
RISK MANAGEMENT

PROCESS

BKAI3043
Enterprise Risk Management
According to ISO 31000, a risk management process systematically applies
management policies, procedures, and practices to a set of activities
intended to establish the context, communicate and consult with
stakeholders, and identify, analyze, evaluate, treat, monitor, record, report,
and review risk.

Enterprise risk management (ERM) is a plan-based business strategy that aims to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster—both physical and figurative—that may interfere with an organization's operations and objectives.
Risk Principles, Framework and Process
The Principles
Integrated
Risk management is an integral part of all organizational
activities.

Structured and Comprehensive
A structured and comprehensive approach to risk management contributes to consistent and comparable results.

Customized
The risk management framework and process are customized
and proportionate to the organization’s external and internal
context related to its objectives.

Inclusive
Appropriate and timely involvement of stakeholders enables
their knowledge, views, and perceptions to be considered. This
results in improved awareness and informed risk management.
Dynamic
Risks can emerge, change, or disappear as an organization’s
external and internal context changes. Risk management
anticipates, detects, acknowledges, and responds to those
changes and events in an appropriate and timely manner.

Use Best Available Information
The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear, and available to relevant stakeholders.

Consider Human and Cultural Factors
Human behavior and culture significantly influence all aspects of risk management at each level and stage.

Seek Continual Improvement
Risk management is continually improved through learning and experience.
The Framework
The RISK MANAGEMENT PROCESS: ISO 31000 (2018)

[Diagram of the risk management process. Continuous activities shown alongside the process steps: communication and consultation; monitoring and review; recording and reporting.]
Communication and consultation

'Communication and consultation' is not a distinct stage in the management of risk, but runs through the whole process.

Communication and consultation is a dialogue between an organization and its stakeholders. This dialogue is both continual and iterative. It is a two-way process that involves both sharing and receiving information about the management of risk. However, this is not joint decision making. Once communication and consultation is finished, decisions are made and directions are set by the organization, not by stakeholders.

Discussions could be about risks, their nature, form, likelihood, and significance, as well as whether or not risks are acceptable or should be treated, and what treatment options should be considered.
Monitoring and Review

Monitoring
To monitor means to supervise and to continually
check and critically observe. It means to determine the
current status and to assess whether or not required
or expected performance levels are being achieved.

Review
A review is an activity. Review activities are carried out in order to determine whether something is a suitable, adequate, and effective way of achieving established objectives. In general, ISO 31000:2018 expects you to review your risk management framework and your risk management process. It specifically expects you to review your risk management policy and plans as well as your risks, risk criteria, risk treatments, risk management controls, residual risks, and your risk assessment process.
Recording and Reporting

Each stage of the risk management process should be appropriately documented to retain knowledge and satisfy audit requirements. Documentation should include objectives, information sources, assumptions, methods, decisions, and results.

Individual projects and groups maintain Risk Registers, and enterprise risks are escalated to a Strategic Risk Database.

Decisions concerning the extent of documentation may involve costs and benefits and should consider a range of factors. At each stage of the process, documentation should include:

a) objectives;
b) information sources;
c) assumptions; and
d) decisions.
Scope, context and criteria

The organization should define the scope of its risk management activities.

As the risk management process may be applied at different levels (e.g. strategic, operational, programme, project, or other activities), it is important to be clear about the scope under consideration, the relevant objectives to be considered and their alignment with organizational objectives.

When planning the approach, considerations include:
— objectives and decisions that need to be made;
— outcomes expected from the steps to be taken in the process;
— time, location, specific inclusions and exclusions;
— appropriate risk assessment tools and techniques;
— resources required, responsibilities and records to be kept;
— relationships with other projects, processes and activities.

To establish the context means to define the external and internal parameters that organizations must consider when they manage risk. An organization’s external context includes its external stakeholders, its local, national, and international environment, as well as any external factors that influence its objectives. An organization’s internal context includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards.

In establishing the context, the organization should identify its objectives and value drivers. What are the value generators and drivers for the organization, as well as its implicit and explicit goals and values?

The organization should specify the amount and type of risk that it may or
may not take, relative to objectives. It should also define criteria to evaluate
the significance of risk and to support decision-making processes.

Risk criteria should be aligned with the risk management framework and
customized to the specific purpose and scope of the activity under
consideration.

Risk criteria should reflect the organization’s values, objectives and resources
and be consistent with policies and statements about risk management.

The criteria should be defined taking into consideration the organization’s obligations and the views of stakeholders.

While risk criteria should be established at the beginning of the risk assessment process, they are dynamic and should
be continually reviewed and amended, if necessary.
Risk Appetite vs Risk Tolerance

For example, an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.
Risk Terms

• Risk capacity: the amount and type of risk an organization is able to support in pursuit of its business objectives
• Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its business objectives
• Risk tolerance: the specific maximum risk that an organization is willing to take regarding each relevant risk
• Risk target: the optimal level of risk that an organization wants to take in pursuit of a specific business goal
• Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within an organization’s risk tolerance/risk appetite. Exceeding risk limits will typically act as a trigger for management action
RISK ASSESSMENT: Risk Identification

The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization
achieving its objectives. Relevant, appropriate and up-to-date information is important in identifying risks.
The organization can use a range of techniques for identifying uncertainties that may affect one or more objectives. The
following factors, and the relationship between these factors, should be considered:
— tangible and intangible sources of risk;
— causes and events;
— threats and opportunities;
— vulnerabilities and capabilities;
— changes in the external and internal context;
— indicators of emerging risks;
— the nature and value of assets and resources;
— consequences and their impact on objectives;
— limitations of knowledge and reliability of information;
— time-related factors;
— biases, assumptions and beliefs of those involved.
The organization should identify risks, whether or not their sources are under its control. Consideration should be given that there may be more than one type of outcome, which may result in a variety of tangible or intangible consequences.
SOURCE: Nawaz A, Waqar A, Shah SAR, Sajid M, Khalid MI. An Innovative Framework for Risk Management in Construction Projects in Developing Countries: Evidence from Pakistan. Risks. 2019;7(1):24. https://doi.org/10.3390/risks7010024
RISK ASSESSMENT: Risk Analysis

The risk analysis phase allows for decisions to be made regarding risk treatment, and to further identify and define the organisation's risk appetite.

The risk type, level, and likelihood are all taken into consideration alongside detailed factors such as available resource and internal/external influences.
RISK ASSESSMENT: Risk Evaluation
The idea behind evaluation is to allow an organisation to make decisions regarding risk treatment and the prioritising of risk mitigation with ease.

Risk evaluation takes the risk criteria and measures against the risk analysis to determine:

• Effectiveness of criteria definition
• Which risks are the highest priority
• How to approach the next steps (risk treatment)
• Success of risk analysis process (are there any knowledge gaps remaining?)

The outcome of a risk evaluation could result in several actions: you will either need to assign further analysis, maintain your existing controls, or reconsider the objectives of the risk strategy in alignment with the organisation’s objectives.

Regular evaluation allows you to develop a comprehensive and mature risk management strategy, as changes to risk factors, impact, consequence, and objectives can be addressed in a reasonable time frame.
RISK TREATMENT: ISO 31000 Clause 6.5.2 Selection of risk treatment options

Options for treating risk may involve one or more of the following:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing the risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood;
— changing the consequences;
— sharing the risk (e.g. through contracts, buying insurance);
— retaining the risk by informed decision.