RISK MANAGEMENT
Design
Framework of ISO 31000 (process.st)
1. Leadership and commitment
Central to the ISO 31000 framework for risk
management is the importance of leadership and
commitment.
This component includes things like:
 Aligning risk management with the overall
business objectives, strategies, and culture of
the company,
 Issuing statements, announcements, or policies
that clearly describe the risk management
approach, planning, objectives, or actions,
 Making sure resources are adequately allocated
and available for the risk management program,
 Determining the acceptable degree of risk that
the organization can handle (“risk appetite”).
2. Integration
Perhaps second only to leadership and commitment,
integration is super important in any risk management
framework. The effectiveness of your entire risk management
approach will depend on how extensively (and efficiently) it is
integrated into all aspects of your organization, including
decision-making processes.
For example, some processes, like an electrical inspection
checklist, will have some level of risk involved. This could
mean that the decision-making process involves multiple
individuals, which could easily lead to a bottleneck, and result
in a slow, inefficient process.
By effectively integrating the risk management process, these
bottlenecks can be bypassed. One way of doing this is by
utilizing a BPM software like Process Street to streamline
each step along the way.
Using the same example, if a problem was detected by the
electrician, they could swiftly notify management, or the
client, or whoever might be the most relevant interested
party with Process Street’s rich form fields and conditional
logic.
That’s just one example. There are a ton of other ways you
could use software like Process Street to simplify and improve
your risk management framework. For more ideas, check out
this introductory webinar:
Returning to the ISO 31000 framework, this component also
includes things like:
 Roles and responsibilities of organizational
management
 Making sure risk management is part of
(integrated) all aspects of the organization
3.
We now come to the final four components of the
framework: design, implementation, evaluation, and
improvement.
This sequence of four stages is also known as the Plan-Do-
Study-Act cycle, which is a model for continuous quality
improvement.
Despite the naming difference, the approach is largely the
same. Four distinct stages, beginning with planning (or
design), and ending with improvement (or learning), with the
common goal of improving the risk management framework.
This component includes things like:
 Understanding the organization and its context
(both internal and external)
 Planning and allocating resources for the risk
management program
 Establishing communication protocols
4. Implementation
Putting the plans in action. Although, there is still a bit of
planning that happens here; namely, the specific planning
regarding the implementation of the risk management
approach.
This component includes things like:
 Setting objectives and deadlines
 Clearly defining the decision-making process
 Evaluating and making changes to the decision-
making process where appropriate
5. Evaluation
Taking a look at what’s working, what’s not, and figuring out
if the risk management system is working as it should be.
This involves looking at the perceived versus the desired
outcome (e.g., performing a gap analysis), and any other
analytics or feedback from the process and implementation
so far.
It might include things like:
 Measuring the performance of the risk
management system
 Assessing success rate
 Determining whether or not objectives are
feasible
6. Improvement
Risk management is a cyclic and wholly continuous approach.
That means there is always room for improvement.
Despite the fact that there is a step in the ISO 31000
framework dedicated to it, and that the framework is laid out
as a series of consecutive steps, the most effective risk
management systems adopt a truly continuous approach to
improvement.
A big part of that is making sure employees are on board with
the risk management approach and that they understand and
are able to take ownership of the processes they’re
interacting with most frequently. Only by giving process
owners the motivation and responsibility to take action on
improving their processes will risk management thrive in a
business environment.
The improvement component includes things like:
 Continuously monitoring all aspects of the risk
management framework
 Addressing internal and external changes
 Planning and taking actions to improve value
creation within the risk management system
TOPIC 1
RISK MANAGEMENT
Definitions of RISK
 “ A chance or the possibility of danger, loss, injury
or other adverse consequences.” – Oxford English
Dictionary
 At risk- “exposed to danger”
Organization Definition
ISO Guide 73 Effect of uncertainty on
objectives. Note that an effect
may be positive, negative, or a
deviation from the expected.
Also, risk is often described by
an event, a change in
circumstances or
consequence.
Institute of Risk Risk is the combination of the
Management (IRM) probability of an event and its
consequence. Consequences
can range from positive to
negative.
Orange Book from Uncertainty of outcome,
HM Treasury within a range of exposure,
arising from a combination of
the
impact and the probability of
potential events.
Institute of Internal The uncertainty of an event
Auditors occurring that could have an
impact on the achievement of
the objectives. Risk is
measured in terms of
consequences and likelihood.
TYPES OF RISKS
 Compliance (or mandatory) risks -
 Hazard (or pure) risks - events that can only result
in negative outcomes. Maybe thought of as
operational or insurable risks.
Example: Theft and Fire
 Control (or uncertainty) risks - risks that give rise to
uncertainty about the outcome of a situation.
These are risks associated with unknown and
unexpected events.
Example: Uncertainty about the delivery of the project
on time
 Opportunity (or speculative) risks - involve risks to
achieve positive gains. It is focused on investment.
Example: moving business to a new location and
acquiring new property.
Risks Organization’s General Action
Compliance Risks Minimize the risks
Hazard Risks Mitigate the risks
Control Risks Manage the risks
Opportunity Risks Embrace the risks
RISK DESCRIPTION
 To fully understand risk, a detailed description is
necessary so that a common understanding of the
risks can be identified and ownership or
responsibilities may be clearly understood.
a  Name or Title of Risk
 Statement of Risk, including the scope of risk and
details of possible events and dependencies
 Nature of risk, including details of the risk
classification and timescale of the potential impact
 Stakeholders in the risk, both internal and external
 Likelihood and magnitude of event and
consequences should the risk materialize at
current/residual level
 Control standard required, the target level of risk or
risk criteria
 Incident and loss experience
 Existing control mechanisms and activities
 Responsibility for developing risk strategy and
policy
 Potential for risk improvement and level of
confidence in existing controls
 Risk improvement recommendations and deadlines
for implementation
 Responsibility for implementing improvements
 Responsibility for auditing risk compliance
INHERENT (ABSOLUTE/GROSS) LEVEL OF RISK
 This is the level of the risk before any actions have
been taken to change the likelihood or magnitude
of the risk.
 Identifying the inherent level of the risk makes it
possible to identify the importance of control
measures in place.
 According to IIA: “In the risk assessment, we look
at the inherent risks before considering any
controls.”
 A risk matrix is used to show the inherent level of
the risk in terms of likelihood and magnitude.
 Crossing the busy road
Crossing a busy road would be inherently dangerous if
there were no controls in place and many more road
accidents would occur. When a risk is inherently
dangerous, greater attention is paid to the control
measures in place, because the perception of risk is
much higher. Pedestrians do not cross the road without
looking and drivers are always aware that pedestrians
may step into the road. Often, other traffic control
measures are necessary to reduce the speed of the
motorists or increase the risk awareness of both
motorists and pedestrians
5. The component or feature of the organization that
will be impacted (people, premises, processes , or
products)
 An important consideration for organizations when
deciding their risk classification system is to
determine whether the risks will classified
according to the source of the risks, the component
impacted, or of the consequences of the risk
materializing.
 Individual organizations will decide on the risk
classification system that suits them best,
depending on the nature of the organization and its
activities.
 The risk classification system that is selected should
be fully relevant to the organization concerned.
 There is no universal classification system that
fulfills the requirements of all organizations.
RISK LIKELIHOOD AND MAGNITUDE
 Risk likelihood and magnitude are best
demonstrated using a risk matrix.
 Risk matrix is very valuable for risk management.
 The basic style of risk matrix plots the likelihood of
an event against the magnitude or impact should
the event materialize.
Magnitude
Low likelihood High likelihood
High
Low likelihood High likelihood
Low magnitude Low Magnitude
Likelihood

RISK CLASSIFICATION SYSTEMS

Risks can be classified according to:

1. The nature of the attributes of the risk (timescale

for impact, nature of the impact, and/or likely
magnitude of the risk);
2. Timescale of the impact after the event occurs;
3. The source of the risk (origin);
4. The nature of the impact (impact on the finances,
activities, infrastructure, or reputation); and