4.3: ISO 31000 Risk Management Framework
What are the principles of the ISO 31000 framework?
1) Integrated 2) Structured and comprehensive 3) Customized 4) Inclusive 5) Dynamic 6) Best available information 7) Human and cultural factors 8) Continual improvement
What are the three approaches ISO 31000 describes to provide assurance on the risk management process?
1) Key principles 2) Process elements 3) Maturity model
Risk management performance and progress in executing the risk management plan should be linked with a performance measurement system which consists of the following:
1) Performance standards 2) Criteria on how the standards can be satisfied 3) A method of comparing actual performance with each standard 4) A method of recording and reporting improvements in performance 5) Periodic independent verification of management's assessment
What are the elements of the risk management process?
1) Scope, context, criteria 2) Risk assessment 3) Risk identification 4) Risk analysis 5) Risk evaluation 6) Risk treatment 7) Monitoring and review 8) Recording and reporting
Risk treatment:
A repetitive process of selecting risk treatments (Accept, avoid, reduce, share, or pursue), implementing the treatment, assessing the treatment's effectiveness, determining whether residual risk is acceptable, and adopting another treatment if the first response is unacceptable.
Define a risk management framework:
A set of components that includes: leadership and commitment, integration, design, implementation, evaluation, and improvement of risk management.
Define the maturity model:
Based on the principle that effective risk management processes develop and improve with time as value is added at each phase in the maturation process. The basic principle is that it must ADD VALUE.
The implementation component of the ISO 31000 risk management framework:
Can be achieved by: 1) Developing a plan 2) Identifying decision-making processes 3) Modifying decision-making processes 4) Ensuring stakeholders' understanding of and engagement with risk management practices
Capability Maturity Model (CMM)
Consists of the following maturity levels: 1) Initial 2) Repeatable 3) Defined 4) Managed 5) Optimizing
Risk attitude
Defined by ISO as: the organization's approach to assess and eventually pursue, retain, take, or turn away from risk.
Turnbull Risk Management Framework
Emphasis is on internal controls, the assessment of their effectiveness, and risk analysis.
Risk analysis:
Examines the nature, characteristics, and level of risk. (Likelihood and impact).
Risk identification:
Finds risks that can contribute to or prevent organizational objectives.
Capability Maturity Model Integration (CMMI)
Focuses on organizational performance at each maturity level. Consists of the following levels: 0) Incomplete 1) Initial 2) Managed 3) Defined 4) Quantitatively managed 5) Optimizing
The design component of the ISO 31000 risk management framework:
Involves the following: 1) Understanding the organization and its context 2) Articulating commitment to risk management 3) Assigning and communicating authorities, responsibilities, and accountability for risk management roles 4) Allocating resources 5) Establishing communication and consultation
ISO 31000
Is a principles-based approach to risk management. Its principles are the foundation for risk management. Value creation and protection are the purposes of risk management.
ISO 31000 responsibilities for risk management - Board
Responsible for overseeing risk management and has overall responsibility for ensuring that risks are managed and the risk management system is effective.
ISO 31000 responsibilities for risk management - Internal Audit Activity
Responsible for providing assurance regarding the entire risk management system.
ISO 31000 responsibilities for risk management - Management
Responsible for setting the organization's risk attitude. Management also identifies and manages risk.
Recording and reporting:
Should be facilitated to communicate and improve risk management activities, support decisions, and enhance communications with stakeholders.
Monitoring and review:
Should occur in all phases of the risk management process.
Risk evaluation:
Supports decision making by comparing the defined risk criteria with the outcome of risk analysis and determining whether any action is required.