ISO31000

Risk management under ISO31000 provides an informed point for generic risk assessments to confirm the current controls for mitigating risks and consequences. The risk process spans horizontally from Inherent to Residual to Target Risks, whilst having depth that accounts for the consequences and controls associated with each risk.

You decide how much of the risk process should be dealt with, making it manageable as well as understandable for staff (for example you may prefer to not deal with Inherent Risk). This process allows a staged approach to be taken, adding more aspects later. The risk process leads to a series of fields that become populated and in turn reflected in KnowRisk®. Staff will become familiar with these fields according to the role they play in the process and become more knowledgeable about risk management through applying the process in their work.

Setting the Scope of the Broad-Brush Method

The risk management process shows the level of risk in conjunction with controls that currently exist or with future controls. An organisation cannot claim the level of future or target risk as the residual risk until the additional controls have been completed and are shown to be working effectively. The following diagram shows the 3 stages of performing risk assessment and analysis:

Setting the Context of Risk

Context of risk is often a difficult concept to grasp, yet its a must to learn and to understand in order to arrange the profile structure in a correct way and to gain full benefit of the overall risk management picture.

Risk management starts with “setting the context” in the sense that this provides the boundary for bringing into view the threats that face the business.  It makes it easier for everyday staff, who may not initially be familiar with risk management concepts, to feel comfortable to identify the risks that exist according to the context.

Some examples of Context include:

• Key objectives and strategies.
• Operations or Services Area (establishing the first tier of the primary structures in the organisation).
• Business Unit (establishing the organisation structure under the company context that provides resources as well as associated support/administrative functions).
• Business processes and sub-processes that reflect the functions that staff do from day to day.
• Assets (the risk profile of assets can be determined to reflect exposure based on a number of factors, eg. the age of equipment).

These Contexts are arranged in meaningful combinations that form a logical/intuitive hierarchical structure reflecting real world operations.

ISO31000 advocates that establishing the context defines the basic parameters within risks must be managed and sets the scope for the rest of the risk management process. This assists to minimise any risks being overlooked.

It will also be necessary to consider the external environment in which you operate. This may, for example, include:

• The business, social, regulatory, cultural, competitive, financial and political environment
• External stakeholders, where it may be prudent to take into account the perceptions and values of external stakeholders.

Establishing the external context is important to ensure that stakeholders and their objectives are considered when developing risk management criteria and that externally generated threats and opportunities are properly taken into account.

Likewise for internal context, it is necessary to understand the key areas that could influence the way risk management is conducted. Exmaples include:

• culture;
• internal stakeholders;
• structure of the operations;
• capabilities in terms of resources such as people, systems, processes, capital; and
• goals and objectives and the strategies that are in place to achieve them.

Identify Risks & Consequences then Classify

Once the Context has been established, the next part of the process is to identify the risks and the consequences should these risks occur. Using a well-structured systematic process is necessary to avoid excluding risks that could be significant. Whilst setting the context will already have set the agenda for risk identification, there are some other aspects that will assist:

• What can happen, where and when?  The approach is to generate a comprehensive list of sources of risks and events that might have an impact on the achievement of specific objectives or functions being performed.
• How and why it can happen?  Here the focus is possible causes and scenarios as there are many ways an event can occur.
• Tools and techniques.   Approaches used to identify risks and consequences include checklists, judgments based on experience and records, flow charts, brainstorming, systems analysis, and systems engineering techniques.

The KnowRisk® Risk Managment module also provides separate fields of information for staff to document the background information to the risks and consequences. KnowRisk® also supports the Risk Manager together with the Risk Analysts and Risk Coordinators to build a representative list of root causes to risks, as this will provide management with another reporting dimension to understand how key risks can be prevented from occurring.

Risk Assessment & Analysis

Risks may be assessed before controls (Inherent Risk) or after controls (Residual Risk), this depends on the method being used.  Working from Inherent Risk involves:

• Assessing the likelihood of the risk without taking into consideration any preventative controls even if they exist. Sometimes it’s difficult for staff to estimate the likelihood in this way as their experience is based on having some form of control.  Good facilitation by the Risk Manager assists to bring out the best estimate.
• Assessing the consequence impact of the risk without taking into consideration any corrective controls even if they exist.  Sometimes it’s difficult for staff to estimate the severity of the impact in this way as their experience is based on having some form of control.  Again, good facilitation by the Risk Manager or analyst will assist to bring out the best estimate.  Ask the stakeholder exposed to the risk what the worst case scenario is, if there are no controls or the controls completely failed.

Even if the values given are not as accurate as they could be, this will be corrected with the use of Knowledge Base which provides a feedback loop to improving the assessments given to risks.

By following the generic risk process, the residual risk is derived from identifying existing controls and assessing their effectiveness in relation to each inherent risk and associated consequences.

Having assessed the level of risk for each risk, it is possible to perform an analysis across the range of risks in context to bring out more meaningful results to assist the company/stakeholder under which risks require to be managed more effectively. Risk analysis must be consistent with the risk criteria developed as part of a standardised methodology to arrive at consistent results across your businesses.

KnowRisk helps you perform varying degrees of detail depending upon the risk, the purpose of the analysis, and the information and resources available. Analysis may be qualitative, semi-quantitative or quantitative or a combination of these, depending on the circumstances. The risk framework sets the pathway for increasing the sophistication and by implication the accuracy of the analysis.

Identifying Controls & Assessing their Effectiveness

The focus must distinguish between controls that actually exist from those the business would like to have. Controls represent the policies and procedures, processes, devices or practices that are designed to make the business operate effectively. It follows that controls will reduce the risks and consequences, however the degree of this depends on how efficiently the control is performed and how well it is designed.

Evaluate Risks

The purpose of risk evaluation is to make decisions based on the outcomes of risk analysis about which risks need treatment. Since controls are in effect resources that cost money directly or indirectly, care is needed to decide where certain risks are above tolerances and additional controls may be needed to reduce the risk and its consequences to a more acceptable levels.

Risk Treatment

KnowRisk® has a comprehansive way of resolving risk, assessing those options and the preparation and implementation of treatment plans. No company has unlimited resources to apply to situations where there may be opportunities to exploit.

Risk Management Process

This is a typical Risk Management Process found in KnowRisk®, however you can set your own.

During the implementation stage, the above process is extended to become more sophisticated and adapted into other risk management strategies. This facilitates embedding risk management within your business-as per usual activities.