
ISO 31000 Risk Management Process

Osama Mohammed
Quality & Safety Officer
• Osama Mohammed, Quality and Safety Officer at Altameer Systems Solutions.
• I started working there after my graduation, and in my current position I'm responsible for implementing ISO standards and improving performance. I am also responsible for the safety of employees on site.
• I graduated from the Technical College of Management in Quality Management Techniques, with the second-highest result in my college.
• I have many certificates in risk management from Udemy and Coursera.
Risk management standards
• ISO 31000: International standard issued by the International Organization
for Standardization (ISO) provides principles, framework, and process
guidelines for risk management. ISO 31000 is applicable to all types of
risks and helps organizations establish a risk management system that
aligns with their objectives and context.
• IEC 31010: This standard, part of the IEC 31000 series, focuses on risk
assessment techniques and provides guidance on selecting and applying
various methods to assess risks.
• COSO Enterprise Risk Management (ERM) Framework: Developed by
the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), this framework offers a comprehensive approach to enterprise
risk management. It emphasizes integrating risk management into an
organization's strategic planning and decision-making processes.
ISO 31000
• ISO 31000 is an international standard developed by the International Organization
for Standardization (ISO) that provides guidelines and principles for risk
management.
• It was first published in 2009 and has since been revised in 2018 to ensure its
continued relevance and effectiveness. The standard is designed to help
organizations of all types and sizes establish a systematic and structured
approach to managing risks.
• Key points about ISO 31000 include:
1. Purpose: ISO 31000 aims to assist organizations in effectively identifying,
assessing, and managing risks that could impact their ability to achieve
objectives and succeed in their missions.
2. Scope: The standard is applicable to all types of risks, whether they are related
to financial, operational, strategic, or other aspects of an organization.
3. Framework: The standard provides a flexible framework for
risk management, allowing organizations to tailor their approach
to suit their specific context, objectives, and risk appetite.
4. Benefits: By adopting ISO 31000, organizations can enhance
their ability to identify opportunities and threats, improve
decision-making, optimize the allocation of resources, and
strengthen their resilience in the face of uncertainties.
Terms and definitions

Risk: Effect of uncertainty on objectives

Note 1: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.

Note 2: Objectives can have different aspects and categories, and can be applied at different levels.

Risk management: Coordinated activities to direct and control an organization with regard to risk

Stakeholder: A person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity

Likelihood: Chance of something happening

Note 1: In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).

Control: Measure that maintains and/or modifies risk.

Note 1: Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain and/or modify risk.

Note 2: Controls may not always exert the intended or assumed modifying effect.

Risk source: Element which alone or in combination has the potential to give rise to risk
Three Lines of Defense Model
The model helps to clarify and promote effective risk management practices throughout the
organization.
Each "line" represents a distinct group involved in managing risks:
1. First Line of Defense: This refers to the operational level of an organization where business
activities are conducted. It includes front-line employees, managers, and operational teams directly
responsible for identifying, assessing, and managing risks in their day-to-day operations. They are
the ones accountable for controlling and mitigating risks at the operational level.
2. Second Line of Defense: The second line involves risk management and compliance functions.
This includes departments like risk management, compliance, and internal control teams. Their role
is to oversee and support the first line in implementing effective risk management practices,
establishing policies and procedures, monitoring risks, and providing guidance to ensure that risks
are appropriately managed.
3. Third Line of Defense: The third line is the internal audit function. Internal audit is an independent
and objective assurance function within the organization. Their role is to assess the effectiveness of
risk management and control processes implemented by the first and second lines. They provide an
unbiased evaluation of risk management practices and ensure that the organization is complying
with relevant regulations and standards.
• By implementing the Three Lines Model, organizations create a structured approach to risk
management, promoting better risk awareness, accountability, and overall risk culture within the
organization. This framework helps improve transparency, control, and risk governance across all
levels.
Risk types
Risk types can be categorized into various categories based on their nature and
impact on the organization. The four common types of risks are:

• Operational Risk: This type of risk is associated with the internal processes,
systems, and procedures within an organization. It includes risks related to
human errors, technology failures, supply chain disruptions, fraud, legal and
compliance issues, and any other risks that may arise from day-to-day
operational activities.
• Strategic Risk: Strategic risks are those risks that arise from the strategic
decisions and choices made by the organization. These risks are related to the
organization's long-term goals, objectives, and business direction. Examples
include market shifts, changes in consumer behavior, new competitors, mergers
and acquisitions, and changes in government regulations.
• Financial Risk: Financial risks are related to the organization's
financial structure and performance. This includes risks
associated with credit, liquidity, market fluctuations, interest
rates, exchange rates, and investment decisions. Financial risks
can have a significant impact on the organization's profitability
and stability.

• Reputational Risk: Reputational risk refers to the potential
damage to an organization's reputation and brand image due to
negative publicity, public perception, customer dissatisfaction,
or any other factors that may harm the organization's standing
in the eyes of stakeholders, customers, or the general public.
Risk management process
1. Risk Identification: The first step in risk management is to identify and recognize potential
risks that may affect the organization's objectives. This involves gathering information,
conducting risk assessments, and analyzing historical data to identify both internal and
external risks.
2. Risk Analysis: Once risks are identified, the next step is to analyze and assess them. This
involves evaluating the probability of each risk occurring and the potential impact it may have
on the organization. Risk analysis helps prioritize risks based on their severity and likelihood.
3. Risk Evaluation: After analyzing risks, they need to be evaluated to determine the level of
acceptability. Some risks may be deemed acceptable within certain thresholds, while others
may require mitigation measures to reduce their impact.
4. Risk Treatment: Risk treatment involves developing strategies and action plans to address
identified risks. This step may include risk avoidance, risk reduction, risk transfer (e.g.,
insurance), risk acceptance, or a combination of these approaches.
5. Risk Monitoring and Review: Risk management is an ongoing process that requires
continuous monitoring and review. Organizations must regularly assess the effectiveness of
risk treatments, update risk assessments, and adapt their strategies as circumstances
change.
Identifying Risk
• Identifying risks is a crucial step in the risk management process that
involves systematically recognizing potential threats and opportunities that
could affect an organization's objectives. Here are some key methods and
techniques to help identify risks:
1. Brainstorming: Conduct brainstorming sessions with relevant
stakeholders, including team members, subject matter experts, and
decision-makers. Encourage open discussions to identify risks associated
with different aspects of the organization's activities.
2. SWOT Analysis: Perform a SWOT (Strengths, Weaknesses,
Opportunities, Threats) analysis to assess the internal strengths and
weaknesses of the organization and the external opportunities and threats
it may face.
3. Historical Data Analysis: Review past incidents, accidents, and near-miss
events to identify patterns and potential risks that could reoccur.
4. Scenario Analysis: Develop various scenarios to explore potential future
events or situations that could impact the organization. This helps identify
risks that might arise in different contexts.
5. Expert Interviews: Conduct interviews with industry experts, consultants,
or other professionals with experience in the organization's field. Their
insights can help identify risks that might not be apparent to internal team
members.
6. Process Mapping: Analyze the organization's processes and workflows
to identify points where risks may arise or vulnerabilities may exist.
7. Surveys and Questionnaires: Surveys and questionnaires are used to
collect data from a larger group of individuals. They are valuable for
gathering quantitative and qualitative data on risks and their likelihood and
impact.
Analyzing Risks
1. Risk Description: For each identified risk, provide a clear and
concise description, including its nature, possible triggers, and
context. Understanding the specific characteristics of each risk is
essential for a thorough analysis and for assessing the effectiveness of
existing controls.
2. Risk Categorization: Group similar risks into categories or themes
based on their nature or impact. This can help in organizing the
analysis process and identifying patterns or commonalities among
risks.
3. Risk Impact Assessment: Assess the potential impact of each risk
on the organization or project. Consider both quantitative and
qualitative factors, such as financial losses, reputational damage,
operational disruptions, safety hazards, and regulatory compliance.
Evaluating risk
1. Risk Evaluation Criteria: Establish clear risk evaluation
criteria that define the organization's risk appetite and tolerance
levels. These criteria will serve as a basis for comparing and
prioritizing risks.
2. Risk Scoring: Develop a risk scoring system to assign
numerical values or qualitative descriptions to the risks based
on their likelihood and impact. The scoring system helps rank
risks in order of significance.
3. Risk Ranking: Rank the risks based on their scores or ratings,
from high to low. This ranking allows for the prioritization of risks
for further attention and resource allocation.
Evaluating risk
The purpose of risk evaluation is to support decisions. Risk evaluation
involves comparing the results of the risk analysis with the established risk
criteria to determine where additional action is required.
This can lead to a decision to:
• Do nothing further;
• Consider risk treatment options;
• Undertake further analysis to better understand the risk;
• Maintain existing controls;
• Reconsider objectives.
Decisions should take account of the wider context and the actual and
perceived consequences to external and internal stakeholders.
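As an added illustration of the scoring, ranking and evaluation steps above (not part of the original presentation), the following Python builds a small risk register on a constructed 5x5 likelihood-by-impact matrix, ranks the entries from high to low, and compares each score with constructed risk-appetite thresholds to reach one of the decisions listed above. The scale terms, thresholds, owners and sample risks are all assumptions an organization would replace with its own risk criteria.

```python
from dataclasses import dataclass

# Constructed 5x5 scales; an organization defines its own in its risk criteria.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed risk-appetite thresholds on the likelihood x impact score.
ACCEPT_BELOW = 5   # score < 5: accept and maintain existing controls
TREAT_FROM = 12    # score >= 12: treatment required


@dataclass
class Risk:
    ref: str
    description: str
    category: str      # operational, strategic, financial or reputational
    likelihood: str    # term from LIKELIHOOD
    impact: str        # term from IMPACT
    owner: str         # first-line owner accountable for the control

    def score(self) -> int:
        """Likelihood x impact on the constructed matrix; unknown terms are rejected."""
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.ref}: rating outside the defined scales")
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def evaluate(risk: Risk) -> str:
    """Compare the analysed score with the risk criteria and return the decision."""
    s = risk.score()
    if s < ACCEPT_BELOW:
        return "accept; maintain existing controls"
    if s < TREAT_FROM:
        return "undertake further analysis; consider treatment options"
    return "treatment required"


def rank_register(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Rank the register from high to low score, returning (ref, score, decision)."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.ref, r.score(), evaluate(r)) for r in ranked]


# Constructed sample register covering the four risk types from the deck.
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched internet-facing server", "operational", "likely", "major", "IT ops"),
    Risk("R2", "Key supplier insolvency", "strategic", "unlikely", "severe", "Procurement"),
    Risk("R3", "Exchange-rate movement on import costs", "financial", "possible", "minor", "Finance"),
    Risk("R4", "Negative press after a service outage", "reputational", "unlikely", "minor", "Comms"),
]

if __name__ == "__main__":
    for ref, score, decision in rank_register(SAMPLE_REGISTER):
        print(f"{ref}: score {score:2d} -> {decision}")
```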
Treating risks
Risk Response Planning: Based on the results of risk evaluation, develop a comprehensive
risk response plan for each identified risk.
The plan should outline specific actions and strategies to address the risk effectively:
1. Risk Mitigation: Implement measures to reduce the likelihood or impact of the risk. This
may involve modifying processes, enhancing controls, or improving safety measures. The
goal is to prevent the risk from occurring or minimize its potential consequences.
2. Risk Avoidance: In some cases, the best approach is to avoid the risk altogether. This
may involve refraining from specific activities or projects that carry excessive risks or fall
outside the organization's risk tolerance.
3. Risk Transfer: Transfer the risk to a third party, such as through insurance or
outsourcing. This strategy shifts the financial burden or responsibility of the risk to another
entity, reducing the organization's exposure.
4. Risk Acceptance: For risks with a low impact or likelihood, the organization may choose
to accept the risk without taking any specific actions. This decision is made when the
potential cost of risk treatment outweighs the benefits.
Monitoring and review
The purpose of monitoring and review is to assure and improve the quality and
effectiveness of process design, implementation, and outcomes.
Ongoing monitoring and periodic review of the risk management process and its outcomes
should be a planned part of the risk management process, with responsibilities clearly
defined.

Monitoring and review should take place in all stages of the process. Monitoring and review
include planning, gathering, and analyzing information, recording results, and providing
feedback.
The results of monitoring and review should be incorporated throughout the organization’s
performance management, measurement, and reporting activities.
Recording and reporting
The risk management process and its outcomes should be
documented and reported through appropriate mechanisms.
Recording and reporting aim to:
• Communicate risk management activities and outcomes across
the organization;
• Provide information for decision-making;
• Improve risk management activities;
• Assist interaction with stakeholders, including those with
responsibility and accountability for risk management activities.
Tools illustrated on the following slides: Risk Matrix, SWOT Analysis, Fishbone diagram, Risk Register.
Thank you for listening.

If you have any questions, feel free to contact me:

https://www.linkedin.com/in/osama-tqm/

https://www.instagram.com/osama_tqm3/
