
HMA Management

Consulting

WELCOME PARTICIPANTS!
Course No. HMAMC2022-09-544-B (October 19-20, 2022)
For HMAMC training purposes only

Risk Management Training Course
based on the Requirements of ISO 22000:2018, ISO 9001:2015 and the
Principles and Guidelines of ISO 31000:2018

Date: October 19-20, 2022


Prepared for:

Risk Management Training


House Rules

1. Phone etiquette. Kindly set your cellular phones on silent mode.
2. Participants shall attend at least 90% of the training session.
3. Follow designated break times (Lunch break at 12 noon, and 15
minutes break in the morning and afternoon)
4. Refrain from unnecessary conversations during the training
proper.
5. Refrain from unnecessary trips out of the training room.
6. Questions will be taken and answered as they arise during the session.
7. Group of 4 – Risk Management Planning

HMAMC2022-09-544-B (Oct 15, 2022)


3
For HMAMC training purposes only

Introduction of the Trainer and Participants


Group Profile

Harvi Mijares Abangan Management Consulting
Mobile: +639206365598 (SMART); +639278347694 (GLOBE)
Email: harviabangan@hotmail.com; harviabangan@yahoo.com
Address: Unit 1908, Laureano de Trevi Tower 1, Chino Roces Ave., Makati City

About the Trainer


Course Participants

INTRODUCTION

◼ Name

◼ Company & Business

◼ Position

◼ Expectations on this course

◼ Knowledge of the course [Scale of 1 (lowest) – 10 (highest)]


Course Objectives

• To provide participants with an overview of the relevant changes and updates of the ISO 22000:2018 standard
• Identify the system gaps against the requirements, establish action plans, and learn how the standard can be applied to the company
• Understand the transition process from ISO 22000:2005 to ISO 22000:2018

Important Notes:
• It is not the intent of this course to develop Risk Management experts
amongst participants at the end of the training session.
• Competency and added expertise may be developed through continual
practice and effective implementation and compliance to the
requirements of the international standard.


Course Agenda & Content Summary
(Kindly treat with flexibility)

Day 1 (0800 to 1700H):
– FSMS Introduction (ISO 9001:2015 / ISO 22000:2018) – Changes and updates
– Correlation between ISO 22000-2018
– A quick review of changes and the requirements on risk-based thinking and planning
– Workshop 1
Morning BREAK (1030-1045H)
– Risk Management Standards and Guidelines
– The ISO 31000 – Risk Management Principles and Guidelines
– Rationale and Principles of Risk Management
– Design of Framework for Managing Risk
– Implementing Risk Management
Lunch Break (1200-1300H)
– The Risk Management Process
  • Communication and consultation, Establishing the context, Risk Assessment, Risk Analysis, Risk Evaluation, Risk Treatment, Risk Management Planning
– Workshop 2 – working in groups: Establishing the Risk Management Plan
Afternoon BREAK (1530-1545H)
– The Risk Management Process
  • Monitoring and Reviewing the Effectiveness of the Risk Management Plan
  • Recording and Updating the Risk Management Process
– Open Forum
– End of training

Day 2 – workshops and presentations (0800 to 1700H)

Training Course

Attendance

◼ Delegates shall be required to be in attendance for the full duration of the course.

◼ The appropriate attendance record is to be completed. Names must be clearly written and should be in the format required for the certificate.


The Requirements of
ISO 22000:2018
(Highlights of Changes and the
Risk Management Requirements)


About ISO
✓ International Organization for Standardization (ISO) – a worldwide federation of national standards bodies (ISO member bodies).

✓ An independent, non-governmental international organization with a membership of 161 national standards bodies.

✓ ISO technical committees prepare the International Standards. ISO 22000:2018 was prepared by Technical Committee ISO/TC 34, Food products, Subcommittee SC 17, Management systems for food safety.

✓ ISO 22000:2018 cancels and replaces the first edition (ISO 22000:2005).


Revision History of ISO 22000:2018

Reference: http://www.srac.ro/en/stiri/revision-iso-22000-food-safety-management-underway


Legal Requirements: USA

■ At the core of the food safety plan is a new process that requires identification and prevention of all reasonably foreseeable food safety hazards—whether naturally occurring or unintentionally introduced into the facility—not just those identified by Hazard Analysis and Critical Control Points (HACCP) methods. This new process is called Hazard Analysis and Risk-Based Preventive Controls (HARPC).

■ While the food safety plan must describe the current knowledge base that the food company uses to prevent food safety issues in each of its manufactured foods, HARPC is the process and plan the food company uses in each of its facilities to implement its food safety plan.

Legal Requirements: European Union (EU)

REGULATION (EC) No 852/2004 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 29 April 2004 on the hygiene of foodstuffs

Excerpted portion from Article 5 Hazard analysis and critical control points
1. Food business operators shall put in place, implement and maintain a permanent
procedure or procedures based on the HACCP principles.
2. The HACCP principles referred to in paragraph 1 consist of the following:
(a) identifying any hazards that must be prevented, eliminated or reduced to acceptable levels;
(b) identifying the critical control points at the step or steps at which control is essential to prevent or
eliminate a hazard or to reduce it to acceptable levels;
(c) establishing critical limits at critical control points which separate acceptability from unacceptability for
the prevention, elimination or reduction of identified hazards;
(d) establishing and implementing effective monitoring procedures at critical control points;
(e) establishing corrective actions when monitoring indicates that a critical control point is not under control;
(f) establishing procedures, which shall be carried out regularly, to verify that the measures outlined in
subparagraphs (a) to (e) are working effectively; and
(g) establishing documents and records commensurate with the nature and size of the food business to
demonstrate the effective application of the measures outlined in subparagraphs (a) to (f).

When any modification is made in the product, process, or any step, food business
operators shall review the procedure and make the necessary changes to it.


Legal Requirements: Philippines

• Article 4, Rule 7. Use of Science-based Risk Analysis. – The following shall guide the use of science and risk analysis in food safety regulation:
• (b) Risk assessment shall be based on sound scientific evidence and shall be undertaken in an independent, objective and transparent manner. Scientific information as obtained from scientific literature, epidemiological and monitoring studies and other data that supports the risk assessment shall be used.
• (e) Food business operators shall be encouraged to implement a HACCP-based system for food safety assurance in their operations.

ISO 22000:2018 vs Codex Alimentarius

Reference: ISO 22000:2018 Annex A (informative) – Cross references between the CODEX HACCP and this document


Key Features of ISO 22000:2018

Process approach (PDCA Cycle)
• enables an organization to ensure that its processes are adequately resourced and managed, and that opportunities for improvement are determined and acted on

Risk-based thinking
• enables an organization to determine the factors that could cause its processes and its FSMS to deviate from the planned results, and to put in place controls to prevent or minimize adverse effects

ISO high level structure (HLS)
• enables an organization to use the process approach, coupled with the PDCA cycle and risk-based thinking, to align or integrate its FSMS approach with the requirements of other management systems and supporting standards.


Process Approach
Plan
• establish the objectives of the system and its processes, provide the
resources needed to deliver the results, and identify and address risks and
opportunities;

Do
• implement what was planned;

Check
• monitor and (where relevant) measure processes and the resulting
products and services, analyse and evaluate information and data from
monitoring, measuring and verification activities, and report the results;

Act
• take actions to improve performance, as necessary.

Risk-based Thinking

Reference: https://www.quality.org/knowledge/iso-220002018-set-impact-global-food-sector


Risk-based Thinking (cont.)


• Two Levels
1. Organizational risk management
• A positive deviation arising from a risk can provide an
opportunity, but not all positive effects of risk result in
opportunities.
• Clause 6 - Addressing risks establishes a basis for
increasing the effectiveness of the FSMS, achieving
improved results and preventing negative effects.


Risk-based Thinking (cont.)
• Two Levels
2. Hazard analysis — Operational processes
• The subsequent steps in HACCP can be
considered as the necessary measures to
prevent hazards or reduce hazards to
acceptable levels to ensure food is safe at the
time of consumption (Clause 8).
• Decisions taken in the application of HACCP
should be based on science, free from bias
and documented. The documentation should
include any key assumptions in the decision-
making process.

______________________

SESSION 2:
ISO 22000:2018 Structure
______________________


ISO 22000:2018 Structure (Second edition: 2018-06)
Food safety management systems – Requirements for any organization in the food chain

1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
• Annex A (informative) – Cross references between the CODEX HACCP and this document
• Annex B (informative) – Cross references between this document and ISO 22000:2005
• Bibliography


Clause 4 Context of the organization

✓ Outline of Requirements:
✓ 4.1 Understanding the organization and its context
✓ 4.2 Understanding the needs and expectations of interested parties
✓ 4.3 Determining the scope of the food safety management system
✓ 4.4 Food safety management system


Clause 4 Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its FSMS.
The organization shall identify, review and update information
related to these external and internal issues.

NOTE 1 Issues can include positive and negative factors or conditions for
consideration.
NOTE 2 Understanding the context can be facilitated by considering external and
internal issues, including, but not limited to, legal, technological, competitive,
market, cultural, social and economic environments, cybersecurity and food
fraud, food defence and intentional contamination, knowledge and
performance of the organization, whether international, national, regional or
local.


Some tools for identifying External and Internal Issues

The purpose of ISO 31000:2009 was to provide principles and generic guidelines on risk management.



Clause 4 Context of the organization (cont.)

4.2 Understanding the needs and expectations of interested parties
To ensure that the organization has the ability to consistently provide products and services that meet applicable statutory, regulatory and customer requirements with regard to food safety, the organization shall determine:
a) the interested parties that are relevant to the FSMS;
b) the relevant requirements of the interested parties of the FSMS.

The organization shall identify, review and update information related to the interested parties and their requirements.


Who are these Interested Parties?
3.23. interested party (preferred term)/ stakeholder (admitted
term) => person or organization (3.31) that can affect, be affected
by, or perceive itself to be affected by a decision or activity - (ISO
22000:2018)


Sample Template
HMA AND ASSOCIATES
Whereroad, Fantaplace, Neverland
Mobile: +639206365598
Email: harviabangan@yahoo.com
Eligibility number: 02-052837 <11011463>

Determining the Context of the Organization
Date: ______________

Interested Parties               | Impact to QMS | Needs and Expectations | Measures
---------------------------------|---------------|------------------------|---------
External Supplier                |               |                        |
Employees                        |               |                        |
Customers / End Consumers        |               |                        |
Regulatory Authorities           |               |                        |
Business Owners and Stakeholders |               |                        |
Competitors                      |               |                        |
Other Interested Parties         |               |                        |


Clause 4 Context of the organization (cont.)
4.3 Determining the scope of the food safety management system
The organization shall determine the boundaries and applicability of the
FSMS to establish its scope. The scope shall specify the products and
services, processes and production site(s) that are included in the
FSMS. The scope shall include the activities, processes, products or
services that can have an influence on the food safety of its end
products.

When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2.

The scope shall be available and maintained as documented information.


Clause 6 Planning


6.1 Actions to address risks and opportunities

6.1.1 When planning for the FSMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and 4.3 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the FSMS can achieve its intended
result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve continual improvement.

NOTE In the context of this document, the concept of risks and opportunities is
limited to events and their consequences relating to the performance and
effectiveness of the FSMS. Public authorities are responsible for addressing
public health risks. Organizations are required to manage food safety hazards
(see 3.22) and the requirements related to this process that are laid down in
Clause 8.

6.1 Actions to address risks and opportunities
(cont.)
6.1.2 The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
1) integrate and implement the actions into its FSMS
processes;
2) evaluate the effectiveness of these actions.


6.1 Actions to address risks and opportunities (cont.)
6.1.3 The actions taken by the organization to address risks and opportunities shall be proportionate to:
a) the impact on food safety requirements;
b) the conformity of food products and services to customers;
c) requirements of interested parties in the food chain.

NOTE 1 Actions to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or accepting the presence of risk by informed decision.

NOTE 2 Opportunities can lead to the adoption of new practices (modification of products or processes), using new technology and other desirable and viable possibilities to address the food safety needs of the organization or its customers.

Sample Page 1 of 4 Risk Management Plan


9.3 Management review

9.3.2 Management review input
The management review shall consider:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the FSMS, including changes in the
organization and its context (see 4.1);
c) information on the performance and the effectiveness of the FSMS, including trends in:
1) result(s) of system updating activities (see 4.4 and 10.3);
2) monitoring and measurement results;
3) analysis of the results of verification activities related to PRPs and the hazard control plan (see
8.8.2);
4) nonconformities and corrective actions;
5) audit results (internal and external);
6) inspections (e.g. regulatory, customer);
7) the performance of external providers;
8) the review of risks and opportunities and of the effectiveness of actions taken to address
them (see 6.1);
9) the extent to which objectives of the FSMS have been met;
d) the adequacy of resources;
e) any emergency situation, incident (see 8.4.2) or withdrawal/recall (see 8.9.5) that occurred;
f) relevant information obtained through external (see 7.4.2) and internal (see 7.4.3) communication,
including requests and complaints from interested parties;
g) opportunities for continual improvement.

The data shall be presented in a manner that enables top management to relate the information to stated objectives of the FSMS.


6.2 Objectives of the food safety management system and planning to achieve them

6.2.1 The organization shall establish objectives for the FSMS at relevant functions and levels.
The objectives of the FSMS shall:
a) be consistent with the food safety policy;
b) be measurable (if practicable);
c) take into account applicable food safety requirements,
including statutory, regulatory and customer
requirements;
d) be monitored and verified;
e) be communicated;
f) be maintained and updated as appropriate.
The organization shall retain documented information on the
objectives for the FSMS.


SMART Objectives

Letter | Major Term | Minor Terms
-------|------------|------------
S      | Specific   | Significant, stretching, simple
M      | Measurable | Meaningful, motivational, manageable
A      | Attainable | Appropriate, achievable, agreed, assignable, actionable, ambitious, aligned, aspirational
R      | Relevant   | Realistic, resourced, resonant
T      | Time-bound | Time-oriented, time framed, time, time-based, timeboxed, timely, time-specific, timetabled, time limited, trackable, tangible
E, R   | (SMARTER)  | Engaging and Rewarding


6.2 Objectives of the food safety management system
and planning to achieve them (cont.)

6.2.2 When planning how to achieve its objectives for the FSMS,
the organization shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed;
e) how the results will be evaluated.


ISO 22000 Transition Timeline

Timeline (2018 to 2021):
June 2018: Updated standard published, marking the start of the three-year transition period to June 2021


Risk Management Standard


ISO 9001:2015 Risk-based Thinking (ISO/TC 176/SC 2/N1283)

What is Risk-based Thinking?

• Risk-based thinking is something we all do
automatically and often sub-consciously to get the
best result
• The concept of risk has always been implicit in ISO
9001 – this edition makes it more explicit and builds
it into the whole management system
• Risk-based thinking ensures risk is considered from
the beginning and throughout
• Risk-based thinking makes preventive action part of
strategic and operational planning


ISO 9001:2015 Risk-based Thinking
(ISO/TC 176/SC 2/N1283)

Where is Risk Addressed in ISO 9001:2015?

Risk-based thinking is in:
• Introduction - the concept of risk-based thinking is explained
• Clause 4 - organization is required to determine its QMS processes and
address its risks and opportunities
• Clause 5 – top management is required to
– Promote awareness of risk-based thinking
– Determine and address risks and opportunities that can affect
product /service conformity
• Clause 6 - organization is required to identify risks and opportunities
related to QMS performance and take appropriate actions to address
them


ISO 9001:2015 Risk-based Thinking (ISO/TC 176/SC 2/N1283)

Risk-based Thinking is in:
• Clause 7 – organization is required to determine and
provide necessary resources
• Clause 8 - organization is required to manage its
operational processes
• Clause 9 - organization is required to monitor, measure,
analyse and evaluate the effectiveness of actions taken to
address risks and opportunities
• Clause 10 - organization is required to correct, prevent or
reduce undesired effects and improve the QMS and update
risks and opportunities
• Note, risk is implicit whenever suitable or appropriate is
mentioned (clause 7 and 8)


ISO 9001:2015 Risk-based Thinking
(ISO/TC 176/SC 2/N1283)

Why Use Risk-based Thinking?

Successful organizations intuitively apply risk-based thinking because it brings benefits that:
• improve governance
• establish a proactive culture of improvement
• assist with compliance
• assure consistency of quality of products and services
• improve customer confidence and satisfaction


ISO 9001:2015 Risk-based Thinking (ISO/TC 176/SC 2/N1283)

How do I do it?
• Identify what your risks are – it depends on context
• Use risk-based thinking to prioritize the way you manage your
processes
• ISO 9001:2015 does not require formal risk management
• ISO 31000 Risk management — Principles and guidelines may
be a useful reference for organizations that want or need a
more formal approach to risk (but its use is not obligatory)
• Balance risks and opportunities
• Analyse and prioritize your risks
– what is acceptable?
– what is unacceptable?
• Plan actions to address the risks
– how can I avoid, eliminate or mitigate risks?
• Implement the plan; take action
• Check the effectiveness of the action; does it work?
• Learn from experience; improve


ISO 9001:2015 Risk-based Thinking
(ISO/TC 176/SC 2/N1283)

Risk-based thinking:
• is not new
• is something you probably do already
• is on-going
• ensures greater knowledge of risks and improves
preparedness
• increases the probability of reaching objectives
• reduces the probability of negative results
• makes prevention a habit


ISO 31000: Risk Management – Principles and Guidelines


Introduction
• Organizations of all types and sizes face internal and external factors and
influences that make it uncertain whether and when they will achieve their
objectives. The effect this uncertainty has on an organization's objectives is
“risk”.
• All activities of an organization involve risk. Organizations manage risk by
identifying it, analysing it and then evaluating whether the risk should be
modified by risk treatment in order to satisfy their risk criteria.

• The ISO 31000 International Standard recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture.

• Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.
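The risk register below is an added example written for this edition of the page; it is not part of the HMAMC course material and not an ISO artefact. It walks the steps the introduction above names (identify, analyse, evaluate against risk criteria, treat) using the treatment options of ISO 22000:2018 6.1.3 NOTE 1 and the planning fields of 6.2.2 (what, who, when, how evaluated), and produces the "review of risks and opportunities" input that 9.3.2 c) 8) asks management review to consider. The 5x5 likelihood/consequence scale, the rating thresholds, the tolerance value and the three sample risks are assumptions constructed for the example; ISO 31000 prescribes none of them.

```python
# Added example, not part of the HMAMC course material. The 5x5 scale, the rating
# thresholds, the tolerance of 8 and the sample risks below are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Treatment(Enum):                  # the options listed in ISO 22000:2018 6.1.3 NOTE 1
    AVOID = "avoid the risk"
    TAKE = "take the risk to pursue an opportunity"
    ELIMINATE_SOURCE = "eliminate the risk source"
    CHANGE_LIKELIHOOD = "change the likelihood"
    CHANGE_CONSEQUENCE = "change the consequences"
    SHARE = "share the risk"
    ACCEPT = "accept the risk by informed decision"

@dataclass
class Risk:
    ref: str
    description: str
    issue: str                          # the 4.1 external/internal issue it arises from
    likelihood: int                     # 1 (rare) .. 5 (almost certain); assumed scale
    consequence: int                    # 1 (negligible) .. 5 (severe); assumed scale
    owner: str                          # 6.2.2 c) who will be responsible
    treatment: Optional[Treatment] = None
    action: str = ""                    # 6.2.2 a) what will be done
    due: str = ""                       # 6.2.2 d) when it will be completed
    residual_likelihood: Optional[int] = None
    residual_consequence: Optional[int] = None

def score(likelihood: int, consequence: int) -> int:
    """Risk analysis: score on the assumed 5x5 likelihood x consequence matrix."""
    for v in (likelihood, consequence):
        if not 1 <= v <= 5:
            raise ValueError(f"rating {v} outside 1..5")
    return likelihood * consequence

def rating(s: int) -> str:
    """Assumed risk criteria: high >= 15, medium >= 8, low otherwise."""
    return "high" if s >= 15 else "medium" if s >= 8 else "low"

def needs_treatment(risk: Risk, tolerance: int = 8) -> bool:   # risk evaluation step
    return score(risk.likelihood, risk.consequence) >= tolerance

def check_treatment(risk: Risk, treatment: Treatment, res_l: int, res_c: int) -> Optional[str]:
    """Return why a treatment is inconsistent with its claimed residual rating, else None."""
    score(res_l, res_c)                                          # range check
    if treatment is Treatment.CHANGE_LIKELIHOOD and res_l >= risk.likelihood:
        return "claims to lower likelihood but residual likelihood is not lower"
    if treatment is Treatment.CHANGE_CONSEQUENCE and res_c >= risk.consequence:
        return "claims to lower consequences but residual consequence is not lower"
    if treatment in (Treatment.ACCEPT, Treatment.TAKE) and (res_l, res_c) != (risk.likelihood, risk.consequence):
        return "accepting or taking a risk does not change its rating"
    if treatment in (Treatment.AVOID, Treatment.ELIMINATE_SOURCE) and res_l != 1:
        return "removing the activity or source should leave residual likelihood at 1"
    return None

def treat(risk: Risk, treatment: Treatment, action: str, due: str, res_l: int, res_c: int) -> Risk:
    """Risk treatment: record the decision, the plan and the expected residual risk."""
    problem = check_treatment(risk, treatment, res_l, res_c)
    if problem:
        raise ValueError(f"{risk.ref}: {problem}")
    risk.treatment, risk.action, risk.due = treatment, action, due
    risk.residual_likelihood, risk.residual_consequence = res_l, res_c
    return risk

def register_report(risks: list, tolerance: int = 8) -> list:
    """Management review input (9.3.2 c) 8)): inherent and residual rating per risk,
    highest inherent score first, flagging what still sits above tolerance."""
    rows = []
    for risk in sorted(risks, key=lambda x: -score(x.likelihood, x.consequence)):
        inherent = score(risk.likelihood, risk.consequence)
        residual = inherent if risk.residual_likelihood is None else score(risk.residual_likelihood, risk.residual_consequence)
        rows.append({"ref": risk.ref, "owner": risk.owner,
                     "inherent": inherent, "inherent_rating": rating(inherent),
                     "treatment": risk.treatment.value if risk.treatment else "none recorded",
                     "residual": residual, "residual_rating": rating(residual),
                     "still_above_tolerance": residual >= tolerance})
    return rows

# Constructed sample register (not real data). R1 is the kind of cybersecurity issue
# that 4.1 NOTE 2 asks to be considered when establishing context.
SAMPLE_RISKS = [
    Risk("R1", "Vendor remote access to the pasteuriser PLC is unrestricted; critical limits could be changed",
         "technological (cybersecurity)", likelihood=3, consequence=5, owner="Plant Engineering"),
    Risk("R2", "Single supplier of allergen-free label stock; a stock-out stops packing",
         "market", likelihood=2, consequence=2, owner="Procurement"),
    Risk("R3", "New export customer wants metal-detection records in a format the logbook lacks",
         "customer requirements (4.2)", likelihood=4, consequence=3, owner="QA Manager"),
]
treat(SAMPLE_RISKS[0], Treatment.CHANGE_LIKELIHOOD,
      "Route vendor sessions through an MFA jump host, enabled only under an approved change", "2022-12-31", 1, 5)
treat(SAMPLE_RISKS[1], Treatment.ACCEPT, "Accept; review supplier lead time at management review", "2022-11-15", 2, 2)
treat(SAMPLE_RISKS[2], Treatment.CHANGE_CONSEQUENCE,
      "Add the export columns to the metal-detector log and verify it weekly", "2022-11-30", 4, 1)

if __name__ == "__main__":
    print(*register_report(SAMPLE_RISKS), sep="\n")
```

Running the module prints one management-review row per risk. The part worth copying into a real register is check_treatment: a register that lets an owner record "likelihood reduced" while the residual likelihood is left unchanged is how paper treatments survive until an audit finds them, and 9.3.2 c) 8) asks for the effectiveness of the actions taken, not only for their existence.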


Introduction
The management of risk enables an organization to, for example:
• increase the likelihood of achieving objectives;
• encourage proactive management;
• be aware of the need to identify and treat risk throughout the
organization;
• improve the identification of opportunities and threats;
• comply with relevant legal and regulatory requirements and
international norms;
• improve financial reporting;
• improve governance;
• improve stakeholder confidence and trust;
• establish a reliable basis for decision making and planning;
• improve controls;
• effectively allocate and use resources for risk treatment;
• improve operational effectiveness and efficiency;
• enhance health and safety performance, as well as environmental
protection;
• improve loss prevention and incident management;
• minimize losses;
• improve organizational learning; and
• improve organizational resilience.

Introduction
• Managing risk is iterative and assists
organizations in setting strategy, achieving
objectives and making informed decisions.
• Managing risk is part of governance and
leadership, and is fundamental to how the
organization is managed at all levels. It
contributes to the improvement of
management systems.
• Managing risk is part of all activities
associated with an organization and includes
interaction with stakeholders.
• Managing risk considers the external and
internal context of the organization, including
human behavior and cultural factors.


Why We Need to Manage Risk

The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.

Reference: National Guidance on Implementing ISO 31000:2018, from NSAI in Ireland


Figure 1 – Principles, framework and process


Terms and Definitions Related to Risk Management
Group of 5 (30 minutes activity)


Risk Management Principles
For risk management to be effective, an organization should at
all levels comply with the principles below.


Risk Management Principles


a) Integrated
Risk management is an integral part of all
organizational activities.

b) Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and comparable results.
c) Customized
The risk management framework and process are customized and
proportionate to the organization’s external and internal context related to
its objectives.

d) Inclusive
Appropriate and timely involvement of stakeholders enables their
knowledge, views and perceptions to be considered. This results in
improved awareness and informed risk management.
Risk Management Principles
e) Dynamic
Risks can emerge, change or disappear as an organization’s
external and internal context changes. Risk management
anticipates, detects, acknowledges and responds to those
changes and events in an appropriate and timely manner.

f) Best available information
The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.

g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk management at each level and stage.

h) Continual improvement
Risk management is continually improved through learning and experience.

ISO 31000: Risk Management – Framework

5. Design of Framework for Managing Risk
5.1 General
• The purpose of the risk management
framework is to assist the organization in
integrating risk management into
significant activities and functions. The
effectiveness of risk management will
depend on its integration into the
governance of the organization, including
decision-making. This requires support
from stakeholders, particularly top
management.
The organization should evaluate its
existing risk management practices and
processes, evaluate any gaps and address
those gaps within the framework.
The components of the framework and the
way in which they work together should be
customized.

5.2 Leadership and Commitment
• Top management and oversight bodies, where applicable, should ensure that risk
management is integrated into all organizational activities and should demonstrate leadership
and commitment by:
— customizing and implementing all components of the framework;
— issuing a statement or policy that establishes a risk management approach, plan or course
of action;
— ensuring that the necessary resources are allocated to managing risk;
— assigning authority, responsibility and accountability at appropriate levels within the
organization.
This will help the organization to:
— align risk management with its objectives, strategy and culture;
— recognize and address all obligations, as well as its voluntary commitments;
— establish the amount and type of risk that may or may not be taken to guide the development of
risk criteria, ensuring that they are communicated to the organization and its stakeholders;
— communicate the value of risk management to the organization and its stakeholders;
— promote systematic monitoring of risks;
— ensure that the risk management framework remains appropriate to the context of the
organization.
5.2 Leadership and Commitment
Top management is accountable for managing risk while
oversight bodies are accountable for overseeing risk
management. Oversight bodies are often expected or required
to:
— ensure that risks are adequately considered when setting
the organization’s objectives;
— understand the risks facing the organization in pursuit of its
objectives;
— ensure that systems to manage such risks are implemented
and operating effectively;
— ensure that such risks are appropriate in the context of the
organization’s objectives;
— ensure that information about such risks and their
management is properly communicated.


5.3 Integration
Integrating risk management relies on an understanding of
organizational structures and context. Structures differ depending on
the organization’s purpose, goals and complexity. Risk is managed in
every part of the organization’s structure. Everyone in an organization
has responsibility for managing risk.

Governance guides the course of the organization, its external and internal relationships, and the rules, processes and practices needed to achieve its purpose. Management structures translate governance direction into the strategy and associated objectives required to achieve desired levels of sustainable performance and long-term viability. Determining risk management accountability and oversight roles within an organization is an integral part of the organization’s governance.

Integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization’s needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.

5.4 Design
5.4.1 Understanding the organization and its context

When designing the framework for managing risk, the organization should examine and understand its external and internal context. Examining the organization’s external context may include, but is not limited to:

— the social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external stakeholders’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.


5.4 Design
5.4.1 Understanding the organization and its context (continued)…

Examining the organization’s internal context may include, but is not limited to:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization’s culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);
— data, information systems and information flows;
— relationships with internal stakeholders, taking into account their perceptions and values;
— contractual relationships and commitments.

5.4 Design
5.4.2 Articulating risk management commitment
Top management and oversight bodies, where applicable, should demonstrate
and articulate their continual commitment to risk management through a policy, a
statement or other forms that clearly convey an organization’s objectives and
commitment to risk management. The commitment should include, but is not
limited to:
— the organization’s purpose for managing risk and links to its objectives and
other policies;
— reinforcing the need to integrate risk management into the overall culture of
the organization;
— leading the integration of risk management into core business activities and
decision-making;
— authorities, responsibilities and accountabilities;
— making the necessary resources available;
— the way in which conflicting objectives are dealt with;
— measurement and reporting within the organization’s performance indicators;
— review and improvement.
The risk management commitment should be communicated within an
organization and to stakeholders, if applicable to relevant interested parties.


5.4 Design
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
Top management and oversight bodies, where applicable, should ensure that the authorities, responsibilities and accountabilities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization, and should:
— emphasize that risk management is a core responsibility;
— identify individuals who have the accountability and authority to manage risk (risk owners).

5.4.4 Allocating resources
Top management and oversight bodies, where applicable, should ensure allocation of appropriate resources for risk management, which can include, but are not limited to:
— people, skills, experience and competence;
— the organization’s processes, methods and tools to be used for managing risk;
— documented processes and procedures;
— information and knowledge management systems;
— professional development and training needs.
The organization should consider the capabilities of, and constraints on, existing resources.

5.4 Design
5.4.5 Establishing communication and consultation

The organization should establish an approved approach to communication and consultation in order to support the framework and facilitate the effective application of risk management. Communication involves sharing information with targeted audiences. Consultation also involves participants providing feedback with the expectation that it will contribute to and shape decisions or other activities.

Communication and consultation methods and content should reflect the expectations of stakeholders, where relevant. Communication and consultation should be timely and ensure that relevant information is collected, collated, synthesized and shared, as appropriate, and that feedback is provided and analyzed.


5.5 Implementation
The organization should implement the risk management framework by:
— developing an appropriate plan including time and resources;
— identifying where, when and how different types of decisions are
made across the organization, and by whom;
— modifying the applicable decision-making processes where necessary;
— ensuring that the organization’s arrangements for managing risk are clearly understood.

Successful implementation of the framework requires the engagement and awareness of stakeholders. This enables organizations to explicitly address uncertainty in decision-making, while also ensuring that any new or subsequent uncertainty can be taken into account as it arises.

Properly designed and implemented, the risk management framework will ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and that changes in external and internal contexts will be adequately captured.

5.6 Evaluation
In order to evaluate the effectiveness of the
risk management framework, the organization
should:

— periodically measure risk management framework performance against its purpose, implementation plans, indicators and expected behaviour;
— determine whether it remains suitable to support achieving the objectives of the organization.


5.7 Improvement
5.7.1 Adapting
The organization should continually monitor and adapt the risk
management framework to address external and internal changes.
In doing so, the organization can improve its value.

5.7.2 Continually improving
The organization should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.

As relevant gaps or improvement opportunities are identified, the organization should develop plans and tasks and assign them to those accountable for implementation. Once implemented, these can be used to facilitate improvement throughout the organization.

ISO 31000 Clause 6.0
Risk Management Process


6.1 General
The risk management process should be:
• an integral part of management,
• embedded in the culture and practices, and
• tailored to the business processes of the organization.


6.2 Communication and Consultation
• Communication and consultation with external
and internal stakeholders should take place
during all stages of the risk management
process.
• Therefore, plans for communication and
consultation should be developed at an early
stage. These should address issues relating to the
risk itself, its causes, its consequences (if known),
and the measures being taken to treat it.
Effective external and internal communication
and consultation should take place to ensure
that those accountable for implementing the risk
management process and stakeholders
understand the basis on which decisions are
made, and the reasons why particular actions are
required.

6.2 Communication and Consultation
A consultative team approach may:
• help establish the context appropriately;
• ensure that the interests of stakeholders are
understood and considered;
• help ensure that risks are adequately identified;
• bring different areas of expertise together for
analyzing risks;
• ensure that different views are appropriately
considered when defining risk criteria and in
evaluating risks;
• secure endorsement and support for a treatment
plan;
• enhance appropriate change management during
the risk management process; and
• develop an appropriate external and internal
communication and consultation plan.


6.3 Scope, Context and Criteria
6.3.1 General
• The purpose of establishing the scope, the context and criteria
is to customize the risk management process, enabling
effective risk assessment and appropriate risk treatment.
Scope, context and criteria involve defining the scope of the
process, and understanding the external and internal context.

6.3.2 Defining the scope
When planning the approach, considerations include:
— objectives and decisions that need to be made;
— outcomes expected from the steps to be taken in the process;
— time, location, specific inclusions and exclusions;
— appropriate risk assessment tools and techniques;
— resources required, responsibilities and records to be kept;
— relationships with other projects, processes and activities.

6.3.3 Internal and External Context
Establishing the external context
The external context is the external environment in which the organization seeks to
achieve its objectives. Understanding the external context is important in order to
ensure that the objectives and concerns of external stakeholders are considered
when developing risk criteria. It is based on the organization-wide context, but with
specific details of legal and regulatory requirements, stakeholder perceptions and
other aspects of risks specific to the scope of the risk management process.

The external context can include, but is not limited to:
• the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
• key drivers and trends having impact on the objectives of the organization; and
• relationships with, perceptions and values of external stakeholders.


6.3.3 Internal and External Context
Establishing the internal context
The internal context is the internal environment in which the organization seeks to achieve its objectives. The risk management process should be aligned with the organization's culture, processes, structure and strategy. Internal context is anything within the organization that can influence the way in which an organization will manage risk. It should be established because:
a) risk management takes place in the context of the objectives of the organization;
b) objectives and criteria of a particular project, process or activity should be considered in the light of objectives of the organization as a whole; and
c) some organizations fail to recognize opportunities to achieve their strategic, project or business objectives, and this affects on-going organizational commitment, credibility, trust and value.

6.3.3 Internal and External Context
It is necessary to understand the internal context. This
can include, but is not limited to:
• governance, organizational structure, roles and
accountabilities;
• policies, objectives, and the strategies that are in
place to achieve them;
• capabilities, understood in terms of resources and
knowledge (e.g. capital, time, people, processes,
systems and technologies);
• the relationships with and perceptions and values of
internal stakeholders and the organization's culture;
• information systems, information flows and decision
making processes (both formal and informal);
• standards, guidelines and models adopted by the
organization; and
• form and extent of contractual relationships.


6.3.3 Internal and External Context
Establishing the context of the risk management process
The context of the risk management process will vary according to the needs of an
organization. It can involve, but is not limited to:
• defining the goals and objectives of the risk management activities;
• defining responsibilities for and within the risk management process;
• defining the scope, as well as the depth and breadth of the risk management
activities to be carried out, including specific inclusions and exclusions;
• defining the activity, process, function, project, product, service or asset in
terms of time and location;
• defining the relationships between a particular project, process or activity and
other projects, processes or activities of the organization;
• defining the risk assessment methodologies;
• defining the way performance and effectiveness is evaluated in the
management of risk;
• identifying and specifying the decisions that have to be made; and
• identifying, scoping or framing studies needed, their extent and objectives, and
the resources required for such studies.
Attention to these and other relevant factors should help ensure that the risk
management approach adopted is appropriate to the circumstances, to the
organization and to the risks affecting the achievement of its objectives.
Samples of Issues/Risks
Executive Support
1. Executives fail to support project
The project team may lack the authority to achieve project objectives. In such cases, executive management support is fundamental to project success. When this doesn't materialize, the project fails.

2. Executives become disengaged with project
Executive management disregards project communications and meetings.

3. Conflict between executive stakeholders disrupts project
Members of executive management are combative to the project or there is a disagreement over project issues at the executive level.

4. Executive turnover disrupts project
A key executive leaves the company, and the resulting disruption becomes a project issue.


Samples of Issues/Risks
Scope
5. Scope is ill defined - The general risk of an error or omission in scope definition.
6. Scope creep inflates scope - Uncontrolled changes and continuous growth of scope.
7. Gold plating inflates scope - The project team add their own product features that aren't in requirements or change requests.
8. Estimates are inaccurate - Inaccurate estimates are a common project risk.
9. Dependencies are inaccurate - Dependencies dramatically impact the project schedule and costs.
10. Activities are missing from scope - Required activities are missing from scope definition.

Cost Management
11. Cost forecasts are inaccurate - Inaccurate cost estimates and forecasts.
12. Exchange rate variability - When costs are incurred in foreign currencies, exchange rates can have a dramatic impact.
Samples of Issues/Risks
Change Management
13. Change management overload - A large number of change requests dramatically raises
the complexity of the project and distracts key resources.
14. Stakeholder conflict over proposed changes - Change requests may be the source of
stakeholder conflict.
15. Perceptions that a project failed because of changes - Large numbers of high priority
change requests may lead to the perception that the project has failed. When the schedule
and budget are continually extended — stakeholders may feel the project missed its original
targets.
16. Lack of a change management system - Identify any lack of critical tools as a risk.
17. Lack of a change management process - Change management at the organizational or
departmental level is critical to project success. Otherwise, the project will have limited
visibility into changes that impact the project.
18. Lack of a change control board - A change control board is essential to managing change
for large projects.
19. Inaccurate change priorities - When non-essential changes are prioritized impacting
critical schedules.
20. Low quality of change requests - Change requests that are low quality (e.g. ambiguous).
21. Change request conflicts with requirements - Change requests that make no sense in the
context of the requirements.

Samples of Issues/Risks
Stakeholders
22. Stakeholders become disengaged
When stakeholders ignore project communications.

23. Stakeholders have inaccurate expectations
Stakeholders develop inaccurate expectations (believe that the project will achieve something not in the requirements, plan, etc).

24. Stakeholder turnover
Stakeholder turnover can lead to project disruptions.

25. Stakeholders fail to support project
When stakeholders have a negative attitude towards the project and wish to see it fail.

26. Stakeholder conflict
Disagreement between stakeholders over project issues.

27. Process inputs are low quality
Inputs from stakeholders that are low quality (e.g. business case, requirements, change requests).
Samples of Issues/Risks
Communication
28. Project team misunderstand requirements - When requirements are misinterpreted by
the project team a gap develops between expectations, requirements and work packages.

29. Communication overhead - When key project resources spend a high percentage of their
time engaging stakeholders on project issues and change requests their work may fall behind.

30. Under communication
Communication is a challenge that's not to be underestimated. You may need to communicate the same idea many times in different ways before people remember it.

31. Users have inaccurate expectations
The risk that users believe the project is building an apple when you're really building an orange (i.e. users don't understand the product that's coming their way).

32. Impacted individuals aren't kept informed
A stakeholder is missing in your communication plan. Anyone who isn't informed but is impacted has an excellent reason to throw up project roadblocks. For example, if you build a system but fail to consult the operations group that will be responsible for support.

Samples of Issues/Risks
Resources & Team
33. Resource shortfalls - Inability to secure sufficient resources for the project.
34. Learning curves lead to delays and cost overrun - When your project team need to
acquire new skills for the project there's a risk that productivity will be low.
35. Training isn't available - Quality training for certain skills can be difficult to secure.
36. Training is inadequate - Training is often a poor substitute for professional experience.
Projects shouldn't assume that resources will be fully productive in a new skill.
37. Resources are inexperienced - Resources who are just out of school or who are new to
your industry or profession tend to make more mistakes and be less productive.
38. Resource performance issues - Resources who perform below expectations.
39. Team members with negative attitudes towards the project - Resources who are negative
towards the project may actively or passively sabotage project efforts.
40. Resource turnover - Resource turnover leads to delays and cost overrun.
41. Low team motivation - Your team lacks motivation. This is a particularly common risk for
long running projects.
42. Lack of commitment from functional managers - In a matrix organization your team may
report to functional managers. These functional managers are important stakeholders whose
support is critical.

Samples of Issues/Risks
Architecture
43. Architecture fails to pass governance processes - Plan for any architectural or technology governance processes that the project may need to pass.
44. Architecture lacks flexibility - The architecture is incapable of supporting change requests and needs to be reworked.
45. Architecture is not fit for purpose - The architecture is low quality.
46. Architecture is infeasible - The architecture is impossible to implement, excessively costly or doesn't support the requirements.

Design
47. Design is infeasible - The design isn't possible, is excessively costly or doesn't support the requirements.
48. Design lacks flexibility - A poor design makes change requests difficult and costly.
49. Design is not fit for purpose - The design is low quality.
50. Design fails peer review - It's a good idea to have peers or architectural experts review your designs.

Samples of Issues/Risks
Technical (1)
51. Technology components aren't fit for purpose - Technology components are low quality.
52. Technology components aren't scalable - Components that can't be scaled to meet
performance demands.
53. Technology components aren't interoperable - Components that lack standard interfaces.
54. Technology components aren't compliant with standards and best practices - Non-
standard components that violate best practices.
55. Technology components have security vulnerabilities - Security vulnerabilities are key
technology risks.
56. Technology components are over-engineered - A component that's bloated with
unneeded functionality and design features.
57. Technology components lack stability - Components that crash.
58. Technology components aren't extensible - Components that are difficult to extend with
new capabilities.
59. Technology components aren't reliable - Components that fail after a short time.
60. Information security incidents - The risk of a security incident during the project (e.g. information is leaked).
61. System outages - Critical systems such as your test environments go down.

Samples of Issues/Risks
Technical (2)

62. Legacy components lack documentation - Integration with undocumented legacy components is a high risk activity.

63. Legacy components are out of support
Integration with legacy components that are no longer in support.

64. Components or products aren't maintainable
Technology components, tools or platforms that are difficult to maintain (e.g. lacking documentation, rare skills, complex or experimental).

65. Components or products can't be operationalized
Technology operations may have criteria for operationalization of new systems that need to be met.

66. Project management tool problems & issues
Technical problems with the project management tools themselves.

Samples of Issues/Risks
Integration
67. Delays to required infrastructure - Delays to infrastructure such as hardware or software.
68. Failure to integrate with business processes - The risk that your product will fail to fit into
the existing business.
69. Failure to integrate with systems - The risk that your product will fail to integrate with
existing systems.
70. Integration testing environments aren't available - The risk that environments won't be
available to test integration.
71. Failure to integrate with the organization - The risk that your project fails to integrate
with the organization. This happens when the project is focused on delivering something
specific and fails to look at the organization as a whole. For example, you deliver a sales
system but your organization doesn't have a sales team.
72. Failure to integrate components - The risk that product components will fail to integrate
with each other. This can represent a significant risk when you've outsourced work to a large
number of vendors.
73. Project disrupts operations - The last thing you want is for your project to disrupt business
operations and damage the firm's financial results. Think about risks beyond project failure.
74. Project disrupts sales - The risk that the project disrupts sales effectiveness.
75. Project disrupts compliance - The risk that the project disrupts compliance processes such
as audits and reporting.
Samples of Issues/Risks
Requirements
76. Requirements fail to align with strategy
Your requirements conflict with the firm's strategy. If you sense that this is the case, list it as a
risk.
77. Requirements fail to align with business processes
The requirements make no sense in the context of the business.
78. Requirements fail to align with systems
The requirements fail to align with other systems (e.g. they duplicate functionality).
79. Requirements have compliance issues
If you have any doubt that requirements comply with the law list it as a risk.
80. Requirements are ambiguous
Requirements are unclear and open to interpretation.
81. Requirements are low quality
Requirements aren't fit for purpose.
82. Requirements are incomplete
You can spot obvious holes in the requirements.

Samples of Issues/Risks
Decisions & Issue Resolution
83. Decision delays impact project
Establish guidelines for decision turnaround time. Identify the risk that guidelines will be exceeded.

84. Decisions are ambiguous
Stakeholders may have a tendency to make decisions that are intentionally ambiguous (a responsibility avoidance technique). This can be identified as a risk and managed.

85. Decisions are low quality
Decisions aren't fit for purpose.

86. Decisions are incomplete
Issue resolutions that don't address the issue or create more issues.

Samples of Issues/Risks
Procurement
87. No response to RFP - The risk that there is limited response to an RFP. This occurs when the RFP
terms are unacceptable to vendors or if your firm has a bad reputation amongst vendors.
88. Low quality responses to RFP - Half-hearted responses to your RFP that are unusable.
89. Failure to negotiate a reasonable price for contracts - Inability to negotiate a reasonable price
for contracts. This occurs when the requirements or contract terms make vendors nervous.
90. Unacceptable contract terms - Inability to negotiate acceptable contract terms.
91. Conflict with vendor leads to project issues - The relationship with the vendor turns to conflict and
project issues mount.
92. Conflict between vendors leads to project issues - Your vendors develop conflict with each
other and cooperation breaks down.
93. Vendors start late - The risk of a late start.
94. Vendor components fail to meet requirements - A vendor misunderstands requirements or
delivers components that are completely off the mark.
95. Vendor components are low quality - Vendor components aren't fit for purpose.
96. Infrastructure is low quality - Your infrastructure fails or is not fit for purpose.
97. Service quality is low - Services you procure such as consulting are not fit for purpose.
98. Vendor components introduce third party liability - Vendor components introduce liability (e.g.
they violate patents).
99. Loss of intellectual property - Vendors spy on you.

Samples of Issues/Risks
Authority
100. Project team lacks authority to complete work
If you lack specific authorities required to deliver the project, list this as a risk.
101. Authority is unclear
It's unclear who has the authority to accomplish a project objective.

Approvals & Red Tape


102. Delays to stakeholder approvals impact the project - The risk that approval deadlines will
be exceeded.
103. Delays to financial approvals impact the project - The risk of delays to financial approvals
and processes to release funds.
104. Delays to procurement processes impact the project - Many organizations have specific
procurement processes that must be followed. These processes can be time consuming and
highly variable. Document the risk that procurement process will exceed deadlines.
105. Delays to recruiting processes impact the project - If your project involves recruiting
resources, this will typically take many months and is highly variable.
106. Delays to training impact the project - If your training budget requires separate approvals
(e.g. from functional managers or HR) document the risk that this will be slow.
Samples of Issues/Risks
Organizational
107. The project fails to match the organization's culture
A culture-fit issue between your product and the organization. For example, the organization's
culture calls for employees to bring their own mobile devices to work (BYOD), but you build a user
interface that only works on one specific device.

108. An organizational restructuring throws the project into chaos
If your project has a large footprint it may be extremely sensitive to organizational changes.
109. A merger or acquisition disrupts the project
Mergers & acquisitions may represent significant organizational changes.

Samples of Issues/Risks
External
110. Legal & regulatory change impacts project
If your project spans areas that are compliance-sensitive you may want to list regulatory
change as a risk.
111. Force majeure (e.g. act of nature) impacts project
Major disruptions such as acts of nature.
112. Market forces impact project
Market changes impact the project (e.g. a market crash).
113. Technical change impacts project
A technology innovation changes your industry and impacts the project.
114. Business change impacts project
A business innovation changes your industry and impacts the project.

Samples of Issues/Risks
Project Management
115. Failure to follow methodology
If your organization asks you to streamline (cut back) your project management methodology, that
can be documented as a risk.
116. Lack of management or control
A lack of project management should be documented as a risk, for example if resource
constraints cause the project to skip certain project management best practices.
117. Errors in key project management processes
Errors in project management such as schedule errors.

Secondary Risks
118. Counterparty risk
The risk you get back when you transfer a risk: the party you share or transfer a risk to (e.g. an
insurer or a vendor) fails to perform when the risk materializes.

Samples of Issues/Risks
User Acceptance
119. Users reject the prototype - One of the key methods of improving user acceptance is to
get regular prototypes in front of users. There's always a risk that these prototypes will be
rejected (require significant rework).
120. User interface doesn't allow users to complete tasks - The risk that the user interface
doesn't allow users to complete end-to-end tasks.
121. User interface is low quality - The user interface is buggy, slow or difficult to use.
122. User interface isn't accessible - In many jurisdictions, user interfaces must be accessible
(e.g. employment or consumer law). Many organizational cultures require accessible user
interfaces.
123. Project reduces business productivity - Users identify your product(s) as reducing their
productivity.
124. Project reduces innovation - Users identify your product(s) as a roadblock to innovation.
125. Product disrupts business metrics (measurements of objectives) - Your product launch
causes business KPIs to worsen. For example, if you launch a new ERP and Supply Chain Cycle
Times jump.
126. Users reject the product - The general risk that users will reject your product.

Samples of Issues/Risks
Commercial

The following risks may apply to new product development projects.
127. Product doesn't sell
Demand risk for the new product.
128. Product incurs legal liability
The product has quality issues that harm your customers.
129. Product negatively affects brand
The product has quality issues that damage your brand.
130. Product negatively affects reputation
The product generates negative publicity and/or damages customer relationships.

PESTEL ANALYSIS

Other tools:
FMEA (FMECA)
HACCP/ HARPC
ORM Matrix
FDPB/ CARVER SHOCK+
DSA
Environmental Aspect/ Impact,
etc.

6.3.4 Defining Risk Criteria
The organization should define criteria to be used to evaluate the
significance of risk. The criteria should reflect the organization's
values, objectives and resources. Some criteria can be imposed by,
or derived from, legal and regulatory requirements and other
requirements to which the organization subscribes. Risk criteria
should be consistent with the organization's risk management policy
(see 4.3.2), be defined at the beginning of any risk management
process and be continually reviewed.
When defining risk criteria, factors to be considered should include
the following:
• the nature and types of causes and consequences that can
occur and how they will be measured;
• how likelihood will be defined;
• the timeframe(s) of the likelihood and/or consequence(s);
• how the level of risk is to be determined;
• the views of stakeholders;
• the level at which risk becomes acceptable or tolerable; and
• whether combinations of multiple risks should be taken into
account and, if so, how and which combinations should be
considered.
6.4 Risk Assessment
6.4.1 General
• Risk assessment is the overall process of risk identification, risk analysis and risk
evaluation.
NOTE: IEC 31010 provides guidance on risk assessment techniques.

6.4.2 Risk Identification
• The organization should identify sources of risk, areas of
impacts, events (including changes in circumstances) and
their causes and their potential consequences. The aim of this
step is to generate a comprehensive list of risks based on
those events that might create, enhance, prevent, degrade,
accelerate or delay the achievement of objectives. It is
important to identify the risks associated with not pursuing an
opportunity.
• Identification should include risks whether or not their source
is under the control of the organization, even though the risk
source or cause may not be evident. All significant causes and
consequences should be considered.
• The organization should apply risk identification tools and
techniques that are suited to its objectives and capabilities,
and to the risks faced.
Four Key Questions

Risk Assessment

6.4.3 Risk Analysis


• Risk analysis involves developing an understanding of the
risk.
• Risk analysis involves consideration of the causes and
sources of risk, their positive and negative consequences,
and the likelihood that those consequences can occur.
Factors that affect consequences and likelihood should be
identified. Risk is analyzed by determining consequences
and their likelihood, and other attributes of the risk. An
event can have multiple consequences and can affect
multiple objectives. Existing controls and their
effectiveness and efficiency should also be taken into
account.
• Risk analysis can be undertaken with varying degrees of
detail, depending on the risk, the purpose of the analysis,
and the information, data and resources available. Analysis
can be qualitative, semi-quantitative or quantitative, or a
combination of these, depending on the circumstances.

6.4.4 Risk Evaluation
• The purpose of risk evaluation is to assist in making
decisions, based on the outcomes of risk analysis, about
which risks need treatment and the priority for
treatment implementation.
• Risk evaluation involves comparing the level of risk found
during the analysis process with risk criteria established
when the context was considered. Based on this
comparison, the need for treatment can be considered.
• Decisions should take account of the wider context of the
risk and include consideration of the tolerance of the risks
borne by parties other than the organization that benefits
from the risk. Decisions should be made in accordance
with legal, regulatory and other requirements.
• In some circumstances, the risk evaluation can lead to a
decision to undertake further analysis. The risk evaluation
can also lead to a decision not to treat the risk in any way
other than maintaining existing controls.
• This decision will be influenced by the organization's risk
attitude and the risk criteria that have been established.

Six Broad Clusters of Techniques
ISO 31000 Clause 6.5
Risk Treatment

6.5.1 General
Risk treatment involves selecting one or more options for modifying risks, and implementing
those options. Once implemented, treatments provide or modify the controls.

Risk treatment involves a cyclical process of:
• assessing a risk treatment;
• deciding whether residual risk levels are tolerable;
• if not tolerable, generating a new risk treatment; and
• assessing the effectiveness of that treatment.

Risk treatment options are not necessarily mutually exclusive or appropriate in all
circumstances. The options can include the following:
a) avoiding the risk by deciding not to start or continue with the activity that gives rise to
the risk;
b) taking or increasing the risk in order to pursue an opportunity;
c) removing the risk source;
d) changing the likelihood;
e) changing the consequences;
f) sharing the risk with another party or parties (including contracts and risk financing); and
g) retaining the risk by informed decision.

6.5.2 Selection of Risk Treatment Options
• Selecting the most appropriate risk treatment option
involves balancing the costs and efforts of
implementation against the benefits derived, with
regard to legal, regulatory, and other requirements
such as social responsibility and the protection of the
natural environment. Decisions should also take into
account risks which can warrant risk treatment that is
not justifiable on economic grounds, e.g. severe (high
negative consequence) but rare (low likelihood) risks.
• When selecting risk treatment options, the
organization should consider the values and
perceptions of stakeholders and the most appropriate
ways to communicate with them. Where risk treatment
options can impact on risk elsewhere in the
organization or with stakeholders, these should be
involved in the decision.
• Though equally effective, some risk treatments can be
more acceptable to some stakeholders than to others.

6.5.2 Selection of Risk Treatment Options


• The treatment plan should clearly identify the
priority order in which individual risk treatments
should be implemented.
• Risk treatment itself can introduce risks. A
significant risk can be the failure or ineffectiveness
of the risk treatment measures. Monitoring needs
to be an integral part of the risk treatment plan to
give assurance that the measures remain effective.
• Risk treatment can also introduce secondary risks
that need to be assessed, treated, monitored and
reviewed. These secondary risks should be
incorporated into the same treatment plan as the
original risk and not treated as a new risk. The link
between the two risks should be identified and
maintained.

6.5.3 Preparing and Implementing Risk
Treatment Plans
The purpose of risk treatment plans is to document how the chosen treatment options will be
implemented.
The information provided in treatment plans should include:
• the reasons for selection of treatment options, including expected benefits to be gained;
• those who are accountable for approving the plan and those responsible for implementing
the plan;
• proposed actions;
• resource requirements including contingencies;
• performance measures and constraints;
• reporting and monitoring requirements; and
• timing and schedule.

• Treatment plans should be integrated with the management processes of the organization
and discussed with appropriate stakeholders.
• Decision makers and other stakeholders should be aware of the nature and extent of the
residual risk after risk treatment. The residual risk should be documented and subjected to
monitoring, review and, where appropriate, further treatment.
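The analysis, evaluation and treatment steps described in 6.3.4, 6.4.3, 6.4.4 and 6.5.1 to 6.5.3 above, carried through as one worked example in Python. This code is added here; it is not part of the course material or of ISO 31000. The five-point likelihood and consequence scales, the use of their product as the level of risk, the acceptable/tolerable thresholds, the rule that a severe consequence is always treated, and the sample risk R94 (vendor components fail to meet requirements, from the list above) with its secondary counterparty risk R118 are all assumptions chosen for illustration; an organization defines its own criteria.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


@dataclass
class RiskCriteria:
    """How the level of risk is determined and where it becomes acceptable or
    tolerable (6.3.4). Thresholds here are assumed for this example."""
    acceptable_max: int = 4    # level <= 4: accept, keep existing controls
    tolerable_max: int = 12    # 5..12: tolerate, monitor and review
    always_treat_from: Consequence = Consequence.SEVERE  # 6.5.2: severe but rare

    def level(self, likelihood, consequence):
        return int(likelihood) * int(consequence)

    def evaluate(self, likelihood, consequence):
        """Compare the analysed level of risk with the criteria (6.4.4)."""
        if consequence >= self.always_treat_from:
            return "treat"
        lvl = self.level(likelihood, consequence)
        if lvl <= self.acceptable_max:
            return "accept"
        return "tolerate" if lvl <= self.tolerable_max else "treat"


@dataclass
class Treatment:
    option: str                        # one of 6.5.1 a) to g)
    action: str
    residual_likelihood: Likelihood    # expected once this treatment is in place
    residual_consequence: Consequence
    owner: str                         # responsible for implementing (6.5.3)


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: Likelihood
    consequence: Consequence
    treatments: list = field(default_factory=list)  # in priority order (6.5.2)
    secondary: list = field(default_factory=list)   # risks the treatment introduces

    def residual(self):
        # After the last planned treatment; an untreated risk keeps its analysed values
        if not self.treatments:
            return self.likelihood, self.consequence
        last = self.treatments[-1]
        return last.residual_likelihood, last.residual_consequence


def build_register(risks, criteria):
    """Register rows for each risk and its linked secondary risks, evaluated
    before and after treatment. Secondary risks stay in the same plan and
    carry a link back to the originating risk (6.5.2)."""
    rows = []
    for r in risks:
        rl, rc = r.residual()
        rows.append({
            "ref": r.ref,
            "inherent_level": criteria.level(r.likelihood, r.consequence),
            "inherent_decision": criteria.evaluate(r.likelihood, r.consequence),
            "residual_level": criteria.level(rl, rc),
            "residual_decision": criteria.evaluate(rl, rc),
            "treatments": [t.option for t in r.treatments],
        })
        for s in r.secondary:
            for row in build_register([s], criteria):
                row.setdefault("linked_to", r.ref)
                rows.append(row)
    return rows


# Constructed sample: risk 94 from the list above, treated first by reducing its
# likelihood and then by sharing it contractually; the contract introduces
# counterparty risk (118) as a secondary risk in the same plan.
CRITERIA = RiskCriteria()
VENDOR_RISK = Risk(
    "R94", "Vendor components fail to meet requirements",
    Likelihood.LIKELY, Consequence.MAJOR,
    treatments=[
        Treatment("d) changing the likelihood", "joint requirements walkthrough with the vendor",
                  Likelihood.POSSIBLE, Consequence.MAJOR, "Project manager"),
        Treatment("f) sharing the risk", "acceptance criteria and rework clause in the contract",
                  Likelihood.POSSIBLE, Consequence.MODERATE, "Procurement"),
    ],
    secondary=[Risk("R118", "Vendor fails to honour the rework clause",
                    Likelihood.UNLIKELY, Consequence.MODERATE)],
)


def register_rows():
    return build_register([VENDOR_RISK], CRITERIA)
```

Running `register_rows()` gives two rows: R94 is analysed at level 16 (treat), drops to a residual level of 9 (tolerate) after both treatments, and R118 appears at level 6 (tolerate) with `linked_to` set to R94, so the secondary risk is monitored under the same plan rather than opened as an unrelated entry. The `always_treat_from` rule is what keeps a rare but severe risk from being accepted on the arithmetic alone.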

ISO 31000 Clause 6.6
Monitoring and Review

6.6 Monitoring and Review
Both monitoring and review should be a planned part of
the risk management process and involve regular
checking or surveillance. It can be periodic or ad hoc.
Responsibilities for monitoring and review should be
clearly defined.
The organization's monitoring and review processes
should encompass all aspects of the risk management
process for the purposes of:
✓ ensuring that controls are effective and efficient in
both design and operation;
✓ obtaining further information to improve risk
assessment;
✓ analyzing and learning lessons from events (including
near-misses), changes, trends, successes and failures;
✓ detecting changes in the external and internal
context, including changes to risk criteria and the risk
itself which can require revision of risk treatments
and priorities; and
✓ identifying emerging risks.

6.7 Recording the Risk Management Process
Risk management activities should be traceable. In the risk
management process, records provide the foundation for
improvement in methods and tools, as well as in the overall
process.
Decisions concerning the creation of records should take
into account:
• the organization's needs for continuous learning;
• benefits of re-using information for management
purposes;
• costs and efforts involved in creating and maintaining
records;
• legal, regulatory and operational needs for records;
• method of access, ease of retrievability and storage
media;
• retention period; and
• sensitivity of information.
Risk Management Planning
Group of 5
(Day 2 – Presentations will start at 1 pm)

Approach to Risk-based Thinking
(Reference: ISO 31000:2018)

• SWOT – All groups

• External Assessments
  • External suppliers (suppliers of raw materials, ingredients, packaging materials and
    utilities) – G5
  • Customers/ consumers – G4
  • External supplier (TMO) – G5
  • External supplier of services (pest control, testing and calibration) – G1
  • Regulatory authorities – G1
  • Competitors – G3
  • Opportunities (prioritize, optimize, area for improvement) – ALL
  • Threats (counter, preventive action) – ALL

• Internal Assessments
  • Employees – G4
  • Organization's culture – G3
  • Governance, organizational structure, roles and accountabilities – G2
  • Policies, objectives, and the strategies that are in place to achieve them – G3
  • Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people,
    processes, systems and technologies) – G5
  • The relationships with and perceptions and values of internal stakeholders and the
    organization's culture – G2
  • Information systems, information flows and decision-making processes (both formal and
    informal) – G4
  • Standards, guidelines and models adopted by the organization – G1
  • Form and extent of contractual relationships – G2
  • Strengths (maintain, build, leverage, continual improvement) – ALL
  • Weaknesses (remedy, corrective action) – ALL

Benefit

Extending The Process

The role of assurance activity, not just as a risk control, but as part of 'Monitor and Review',
should be developed. This should go further than just audit.

Other interested stakeholders can also benefit from the risk process, such as quality assurance,
security, safety & environment management. The process is all about facilitating linkages
between different stakeholders across the organisation.

Summary of Workshop Scores (RESULTS)
Note: Ps – partial score

Columns (maximum points):
• Group No.
• Workshop 1 (Understanding the context – internal and external) – 31 pts
• Workshop 2 (Risk Identification and Evaluation) – 20 pts
• Workshop 3 (Risk Treatment, Mitigation and Implementation Plan) – 20 pts
• Workshop 4 (Strengths and Opportunities Leverage) – 20 pts
• Workshop 5 (Monitoring and Measurements) – 20 pts
• Workshop 6 – 20 pts
• Total (131) – passing rate is 70%

Rows (scores to be entered): G1 %, G2 %, G3 %, G4 %

Look for other training resources

For Other Training Needs:

Thank you
Course Tutor: Harvi Mijares Abangan