Bkai3043 Topic 3
BKAI3043
Enterprise Risk Management
According to ISO 31000, a risk management process systematically applies
management policies, procedures, and practices to a set of activities
intended to establish the context, communicate and consult with
stakeholders, and identify, analyze, evaluate, treat, monitor, record, report,
and review risk.
The Principles
Customized
The risk management framework and process are customized
and proportionate to the organization’s external and internal
context related to its objectives.
Inclusive
Appropriate and timely involvement of stakeholders enables
their knowledge, views, and perceptions to be considered. This
results in improved awareness and informed risk management.
Dynamic
Risks can emerge, change, or disappear as an organization’s
external and internal context changes. Risk management
anticipates, detects, acknowledges, and responds to those
changes and events in an appropriate and timely manner.
CONTINUOUS ACTIVITIES
Communication and consultation
Monitoring
To monitor means to supervise and to continually
check and critically observe. It means to determine the
current status and to assess whether or not required
or expected performance levels are being achieved.
Review
Review activities are carried out in order to determine whether
something is a suitable, adequate, and effective way of achieving
established objectives. In general, ISO 31000:2018 expects you to
review your risk management framework and your risk
management process.
It specifically expects you to review your risk
management policy and plans as well as your risks, risk
criteria, risk treatments, risk management controls,
residual risks, and your risk assessment process.
RISK MANAGEMENT PROCESS
Recording and Reporting
a) objectives;
b) information sources;
c) assumptions; and
d) decisions.
Scope, context and criteria
The organization should specify the amount and type of risk that it may or
may not take, relative to objectives. It should also define criteria to evaluate
the significance of risk and to support decision-making processes.
Risk criteria should be aligned with the risk management framework and
customized to the specific purpose and scope of the activity under
consideration.
Risk criteria should reflect the organization’s values, objectives and resources
and be consistent with policies and statements about risk management.
While risk criteria should be established at the beginning of the risk assessment process, they are dynamic and should
be continually reviewed and amended, if necessary.
Risk Appetite vs Risk Tolerance
“For example, an entity that has set a target of a customer satisfaction rating of 90% may
tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite
for risks that could put its performance levels below 88%.”
Risk Terms
RISK ASSESSMENT: Risk Identification
The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization from
achieving its objectives. Relevant, appropriate and up-to-date information is important in identifying risks.
The organization can use a range of techniques for identifying uncertainties that may affect one or more objectives. The
following factors, and the relationship between these factors, should be considered:
— tangible and intangible sources of risk;
— causes and events;
— threats and opportunities;
— vulnerabilities and capabilities;
— changes in the external and internal context;
— indicators of emerging risks;
— the nature and value of assets and resources;
— consequences and their impact on objectives;
— limitations of knowledge and reliability of information;
— time-related factors;
— biases, assumptions and beliefs of those involved.
The organization should identify risks whether or not their sources are under its control. It should also consider
that there may be more than one type of outcome, which may result in a variety of tangible or intangible consequences.
The risk type, level, and likelihood are all taken into
consideration alongside detailed factors such as available
resource and internal/external influences.
RISK ASSESSMENT: Risk Evaluation
The purpose of risk evaluation is to allow an organisation to make decisions regarding
risk treatment and the prioritising of risk mitigation.
Risk evaluation takes the risk criteria and measures against the risk analysis to
determine:
The outcome of a risk evaluation could result in several actions: you will either need
to assign further analysis, maintain your existing controls, or reconsider the
objectives of the risk strategy in alignment with the organisation’s objectives.
Regular evaluation allows you to develop a comprehensive and mature risk
management strategy, as changes to risk factors, impact, consequence, and
objectives can be addressed in a reasonable time frame.
RISK TREATMENT: ISO 31000 Clause 6.5.2 Selection of risk treatment options