attributes of a Selection of Risk Assessment Tools]


5.4.3 Risk Analysis
Risk Analysis. Process to comprehend the nature of risk and to determine the level of risk.

2.21 risk analysis
process to comprehend the nature of risk (2.1) and to determine the level of risk (2.23)
NOTE 1 Risk analysis provides the basis for risk evaluation (2.24) and decisions about risk treatment (2.25).
NOTE 2 Risk analysis includes risk estimation.

Unless you can predict the future, you often need to resort to estimation during risk analysis!


PROCESS, Section 5.4.3 Risk Analysis
Risk analysis involves developing an understanding of the risk. It provides an input to:
• risk evaluation and
• to decisions on whether risks need to be treated, and
• on the most appropriate risk treatment strategies and methods.
It can also provide an input into making decisions where choices must be made and the options involve different types and levels of risk.

2.24 risk evaluation
process of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk (2.1) and/or its magnitude is acceptable or tolerable
NOTE Risk evaluation assists in the decision about risk treatment (2.25).


PROCESS, Section 5.4.3 Risk Analysis

Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur.
Factors that affect consequences and likelihood should be identified. Risk is analyzed by determining consequences and their likelihood, and other attributes of the risk.

Risk Analysis
Consider:
• causes and sources of risk
• positive and negative consequences
• likelihood that those consequences can occur.
• Identify factors that affect consequences and likelihood
• One event can have multiple consequences and can affect
multiple objectives.
• Existing controls and their effectiveness should be taken
into consideration.

Risk Analysis
When we created risk criteria, we already established:
• the way in which consequences and likelihood will be expressed
• the way in which they will be combined

Determine the level of risk based on the type of risk, the information available and the purpose for which the risk assessment output is to be used.
It is also important to consider the interdependence of different risks and their sources.

PROCESS, Section 5.4.3 Risk Analysis
Communicate:
• Factors such as divergence of opinion among experts, uncertainty, availability, quality, quantity and ongoing relevance of information.
• Any limitations of modeling tools should be stated.

Analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances.



Heat Chart
Cell value = Consequence × Likelihood (each rated 1 to 5). Consequences run down the left; Likelihood runs along the bottom.

Consequence \ Likelihood    1    2    3    4    5
5                           5   10   15   20   25
4                           4    8   12   16   20
3                           3    6    9   12   15
2                           2    4    6    8   10
1                           1    2    3    4    5

Colour bands on the chart: Low, Questionable, Moderate, High


Bow Tie Analysis - The focus of the bow tie is on the barriers (controls) between
the causes and the event, and between the event and consequences.

5.4.4 Risk Evaluation
Risk Evaluation. Process of comparing
the results of risk analysis with risk
criteria to determine whether the risk
and/or its magnitude is acceptable or
tolerable.
• The purpose of risk evaluation is to
assist in making decisions, based on the
outcomes of risk analysis, about which
risks need treatment and the priority
for treatment implementation.

PROCESS, Section 5.4.4 Risk Evaluation

Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered.

PROCESS, Section 5.4.4 Risk Evaluation
Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk.  Involve Stakeholders!
Decisions should be made in accordance with legal, regulatory and other requirements.

In some circumstances, the risk evaluation can lead to a decision to undertake further analysis. The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls. This decision will be influenced by the organization's risk attitude and the risk criteria that have been established.

2.5 risk attitude
organization's approach to assess and eventually pursue, retain, take or turn away from risk (2.1)



5.5 Risk Treatment (Step Three)
2.28 Risk Treatment. Process to modify risk.
NOTE 2: Risk treatments that deal with
negative consequences are sometimes
referred to as “risk mitigation”, “risk
elimination”, “risk prevention” and “risk
reduction”.
NOTE 3: Risk treatment can create new
risks or modify existing risks.

Section 5.5 Risk Treatment - Another Cyclical Process
Propose a risk
treatment
Risk treatment involves a
cyclical process of:
2.27 residual risk
assessing a risk treatment;
risk (2.1) remaining
Is the level of after risk
deciding whether residual residual risk
treatment (2.25)
tolerable?
risk levels are tolerable;
NOTE 1 Residual risk can contain
if not tolerable, generating unidentified risk.
a new risk treatment; and
NOTE
Yes 2 Residual risk canNo also be
assess the effectiveness of known as “retained risk”.
that treatment.
Approve and
Implement



PROCESS, Section 5.5 Risk Treatment
Risk treatment options are not necessarily mutually exclusive or
appropriate in all circumstances. The options can include the following:
a) avoiding the risk by deciding not to start or continue with the activity that
gives rise to the risk;
b) taking or increasing the risk in order to pursue an opportunity;
c) removing the risk source;
d) changing the likelihood;
e) changing the consequences;
f) sharing the risk with another party or parties (including contracts and risk
financing); and
g) retaining the risk by informed decision.



Risk Treatment Options
• Avoid the risk
• Take or increase the risk to pursue an opportunity
• Remove or modify the risk source
• Change the likelihood
• Change the consequences
• Share the risk:
  • Contracts
  • Risk financing
• Retain the risk by informed decision
Examples:
• Don’t start the activity
• Discontinue the activity
• Discontinue a product
• Double production
• Add window shading to facility
• Install sprinkler system
• Create redundant facility
• Outsource production
• Purchase Insurance



PROCESS, Section 5.5.2 - Selection of Risk Treatment Options
Selecting the most appropriate risk treatment option
involves balancing the costs and efforts of
implementation against the benefits derived, with regard
to legal, regulatory, and other requirements such as
social responsibility and the protection of the natural
environment.
Decisions should also take into account risks which can
warrant risk treatment that is not justifiable on economic
grounds, e.g. severe (high negative consequence) but
rare (low likelihood) risks.



PROCESS, Section 5.5.2 Selection of Risk Treatment Options
A number of treatment options can be considered and applied
either individually or in combination. The organization can
normally benefit from the adoption of a combination of
treatment options.
When selecting risk treatment options, the organization should
consider the values and perceptions of stakeholders and the
most appropriate ways to communicate with them.
Where risk treatment options can impact on risk elsewhere in
the organization or with stakeholders, these should be involved
in the decision. Though equally effective, some risk treatments
can be more acceptable to some stakeholders than to others.
Risk Treatment Planning
When warranted, a plan should identify the priority … in
which individual risk treatments should be implemented.
Risk treatment itself can introduce secondary risks. The link
between the two risks should be identified.
A significant risk can be the failure or ineffectiveness of the
treatment measures. Therefore, monitoring needs to be an
integral part of the risk treatment plan to give assurance that
the measures remain effective.



5.5.3 Include in Your Treatment Plan
Reasons for selection of treatment options
Those accountable for approving and implementing plan proposed
actions;
Resource requirements (including contingencies)
Performance measures and constraints
Reporting and monitoring requirements
Timing and schedule.

Decision makers and other stakeholders should be aware of the nature and extent of the residual risk after risk treatment. These should be documented and subjected to monitoring and review.
5.6 Monitoring and Review

Monitoring – Assessing Status
Review – Assessing efficacy
These should be a planned part of your risk management process and involve regular checking or surveillance whether periodic or ad hoc. Responsibilities should be defined.

5.6 Monitoring and Review
Ensure that controls are effective and efficient in both design and
operation;
Obtain further information to improve risk assessment;
Analyze and learn lessons from events (including near misses),
changes, trends, successes and failures;
Detect changes in the external and internal context, including
changes to risk criteria and the risk itself which can require revision
of risk treatments and priorities; and
Identify emerging risks.

5.6 Monitoring and Review

How well are you implementing risk treatment plans? (A good performance measure.)
Results can be incorporated into your organization's overall performance management, measurement and external and internal reporting activities.
Record and report results externally and internally as appropriate.
Use as input to the review of your framework.

PROCESS, Section 5.7 Recording the Risk Management Process

Risk management activities should be traceable. In the risk management process, records provide the foundation for improvement in methods and tools, as well as in the overall process.
Decisions concerning the creation of records should take into account:
the organization's needs for continuous learning;
benefits of re-using information for management purposes;
costs and efforts involved in creating and maintaining records;
legal, regulatory and operational needs for records;
method of access, ease of retrievability and storage media;
retention period; and
sensitivity of information.

PROCESS, Section 5.2 - Communication and Consultation
Principle (c): Risk management is part of decision making
(If ISO 31000 is only “part” of decision making, what else is left?)

[Pie chart: Decision Making – 100%; ISO 31000 – 75%; What else is part of decision making? – 25%]


Quiz

Process



Q21. The Deming Cycle is:
A. PDAC: a methodology for zero-defect attainment
B. A methodology for continual improvement
C. PCDA
D. None of the above.
Q22. Risk management is best managed as:
A. A silo activity, designated as the risk management department.
B. An integral part of all organizational processes.
C. The responsibility of the risk owner who delegates tasks throughout the organization.
D. None of the above.



Q23. Communication and consultation is a process where:
A. Management shares decision-making with all staff members.
B. Management shares decision-making with stakeholders as appropriate.
C. Others might impact on a decision using their influence.
D. All of the above.



Q25. The part of the risk management process which is most critical:
A. Establishing the context
B. Comprehensive risk identification
C. Mandate and commitment
D. The creation of a risk management policy



Wrap Up Our Risk Management Course
Introduction to COSO ERM and other Standards
Annex A: Attributes of Enhanced Risk Management
Key Outcomes
Continual Improvement
Full Accountability for Risks
Application of Risk Management in All Decision Making
Continual Communications
Full Integration in the Organization's Governance Structure

Old Figures for ERM
[Figures: COSO ERM CUBE; ISO 31000]



New Proposed Figures
[Figures: ISO 31000; COSO ERM]



Which is better: industry-specific or generic standards?

This course is designed to teach you:
how to create a tailored risk management framework based on generic standards
Embed it within your entire organization
Implement the framework and its processes
Why?
It creates tremendous value
It is time-appropriate
It is achievable



Voluntary Frameworks and Mandatory Governance
Voluntary “Risk Management” Frameworks:
IRM 2002
COSO:2004 - ERM Integrated Framework
ISO 31000:2009 - Risk Management Guidance
Solvency II:2009 Risk management for insurance companies
Q9 QRM:2009
Basel III:2010
ISO 9001:2015 Quality Management Systems
Mandatory Governance Requirements:
Sarbanes-Oxley Act:2002 (RM requirements for U.S. public companies)
Dodd-Frank Act:2010 (Capital requirements for US banks)
Solvency II:2014 - Capital requirements for EU insurance companies (and US subsidiaries)
Basel III (Banking, Federal Reserve and the EU)
AML-KYC-CFT, FATF, FATCA
https://www.rims.org/resources/ERM/Documents/RIMS%20Executive%20Report%20on%20Widely%20Used%20Standards%20and%20Guidelines%20March%202010.pdf



Risk Management Maturity Assessment
ERM31000's 'Five Hour RMMA' is based on ISO 31000 Annex 'A'. This worksheet provides a preliminary Risk Management Maturity Assessment. Upon completion, organizations can advance to a full scale RMMA activity.
Current Status scale: Not at all 1; Somewhat 2; Moderate 3; Maturing 4; Mature 5
A.2.1 Is your understanding of your organization's risk:
a) current? 4
b) correct? 3
c) comprehensive? 5
A.2.2 Are your organization's risks within your risk criteria? (If no formal criteria is used, answer '0'.) 0
Maximum score: 20; Your score: 12; Value: 60%



Current Status scale: Not at all 1; Somewhat 2; Moderate 3; Maturing 4; Mature 5
A.3.1 Do you place an emphasis on continual improvement in risk management through the setting of:
a) organizational performance goals, 5
b) measurement 3
c) review and the subsequent modification of:
i) processes 3
ii) systems 2
iii) resources 5
iv) capability 5
v) skills. 5
A.3.1 Do you perform at least an annual review of performance and then a revision of processes, and the setting of revised performance objectives for the following period? 5
Maximum score: 45; Your score: 36; Value: 80%
A toolkit which guides you in the implementation of risk management in accordance with ISO 31000
New South Wales, Australia
Executive Guide to ISO 31000
Toolkit
Templates, Ex., Case Studies
http://tinyurl.com/k6zb79y
