ISO 31000:2018 Risk Management – Guidelines
© Operational Excellence Consulting. All rights reserved.
NOTE: This is a PARTIAL PREVIEW.

LEARNING OBJECTIVES
● Understand the concept of risk as the effect of uncertainty on objectives
● Describe the risk management principles, framework and process in the context of a Risk Management System
● Appreciate the value of ISO 31000 as the benchmark for best practice in managing risk
CONTENTS
01 INTRODUCTION & KEY CONCEPTS OF ISO 31000
02 THE THREE PILLARS OF ISO 31000
ISO STANDARDS CONTRIBUTE DIRECTLY TO THE U.N. SUSTAINABLE DEVELOPMENT GOALS (SDGs)
Some examples of popular ISO standards that are adopted by various companies and organizations:
● ISO 9001:2015 – Quality Management Systems
● ISO 14001:2015 – Environmental Management Systems
● ISO 45001:2018 – Occupational Health & Safety Management Systems
● ISO 26000:2010 – Social Responsibility
● ISO/IEC 27001:2022 – Information Security Management Systems
● ISO 37001:2016 – Anti-Bribery Management Systems
● ISO 50001:2018 – Energy Management Systems
● ISO 22000:2018 – Food Safety Management Systems
WHAT IS ISO 31000?
● An international standard that provides principles and generic guidelines on risk management
● Not specific to any industry or sector
● Can be applied to any type of risk (financial, technological, natural, project)
● Can be applied to any type of organization
● Can be applied to organizational activities such as decision making
THE ISO 31000 FAMILY
● GUIDELINES: ISO 31000:2018 Risk management – Guidelines (focus of this presentation)
● VOCABULARY: ISO Guide 73:2009 Risk management – Vocabulary
● TECHNIQUES: IEC 31010:2019 Risk management – Risk assessment techniques
Source: Adapted from ISO/IEC
KEY FOCUS OF ISO 31000
● Stresses commitment to diligent risk management
● Encourages priority setting
● Explains that risk management should itself create and protect value
● Stresses the importance of context
● Adopts the viewpoint that risk management is integral to the organization’s objectives
OBJECTIVES OF ISO 31000
● Help organizations develop a risk management strategy to effectively identify and mitigate risks
● Develop a risk management culture in which employees and stakeholders are aware of the importance of monitoring and managing risk
WHAT IS “RISK”?
● Risk is present in everything we do
● Risk can be a threat or an opportunity
● Anything that could harm, prevent, delay or enhance your ability to achieve your objectives
● ISO 9001:2015, ISO 14001:2015, ISO 22301:2012 and ISO 45001:2018 are all risk-based standards
EXAMPLES OF RISKS
● Damage to reputation or brand
● Infectious diseases
● Cyber crime
● Climate change
● Political risk
● Economic downturn
● Digital currency
● Terrorism
WHY DO WE NEED TO BE AWARE OF RISK?
● Risk is something that we all face every day
● As a company, we have to take risks in pursuit of our commercial objectives
● We all have to manage risk as part of our daily working lives as well as our personal lives
YOU MANAGE RISKS WHEN YOU…
● Reduce uncertainty to an acceptable level for better-informed decisions, leading to achieving or varying objectives
● Control the likelihood of events occurring that affect the certainty of achieving your objectives
● Reduce the likelihood of a negative consequence occurring, or effectively and efficiently exploit an opportunity
DEFINITION OF “RISK MANAGEMENT”
In ISO 31000, “risk management” is defined as: coordinated activities to direct and control an organization with regard to risk.
Source: Based on ISO
BENEFITS OF ADOPTING THE ISO 31000 STANDARD
● Improve the identification of opportunities and threats
● Increase the likelihood of achieving objectives
● Identify and treat risk throughout the organization
● Encourage proactive management
● Comply with relevant legal and regulatory requirements and internal norms
● Establish a reliable basis for decision making
● Improve financial reporting
● Improve governance
THE THREE PILLARS OF ISO 31000
[Figure: the three pillars shown as linked diagrams]
● PRINCIPLES (Clause 4): purpose of Value Creation and Protection, with the principles Integrated; Structured and Comprehensive; Customized; Inclusive; Dynamic; Best Available Information; Human and Cultural Factors; Continual Improvement
● FRAMEWORK (Clause 5): built around Leadership and Commitment
● PROCESS (Clause 6): Scope, Context, Criteria; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; with Communication & Consultation, Monitoring & Review, and Recording & Reporting running alongside
Source: Adapted from ISO
THE THREE PILLARS OF ISO 31000
The ISO 31000 standard comprises three pillars:
● PRINCIPLES – the required elements of effective and efficient risk management
● FRAMEWORK – assists in integrating risk management into the activities and functions of the organization
● PROCESS – an integral part of the management, structure, operations and processes (activities) of the organization
RISK MANAGEMENT PRINCIPLES
[Figure: the eight principles arranged around the purpose of risk management, Value Creation and Protection]
● Integrated
● Structured and Comprehensive
● Customized
● Inclusive
● Dynamic
● Best Available Information
● Human and Cultural Factors
● Continual Improvement
RISK MANAGEMENT FRAMEWORK
[Figure: the framework components arranged around Leadership and Commitment; only that central label survived extraction]
RISK MANAGEMENT PROCESS
[Figure: the process flow]
● Scope, Context, Criteria
● Risk Assessment: Risk Identification → Risk Analysis → Risk Evaluation
● Risk Treatment
● Throughout: Communication & Consultation; Monitoring & Review; Recording & Reporting
RISK MANAGEMENT PROCESS DESCRIPTION
§ Risk identification – What could prevent us from achieving our objectives?
§ Risk analysis – Understanding the sources and causes of the identified risks; studying probabilities and consequences given the existing controls, to identify the level of residual risk.
§ Risk evaluation – Comparing risk analysis results with risk criteria to determine whether the residual risk is tolerable.
§ Risk treatment – Changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit.
RISK ASSESSMENT
● Should be conducted systematically, iteratively and collaboratively
● Tools and techniques for risk assessment can be found in IEC 31010 (Risk assessment techniques)
● Risk assessment is the overall process of:
  o Risk identification
  o Risk analysis, and
  o Risk evaluation
RISK IDENTIFICATION
● Find, recognize and describe risks that might help or prevent an organization achieving its objectives
● Relevant, appropriate and up-to-date information is important in identifying risks
● A risk not identified is a risk not analyzed, not evaluated and not treated
● The biggest risk of all is not to consider the risks to your objectives!
RISK ANALYSIS – FACTORS TO CONSIDER
● The likelihood of events and consequences
● The nature and magnitude of consequences
● Complexity and connectivity
● Time-related factors and volatility
● The effectiveness of existing controls
● Sensitivity and confidence levels
RISK TREATMENT
● The purpose of risk treatment is to select and implement options for addressing risk:
  o Selection of risk treatment options (balancing benefits against costs, effort and disadvantages, although the justification may be broader than economic considerations alone)
  o Preparing and implementing risk treatment plans
● If no treatment option is available, the risk should be recorded and kept under ongoing review
ISO 31000 KEY CLAUSE STRUCTURE (4–6)
4. Principles
  Purpose: Value creation and protection
  § Integrated
  § Structured and comprehensive
  § Customized
  § Inclusive
  § Dynamic
  § Best available information
  § Human and cultural factors
  § Continual improvement
5. Framework
  5.1 General
  5.2 Leadership and commitment
  5.3 Integration
  5.4 Design
    5.4.1 Understanding the organization and its context
    5.4.2 Articulating risk management commitment
    5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
    5.4.4 Allocating resources
    5.4.5 Establishing communication and consultation
  5.5 Implementation
  5.6 Evaluation
  5.7 Improvement
    5.7.1 Adapting
    5.7.2 Continually improving
6. Process
  6.1 General
  6.2 Communication and consultation
  6.3 Scope, context and criteria
    6.3.1 General
    6.3.2 Defining the scope
    6.3.3 External and internal context
    6.3.4 Defining risk criteria
  6.4 Risk assessment
    6.4.1 General
    6.4.2 Risk identification
    6.4.3 Risk analysis
    6.4.4 Risk evaluation
  6.5 Risk treatment
    6.5.1 General
    6.5.2 Selection of risk treatment options
    6.5.3 Preparing and implementing risk treatment plans
  6.6 Monitoring and review
  6.7 Recording and reporting
ISO 31000 & PROJECT MANAGEMENT
● An essential aspect of project management is controlling the inherent risks of a project
● Most individuals associate the concept of risk with the potential for loss in value, control, functionality, quality, or timeliness of completion of a project
● Risks arise from uncertainty surrounding project decisions and outcomes
● However, project outcomes may also result in a failure to maximize the gain from an opportunity, and the uncertainties in the decision making leading up to this outcome can also be said to involve an element of risk
YOUR RISK MANAGEMENT CHECKLIST
1. Do you have a risk management plan (it does not have to be lengthy or complicated)?
2. Have you identified and captured your risks in a risk register?
3. How have you evaluated and prioritized your risks?
4. Have you engaged the appropriate stakeholders in the risk identification and evaluation processes?
5. What about risk owners? Does each risk have a risk owner?
6. Have the risk owners developed risk response plans for the highest risks?
7. Are you facilitating a periodic review of your risks, resulting in updates to the risk register and effective risk responses?
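The process slides (risk analysis against existing controls, evaluation against risk criteria, selection of treatment options, and recording a risk that has no available treatment) and the checklist above describe steps that a small risk register can carry out mechanically. The following is an added worked example written for this page; it is not part of the original presentation and not code from Operational Excellence Consulting or ISO. The 1 to 5 likelihood and consequence scales, the tolerance threshold, the 90-day review period, the register entries and the treatment options are all assumptions constructed for illustration, and threats only are scored (opportunities are left out for brevity).

```python
"""Minimal risk register in the shape of the ISO 31000 process: risk analysis,
risk evaluation, risk treatment selection and monitoring/review.  Added example;
the scales, thresholds and sample entries below are assumptions, not values the
standard prescribes."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional

# Risk criteria (clause 6.3.4) are set by the organization.  Assumed here: a 5x5
# likelihood x consequence grid, a residual score above which a risk must be
# treated, and how often every entry must be reviewed (clause 6.6).
TOLERANCE = 8.0
REVIEW_PERIOD = timedelta(days=90)
TODAY = date(2024, 6, 1)  # constructed "current date" for the review run


@dataclass
class Risk:
    id: str
    description: str
    owner: Optional[str]
    likelihood: int                 # 1 = rare .. 5 = almost certain
    consequence: int                # 1 = negligible .. 5 = severe
    control_effectiveness: float    # 0.0 = no existing control .. 1.0 = fully effective
    treatment_plan: Optional[str] = None
    last_reviewed: Optional[date] = None

    def inherent_score(self) -> float:
        """Level of risk before existing controls are taken into account."""
        return float(self.likelihood * self.consequence)

    def residual_score(self) -> float:
        """Risk analysis (6.4.3): existing controls act on likelihood; a control can
        lower it but never below 'rare' (1)."""
        residual_likelihood = max(1.0, self.likelihood * (1.0 - self.control_effectiveness))
        return residual_likelihood * self.consequence


def evaluate(risk: Risk, tolerance: float = TOLERANCE) -> str:
    """Risk evaluation (6.4.4): compare the analysed residual risk with the criteria."""
    return "tolerable" if risk.residual_score() <= tolerance else "treat"


@dataclass
class TreatmentOption:
    name: str
    control_effectiveness: float    # effectiveness of controls once this option is in place
    cost: float


def select_treatment(risk: Risk, options: List[TreatmentOption],
                     budget: float) -> Optional[TreatmentOption]:
    """Risk treatment (6.5.2): keep the options that bring the risk within tolerance
    and are affordable, then take the cheapest.  None means no option is available;
    the risk is then recorded and kept under review rather than silently accepted."""
    viable = [
        opt for opt in options
        if opt.cost <= budget
        and evaluate(replace(risk, control_effectiveness=opt.control_effectiveness)) == "tolerable"
    ]
    return min(viable, key=lambda opt: opt.cost) if viable else None


def review_register(register: List[Risk], today: date) -> List[str]:
    """Monitoring and review (6.6) against the checklist: every risk has an owner,
    every risk above tolerance has a treatment plan, no entry is overdue for review.
    Findings are ordered by residual score so the highest risks come first."""
    findings = []
    for r in sorted(register, key=lambda r: r.residual_score(), reverse=True):
        if r.owner is None:
            findings.append(f"{r.id}: no risk owner assigned")
        if evaluate(r) == "treat" and r.treatment_plan is None:
            findings.append(f"{r.id}: residual {r.residual_score():.1f} above tolerance, no treatment plan")
        if r.last_reviewed is None or today - r.last_reviewed > REVIEW_PERIOD:
            findings.append(f"{r.id}: review overdue")
    return findings


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware encrypts the file servers", "CISO", 4, 5, 0.5,
         last_reviewed=date(2024, 5, 1)),
    Risk("R2", "Sole supplier outage delays delivery", None, 3, 3, 0.0),
    Risk("R3", "Flooding of the ground-floor office", "Facilities", 1, 4, 0.0,
         last_reviewed=date(2024, 1, 15)),
]

# Constructed treatment options for R1, each with an assumed post-treatment
# control effectiveness and a relative cost.
R1_OPTIONS = [
    TreatmentOption("Offline, immutable backups with tested restore", 0.75, cost=40.0),
    TreatmentOption("EDR rollout to all endpoints", 0.60, cost=60.0),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.id}: inherent {r.inherent_score():.0f}, residual {r.residual_score():.1f} -> {evaluate(r)}")
    chosen = select_treatment(SAMPLE_REGISTER[0], R1_OPTIONS, budget=50.0)
    print("R1 treatment:", chosen.name if chosen else "none available; record and keep under review")
    for finding in review_register(SAMPLE_REGISTER, TODAY):
        print("finding:", finding)
```

With these constructed inputs R1 scores 20 inherent and 10 residual (above the tolerance of 8), so it must be treated; the backup option is the cheapest one that brings it within tolerance, while a budget of 30 leaves no viable option and the risk stays on the register for review. R2 surfaces three checklist failures at once (no owner, no plan, never reviewed), which is the kind of gap a periodic review is meant to catch.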
ABOUT OPERATIONAL EXCELLENCE CONSULTING
Operational Excellence Consulting is a management training and consulting firm that assists organizations in improving business performance and effectiveness. Based in Singapore, the firm’s mission is to create business value for organizations through innovative design and operational excellence management training and consulting solutions. For more information, please visit www.oeconsulting.com.sg