ISO/TC 262/WG 6 N171
ISO/TC 262/WG 6 "Guidance Handbook"
Convenorship: SA
Convenor: Foster Helen Ms

Draft 5 of the ISO 31000 Risk Management - A Practical Guide

Document type: Related content
Document date: 2021-11-28
Expected action: INFO
Meeting / Working documents for discussion

International Organization for Standardization
United Nations Industrial Development Organization

Nestor Albuquerque - 2022-06-14 18:34:50

Copyright protected document

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401, Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Views expressed in this publication are those of the author(s) and contributors and do not necessarily reflect those of the International Organization for Standardization or the United Nations Industrial Development Organization. The designations employed and the presentation of material do not imply the expression of any opinion whatsoever on the part of the International Organization for Standardization or the United Nations Industrial Development Organization concerning the legal status of any country, territory, city or area, or of its authorities, or concerning the delimitation of its frontiers or boundaries, or its economic system or degree of development. Designations such as "developed", "industrialized" and "developing" are intended for statistical convenience and do not necessarily express a judgment about the stage reached by a particular country or area in the development process.
Mention of names of firms and organizations and their websites, commercial products, brand names, or licensed process does not imply endorsement by the International Organization for Standardization or the United Nations Industrial Development Organization.

Contents

Foreword ... 5
Preface ... 7
Introduction ... 9
ISO 31000 Guidance Handbook ... 1
1. Using the ISO 31000 risk management principles ... 1
2. Leadership, commitment and responsibilities
3. Risk management framework ... 25
4. Risk management process ... 39
5. Effectiveness of the risk management program ... 37
6. Continual improvement ... 61
Annex A ... 66
Example of gap analysis ... 66
Annex B ... 68
Example of risk categories ... 68
Bibliography
ISO documents ... 1

ISO 31000:2018 | Risk management - a practical guide - 1

Foreword

If risk is the combination of opportunities, threats and future uncertainty, then risk management is an essential discipline for informed decision-making within all organizations. Moreover, past years have borne witness to all forms and scale of risk, across the spectrum of sizes and potential impacts; these range from the challenges and opportunities seen in day-to-day management, through to major events, such as logistic disruptions, political unrest, large-scale data breaches, and unprecedented lockdowns triggered by global pandemics. Each of these has resulted in an increased recognition and appreciation of the absolute value of risk management.

All events, whether large or small, can have a strong effect on organizations, businesses and the markets and economies in which they operate. Given the present uncertainties, it is hardly surprising when organizations struggle to identify and manage their risks. Managing risk effectively is how all organizations bring greater certainty into their planning and activities.
To serve this highly relevant need, ISO 31000:2018, Risk management - Guidelines, has been designed to assist organizations by providing guidance and direction on how to integrate an effective decision-making framework into their governance, leadership and culture. Organizations that manage risk well not only survive but thrive.

As a foundation standard on risk management, ISO 31000 explains the fundamental concepts and principles of risk management, describes a framework, and outlines the processes of risk identification and management. ISO 31000 is supplemented by IEC 31010:2019, Risk management - Risk assessment techniques, and ISO 31073, Risk management - Vocabulary; these two ISO standards contain valuable information and guidance on risk management techniques, as well as the terms and definitions. To further assist organizations in implementing risk management, we have now added ISO 31000:2018 - Risk management - A practical guide, to the family of standards.

This handbook was written at the request of the ISO Technical Committee, ISO/TC 262, Risk management, to provide an implementation guide to the International Standard on risk management, ISO 31000. The aim of this handbook is to assist organizations seeking guidance on how to integrate risk management into their activities. The handbook therefore includes information on risk management principles, the framework, roles and responsibilities, planning, processes, communication, monitoring and review, and continual improvement.

This handbook was written by experts from Working Group 6 under ISO/TC 262, Risk management, for those who are either starting their risk management journey or require additional guidance on how to improve their current risk management programme.
We hope this handbook, jointly published by the International Organization for Standardization (ISO) and the United Nations Industrial Development Organization (UNIDO), will support your organization’s effort in creating and protecting value to assist in realizing the multiple benefits offered by ISO 31000.

Sergio Mujica
Secretary-General, ISO

Preface

This handbook aligns with ISO 31000:2018, Risk management - Guidelines. It is intended to guide organizations to implement and practice risk management. For brevity, this handbook will refer to this International Standard as ISO 31000.

This handbook is consistent with the contents of ISO 31000; however, it does not replicate the ISO 31000 structure. It is intended to guide organizations to implement and practice risk management.

Any feedback or questions regarding this document should be directed to the user’s national standards organization.

Introduction

Implementing effective risk management supports quality and success, and potentially the good of society.

ISO 31000 defines risk as the effect of uncertainty on objectives. This can include the organization’s purpose, vision, and values as well as the goals and targets articulated at different levels in the organization. They can also include the factors that are important to a particular decision.

The International Standard provides a common approach to managing any risk and is not industry or sector specific. It provides guidance to assist organizations in integrating an effective risk management program into all their activities and functions.

This handbook expands and provides context to the clauses in ISO 31000. It provides advice regarding introducing and implementing risk management, including how to create and protect value for stakeholders.
The handbook demonstrates how to:

» Use the principles of effective and efficient risk management in the way risk is managed;
» Develop a plan for integrating risk into an organization’s existing arrangements;
» Understand how organizational culture influences the design and implementation of risk management;
» Confirm that the need for effective risk management is considered when changes affect the organization;
» Apply the risk management process to identify, analyse, evaluate, and where required, to treat risk;
» Communicate and consult with stakeholders;
» Monitor and review the risk management plan and process; and
» Continually improve based on context and lessons learned.

As with ISO 31000, this handbook can be used to manage risk in all types of organizations. It applies to an organization, and to its activities. It applies to organizations that are considering implementing ISO 31000 or seeking improvement of existing risk management.

ISO 31000 Guidance Handbook

1. Using the ISO 31000 risk management principles

The risk management principles link the framework and practice of risk management to the organization's strategic goals and objectives. The core principle and purpose of risk management is that it creates and protects value. The principles are foundational in all aspects of risk management and have been incorporated within the sections of this handbook.

Risk management is integrated: Risk should be considered during normal business activities and decision-making throughout the organization and integrated within the organization’s overall management system.

Risk management arrangements should be structured and comprehensive: A structured framework assists organizational understanding of roles and responsibilities and provides consistent procedures. These include procedures to identify, understand and treat risk and communicate information.
Risk management is customized: This principle encourages organizations to customize risk management to their organization's objectives and needs.

Risk management is inclusive: Timely and appropriate engagement of stakeholders enables a wide range of views to be considered as part of risk management, resulting in better-informed decisions.

Risk management is dynamic: As an organization’s context and circumstances change over time, so will its risks. This principle reinforces that risks are to be periodically reviewed to ensure that they are addressing organizational objectives.

Best available information: Informed decision-making requires relevant and accurate information from the organization as well as from other sources. Risk management should reflect and consider the input of internal and external stakeholders.

Human and cultural factors: Risk management involves collaboration and the engagement of stakeholders. This can result in understanding the human and cultural factors most important to organizational success. This principle also refers to taking unique circumstances and human needs into account when integrating risk management into the organization and developing appropriate risk management processes.

Continual improvement: This principle encourages an organization to continually monitor, review and improve risk management processes to ensure their relevance, efficiency, and effectiveness in support of the organization's overall performance.

2. Leadership, commitment and responsibilities

2.1 Overview

Managing risk adds and protects value by enabling organizations to achieve their objectives more effectively and efficiently, and with greater long-term certainty. Organizations that continue to succeed are those with the ability to forecast and prepare for risk.
Implementing and enhancing risk management supports an organization’s objectives and creates and protects value for the organization. Implementation begins with understanding what value means to the organization. The value of risk management is expressed in many terms such as market share, profit, service management, project delivery or social services. No single risk management model achieves these goals. Each organization is responsible for identifying value, which depends directly on the mission, vision, strategic objectives, and the primary activities of the organization.

The value of risk management is sponsored by the organization’s oversight body, put into effect by top management and risk owners and applied across the organization through a common framework. This framework can vary widely among organizations but typically involves leadership and commitment, resources, defined accountabilities, communication, plans, actions, and processes.

2.2 Role of risk management in decision making

2.2.1 General

The key to effectively managing an organization and creating value is informed, logical, structured, and consistent decision making. To weigh different options in the pursuit of its objectives and desired outcomes, decision makers select from choices based on experience, reason, and best available information. The risk management process provides a basis for informed decision-making to determine one course or courses of action.

Risk management is a decision-making discipline that is to be integrated into all aspects of an organization. The method selected to assess risk can assist the decision maker to make an informed decision.

Decision making is a fundamental part of strategic and operational management and controls of a well-run organization. Good decision making is based on a clear understanding of the context and underlying uncertainties in achieving objectives.
Organizations will face multiple risks, some with compounding or cascading effects. Both the nature of individual risks and the interaction between risks can be identified and understood to support informed decision-making, and better recognize potential unintended consequences of decisions. Developing and evaluating alternative scenarios reduces uncertainty in decision making and illuminates unknowns that can occur. Timeframes and the extent of impact on the organization determine the criticality of decision-making processes.

EXAMPLE - Case study

To get its products to market safely and profitably, a petroleum refinery company needs to understand risks related to physical design, operations, safety, the environment, quality, reputation, regulation, supply chain, and economics and the interactions between them.

To be effective, risk management needs to be understood within the context of the governance, compliance, processes, and operating procedures of an organization. For organizations to achieve their strategic and operational objectives, risk management is to be aligned with the governance structures, mission, values, and culture of the organization.

For an organization to thrive and be sustainable, managing the uncertainty in achieving the organization’s strategic and operational objectives is an integral part of all the organization’s activities, functions, and processes. It is a top-down and bottom-up approach. Therefore, decision making can be clearly understood and leveraged when establishing the risk management framework.

2.2.2 Integrating risk into decision making

A decision can be considered to have three stages: a pre-decision stage, an active decision stage and a post-decision stage. Risk management can be integrated into all three stages. For example, risk may be assessed prior to deciding whether to proceed with an initiative.
During the active decision stage, risk is considered in the context of setting expectations regarding the acceptance of loss and maximizing gain. After the decision has been made, risks that arise from the implementation of strategy can be assessed and treated.

At times, decisions simply and directly flow from available and reliable evidence where possible outcomes are predictable and probable. At other times, decisions are made under uncertain conditions, where the current state of information is such that:

» The order or nature of things is unknown;
» The consequences, extent, or magnitude of circumstances, conditions, or events is unpredictable;
» Credible probabilities to possible outcomes are imprecise at best;
» Rapidly changing and dynamic situations affect assumptions; and
» Available information may be ambiguous or incomplete.

Integrating considerations of uncertainty into decision making can lead to better decisions and better outcomes. To integrate risk into decision making, it is necessary to understand:

» Who the individual decision makers are;
» Who is accountable for implementing the decisions;
» The risk-taking attitudes of the people concerned;
» The importance and relevance of the decision;
» The implication of the decision for various parts of the organization; and
» The available resources to fulfil the decision.

Other key considerations are the importance and relevance of the decision, and the implications of the decision on various parts of the organization.

2.3 Benefits of risk management

Effective risk management enables an organization to achieve its objectives by continually assessing risks to reduce surprises and improve performance. Risk management also provides relevant stakeholders with continuous, consistent, and reliable information.

Additional benefits from implementing and integrating processes to manage risk across an organization include:

» A more efficient use and allocation of capital and other resources;
» The ability to recognize and capture opportunities and threats quickly, and to respond to them;
» A reduction in the likelihood and impact of loss;
» Clearer, better-informed decisions;
» Lower compliance/auditing costs;
» Cost savings from using risk information to streamline and improve processes;
» Better management of human and cultural aspects that affect performance; and
» A greater understanding of potential events and the ability to influence their outcomes.

2.4 Integrating risk management with organizational strategy

2.4.1 Overview

All decisions and activities of an organization involve risk, starting with strategy. Integrating risk and strategy enables management to select the best strategies and manage relevant risks. The following subclauses illustrate the steps to integrate risk management into strategy development.

2.4.2 Communication and consultation

Consultation with stakeholders is important when developing a strategy to provide input for identifying risks and to gain support for the resulting plans. Dialogues and discussions about strategy are an opportunity to reach a consensus view of the risks faced by the organization. Communicating and consulting with appropriate stakeholders occurs at the start and throughout strategic planning where additional input would improve the understanding of risks or confidence in the resulting actions.
2.4.3 Establish the strategic context

In developing strategy, top management may consider the current internal and external context, past performance, and the vision for the near, medium, and long term (see subclause 3.4.1, Understand and use organizational context). Integrating risk management into strategic planning requires a deep understanding of the key business drivers, the needs and objectives of the organization, and how they may change over time.

2.4.4 Identify risks associated with strategy

As organizations develop strategies, they consider opportunities and threats, and the associated risks. When determining strategic risks, the organization may consider elements such as long- and short-term risks, as well as current and emerging risks. Risks associated with strategy span multiple elements of an organization and its ability to achieve objectives.

EXAMPLE

The climate crisis is contributing to an increase in extreme weather events, which may impact the durability of structures, the reliability of production, disrupt travel, etc. These impacts may affect asset life-cycle management, and the projection of operational costs and returns.

2.4.5 Assess the risks of the strategy

Assessing the risks associated with the strategy is an iterative process. Risks are assessed during strategy selection as well as afterwards, to identify and analyse risks in more detail. Assessments involve collecting and analysing information, consulting stakeholders and experts and using techniques such as those identified in IEC 31010:2019, Risk management - Risk assessment techniques. Interviews with top management and oversight bodies enable discussions and consideration of risks to potential strategy including emerging risks.
2.4.6 Finalize the plan, including the risk treatment actions for the risks identified

The implementation plan for the strategy is to incorporate the treatment of the risks identified. The strategy needs to be integrated into and communicated to all levels of the organization.

2.4.7 Monitor and review risks and strategic objectives

Risks, strategic objectives and key risk performance measures (see Clause 6, Continual improvement) are to be monitored as part of regular reviews.

2.5 Assigning roles and responsibilities

2.5.1 Overview

To be successful, risk management requires full support from top management (defined as members of senior executive teams) and from oversight bodies (most commonly the board). Top management is ultimately responsible for an organization’s management of risk and its successes and failures. Accountability for managing risk is an important aspect of governance within the organization. A risk governance structure includes a clear understanding of roles, responsibilities, accountabilities, and oversight. Clearly articulating accountabilities for risk management at all levels supports a full understanding of roles and responsibilities.

The following subclauses (see 2.5.2 to 2.5.6) outline roles in managing risk in an organization.

2.5.2 Oversight bodies

Boards or oversight bodies have a vital role on behalf of stakeholders to ensure that the organization is managing the risks it faces appropriately.
The oversight body’s responsibilities regarding risk include:

» Overseeing the culture that supports risk management within the organization and how incentives drive that support;
» Defining the amount and types of risk that an organization can take, in conjunction with top management;
» Maintaining oversight of risks and controls that can impact the organization’s objectives;
» Taking steps to ensure that the language used to communicate about risk and its management is clear and understood across the organization;
» Ensuring risk management is embedded in processes that support important decisions; and
» Determining an appropriate structure for risk management assurance, including the role of audit and risk committees.

EXAMPLE - Case study

In the example of a small family-owned organization, in some cases the board is comprised of the owners and top management such as the finance and operations managers. In the case of a not-for-profit start-up, initially the board may include professional colleagues, partners, and volunteers. As the not-for-profit gains a greater understanding of its context, strategic objectives and risk, requirements for new board skills and experience in legal, marketing and fundraising may arise.

2.5.3 Top management

Whether as a formal or informal process, all organizations manage risk. Top management need to demonstrate a commitment to managing risk that emphasizes its importance, integration, and effectiveness throughout the organization.
Top management’s responsibilities are to:

» Understand the dynamic risk environment in which the organization operates;
» Have an overview understanding of risk within the organization;
» Establish and communicate a policy regarding risk management internally and to stakeholders as appropriate;
» Ensure that risk management aligns with the strategy and objectives of the organization;
» Set an example and actively model how to consider risk in decision making, following the same processes expected of the rest of the organization;
» Establish the amount of risk that the organization is willing to take in pursuit of objectives;
» Allocate resources to implement, monitor and improve risk management throughout the organization;
» Ensure implementation of a risk management framework and processes;
» Encourage people to view risk identification, analysis, and treatment positively; and
» Manage the risks they own.

2.5.4 Stakeholders

A stakeholder is a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity (see ISO 31000). Stakeholders may have the opportunity to provide their perspective, and have it considered, even though it may not align with that of the organization.

External stakeholders can include:

» Shareholders who expect a return on their investment and ongoing performance of results;
» Customers who are affected by the quality of products and services;
» Suppliers and partners who expect an enduring and reliable relationship;
» Government (national and local levels), unions, non-governmental organizations; and
» The public, who depend on the organization’s economic and environmental performance, its reputation and compliance with legal and regulatory obligations.

Internal stakeholders include employees, all levels of management, and others involved in the effective management of risk.
Specific responsibilities include:

» Being aware of and fulfilling their responsibilities as defined by the risk management framework;
» Providing input into risk management activities;
» Participating in risk management procedures and processes to identify and analyse risk;
» Ensuring treatments for risks are effective within their area of accountability;
» Reporting risks; and
» Following policies and procedures to ensure compliance.

At times there can be an overlap between external and internal stakeholders, for example shareholders.

2.5.5 Risk owners

A risk owner is a person or an entity with the accountability and authority to manage risk. The organization’s culture and structure play a key part in determining the best model for assigning risk owners. Risk owners are to have the appropriate level of decision-making authority to manage their assigned risks.

Risk ownership can be delegated through several levels of the organization. This assists in reducing the workload on top management as well as cultivating the thinking, behaviours and actions regarding risk and risk management throughout the organization.

EXAMPLE

A risk owner can be at any level of the organization, for example the project manager in charge of a specific project or a process manager in charge of the budget and resources for a production line in a factory.

Risk owners require:

» A good knowledge and an understanding of their area of risk;
» The appropriate level of decision-making authority within the organization;
» Access to resources such as people and/or funding;
» Suitable training in risk management; and
» Knowledge and understanding of key stakeholders.

2.5.6 Risk leaders

Risk leaders are responsible for ensuring the implementation and integration of the risk management framework and process into the organization’s management system and processes. At times they are referred to as risk champions or coordinators.
They have knowledge and understanding of risk and provide the capacity to facilitate the risk process. In some organizations this can involve designing and customizing the framework and developing appropriate tools and guidance to assist others in their risk management responsibilities.

Risk leaders require:

» Appropriate training in risk management;
» A good understanding of the organization’s mission, purpose, and objectives and of the environment in which it operates;
» An understanding of the organization including the governance structure, operations, markets, revenue, and funding sources, technology, and people; and
» The ability to communicate effectively and to foster risk management in day-to-day activities.

2.6 Leadership’s commitment to risk management

Effective risk management provides top management with information and insights to run the organization, make informed decisions and achieve objectives by taking the right risks. Questions that demonstrate the commitment of leaders include:

» Is risk management supported by top management?
» Are relevant risks considered in decisions and actions?
» Is risk discussed at all levels of the organization?
» Are there appropriate resources assigned to risk management throughout the organization?
» Have risk owners identified their risks and do they understand how to manage them?
» Are appropriate risks escalated to top management in a timely manner?
» Is there a risk function or risk leader within the organization?
» Does the risk leader have a direct reporting line to top management and the oversight bodies?
» Are functions and reporting responsibilities assigned?
» Are oversight bodies engaged in a timely manner on significant risk issues, particularly key strategic risks?
» Do the oversight bodies understand their role in managing risk?
» Have the oversight bodies evaluated the effectiveness of the oversight processes?
» Are the oversight bodies receiving the risk reporting and information that they need?

3. Risk management framework

3.1 Introduction

Clearly defined leadership, commitment and responsibilities are needed to effect better decision making and fewer surprises, but they are not enough to transform risk management into actions. The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions. This section is to provide guidance on how to develop and continually improve a customized framework for integrating and sustaining risk management in an organization. This foundational work helps integrate risk management into existing governance and management arrangements and continually improve risk management activities.

The risk management framework includes the context, policies, resources, process, organizational structure, and techniques necessary to implement risk management in an organization. Customizing a dynamic framework helps the organization integrate risk management into governance arrangements, decision-making, processes, and related activities.

3.2 Provide the rationale for risk management

The assigned and accountable leader(s) are to develop a rationale for implementing or improving risk management. This requires a solid understanding of the organization’s vision, mission and objectives and the environment in which it operates, as well as of the organization's structure and how risk management will create and protect value.
Prepared with the understanding of an organization's mission, business model and environment, the leaders responsible for designing the framework would benefit by confirming top management’s commitment to integrating and assuming accountability for managing risk. Consultation with top management provides a basis for the rationale to implement or improve risk management capabilities and practices. Consultation may include discussion of expectations regarding what risk management can deliver to individual leaders and the organization.

Designing a “fit-for-purpose” risk management framework involves understanding how the organization creates, delivers, captures and protects value. For example, the design may include investigating and understanding its purpose, strategy, objectives, decision-making processes, current risk management practices, needs and desired outcomes. Integration of the ISO 31000 risk management principles into the framework design can help organizations focus on why risk management is important.

Asking questions such as “How are we currently managing risk?” and “What outcome do we want to achieve that we currently aren’t achieving?” can help determine the rationale for change to improve the risk management practices of the organization. Approaches may differ depending on what is needed and how the organization’s risk management objectives can be supported within current governance arrangements or whether these arrangements can be modified.

One way to develop justification and obtain commitment is to develop a clear, concise, and compelling message regarding the value expected to be gained from the risk strategy as it relates to specific organizational objectives. Then, a preview of the business case involving key decision makers and influencers can refine the rationale and business need.
EXAMPLE
Organizational objectives can be:
» specific outcomes (such as positive results of a project: to support a 10% increase in new highly qualified clients, or assess risks associated with sales-incentive plans);
» supportive of more general objectives (such as to improve the odds of achieving and maintaining a 10% increase in revenue growth, assess risks associated with target markets and improve risk-taking competencies); or
» process-based objectives (such as to evaluate and report positive and negative deviations from the risk the organization can or cannot take in a grants portfolio).

3.3 Define the business case

A business case for risk management outlines the options and provides the recommended approach for moving forward. Such a business case may include the following:
» Executive Summary
  - Formal recognition and individual authority to manage the integration
  - Program purpose and business need
  - Program priority
    - Strategic, board-level priority
    - Specific benefits to be gained
» Program Scope Statement and Definition
  - List of objectives and expected deliverables
  - Description of work
  - List of assumptions and constraints
  - Estimated schedule and resources
    - Target measures, dates/milestones
    - Capital and operating expense requests
    - Key internal and external resources needed, estimated work hours
  - Performance measurement and criteria
» Program Roles and Responsibilities
  - Executive sponsor, program lead, project manager, and stakeholder list with authority and accountabilities for each

Convincing key decision makers of the value of risk management can make them early adopters and champions of risk management throughout the organization.

3.4 Develop an appropriate framework

An appropriate framework helps to integrate risk management activities into the existing management and governance arrangements and continually improve risk management.
Building or updating the framework will need to consider how risk is already managed in the organization. Formalizing the organization’s framework usually incorporates an assessment of existing risk management practices to identify gaps, make improvements and create consistency. This assessment may focus on practices as well as people, processes, and technology.

Existing risk management practices can be identified by reviewing policies, practices, reports, and activities from key operations, departments, or locations. Other methods include interviews with key personnel, personal observations, and surveys. After documenting and understanding risk management practices and activities, it is possible to compare them for consistency and effectiveness. As gaps are identified, plans can be made to improve, fill gaps, or scale back efforts not suited to the needs of an area or the whole organization. This process can identify areas that use more resources than necessary, as well as deficiencies.

3.4.1 Understand and use organizational context

The elements of organizational context described in ISO 31000 are intended to be comprehensive. Customization aids in aligning the elements to specific organizational structures and purpose. Additional information relevant to the framework includes the structure of the organization itself, which may be evident through an organization chart, or a list of key services or departments, branches, and locations.

One approach to articulate the internal and external context is to write descriptions of each element. Taken as a whole, the descriptions provide clarity about how to create a consistent and sustainable structure for managing risk across the entire enterprise. Descriptions of internal and external context can also reveal areas of risk worth pursuing or needing extreme caution.
A thorough understanding of organizational context can result in the collection of significant information.

EXAMPLE - Case study
During a discussion of the context of operations, the university’s risk committee identified several laws and regulations that require strict adherence (an element of external context). The university has multiple internal departments affected by these laws and regulations, with little communication between them. Therefore, reporting is sometimes duplicated and always inefficient (an element of internal context). This organizational arrangement also creates risk that conflicting information may result in increased scrutiny by regulatory agencies, sanctions, or bad press. As a result of this information, the framework was established with centralized oversight of these key risks. The reporting and governance processes were improved. The context discussion also identified a key risk that needed to be managed.

Another example, from a high-tech start-up company: The company’s founder and a small number of employees used the elements of internal and external context as a checklist as they developed their implementation and marketing strategies. They also incorporated organizational context and the consideration of risks into decisions about projects. Therefore, they integrated their risk management framework directly into decision making and planning processes.

An understanding of the organizational context helps customize and integrate the risk management framework so that it is accepted within the organization.

3.4.2 Train the team

One of the prerequisites of effective risk management is that everyone within the organization understands their role and responsibilities regarding the management of risk.
Developing the framework requires decisions including:
» How risk management is structured (the framework);
» How people are informed and engaged (through the plan and in risk management processes); and
» How risk management processes are implemented and reported (an element of the risk management plan).

For organizations of any size or complexity, these are decisions that require group participation and input. Organizations can structure the planning and oversight functions using shared governance to incorporate multiple points of view and knowledge of the organization. The organization will need to continually assess and address any gaps in knowledge of individuals in the group. The rationale for risk management, understanding of context, and consideration of stakeholders may inform the organization’s governance structure and process.

EXAMPLE - Case study
A large, urban county government created an Enterprise Risk Management Advisory Committee of a dozen leaders representing all divisions within the organization. Committee members serve for three-year terms; the committee meets quarterly. The committee’s work began with educating its members on the purpose, value, and outcomes of risk management. The committee then worked through the elements of the risk management framework, including the determination of common definitions, purpose, and process. The committee documented their description of the context of operations and internal stakeholders and used that information to develop the county’s multi-year risk management implementation plan. Those descriptions were also integrated into all risk management processes. Committee members developed competencies and experience and were able to assist departments in applying the risk management process to decisions and projects. As risks were identified and treatment plans developed, the committee provided oversight on key risks.
The committee continues to report to the governing board on key risks, progress, and challenges.

3.4.3 Consider critical success factors

Critical success factors are the elements necessary to achieve mission or purpose. They are indicators of opportunities, activities or conditions required to achieve desired outcomes and hence are specific to each organization. Critical success factors can be physical (such as production lines or supply chain capacities) or non-physical (skills, markets, or reputation). They are at times described through scale, speed, and dependency.

Examples of questions relating to critical success factors include:
» Is timeliness or speed an element of any critical success factor?
» Are there differences in scale that affect any critical elements?
» What dependencies and interdependencies affect objectives?
» What quantitative and qualitative parameters are required to be understood and managed to succeed?
» What changes could affect the achievement of current or future objectives?
» How are critical factors monitored and measured?
» What could go wrong, and what needs to go right?

EXAMPLE - Case study
A global chain of hotels is considering selling off locations to cover debts. Some of the critical success factors include the amount of time it has to solve its financial problems, the reasons the organization cannot cover the debt with cash flow from operational sources, and whether divestiture has implications for the hotel’s brand and reputation.

A small high-tech start-up with a focus on opportunity management, at the beginning of investor interest, is critically dependent on the success of fundraising through investments and developing opportunities to raise needed capital. The critical success factors will focus on the start-up’s strengths and weaknesses in the eyes of investors and bank managers.
Considering critical success factors in decision making and during the risk management process can:
» Maximize positive consequences and minimize negative consequences of events or trends that can occur;
» Maximize the use of limited resources including time;
» Improve efficiency and effectiveness; and
» Help prioritize risks and deploy resources in proportion to the organization’s strategies and objectives.

Building a framework for a successful and appropriate risk management program requires broad understanding, planning, and a collaborative approach to achieve the organization’s risk management goals. The development of a plan to introduce or enhance risk management is based on the business case, organizational context, level of leadership commitment, results of the gap analysis, and organizational goals and expectations.

3.4.4 Conceptualizing a risk management plan

A risk management plan helps an organization improve and integrate risk management. The plan articulates the organization’s vision for managing risk, by explaining the organization’s concept of risk management in its future state. Elements of the formal business case inform this vision, including the rationale, program purpose and business need.

The purpose of a risk vision statement is to define why and how risk can be managed in the organization and the strategy to evolve risk management over time. It can include descriptions of who would be engaged, how risk would be communicated and managed throughout the organization, and expectations for accountability and decision making. Defining and continually communicating this vision helps focus and organize the risk management plan.

3.5 Assessing the current state of risk management practices

Improving current practices begins by understanding how risk is currently managed, the risk programs currently in place and where the organization has already built systems or processes to manage risk.
Although a variety of techniques can be used, a simple gap analysis seeks to answer the questions “where are we?” (the current state) and “where do we want to be?” (the future state). A risk management practices inventory and gap analysis based on agreed criteria and the organization’s arrangements can be used to analyse the current state.

Questions to assess current risk management practices include:
» How does your organization measure and manage risk in this area, department or for specific activities?
» Who is accountable for risk management processes and outcomes?
» What policies and procedures currently exist to manage risk and are they adequately communicated?
» How do people consider, act on and report on risks?
» What risk data is collected and reported on?
» Who is responsible for the accuracy, maintenance and reporting of risk data?
» Are there other programs or compliance requirements that involve the management and reporting of risks?
» Does the culture encourage an open discussion of risk?
» Are risk assessment techniques used appropriately?

Involving knowledgeable key stakeholders in developing the gap analysis performance criteria, assessing the current state, and determining the desired future state demonstrates the risk management principles of inclusivity, integration, and customization. Stakeholders need to agree upon fundamental risk management practices that are important to the organization. Listing factors needed to achieve the desired future state (what will be), such as finance, people, processes, or technology, should be based on discussions incorporating the outcome of the organization’s risk management. Discussions with stakeholders highlight the amount by which the need exceeds existing resources and which gaps are to be filled to be successful (what to consider). Refer to Annex A for an example of a gap analysis. Evidence used for the analysis of existing risk practices is to be recorded.
EXAMPLE - Case study
A large-sized government organization requires internal auditors to complete continuing education in risk management performance assessments in their annual personal development plans to address gaps in knowledge. Documentation of continuing education credits provides evidence related to risk assessment training of personnel.

In medium to large organizations the risk framework requires the risk committee to meet once a quarter. To address gaps in governance, the minutes of these meetings provide evidence including who attends, how often they are held, what is discussed and whether actions are closed out within the original time frame.

Where required, organizations can establish risk appetite statements or strategies in quantitative or qualitative terms to express willingness to pursue or retain risk to achieve the mission, strategy, or a specific goal. Such statements can be required by regulators, management priorities or industry practice and may be considered when assessing the current state. Organizations that have not established formal or informal risk appetite can consider whether such statements may be helpful as part of a desired future state.

Gaining consensus for the rationale for modifying and improving existing practices provides the basis for developing a framework and formulating a realistic risk management plan.

3.6 Creating a risk management plan

A risk management plan details the steps necessary to establish or improve an organization’s risk management capabilities. A risk management plan ensures that activities occur in a coherent order, and it provides a means of recording progress and tracking improvement.

Engaging a broad group of stakeholders with diverse responsibilities in developing the plan can provide a more comprehensive view of the desired outcomes and encourage better adoption.
It can also help an organization anticipate and proactively address potential complications and other issues.

Organizing the plan in stages can allow for the tracking of immediate, mid-term and long-term objectives. This sets the stage for achieving quick, measurable results, but it also establishes realistic expectations that full integration can be a long-term process. Integrating these plan objectives with other organizational improvement activities reinforces risk management as a key component of operational effectiveness, rather than as a separate activity. As with other aspects of risk management, take every opportunity to leverage existing reporting and operational infrastructure. Assessing and managing risks to the successful implementation of the plan itself can keep the plan on track.

The plan may incorporate:
» The scope and objectives of the plan;
» Elements from the business case, such as estimated implementation schedule and resource needs;
» Details that are specific, measurable, achievable, realistic, and time-bound;
» A description of how risk management objectives align with the mission and strategy of the organization;
» A description of how risk management activities support the pursuit of the organization’s objectives;
» A statement of leadership’s commitment to risk management, including a discussion of the authority and reporting relationships;
» Expectations for how the organization integrates risk management into governance, strategy-setting, decision making, and key business and operational processes;
» An outline of relevant oversight committees, governing bodies and key stakeholders and the expectations and responsibilities for each of these groups. This can include the governing board, audit committee, risk committees, top management, department heads, risk owners, other subject matter experts, and organizational stakeholders;
» The resources required to implement the plan and integrate risk management into daily operations and decision-making including:
  - People, skills, experience, and competence;
  - Financial and technological resources needed to support the risk management process;
  - Processes and tools to manage, monitor and report on risks;
  - Tools for effective communication and consultation;
  - Change management methods; and
  - Risk management training and other support activities that will be necessary to integrate risk management.
» Suitable processes to identify, analyse and evaluate risks and analyse the effectiveness and efficiency of risk treatments and controls;
» An explanation of how risk owners are assigned, how risk treatments are prioritized and selected, and how ongoing performance is measured;
» Risk communication and reporting mechanisms for each group, including the reporting format, sequence, trigger, frequency, and audience;
» Defined risk escalation procedures for outcomes that are not usual;
» Discussion of the organization’s philosophy about lessons learned and how these growth opportunities are identified, evaluated, and incorporated to support continual improvement and the maturity of risk management activities over time; and
» Monitoring and measuring ongoing performance.

3.7 Managing organizational change

The risk management plan can include proposals for changes needed to job roles, organizational structures, processes, and technology. Applying change management methods to these changes improves their likely success. Some people willingly accept the integration of risk management into decision making and other activities while others firmly resist it.
Anticipating and managing potentially varying responses may be considered as part of integrating the plan.

Change management generally involves multiple steps. The fundamental step to integrate change and overcome resistance is developing clear and compelling communications regarding:
» The nature and scope of the change;
» Why change is necessary currently (what is the urgency and envisioned outcome);
» Who is sponsoring, supporting and participating in the change;
» How the desired change improves the organization’s (or resistant individuals’) ability to meet objectives;
» The obstacles that are to be removed so that change can occur;
» The means of gathering feedback and measuring adoption of the change;
» How successful integration and outcomes are recognized; and
» Consideration of how organizational change management methods help solve human behaviour challenges within any project management or integration approach.

Differing change management methods can be researched and customized for an organization depending on whether the change is considered incremental or transformational.

4. Risk management process

4.1 Introduction

A structured risk management process aims to align risk management with objectives and manage risk in an unbiased way. Although the basic steps of the process apply to any risk and any level of the organization, different risk assessment techniques can be used depending on the circumstances.

An important focus of risk management is on the creation of value for the organization and better decision making. However, in many circumstances the risks are well known, and controls are in place. In such cases, the focus of risk management may be on ensuring the controls are appropriate, work effectively, and provide assurance that this is the case.

4.2 Communication and consultation

Taking an inclusive approach to communication and consultation assists in identifying risks and gaining acceptance and active support for decisions about the significance and treatment of risks. Internal and external stakeholders are to be identified, and plans made for how to communicate and consult with them. This occurs at the start of the process and at appropriate points throughout. For any risk assessment, consider what expertise is needed, who is to be actively involved and who will be kept informed of outcomes. Consultation can occur at any point in the process where additional input would improve the understanding of risks or confidence in the resulting actions.

Stakeholders are to be identified, and communication strategies decided, as:
» Human and cultural factors can be a source of uncertainty;
» Stakeholders have a right to know if a risk can affect them; and
» Stakeholders’ perspectives on risk can be relevant.

The following questions can assist in determining effective and efficient stakeholder consultation:
» Were appropriate internal and external stakeholders identified before the risk management process began?
» Were the right stakeholders appropriately engaged at each stage of the process?
» Were any additional stakeholders identified throughout the risk management process?
» Which stakeholders were consulted throughout risk assessment and treatment?
» Was there communication with appropriate stakeholders throughout?
» Were the outcomes of the decision or risk management process appropriately communicated?
» Were the outcomes required by the stakeholders considered?

4.3 Defining scope and context of risk assessment

The first step of the risk management process is to define the scope, boundary(ies) and context. This ensures better utilization of time, effort, and resources of the organization.
Establishing the context includes understanding the impact that the organizational context (see 3.4.1 Understand and use organizational context) has on the risk assessment.

All risk management activities need to take account of organizational objectives and values as well as the specific objectives of the risk assessment process. Strategic objectives translate into goals that are both financial and non-financial, and against which the organization measures performance. Objectives at different levels within an organization will need to be aligned with the objectives, values, and goals at the organization level. The goals at the organization level can cascade to different parts of the organization in different ways so that the defined goals are specific to the work done by individual units. Combined achievement of goals at different unit or department levels helps in the achievement of overall organizational goals.

EXAMPLE
Information relating to the scope and context is found by talking to people and by reference to policies, business plans and other organization-wide documents.

4.4 Defining risk criteria

Risk criteria are a set of rules or statements that enable consistent decision making throughout the organization. The use of risk criteria supports better decision-making, such as:
» How it is decided that a risk has been controlled sufficiently;
» When a risk is unacceptable so that work must stop regardless of benefit;
» When the potential benefit is sufficient to make a risk acceptable;
» How to judge the relative significance of risks for allocation of resources;
» When to inform more senior levels of the existence of risks; and
» How trade-offs are to be made when several objectives are affected.
Risk criteria can differ for different types of risk and should be compatible with the maximum risk exposure that the organization is willing to take. An organization can set criteria taking into consideration its priorities, for example the three dimensions of sustainability (environmental, social and economic).

EXAMPLE
» Organizations may set goals to reduce carbon footprint. Risk criteria would take into account threats and opportunities related to this goal.
» An organization may state their goal for health and safety risks to be no incidents. Risk criteria compatible with this statement would clarify that risks are controlled so far as is reasonably practicable. If more controls are feasible, they can be applied.
» Financial institutions may set criteria based on the Value at Risk (VaR). (The VaR of a portfolio is the maximum financial amount expected to be lost over a given time horizon, at a pre-defined confidence level.)

Criteria used for comparing the relative significance of risks to different objectives can be based on the consideration of consequences and their likelihood. A commonly applied and relevant scale is needed to measure and compare risks. For example, different likelihoods, levels and types of consequences can be considered using a qualitative, semi-quantitative or quantitative scale. Consequences can be tangible or intangible. Descriptions defining likelihoods, consequences and decision criteria are to be unambiguous and allow for easy interpretation. All assumptions should be explicitly stated.

EXAMPLE
In some situations, a matrix helps to compare different types of risks. The matrix has consequences on one axis, and likelihood on the other. Each risk is plotted on the matrix according to the likelihood of its consequences.
Generally, the higher the combination of likelihood and consequence, the higher the priority or the greater the need to refer the risk to higher levels in the organization. The matrix can also show the positive side of risk assessment with the scoring capturing the potential impact and likelihood of opportunities. Risks with higher consequences can merit higher priority due to the nature of the consequence. In the case where an extremely high consequence may be a fatality, all efforts are to be considered to reduce the risk regardless of the likelihood of failure.

NOTE: Matrices can help depict relative importance. However, care is needed in assuring the underlying methods used to determine conclusions are accurate and defensible.

Where there is high uncertainty, such as in long-term strategic planning or in new technology, pre-determined risk criteria may not be appropriate. In these cases, decisions about risks associated with opportunities and threats can benefit from consultation and discussion.

4.5 Risk assessment

Uncertainties permeate every aspect of an organization’s context and activities and can have positive, negative, or neutral outcomes. A negative outcome for one party can become a positive for another. Risks can be identified so that they can be considered in decisions and so that treatments can be developed to support positive outcomes and reduce negative outcomes.

Uncertainty influences individuals and organizations, including decision makers. Perception of risk is situational as it arises from uncertainty in the understanding or knowledge of a future event. This includes uncertainty about its consequences for objectives and the characteristics and variables involved, including the likelihood of their occurrence.

Risk assessment covers three steps: 1) risk identification (recognizing risks), 2) risk analysis (understanding risk), and 3) risk evaluation (judging its significance).
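The likelihood/consequence matrix and the decision criteria of 4.4 (priority bands, when to inform more senior levels, when work must stop regardless of benefit, and the rule that an extreme consequence such as a potential fatality gets full attention regardless of likelihood) are worked through below as an added example. It is not code from the handbook or from ISO; the 1 to 5 scales, band boundaries, threshold values and the sample risk register are constructed assumptions that a real organization would replace with criteria agreed with its stakeholders.

```python
"""Likelihood x consequence risk matrix with explicit risk criteria.

Added example, not from the ISO 31000 handbook. All scales, band
boundaries, thresholds and sample risks are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    """Semi-quantitative likelihood scale (assumed 1..5)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    """Semi-quantitative consequence scale (assumed 1..5)."""
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    EXTREME = 5  # e.g. a potential fatality


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: Likelihood
    consequence: Consequence
    opportunity: bool = False  # True plots the risk on the positive side of the matrix


# Priority bands over the product likelihood x consequence (assumed boundaries).
PRIORITY = ["low", "medium", "high", "very high"]
BAND_UPPER = {"low": 4, "medium": 9, "high": 15, "very high": 25}

# Decision criteria of 4.4 expressed as band thresholds (assumed values).
ESCALATE_FROM = "high"        # when to inform more senior levels
STOP_WORK_FROM = "very high"  # when a threat is unacceptable regardless of benefit
EXTREME_FLOOR = "high"        # an extreme consequence is at least this band, whatever the likelihood


def score(risk: Risk) -> int:
    """Cell value of the matrix: likelihood times consequence."""
    return int(risk.likelihood) * int(risk.consequence)


def band(risk: Risk) -> str:
    """Priority band for a risk, applying the extreme-consequence floor to threats."""
    s = score(risk)
    label = next(b for b in PRIORITY if s <= BAND_UPPER[b])
    if risk.consequence == Consequence.EXTREME and not risk.opportunity:
        if PRIORITY.index(label) < PRIORITY.index(EXTREME_FLOOR):
            label = EXTREME_FLOOR
    return label


def decision(risk: Risk) -> dict:
    """Apply the criteria: does the risk escalate, and must work stop?

    Opportunities never trigger stop-work; they are scored for prioritization only.
    """
    b = band(risk)
    rank = PRIORITY.index(b)
    return {
        "risk": risk.name,
        "score": score(risk),
        "band": b,
        "escalate": rank >= PRIORITY.index(ESCALATE_FROM),
        "stop_work": (not risk.opportunity) and rank >= PRIORITY.index(STOP_WORK_FROM),
    }


def prioritize(risks):
    """Order for resource allocation: band first, then raw score, highest first."""
    return sorted(risks, key=lambda r: (PRIORITY.index(band(r)), score(r)), reverse=True)


def matrix_cells(risks):
    """Group risk names by matrix cell (likelihood, consequence) for plotting."""
    cells = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.consequence), []).append(r.name)
    return cells


# Constructed sample register, not taken from the handbook.
SAMPLE = [
    Risk("unpatched internet-facing service", Likelihood.POSSIBLE, Consequence.MAJOR),
    Risk("forklift route crosses walkway", Likelihood.RARE, Consequence.EXTREME),
    Risk("typo in internal newsletter", Likelihood.LIKELY, Consequence.NEGLIGIBLE),
    Risk("untested failover at peak load", Likelihood.ALMOST_CERTAIN, Consequence.MAJOR),
    Risk("early entry into new market", Likelihood.LIKELY, Consequence.MAJOR, opportunity=True),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(decision(r))
```

Two design points follow the text rather than the arithmetic: the forklift risk scores only 5 (rare but potentially fatal) and would sit in the "medium" band by product alone, yet the extreme-consequence floor lifts it to "high" so it is escalated; and the same "very high" cell reads differently for a threat (stop work) and an opportunity (pursue with senior-level visibility). The NOTE in 4.4 applies: the numbers in a matrix are only as defensible as the scale definitions and thresholds behind them, so those are kept in one place as named constants.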
The approach used is to be structured, coordinated and comprehensive and make use of the best available information. Organizational culture and biases are to be considered when identifying and evaluating risks and assessing the effectiveness of controls.

The objectives and decision timeline determine how risks are assessed. Once fully integrated into an organization’s culture, risk assessments can become an automatic and informal part of the decision-making process when decisions are simple and frequent. When decisions become more significant or complex, a deliberative risk assessment process should be applied. In these situations, limited risk assessment techniques may be used to reach a decision in a shortened timeframe. When decisions are strategic in nature or quite complex, a more rigorous deliberative effort should be applied.

EXAMPLE - Case study
As an example of both positive and negative outcomes, rain can be a source of loss to a builder but a gain to a farmer. The benefit of rain to the farmer is that existing crops grow better. Rain also provides the opportunity to plant more seeds if the farmer chooses to do so. However, this opportunity is accompanied by the risk that there will be no follow-up rain and the cost of the seeds will be lost. On the other hand, rain may delay work for the builder, resulting in loss of time and money.

Risk depends on the situation. The same event can hold no risk in one situation but have risk in another context. Depending on objectives and values, a thing can represent a low risk to one person as well as a high risk to another.

EXAMPLE
A tree falling in the forest is not a risk if no one is there, but if it falls across a fire trail, it presents a risk to those having to use the fire trail. The level of consequence would depend on the reason for wanting to use the fire trail, i.e., fire or no fire.
Risk may be assessed:
» For new activities or when new knowledge becomes available;
» When there is significant change in context or objectives;
» Periodically to reflect the current positive and negative outcomes of risks already identified and to identify any new risks;
» When controls or risk criteria change; and
» When making decisions that can affect organizational objectives.

4.5.1 Risk identification

Since the consideration of risk concerns the effect of uncertainty on objectives, the starting point for risk identification is considering what can affect the objectives, both of the organization and of the part for which the assessment is required. Any threat or uncertainty in the achievement of these objectives can warrant further assessment.

Identifying uncertainty that can affect objectives includes a variety of considerations, for example what is unknown, not understood, variable, misinterpreted, or known but unpredictable. Uncertainty can arise from the inherent unpredictability of natural events and human nature, or due to our inability to understand nature and human nature fully. New, changing, complex, chaotic, rare, and remote circumstances are also risk sources. Risk can also be identified by recognizing things within the organization or its context which can lead to risk (examples include physical hazards, organizational pressures or weaknesses in management systems or risk controls).

There are many ways of identifying risk, including:
» Collecting historical information, reviewing the experience of other organizations and consulting people with experience and expertise;
» Applying imaginative thinking about the future; and
» Applying systematic identification tools such as fishbone diagrams, failure mode and effects analysis, structured what-if technique and hazard and operability study, as outlined in IEC 31010.
When identifying and recording risk, it is helpful to think about risks as scenarios that represent what may happen in the future. There can also be scenarios where a source of risk can be identified but the mechanism by which the source is able to affect objectives cannot. In some cases, the nature of consequences may also be unknown. These sources of risk may still be managed although the risk cannot be fully described or measured.

4.5.2 Defining risk categories

Once risks are identified, some organizations find it helpful to categorize them. This can be useful if the number of risks is so large as to become unmanageable. Categorizing risks can enable better use of resources because similar risks can be treated together. This also helps break down barriers between organizational units and encourages communication and understanding. Sorting risks into categories can help identify where an area of risk has been overlooked.

The categories used can be customized to make sense to the organization, to be common to the entire organization and to be expressed in clear and unambiguous terms. Inconsistent language defining risks across an organization makes it difficult to relate common risks in different departments and to focus on the most important risks. Generally, categories represent the types of risk commonly encountered. Categories are not to limit thinking when identifying risks, so that rare and emerging risks are included. Refer to Annex B for examples of risk categories.

4.5.3 Risk analysis

The purpose of risk analysis is to understand risk. This includes understanding the consequences to objectives, their likelihood, causes and existing controls and, where appropriate, obtaining a level of risk.
This understanding can be used:
» To identify treatment options that work;
» To compare risk with the criteria (see Subclause 4.4 Defining risk criteria);
» As input to decisions that can involve multiple risks; and
» To provide information to be used by different stakeholders in the evaluation of risk in their context.

Analysing sources of risk with root cause techniques can identify both direct and underlying causes. By analysing causes, it is possible to check the extent to which causes are currently well controlled. Analysis of existing controls checks that those controls are effective. Together this provides information about the need for new treatments or for improvements in existing controls.

Assessing control effectiveness may include the following checks or tests of whether the:
» Control is well designed — it is determined through a review of design criteria;
» Control exists and is operational;
» Control is performing as intended — it is tested and observed in operation;
» Control is reliable — it is evaluated for potential deviations, failures, or bypasses;
» Control is effective — will work as intended when required; and
» Control is efficient — is relevant, adequate, and aligned with current objectives and circumstances.

The way risk is analysed depends on the purpose of the analysis and the nature of the criteria against which the risk is to be evaluated.

EXAMPLE
» To identify treatment options, analysing the causes and existing controls of a safety risk with "so far as is reasonably practical" criteria reveals whether to take additional preventative action.
» To see whether the risk of a flammable liquid distillation experiment is acceptable, simulating and analysing the effects of an explosion in a worst-case scenario determines the effectiveness of explosion protection arrangements.
» To decide whether the risks associated with a school excursion into the mountains are justified by the educational value, a subjective analysis of potential positive and negative outcomes of the excursion is carried out, taking into account the controls that are planned to be in place.

In some cases, a measure of risk is required to analyse the risk. Traditionally this is a combination of consequences and their likelihood. Consequences can result from a response, or failure to respond, to an opportunity or threat in relation to objectives. Consequences can be described in the form of:
» One or more discrete outcomes, each of which may have an associated likelihood or probability; and
» A range of outcomes, often in the form of a distribution or probability density function.

Any single scenario can affect multiple objectives. Some scenarios reveal a chain of events where consequences become sources of other risks. Consequences can also have cascading and compounding effects. For example:
» Extreme weather events may result in more wildfires;
» Wildfires may result in damage to power distribution systems and more power outages;
» Power outages may result in failure of air conditioning systems and more cases of heat stress; and
» An opportunity in the frequent power outages may open the market for local solar generation and storage of electricity.

EXAMPLE - Case study
A spill of a chemical initially affects production as a loss of product and output, or business disruption. If the chemical is hazardous there are also consequences for safety, and if the spill enters ground water, for the environment. Depending on the scale of the spill there can also be financial consequences and consequences for reputation.

A measure of consequence can be qualitative (for example, a description or a rating scale) or quantitative.
In some cases, outputs of a financial or technical model, or a report with such descriptive or quantitative information as is available, can be the most useful way to provide information to a decision maker about consequences.

EXAMPLE
Examples of consequences represented by quantification include financial consequences such as revenue, productivity and cost. Tangible consequences at times quantify financial and physical measures. Intangible consequences are more likely to be represented qualitatively, such as employee satisfaction, customer satisfaction, investor confidence or reputation. At times, quantitative measures can be used to illustrate intangible consequences.

The use of consistent and unambiguous language is critical to providing a common understanding of risk.

It can be useful to understand the likelihood of any of the components of a risk scenario (for example, the likelihood of the source of risk existing, the likelihood of an event, the likelihood of a control failing or the likelihood of a particular consequence). The likelihood that is being referred to in any instance is to be specified.

When using past data to estimate the likelihood of a particular consequence, note that the future does not necessarily follow the past: just because something has not happened yet does not mean it is unlikely to happen tomorrow. Other approaches to estimating likelihood include forecasts using modelling techniques and expert opinion.

Likelihood can be expressed as a frequency (expected number of occurrences in a given period) or as a probability of occurrence (expressed as a ratio, for example, % of projects or % of employees). Generally, expressing likelihood as a frequency is more consistently understood.

The likelihood of a consequence depends on the nature of possible causes, the effectiveness of existing controls for those causes and, in some cases, on vulnerability.
These need to be analysed before an estimate of likelihood can be made.

Likelihood and consequence can be combined to represent the level of risk. However, all methods for doing this, whether qualitative or quantitative, suffer from a common problem. Where there is a distribution of consequences, no single valid statistic (or estimate) represents the consequence. Sometimes the mean is used, but this ignores rare high-consequence events that may be of most concern to management. To use the most serious credible consequence as the measure of risk ignores common events that, when taken together, can be highly significant in the short term.

The way in which the estimate of the magnitude of a risk is made is to be understood, as well as uncertainties and potential biases in the estimate. Descriptive information on the nature of consequences and what is known about their likelihood can be more useful to a decision maker than a consolidated level of risk.

Assessing detectability can help in identifying potential low-impact risks and help decide resource allocation on preventive, corrective versus detective measures. For example:
» The speed at which risk materializes, also known as risk velocity, can add importance to the significance of risk. If the risk impact is high, with high probability of occurrence and slow speed, it may be possible for an organization to take adequate steps to reduce the impact. However, if the speed is high, then there will be insufficient time to react and the risk treatment can vary.
» Detectability assigns additional weight to risk measures. Questions that can help explain detectability include:
  - "How easy or difficult is it to detect the occurrence of an event?"
  - "Do we have reasonable time to react before the occurrence of the event?"

IEC 31010 gives further information regarding measures of risk and their use.
Whether analysis is carried out by experts or not, biases and perceptions can influence the level of risk estimated and how acceptability is interpreted. Given the level of subjectivity involved, organizations can decide whether obtaining a measure for risk is of value to them in the decisions that need to be made, as it can be a time-consuming activity.

Risks are analysed at appropriate intervals and as conditions change.

4.5.4 Risk evaluation

The purpose of risk treatment is to improve existing controls or, where applicable, to create new ones. This involves reviewing options for improvement and planning, implementing, and reviewing any changes needed. The results of risk analysis can be compared with risk criteria to determine the significance of risk. An understanding of risk and its significance is relevant to any decision, including:
» Whether to treat a risk or not and the priorities for treatment actions;
» How to treat particular risks;
» How to best allocate resources to achieve objectives;
» Selecting between options that involve a range of risks, and the costs and benefits associated with the trade-offs; and
» Whether the expected rewards or outcomes of an activity outweigh the potential negative outcomes.

The analysis of sources and causes of risk, the range of possible consequences, and existing controls provides information for required actions. When evaluating risk, all possible consequences, negative and positive effects, are considered, as well as potential threats and opportunities. Opportunities aligned with organizational objectives that can arise from threats may also be evaluated. Opportunities identified during risk assessment can be integrated into the planning processes of the organization.
When evaluating opportunities, the organization may consider the expected benefits to objectives, the uncertainties and possible biases in the estimate of those benefits, and the threats to achieving them.

4.5.5 Risk treatment

The purpose of risk treatment is to improve controls. This involves reviewing options for improvement and planning, implementing, and reviewing changes. Multiple treatments can be implemented, either alone or in combination. Considering all options before selecting specific treatments may result in more effective and efficient outcomes. Existing risk treatment options can be applied with or without modification. Deciding the best combination of treatments is an iterative process involving consultation with stakeholders and re-assessing the risk if proposed treatments are to be implemented. Treatments are to be practical and agreed by those who need to implement them. Options may include:

Treatment option: Description

Avoid: Remove the risk source itself or do not undertake a risk-producing activity, initiative, or project. Use an alternate approach that eliminates the source of risk and consequences.

Share: Share the risk with a third party. This may include contractual transfer, warranties and guarantees, the use of insurance, performance bonds, or other financial instruments. Sharing the risk using a contract does not always fully transfer the risk; in many circumstances a technical risk is replaced by a new risk associated with contractual performance. In some jurisdictions certain risks, such as those associated with workplace safety, cannot be transferred under any circumstances.

Modify: Undertake activities that reduce potential negative consequences or their likelihood and increase potential positive consequences or their likelihood. This can include pre-loss precautions such as reducing the source of risk or reducing vulnerability, and post-loss measures to mitigate consequences.
  - Changing the likelihood: through applying controls, organizational arrangements and procedures designed to reduce the frequency.
  - Changing the consequence: verifying that the controls are in place and working as expected to modify the consequences.

Retain: Decide to accept the risk by planning for ways to act if it occurs, rather than attempting to influence the likelihood or impact. Active acceptance can include developing contingency plans to respond if the event occurs. Passive acceptance is taking no action and dealing with the consequences as they occur.

Exploit: Undertake activities that seek to maximize the positive consequences of a risk and respective likelihoods in achieving gains.

Reducing uncertainty can also reduce the level of risk. For example, such options may include removing some of the unknowns through research or locking in a future purchase price through the purchase of futures.

After the treatment options are considered, the decision may require escalation for higher approval. Individuals are then assigned actions and responsibilities with timelines. While it is important to have one individual accountable for each treatment strategy, organizations need to consider all relevant stakeholders in planning and executing the treatment strategies.

Cost-benefit analyses of treatment options may include costs of risk treatments and costs associated with new risks arising from them. Costs and benefits can be expressed in social and environmental terms as well as in economic terms.

Threats to successful implementation of treatments, such as organizational resistance to change, may need to be identified and addressed.
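As an added example, not from the handbook, the following Python compares the single-number risk measures discussed under 4.5.3 (the mean, the most serious credible consequence, and frequency times consequence) over a constructed scenario set, then applies a "modify" treatment and compares the residual risk with a tolerance figure, the check used when deciding whether further treatment is needed. All scenario names, frequencies, consequences and the tolerance value are assumed sample data.

```python
"""Added example (not from the ISO 31000 handbook): single-number risk measures
over a constructed scenario set, then a treatment / residual-risk check.

All scenario names, frequencies, consequences and the tolerance figure are
constructed sample values, not data from the handbook.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: likelihood as an annual frequency, consequence as a
    loss per occurrence in currency units."""
    name: str
    frequency_per_year: float
    consequence: float

    @property
    def expected_annual_loss(self) -> float:
        # Likelihood x consequence: the traditional single-number level of risk.
        return self.frequency_per_year * self.consequence


# Constructed sample: three common low-consequence events and one rare
# high-consequence event, the shape the handbook says no single statistic represents.
SCENARIOS = [
    Scenario("Credential phishing compromises one mailbox", 12.0, 5_000),
    Scenario("Unencrypted laptop lost or stolen", 6.0, 8_000),
    Scenario("Cloud storage bucket left publicly readable", 2.0, 40_000),
    Scenario("Ransomware halts production for a week", 0.05, 4_000_000),
]


def total_expected_annual_loss(scenarios):
    """Sum of frequency x consequence across all scenarios."""
    return sum(s.expected_annual_loss for s in scenarios)


def mean_consequence(scenarios):
    """Frequency-weighted mean loss per event. Used alone, it dilutes the rare
    4M event among the many small ones (the tail disappears)."""
    total_frequency = sum(s.frequency_per_year for s in scenarios)
    return total_expected_annual_loss(scenarios) / total_frequency


def worst_credible_consequence(scenarios):
    """Largest single consequence. Used alone, it ignores how much the common
    events add up to within a year."""
    return max(s.consequence for s in scenarios)


def aggregate_common_events(scenarios, threshold):
    """Expected annual loss from events below the threshold: the part a
    worst-case measure silently drops."""
    return sum(s.expected_annual_loss for s in scenarios if s.consequence < threshold)


def loss_exceedance(scenarios, thresholds):
    """Annual frequency of an event whose consequence meets or exceeds each
    threshold. Keeps the whole distribution visible rather than one number."""
    return {t: sum(s.frequency_per_year for s in scenarios if s.consequence >= t)
            for t in thresholds}


def apply_modify_treatment(scenario, likelihood_factor=1.0, consequence_factor=1.0):
    """'Modify' treatment: scale likelihood (added preventive controls) and/or
    consequence (post-loss measures such as tested backups). Returns the
    residual scenario; the original is left unchanged."""
    return replace(
        scenario,
        frequency_per_year=scenario.frequency_per_year * likelihood_factor,
        consequence=scenario.consequence * consequence_factor,
    )


def residual_within_tolerance(scenario, tolerance_eal):
    """Compare residual expected annual loss with the organization's tolerance
    (a constructed figure here). Returns (acceptable, justification) so the
    reason for no further treatment is recorded, or the need to reconsider."""
    eal = scenario.expected_annual_loss
    if eal <= tolerance_eal:
        return True, (f"{scenario.name}: residual EAL {eal:,.0f} is within "
                      f"tolerance {tolerance_eal:,.0f}; no further treatment")
    return False, (f"{scenario.name}: residual EAL {eal:,.0f} exceeds "
                   f"tolerance {tolerance_eal:,.0f}; reconsider treatment options")


if __name__ == "__main__":
    print(f"Total expected annual loss: {total_expected_annual_loss(SCENARIOS):,.0f}")
    print(f"Mean consequence per event: {mean_consequence(SCENARIOS):,.0f}")
    print(f"Worst credible consequence: {worst_credible_consequence(SCENARIOS):,.0f}")
    print(f"Common events (< 1M) add up to: {aggregate_common_events(SCENARIOS, 1_000_000):,.0f}")
    for threshold, freq in loss_exceedance(SCENARIOS, [10_000, 100_000, 1_000_000]).items():
        print(f"  expected events/year with loss >= {threshold:>9,}: {freq:.2f}")
    ransomware = SCENARIOS[-1]
    residual = apply_modify_treatment(ransomware, likelihood_factor=0.5, consequence_factor=0.25)
    for s in (ransomware, residual):
        print(residual_within_tolerance(s, tolerance_eal=50_000)[1])
```

Run as written, the common events contribute 188,000 per year against 200,000 for the rare event, which neither the mean nor the worst-case figure alone would show.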
Consider if unintended consequences of a risk treatment cause disruptions, complications, or costs for the organization. By reviewing and comparing a proposed treatment strategy and residual risk to the organization's tolerance for risk, the appropriateness of the treatment can be determined. If the residual risk is not acceptable, then treatment options can be reconsidered.

Risks can be diverse. Some sources of risk are not within the control of an organization, and despite rigorous assessment, some risks may be missed. Accordingly, organizations may need to prepare plans for disruptions that affect those functions and assets that are critical to achieving their objectives.

EXAMPLE - Case study
Production at a call centre of a mid-size company was falling below expected levels. The probable cause was identified as increased absenteeism. The supervisor therefore recommended updating the absenteeism policy so workers who missed too many hours could be replaced. Before taking any action, the head of Human Resources requested that a risk assessment be done to determine if the recommended course of action was appropriate.

A root cause analysis was conducted which determined that the high absenteeism was due to workers being constantly sick, with a higher-than-normal incidence of bacterial infection. The bacterial infections were traced to substandard cleaning of the washrooms. Upon further investigation, it was determined that the reasons for substandard cleaning were lack of training among the cleaning crew and reduced cleaning schedules taken as a cost containment measure by the supervisor a few months earlier.

To treat the risk of employee illness affecting production schedules, management considered several possible treatment options.

Treatment option: Potential treatment
Avoid: Use technology-based solutions only - no workers.
Transfer: Outsource the program to a vendor with a healthier environment.
Modify: Improve cleanliness of washrooms.
Retain: Accept conditions as they exist and see if staffing services are available at the time workers are sick.
Exploit: Introduce preventive health measures.

Management determined that multiple options can be used to treat the risk and decided to take the following actions:

Avoid: Investigate available technology to replace workers as a longer-term solution.
Modify: After weighing the cost of increasing washroom cleaning against the consequences of lost production, the company returned to their original cleaning schedules. In addition, they required the vendor to train cleaners, made hand disinfectant available at workstations, and increased cleaning contractor oversight.
Exploit: Research whether an in-house clinic could provide treatment and preventive services to improve the overall health of workers and possibly serve the larger community, as a possible mid-term solution.

In some cases, escalating decisions to a higher level in the organization is necessary to determine whether and how a risk is to be treated. Examples of when this can occur are when a risk is considered particularly significant, when there are cross-departmental linkages that require a combined decision, or when the resources required for treatment are outside the authority of the risk owner.

Implementing treatments can result in residual risk. If the residual risk is not within the organization's tolerance, the risk owner may consider repeating the process of risk treatment evaluation and implementation. Once an acceptable level of risk is achieved, the reason no further treatment is needed is to be recorded. This is a control in itself, providing assurance to stakeholders and assisting those reviewing the risk assessment in the future.
The justification for no further treatment can help organizations address the common bias of overconfidence in the effectiveness of risk treatments.

4.5.6 Monitor and review risks

The risk management process is dynamic. The context, risks and the effectiveness of controls can all change. Critical indicators of change can be identified and monitored. Regular review of risks helps encourage continual improvement.

Treatment actions need to be continuously monitored and reported to management on a periodic basis and after any trigger event. The effectiveness and efficiency of treatment options can be reviewed and verified through performance criteria and updated risk analyses. Delays or deviations in the implementation of treatment strategies may be tracked and reported to the concerned stakeholders on a periodic basis to ensure timely implementation.

4.5.7 Recording and reporting risks

Recording risk in a centralized repository, for example in a risk register or information system, eases dissemination through the organization and enables transparency regarding management of proposed treatments. A risk treatment plan that assigns accountabilities and timelines can be part of the same information system or, in the case of a paper-based system, can be a separate document. The need for historical data analysis and future trend evaluation determines data retention schedules.

Recording and reporting significant changes in risk is beneficial. Recording includes noting changes in information, such as treatment implementation, modifications in existing controls and changes in priority. It is important that risks and their causes are not confused in the documentation process. Some risks may need recording in a specific way that is inconsistent with others.

5. Effectiveness of the risk management program

Excellence in risk management requires that organizations periodically evaluate the effectiveness of risk management programs and activities and their integration into decision making. The scope of the evaluation may be customized to address critical areas of need. It requires understanding the scope and applicability of a variety of diagnostic assessment methods. There is no one single standard method for assessing the effectiveness of risk management programs in organizations. Whatever process or method is chosen, it needs to be adaptable to changes in the organization.

Various external or internal methods can be used to systematically determine the effectiveness of the organization's risk management program. These include models, processes, reviews, and audits. Finding the appropriate combination of these methods is critical to obtaining successful outcomes. The purpose of these assessments is to identify strengths, successes, gaps, and areas for improvement. These types of assessments can also identify areas where risk management capabilities are not meeting stakeholder expectations.

5.1 External methods

External methods can include:
» Benchmarking — Benchmarking involves measuring the performance of an organization against external standards of reference that frequently come from similar organizations doing similar things. This may start with identifying peers for common practices through an analysis of the industry sector and relevant market segments. Benchmarking an organization's practices with peers through surveys or available trade or association publications can reveal gaps, strengths and weaknesses, differentiators, and risk statements. Organizations discover additional insights by comparing risk factors noted in competitors' financial reports, as well as those of industry partners, with their own.
» Maturity models — Maturity models are a measurement concept for demonstrating development progress and for highlighting consistent outcomes across organizations. Risk management maturity models incorporate risk management criteria in relation to people, culture, processes, structures, and technology. Users score their organization against these criteria to provide them with information on areas of strength and improvement in their risk management practices and processes. This information can assist in focusing the development of risk management programs' improvement plans.
» Publications — Industry groups, regulators, associations, and academics publish research and thought-provoking papers on trends and approaches to risk management. These papers can cover frameworks, integration, techniques, practices, and risk management competencies within successful organizations. Actively researching, synthesizing, and prioritizing practices in the context of the organization under review is a means of evaluating the effectiveness of its practices and provides ideas for developing the risk management program's implementation plans.
» Networking — Networking techniques can be formal or informal and can be general or more specifically focused on one area of improvement. Peer reviews of programs are a networking assessment technique that can be limited in scope by industry, size, or region. While the researcher typically facilitates an assessment through in-person meetings, networking assessments can also work through virtual meetings or surveys.
  - Networking events, such as conferences, summits, industry meetings and workshops, can provide insight into best practices and program comparisons. These events can be either in-person or virtual.
5.2 Internal methods

The success of risk management programs can be evaluated by determining whether tools are used and written materials generated, through reviews with stakeholders and by using self-assessment methods. A sample of these methods can include:
» Mapping — Mapping can be used as a graphical representation of a procedure, process, structure, or system that depicts the arrangement of and relationships among its different components and traces flows of information, people, and activities. This method can be useful in understanding the activities, people, and competencies already present and available within the organization. It also informs the risk management program's implementation plans for potential collaboration with business areas and existing processes.
» Internal surveys and interviews — Structured interviews and surveys can be used to gather information about the effectiveness and value of the risk management program.
» Internal audit reviews — Internal audit provides the board and management with an objective and independent assessment of an organization's risk management program's effectiveness by determining:
  - Whether there is evidence that risks to the organization are appropriately managed on an ongoing basis, using feedback as part of continual improvement; and
  - Whether there is evidence that the principles have been applied.
  Information from internal audit reports helps determine whether risks are appropriately managed on an ongoing basis.
» Periodic review — This method provides the opportunity to review the program on an ongoing basis. The discussion may include key stakeholders and examine outcomes with the intent of identifying successes, problems, and areas that need improvement. This is an effective tool for articulating lessons learned and continual improvement.
» Evidence of integration of the ISO 31000 principles and framework — The principles describe key qualities of risk management programs. They are used to validate the effectiveness of the risk management program by documenting evidence for each principle. The evidence can specifically describe how each principle applies within the organization. The framework elements provide details on how the risk management program is integrated, designed, implemented, evaluated, and improved. Each element describes components and attributes that are measured and evaluated.
» Review of risk management processes and competencies — Risk management processes engage stakeholders, assess and treat risks, and report on outcomes when applied to decisions, projects, activities, and areas of operation. Applying consistent criteria or questions to these processes helps organizations develop consistent, effective processes across the whole organization. Review questions may include:
  - Was the overall risk management process effective and useful?
  - Were the leaders sufficiently skilled?
  - Were the right stakeholders appropriately engaged?
  - Were appropriate risk assessment techniques applied during the process?
  - What are the lessons learned and how to act on them?
  - Evaluation of actual results in relation to the amount of risk the organization is willing to pursue to achieve an objective (risk appetite) or tolerate (risk tolerance).
  - Is there evidence that the principles have been applied?

One or more internal or external methods can be used to help identify and assess gaps and areas of improvement. A continual improvement plan can then be developed and implemented to address them.

6. Continual improvement

6.1 Introduction

Effective risk management enables the organization to achieve its objectives by continually assessing risks to reduce surprises and improve performance.
Risk management, like other organizational processes, requires review against the benefits and objectives that were outlined as part of the business case included in Clause 3 of this handbook. The following questions can assist in determining whether the introduction of or update to risk management has been successful. For example, has risk management:
» Delivered benefits for the organization in building and sustaining a competitive advantage?
» Assisted in achieving the organization's objectives?
» Been integrated within the organization's core processes that assist in achieving the overall objectives?
» Improved performance towards innovation?
» Identified and considered emerging risks?
» Been effective in assessing and improving preparedness for disruptions?

Continual improvement in risk management is achieved through the setting of performance goals, and the measurement and regular review of progress. The organization's existing performance management system can be used for continual improvement of risk management. This can involve:
» Setting performance indicators for risk management that are aligned with organizational performance indicators and reviewed periodically for appropriateness;
» Measuring risk management performance against the performance indicators; and
» Periodically reviewing whether the risk management implementation plan, framework and processes continue to be appropriate and whether they are being followed throughout organizational changes.

6.2 Measuring risk management improvement through key performance indicators

A possible tool that an organization can use for measuring the success of risk management is key performance indicators (KPIs). It is important that performance indicators are defined in the planning phase and based on the goals of the organization. KPIs are to be suitable for communicating the performance of risk management internally and externally.
Important questions that may be considered during the measurement of the improvement include:

Question: Are risk responsibilities addressed at all levels?
KPI: Number of position descriptions that include risk management responsibilities.

Question: Is there risk management training available at required levels within the organization?
KPI: Training conducted in accordance with a competency matrix.

Question: Are treatments completed on time?
KPI: Treatment schedules met.

Question: Are risk activities addressed at the required level?
KPI: Risk reporting to leadership and the Board.

Question: Is continual improvement of the risk management process fully communicated to internal and external stakeholders?
KPI: Internal risk reporting; external risk reporting as required.

Question: Has the integration into the organizational strategy and risk management been successful?
KPI: The measurement of less uncertainty impacting organizational objectives.

Question: Have the benefits of introducing, transitioning, or updating the risk management approach been realized?
KPI: Comparing the organization's risk management process to 'best practices'.

Question: Have we articulated and made progress towards the desired level of risk maturity?
KPI: Tracking project plan timelines and deliverables.

6.3 Lessons learned

Organizations committed to continual improvement will consider incorporating lessons learned. Such lessons communicate knowledge acquired through experience to leverage beneficial information into planning, work processes, and activities in the future. Organizations may incorporate information from external and internal sources.

The goals, objectives, roles, accountabilities, and competencies of the organization can change. The framework for risk management can go through various iterations over time and processes will also evolve.
It is important to accurately assess the progress and performance of risk management implementation and apply lessons learned, to continue to create and add value to the organization. Whichever methodology is used to capture the lessons learned in risk management, it is important to identify or ask:

» What went well?
» What did not go well or had unintended consequences?
» What could be done differently next time?
» Were objectives in the business case achieved?
» Were KPIs met?
» Are all new processes documented?
» Has success been communicated and celebrated?

Annex A
Example of gap analysis

Risk management criteria vary from organization to organization. This chart illustrates that it may not be possible, or even desirable, to fill all gaps that are discovered during the analysis. For example, the assessed business units may not be contributing equally to the performance of the enterprise, or the environments in which each of the business units operate can be of varying complexity and levels of risk. Therefore, the effort and resources required to completely fill all the analysed gaps may not be justifiable.
Figure A.1: Example gap analysis chart (image not reproduced in this text; the column headings and the key symbols are not legible in the source). Row criteria shown in the chart: Leadership; Policy / guidance; Integrated into strategy development; Integrated into achievement of strategic initiatives (performance); Integrated into daily operations and decisions; Integrated into performance reporting; Staff risk assessment competencies; Risk management staff.

a) Functional areas can be assessed by individual gap analyses using the same risk management performance criteria.

Annex B
Example of risk categories

Risks within the following categories can impact the organization's objectives and reputation positively or negatively. The example below is illustrative only. It is not intended to fit every organization nor to be exhaustive. Organizations are to rely on their own risk leaders when constructing risk categories and descriptions.
Risk category | Description
Asset mix | Ability to hold the most financially advantageous asset portfolio
Inflation | Unmanageable increases in the general price levels of goods and services in key economies
Credit | Possibility of a loss resulting from a borrower's failure to repay a loan or meet contractual obligations
Market | Possibility of investment losses due to systemic factors that affect the overall performance of the financial markets
Hazard | Possibility of harm or damages to stakeholders including customers, employees, public
Succession planning | Formal process and plan that identifies successors for key board, executive and operational positions
Talent development and employee satisfaction | Ability to deliver work satisfaction and career advancements by supporting personal growth and development with challenging and dynamic opportunities, mentoring
Data availability | Access to required information at critical times to perform job functions, thereby strengthening business continuity, operations, and processes
Data integrity | Corrupted, incomplete, or inaccurate information from failures in input and processing controls (i.e. not manual input error) negatively affects applications, systems, and outputs, limiting management's decision-making capabilities
Data / privacy breach | Risks and uncertainties associated with large-scale theft or loss of information and data security
Technology infrastructure | Risks associated with information systems and telecommunications, and related infrastructure. Consistency and reliability of technology across the organization to support the current and future information requirements of the business in an efficient, cost-effective, and well-controlled method
[category label not legible in source] | Significant peril, natural or manufactured, that can impede core operations
Intellectual property | Risks associated with the identification, protection and securing of the organization's intellectual capital assets and managing the organization's use of others' intellectual property
Business process disruption | Risks associated with disruption of business processes needed to achieve objectives, such as: customer strategy & relationships (marketing); quality, process improvement and change management; financial analysis, reporting and capital management; customer acquisition (sales); product development; production/service delivery; accounting; sourcing and procurement
Vendor dependencies | Transformation, execution, and oversight of deliverables by vendors and allied organizations to expected quality within expected financial outcomes
Environment damage | Impacts on the biological or physical environment
Eco-system impairment | Long-term or permanent damage to an eco-system
Brand | Ability to forge and maintain superior standing, brand awareness and quality connotation to influence consumers to buy its products or use its service offerings
Business model | Ability to recognize and innovate the essential elements needed to successfully deliver value to an organization's existing and potential customers
Competition | Ability to recognize and react to competitors' actions, products, and services
Demographic changes | Ability to plan for and adapt to changes in population demographics that impact demand for the organization's products or services
Disruptive innovation / technology | Ability to plan for and adapt to innovations that create a new market and value network and eventually disrupt an existing market and value network, displacing established market leading firms, products, and alliances
Economic uncertainty | Fluctuations in the economy that increase or decrease demand for the organization's products and services; ability to plan for, and cope with, the possibility of extended recessionary periods in the markets in which the organization operates
Regulatory | Laws or regulations that govern the conduct, behaviour, or actions of the organization's operations
Media and political | Risks relating to power, influence or control of government or lobbying efforts affecting the organization

Bibliography

ISO documents
» ISO 31000:2018, Risk management — Guidelines
» IEC 31010:2019, Risk management — Risk assessment techniques
» ISO 31073, Risk management — Vocabulary

Every organization faces risks that could impact its objectives. Risk management is the practice of using processes, methods and tools for managing these risks. Therefore, organizations that have identified risks and committed to the effective management of those risks will be better prepared to deal with them. This handbook has been developed to provide valuable insight on how to implement ISO 31000 Risk management — Guidelines and support an organization's effort in creating and protecting value.

United Nations Industrial Development Organization
Vienna International Centre
P.O. Box 300
AT-1400 Vienna
Austria

International Organization for Standardization
ISO Central Secretariat
Ch. de Blandonnet 8
Case Postale 401
CH-1214 Vernier, Geneva
Switzerland
iso.org

We care about our planet. This handbook is printed on recycled paper.

© ISO, 2021
All rights reserved
ISBN 978-92-67-11233-6
