Risk Management


BS ISO31000:2018 Risk Management

This standard is for use by organisations that create and protect value by managing risks, making decisions, setting and achieving objectives and improving performance. Organisations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives. Managing risk well assists organisations in setting strategy, achieving objectives and making informed decisions. It is part of governance and leadership, and is fundamental to how the organisation is managed at all levels. It contributes to the improvement of management systems and considers all external and internal factors, including human behaviour and cultural factors.

Defining Risk Criteria

The organisation should specify the amount and type of risk that it may or may not take, relative to its objectives, and define criteria to evaluate the significance of risk and to support decision-making processes. Risk criteria should reflect the organisation's values, objectives and resources, be consistent with its policies and statements about risk management, and be defined taking into consideration the organisation's obligations and the views of stakeholders. Risk criteria are dynamic and should be continually reviewed and amended where necessary.

Risk Identification

The purpose of risk identification is to find, recognise and describe risks that might help or prevent an organisation from achieving its objectives. Information needs to be relevant, appropriate and up to date, and the following factors, and the relationships between them, should be considered:

  • sources of risk including causes and events;
  • threats and opportunities;
  • vulnerabilities and capabilities;
  • changes in the external and internal factors;
  • indicators of emerging risks;
  • assets and resources;
  • limitations of knowledge and reliability of information;
  • time-related factors;
  • biases, assumptions and beliefs of those involved.

The organisation should also identify risks whose sources are not under its control.

Risk Analysis

Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be treated and how, and to the choice of the most appropriate risk treatment strategy and methods. The results provide insight for decisions where choices are being made and the options involve different types and levels of risk.

Risk analysis should consider factors such as:

  • the likelihood of events and consequences;
  • the nature and magnitude of consequences;
  • complexity and connectivity;
  • time-related factors and volatility;
  • the effectiveness of existing controls;
  • sensitivity and confidence levels.

Risk Evaluation

The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required. This can lead to a decision to:

  • do nothing further;
  • consider risk treatment options;
  • undertake further analysis to better understand the risk;
  • maintain existing controls;
  • reconsider objectives.

Risk Treatment Plan

The purpose of risk treatment is to select and implement options for addressing risk. Risk treatment involves the process of:

  • formulating and selecting risk treatment options;
  • planning and implementing risk treatment;
  • assessing the effectiveness of that treatment;
  • deciding whether the remaining risk is acceptable;
  • if not acceptable, taking further treatment.

Risk Treatment Implementation

The purpose of risk treatment plans is to specify how the chosen treatment options will be implemented, so that the arrangements are understood by those involved and progress against the plan can be monitored.

The treatment plan should clearly identify the order in which risk treatment should be implemented and be integrated into the management plans and processes of the organisation.

Monitoring and Review

The purpose of monitoring and review is to assure and improve the effectiveness of the risk management system. Ongoing monitoring and periodic review of the risk management process and its outcomes are part of that process, with responsibilities clearly defined. This includes planning, gathering and analysing information, recording results and providing feedback.


Employee training on risk identification, management and control.