Chapter 4 4.3


The principles are described below

1. Integrated. Risk management is integrated into all organizational activities.
2. Structured and comprehensive. The risk management approach needs to be structured and comprehensive.
3. Customized. The risk management framework and process should be customized to the organizational objectives.
4. Inclusive. Appropriate involvement of stakeholders enables informed risk management.
5. Dynamic. Risk management foresees, recognizes, and reacts to changing risks.
6. Best available information. Risk management considers past, current, and future information and any related limitations of such information.
7. Human and cultural factors. Human behavior and culture affect all facets and each level of risk management.
8. Continual improvement. Learning and experience constantly improve risk management.

The risk management process consists of the following elements

1. To improve understanding of risks and decisions made, communication to raise awareness and consultation to obtain feedback and information require ongoing, structured coordination with stakeholders.

scope, context, and criteria

2. The scope, context, and criteria should be established to customize risk management. This element includes defining the scope of the risk management process, understanding its external and internal context, and defining risk criteria.
a. The context of the risk management process derives from the understanding of the specific external and internal environment of the organization.

performance measurement system

A critical aspect of the maturity model approach is that risk management performance and progress in executing the risk management plan should be linked with a performance measurement system, which typically consists of
1. Performance standards,
2. Criteria on how the standards can be satisfied,
3. A method of comparing actual performance with each standard,
4. A method of recording and reporting performance and improvements in performance, and
5. Periodic independent verification of management's assessment.

capability maturity model (CMM)

An example maturity curve (i.e., maturity model) is the capability maturity model (CMM). It consists of the following maturity levels presented in order of maturity: initial, repeatable, defined, managed, and optimizing.
Level 1: Initial - Few processes are defined.
Level 2: Repeatable - Basic processes are established.
Level 3: Defined - Standards are developed.
Level 4: Managed - Performance measures are defined.
Level 5: Optimizing - Continuous improvement is enabled.

ISO 31000 - Assurance Approaches

ISO 31000 describes three approaches to providing assurance on the risk management process: (1) key principles, (2) process element, and (3) maturity model. 1. The key principles approach evaluates whether the risk management principles are in practice. 2. The process element approach evaluates whether the risk management elements have been put into practice.

ISO 31000 - Principles, Framework, and Process

ISO 31000 is a principles-based approach to risk management. Its principles are the foundation for risk management. They also communicate the characteristics, value, and purpose of effective and efficient risk management. Value creation and protection are the purposes of risk management. The principles are described below:

Turnbull Risk Management Framework

In contrast with the ISO 31000 principles-based approach, the Turnbull risk management framework emphasis is on internal control, the assessment of its effectiveness, and risk analysis.

Capability Maturity Model Integration (CMMI) Development V2.0

The Capability Maturity Model Integration (CMMI) Development V2.0 focuses on organizational performance at each maturity level. This model consists of the following maturity levels presented in order of maturity: incomplete, initial, managed, defined, quantitatively managed, and optimizing.
Level 0: Incomplete - Whether work can be completed is not known.
Level 1: Initial - Work can be completed, but not on time or within the budget.
Level 2: Managed - Projects are planned, implemented, managed, and monitored.
Level 3: Defined - Standards for projects are defined throughout the organization.
Level 4: Quantitatively managed - The organization quantifies performance improvement goals to meet stakeholders' needs.
Level 5: Optimizing - The organization pursues continuous improvement, responds to change, and innovates.

leadership and commitment

The board and senior management demonstrate leadership and commitment by implementing the framework's components; adopting a policy that establishes a risk management plan or approach; committing resources to risk management; and assigning accountability, authority, and responsibility at each organizational level.

ISO 31000 - Responsibilities for Risk Management

The board is responsible for overseeing risk management and has overall responsibility for ensuring that risks are managed and the risk management system is effective.

design

The design of the framework involves the following:
a. Understanding the organization and its context
b. Articulating commitment to risk management
c. Assigning and communicating authorities, responsibilities, and accountabilities for risk management roles at all levels
d. Allocating resources (e.g., people, experience, processes, and information systems) to support risk management while recognizing the limitations of existing resources
e. Establishing communication and consultation

evaluation

The evaluation of the framework's effectiveness involves measuring performance against expectations.

implementation

The implementation of the framework can be achieved by developing a plan; identifying decision-making processes; modifying decision-making processes as change occurs; and ensuring stakeholders' understanding of, and engagement with, the organization's risk management arrangements.

improvement

The improvement of the framework is achieved through monitoring and updating the framework in response to changes, thereby enhancing organizational performance.

integration

The integration of the framework into all facets of an organization, including its objectives, structure, governance, and culture, is a dynamic process. All personnel in the organization are responsible for managing risks.

internal audit activity

The internal audit activity is responsible for providing assurance regarding the entire risk management system.

maturity model

The maturity model approach is based on the principle that effective risk management processes develop and improve with time as value is added at each phase in the maturation process. The basic principle is that risk management must add value.

Risk analysis

examines the nature, characteristics, and level of risk. It considers such factors as likelihood of events and consequences, control effectiveness, and confidence level.

Risk treatment

is a repetitive process of selecting risk treatments (e.g., accept, avoid, reduce, share, or pursue), implementing the treatment, assessing the treatment's effectiveness, determining whether the residual risk is acceptable, and adopting another treatment if the first was unacceptable.

A risk management framework

is a set of components that includes leadership and commitment, integration, design, implementation, evaluation, and improvement of risk management. The six components are described as follows:

Management

is responsible for setting the organization's risk attitude, which is defined by ISO as an "organization's approach to assess and eventually pursue, retain, take, or turn away from risk." Management also identifies and manages risks.

Risk assessment

is the process of identifying, analyzing, and evaluating risk. Risk identification finds risks that can contribute to or prevent achieving organizational objectives. For example, it considers risk sources, changes in context, threats and opportunities, emerging risk indicators, and consequences and their effects on objectives.

Recording and reporting

of the risk management process and its results should be facilitated to communicate and improve risk management activities, support decisions, and enhance communications with stakeholders.

Monitoring and review

should occur in all phases of the risk management process to improve its quality and effectiveness.

Risk evaluation

supports decision making by comparing the defined risk criteria with the outcome of risk analysis and determining whether any action is required.

Accordingly, this approach determines where

the risk management process is on the maturity curve and evaluates whether it (1) is progressing as expected, (2) adds value, and (3) meets organizational needs.
