Implementing a Risk Management System based on the ISO 31000

© March 2018 Bureau Veritas
•Continuity and Resilience (CORE)
•ISO 22301 BCM Consulting Firm
•Presentations by speakers at the
7th
ME Business & IT Resilience Summit
March 11, 2018 at The Address Hotel, Duabi Mall, Dubai, UAE
Our Contact Details:
UAE INDIA
Continuity and Resilience
Website: www.coreconsulting.ae
Tel: +971 2 6594006
PO Box: 25722, Abu Dhabi, United Arab Emirates
Email: info@continuityandresilience.com
Tel: +91 11 41055534 | Direct: +91 11 6467 9380
Level 15, Eros Corporate Towers, Nehru Place, New Delhi
– 110019, India

IMPLEMENTING RISK MANAGEMENT
SYSTEM
(Based on ISO 31000: 2018 Risk Management – Guidelines)

3IMPLEMENTING RISK MANAGEMENT SYSTEM© March 2018 Bureau Veritas
Managing Risk
The Challenge !!!
►We live in an ever-changing world
where we are forced to deal with
uncertainty every day.
Why ?
Organizations of all types and sizes
face external and internal factors and
influences that make it uncertain
whether they will achieve their
objectives.

Success
What Predicts Success ??
►How an organization tackles that
uncertainty can be a key predictor of
its success
Source : ISO 31000
Managing Risk

Why Risk Management ?
Preparing for and responding to negative
events, from the predictable to the unforeseen,
from the mundane to the catastrophic, has
become a fact of life for businesses and
governments around the world.
Tackling these risks requires an integrated
and holistic framework with the capability to
identify, evaluate and adequately define
responses to the circumstances
This holistic approach gives organizations a
better framework for mitigating risk while
advancing their goals and opportunities in the
face of business threats
Source : ISO 31000

Why ISO 31000 ?
►Risk is a necessary part of doing business and in a world
where enormous amounts of data are being processed at
increasingly rapid rates, identifying and mitigating risks is a
challenge for any company.
►Many contracts and insurance agreements require solid
evidence of good risk management practice.
►ISO 31000 provides direction on how companies can
integrate risk-based decision making into an organization’s
governance, planning, management,reporting, policies, values
and culture
Source : ISO 31000

ISO 31000:2018 Risk management
►This provides Guidelines on Managing risk faced by
organizations.
►The application of these guidelines can be
customized to any organization and its context.
►This document provides a common approach to
managing any type of risk and is not industry or sector
specific.
►This document can be used throughout the life of the
organization and can be applied to any
activity,including decision-making at all levels.
Source : ISO 31000

Implementing Risk Management
►is iterative and assists organizations in setting strategy,
achieving objectives and making informed decisions.
►is part of governance and leadership, and is fundamental to how
the organization is managed at all levels. It contributes to the
improvement of management systems.
►is part of all activities associated with an organization and
includes interaction with stakeholders
►considers the external and internal context of the organization,
including human behaviour and cultural factors
►is based on the principles, framework and process.
►These components might already exist in full or in part within the
organization, however, they might need to be adapted or improved
so that managing risk is efficient, effective and consistentSource : ISO 31000

Principles, framework and process

Step 1 Define Risk Management Principles
►The purpose of risk management is the
creation and protection of value.
► It improves performance, encourages
innovation and supports the
achievement of objectives.
Source : ISO 31000

ISO 31000
Principles for risk management
►Risk management creates and protects value
Contributes to the demonstrable achievement of objectives and
improvement of performance in, for example, human health and
safety, security, legal and regulatory compliance, public
acceptance, environmental protection, product quality, project
management, efficiency in operations, governance and reputation.
►Risk management is an integral part of all organizational processes
Part of the responsibilities of management and of all organizational
processes including strategic planning and project and change
management processes.
►Risk management is part of decision making
Helps decision makers make informed choices, prioritize actions
and distinguish among alternative courses of action.
►Risk management explicitly addresses uncertainty
Takes account of uncertainty, the nature of that uncertainty, and
how it can be addressed.
Source : ISO 31000

Principles for risk management, continued ..
►Risk management is systematic, structured and timely
A systematic, timely and structured approach contributes to efficiency
and to consistent, comparable and reliable results.
►Risk management is based on the best available information
The Inputs to the process are based on information sources such as
historical data, experience, stakeholder feedback, observation, forecasts
and expert judgment.
►Risk management is tailored.
It is aligned with the organization's external and internal context and risk
profile.
►Risk management takes human and cultural factors into account
recognizes the capabilities, perceptions and intentions of external and
internal people that can facilitate or hinder achievement of the
organization's objectives.
Source : ISO 31000

Principles for risk management, continued …
►Risk management is transparent and inclusive.
Appropriate and timely involvement of stakeholders and, in particular,
decision makers at all levels of the organization, ensures that risk
management remains relevant and up-to-date. Involvement also allows
stakeholders to be properly represented and to have their views taken into
account in determining risk criteria.
►Risk management is dynamic, iterative and responsive to change.
Risk management continually senses and responds to change. As external
and internal events occur, context and knowledge change, monitoring and
review of risks take place, new risks emerge, some change, and others
disappear.
►Risk management facilitates continual improvement of the
organization
Organizations should develop and implement strategies to improve their
risk management maturity alongside all other aspects of their organization.
Source : ISO 31000

Step 2 Develop Risk Management Framework
•The purpose of the risk management
framework is to assist the organization in
integrating risk management into
significant activities and functions.
•The effectiveness of risk management will
depend on its integration into the
governance of the organization, including
decision-making.
•This requires support from stakeholders,
particularly top management.
•Framework development encompasses
integrating, designing, implementing,
evaluating and improving risk management
across the organization.
Components of Framework
Source : ISO 31000

Step 3 Establish Risk Management process
The risk management process involves the
systematic application of policies,
procedures and practices to the activities
of :
•Communicating and consulting,
•Establishing the context and
•Assessing, treating, monitoring,
•Reviewing, recording and
•Reporting risk.
Source : ISO 31000

Establish Risk Management process
•The risk management process should
be an integral part of management and
decision-making and integrated into the
structure, operations and processes of
the organization.
•It can be applied at strategic,
operational, programme or project
levels.
Source : ISO 31000

Step 4 Communication and consultation
Communication and consultation aims
to:
•bring different areas of expertise
together for each step of the risk
management process;
•ensure that different views are
appropriately considered when defining
risk criteria and when evaluating risks;
• provide sufficient information to
facilitate risk oversight and decision-
making;
•build a sense of inclusiveness and
ownership among those affected by risk.
Source : ISO 31000

Step 5 Establishing the context
•The purpose of establishing the scope,
the context and criteria is to customize
the risk management process, enabling
effective risk assessment and
appropriate risk treatment.
•Scope, context and criteria involve
defining the scope of the process, and
understanding the external and internal
context.
Source : ISO 31000

Step 6 Perform Risk assessment
•Risk assessment is the overall process
of risk identification, risk analysis and
risk evaluation.
•Risk assessment should be conducted
systematically, iteratively and
collaboratively, drawing on the
knowledge and views of stakeholders.
•It should use the best available
information, supplemented by further
enquiry as necessary.
Source : ISO 31000

Step 7 Risk Treatment
•The purpose of risk treatment is to
select and implement options for
addressing risk.
•Risk treatment involves an iterative
process of:
• formulating and selecting risk treatment
options;
• planning and implementing risk treatment;
• assessing the effectiveness of that
treatment;
• deciding whether the remaining risk is
acceptable;
• if not acceptable, taking further treatment.
Source : ISO 31000

Step 8 Monitor and review Risk Management Process
•The purpose of monitoring and review
is to assure and improve the quality and
effectiveness of process design,
implementation and outcomes.
•Ongoing monitoring and periodic review
of the risk management process and its
outcomes should be a planned part of
the risk management process, with
responsibilities clearly defined..
Source : ISO 31000

Step 9 Recording and reporting outcomes
•The risk management process and its
outcomes should be documented and
reported through appropriate
mechanisms.
•Recording and reporting aims to:
• communicate risk management activities and
outcomes across the organization;
• provide information for decision-making;
• improve risk management activities;
• assist interaction with stakeholders, including
those with responsibility and accountability for
risk management activities.
Source : ISO 31000

ISO 31000 Relationship with other management systems
► Leadership (corporate Governance) of an organisation is performed by
Top Management and high level personnel of the different departments.
► To direct management and employees for common objectives and
behaviours a policy of the organisation is deployed, communicated and
implemented.
► Management Systems arrange the organisations different control
mechanisms.
► Management-Information-Systems measure the activities in the organization
and present the results with quantitative and financial indicators.
► All activities of the organisation must comply to statutory and regulatory
requirements.
Source : ISO 31000

ISO 31000
Connection with Other Management instruments
Top Management
“Corporate Governance“
Integrated
Management-
system
Organizations
policy
Risk management
Customer, statutory, regulatory and standardized requirements
Management
information
system
(with internal
Controlling)
Source : ONR 49000

Risk Management and other related standards
ISO 27001 :
INFORMATION
SECURITY
MANAGEMENT
SYSTEM
ISO 22301 :
BUSINESS
CONTINUITY
MANAGEMENT
ISO 31000 : RISK MANAGEMENT GUIDELINES
ISO27001:A.14.1
Information
security aspects of
business continuity
management
harmonize risk management processes in existing and future standards,
dealing with specific risks and/or sectors, and does not replace those
standards
preservation of confidentiality,
integrity and availability of
information
strategic and tactical capability of the
organization to plan for and respond to
incidents and business disruptions in
order to continue business operations at
an acceptable pre-defined level
Also the QMS, EMS,OHSMS,ASSET MANAGEMENT to name a few in ISO series
Requires Risk Management

Thank You

•Process Excellence and Resilience...
• Creating Corporate Sustainability© March 2018 Bureau Veritas
Continuity and Resilience (CORE)
•ISO 22301 BCM Consulting Firm
•Presentations by our partners and extended
team of industry experts
UAE INDIA
Tel: +971 2 6594006
PO Box: 25722, Abu Dhabi, United Arab Emirates
Tel: +91 11 41055534 | Direct: +91 11 6467 9380
Level 15, Eros Corporate Towers, Nehru Place, New Delhi –
110019, India

Implementing a Risk Management System based on the ISO 31000

More Related Content

What's hot (20)

Similar to Implementing a Risk Management System based on the ISO 31000 (20)

More from Continuity and Resilience (20)

Recently uploaded (20)

Implementing a Risk Management System based on the ISO 31000

Editor's Notes