Welcome!

Please keep visiting this blog and keep commenting too. Please share your reactions to the posts. Experts and authors are invited to share their articles/views. Suggestions for improvement are invited.
Thanks,
Keshav Ram Singhal

Thursday, December 12, 2013

Risk Management Process – Defining Risk Criteria



Risk Management – Article 13


Keshav Ram Singhal

First we should understand what risk criteria mean. ISO Guide 73:2009 defines risk criteria as the terms of reference against which the significance of a risk (risk being the effect of uncertainty on objectives) is evaluated. The guide also clarifies that:
- Risk criteria are based on organizational objectives and external and internal context.
- Risk criteria can be derived from standards, laws, policies and other requirements.

Because the significance of risk has to be evaluated, the risk criteria to be used must be defined. The organization should define risk criteria that reflect its values, objectives and resources. Some risk criteria may be imposed by, or derived from, legal (statutory and regulatory) requirements and other requirements to which the organization subscribes.

The organization should consider relevant factors when defining risk criteria, including:
- The nature and types of causes and consequences that can occur, and how they will be measured
- How likelihood will be defined
- The timeframe(s) of the likelihood and/or consequences
- How the level of risk is to be determined
- The views of stakeholders
- The level at which risk becomes acceptable or tolerable
- Whether combinations of multiple risks should be taken into account and, if so, which combinations and how they should be considered
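As an added illustration (not from the article and not from ISO 31000), the following Python encodes the factors above as data and evaluates a small constructed risk register against them: the likelihood scale is tied to a stated timeframe, the level of risk is derived from likelihood and consequence, a tolerance level marks where risk becomes acceptable, and risks that share a cause are combined under an explicit rule. The scales, the three-year timeframe, the tolerance level, the combination rule and the register entries are all assumptions made for the example.

```python
"""Encoding risk criteria as data and evaluating a risk register against them.

Added illustration only: the scales, timeframe, tolerance level, combination
rule and sample register below are constructed for the example. An
organization derives its own from its objectives, context and legal requirements.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class RiskCriteria:
    """Terms of reference against which the significance of a risk is evaluated."""

    timeframe_years: float           # timeframe over which likelihood is expressed
    consequence_scale: dict[str, int]  # ordered consequence ratings (assumed 1..5)
    tolerance_level: float           # level of risk at or below which risk is tolerated

    def likelihood_over_timeframe(self, annual_probability: float) -> float:
        """Annual probability -> probability of at least one occurrence in the timeframe.

        Assumes years are independent, which is the example's simplification.
        """
        if not 0.0 <= annual_probability <= 1.0:
            raise ValueError("probability must be in [0, 1]")
        return 1.0 - (1.0 - annual_probability) ** self.timeframe_years

    def level_of_risk(self, annual_probability: float, consequence: str) -> float:
        """Level of risk = likelihood over the timeframe x consequence rating."""
        return self.likelihood_over_timeframe(annual_probability) * self.consequence_scale[consequence]

    def is_tolerable(self, level: float) -> bool:
        return level <= self.tolerance_level


@dataclass(frozen=True)
class Risk:
    name: str
    cause: str
    annual_probability: float
    consequence: str


def evaluate(criteria: RiskCriteria, risks: list[Risk]) -> dict[str, dict]:
    """Evaluate each risk on its own: level of risk and whether it is tolerable."""
    result = {}
    for r in risks:
        level = criteria.level_of_risk(r.annual_probability, r.consequence)
        result[r.name] = {"level": level, "tolerable": criteria.is_tolerable(level)}
    return result


def combined_by_cause(criteria: RiskCriteria, risks: list[Risk]) -> dict[str, dict]:
    """Combine risks that share a cause (the 'which combinations and how' decision).

    Combination rule assumed for the example: the combined likelihood is the
    probability that at least one of the events occurs in the timeframe, and the
    combined consequence is the worst rating in the group.
    """
    by_cause: dict[str, list[Risk]] = {}
    for r in risks:
        by_cause.setdefault(r.cause, []).append(r)
    out = {}
    for cause, group in by_cause.items():
        p_none = prod(1.0 - criteria.likelihood_over_timeframe(r.annual_probability) for r in group)
        likelihood = 1.0 - p_none
        worst = max(criteria.consequence_scale[r.consequence] for r in group)
        level = likelihood * worst
        out[cause] = {
            "level": level,
            "tolerable": criteria.is_tolerable(level),
            "risks": [r.name for r in group],
        }
    return out


# Constructed criteria and register (assumptions for the example, not from the article).
CRITERIA = RiskCriteria(
    timeframe_years=3,
    consequence_scale={"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5},
    tolerance_level=1.0,
)

REGISTER = [
    Risk("Supplier data centre outage", "single-supplier dependency", 0.10, "moderate"),
    Risk("Supplier insolvency", "single-supplier dependency", 0.05, "major"),
    Risk("Regulatory penalty for late filing", "late statutory filing", 0.20, "moderate"),
]

if __name__ == "__main__":
    for name, verdict in evaluate(CRITERIA, REGISTER).items():
        print(name, verdict)
    for cause, verdict in combined_by_cause(CRITERIA, REGISTER).items():
        print(cause, verdict)
```

Running the module prints each risk's level and verdict, then the combined view by cause. The point of the combined view is that two risks that each sit inside the tolerance level can, taken together under the criteria's combination rule, exceed it; whether such combinations are considered, and how, is itself one of the criteria the organization has to decide and record at the outset.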

The organization should ensure the following with regard to risk criteria:
- Risk criteria should be consistent with the organization’s risk management policy.
- Risk criteria should be defined at the beginning of any risk management process.
- Risk criteria should be continually reviewed.

Next write-up …. Risk Assessment - An Overview


Tuesday, December 10, 2013

Risk Management Process – Establishing the Context of the Risk Management Process


Risk Management – Article 12


Keshav Ram Singhal

Sub-clause 5.3.4 of ISO 31000:2009 provides guidelines on establishing the context of the risk management process.

We need to understand the context of the risk management process of the organization and it varies according to the needs of the organization. The context of the risk management process of an organization can involve the following:
- Defining goals and objectives of risk management activities
- Defining responsibilities for and within the risk management activities
- Defining the scope (with depth and breadth including specific inclusions and exclusions) of the risk management activities to be carried out
- Defining the risk criteria (the terms of reference against which the significance of risk is evaluated), consistent with the risk management policy
- Defining the activity, process, function, project, product, service or asset in terms of time and location
- Defining relationships between (i) a particular project and other projects, (ii) a process and other processes, or (iii) an activity and other activities of the organization
- Defining risk assessment methodologies
- Defining performance and effectiveness evaluation process in the management of risk
- Identifying and specifying decisions to be made
- Identifying, scoping or framing studies needed, their extent and objectives, and the resources required for such studies

The organization should give attention to the above factors (and any others that apply) to ensure that the risk management approach it adopts is appropriate to the:
- Circumstances
- Organization
- Risks affecting the achievement of objectives

The organization should establish the (i) objectives, (ii) strategies, (iii) scope, and (iv) parameters of the activities or those parts of the organization where the risk management process is being applied.

The organization should undertake risk management with due consideration of the need to justify the resources used in the risk management process. It should specify the resources required, the responsibilities and authorities involved, and the records to be kept.

Next write-up …. Risk Management Process – Defining Risk Criteria

Monday, November 25, 2013

Risk Management Process – Establishing the Internal Context


Risk Management – Article 11


Keshav Ram Singhal


Sub-clause 5.3.3 of ISO 31000:2009 provides guidelines on establishing the internal context. The internal context of an organization is the internal environment in which the organization seeks to achieve its objectives. It is anything within the organization, and it includes, but is not limited to:

- Organizational governance
(The system of rules, practices and processes by which an organization is directed and controlled is referred to as organizational governance. It essentially involves balancing the interests of the organization's stakeholders.)

- Organizational structure, and the roles, authority and accountability within it
(The organizational structure determines how roles, authority and responsibilities are assigned, controlled and coordinated, and how information flows within the organization. An organizational chart illustrates the organizational structure.)

- Organization’s policies

- Organization’s objectives

- Organization’s strategies

- Organization’s resources and knowledge capabilities, such as capital, time, people, processes, systems and technologies

- Information systems

- Information flows

- Formal and informal decision-making processes

- Relationship with internal stakeholders

- Perceptions and values of internal stakeholders

- Organization’s culture

- Standards, guidelines and models adopted by the organization

- Form and extent of contractual relationship


The risk management system of an organization operates within the parameters of the organization’s culture, processes, structure and strategy, so understanding the internal context is fundamental to the risk management process, and the process should be aligned with all four. Anything within the organization can influence its risk management process. The factors that influence the process should be established, because risk management in the organization takes place in the context of the organization’s objectives. The objectives and criteria of a particular project, process or activity should be considered in the light of the organization’s overall objectives. The organization should also recognize opportunities to achieve its strategic, project or business objectives, as these may affect ongoing organizational commitment, credibility, trust and value.

Sunday, November 24, 2013

Risk Management Process – Establishing the External Context


Risk Management – Article 10


Keshav Ram Singhal

Sub-clause 5.3.2 of ISO 31000:2009 provides guidelines on establishing the external context. The external context of an organization is the external environment in which the organization seeks to achieve its objectives. It can include, but is not limited to:

- Cultural environment
(We should understand the major elements of culture that may include material culture, language, aesthetics, education, religion, attitudes, values and social organizations.)

- Social environment
(An organization's business does not function in a vacuum; it operates within societies, and those societies affect the business. The social environment of business can be cutthroat, and an organization has to act and react to what happens outside its own premises.)

- Political environment
(The political environment in a country affects its economic environment that, in turn, affects the performance of business organization.)

- Statutory and regulatory (legal) environment
(Every country has its own legal framework that governs and affects business. A government can change its rules and regulations, and this can have an effect on the business.)

- Financial environment
(The financial environment comprises the markets and institutions through which funds are raised and deployed in an economy, including foreign exchange, bond, stock and commodity markets. It affects the business performance of the organization.)

- Economic environment
(Economic environment influences the business of an organization to a great extent. It refers to all those economic factors that affect the functioning of a business organization.)

- Natural and competitive environment
(The natural and competitive environment is a dynamic system in which business of an organization competes. It may also be known as market structure. World economic conditions may increase or decrease the prices of raw materials that might force an organization to increase or decrease its prices.)

- Key drivers having impact on the objectives of the organization
(A key business driver is something that has a major impact on the business and its objectives. Identifying and monitoring the key drivers of any business organization is critical to remain in business.)

- Trends having impact on the objectives of the organization
(Trends have a significant impact on the organization's business. It is important to understand whether the business is exploiting trends or trends are exploiting the business, and better not to let the business get caught up in trends.)

- Relationship with external stakeholders
(Building trust with stakeholders makes relationship more productive and fosters partnership between the organization and stakeholders.)

- Perceptions and values of external stakeholders
(It is important to understand the perceptions and values of external stakeholders, since these shape how they judge the organization and its handling of risk.)

It is important to understand the external context. By understanding it, the organization ensures that the objectives and concerns of external stakeholders are considered when developing risk criteria. Establishing the external context for the specific scope of the risk management process builds on the organization-wide context, but it should be:

- With specific details of statutory and regulatory (legal) requirements
- With specific details of stakeholders’ perceptions
- With specific details of other aspects of risks specific to the scope of the risk management process

Establishing the external context means developing an understanding of the external environment, including its key drivers, trends, relationships, perceptions and values. This is not a one-time activity: the organization needs to monitor the external environment continually.

Saturday, November 23, 2013

Risk Management Process – Establishing the context – An Overview



Risk Management – Article 9


Keshav Ram Singhal

The sub-clauses of clause 5.3 of ISO 31000:2009 provide guidelines on establishing the context, as under:

5.3 – Establishing the context
5.3.1 – General
5.3.2 – Establishing the external context
5.3.3 – Establishing the internal context
5.3.4 – Establishing the context of the risk management process
5.3.5 – Defining risk criteria

The objectives of establishing the context are given in sub-clause 5.3.1 of the standard and may be summarized as:

- By establishing the context the organization articulates its objectives
- By establishing the context the organization defines parameters (external and internal) to consider to manage risks
- By establishing the context the organization sets the scope and risk criteria for risk management process

While establishing the context, the organization should consider the factors broadly and in more depth than usual, paying particular attention to how the context for the risk management process relates to the scope of the particular risk management process being undertaken.

The whole process of establishing the context includes establishing the external context, establishing the internal context, establishing the context of the risk management process and defining risk criteria, which we will discuss in forthcoming articles.

Friday, November 22, 2013

Risk Management Process – Communication and Consultation


Risk Management – Article 8


Keshav Ram Singhal

Clause 5.2 of ISO 31000:2009 provides guidelines on communication and consultation in the risk management process. During all stages of the process there should be regular communication and consultation with all stakeholders, internal as well as external, and the organization should develop plans for this at an early stage. The plans should address issues relating to the risks themselves, their causes, their known effects and consequences (which are typically unwelcome), and the measures to be taken to treat the risks. Communication and consultation with stakeholders should be effective enough that all stakeholders, and the personnel accountable for implementing the risk management process, understand the basis on which decisions are made and the reasons why particular actions are required.


Organizations need an effective consultative team approach to communication and consultation in the risk management process. Such an approach brings many benefits. It helps to:
- Establish the organization’s context properly
- Ensure that stakeholders’ interests are understood and taken into account
- Ensure that risks are adequately identified
- Bring together expertise from different areas for risk analysis
- Ensure that different views are appropriately considered when defining risk criteria and when evaluating risks
- Secure endorsement and support for a risk treatment plan
- Support and enhance appropriate change management during the risk management process
- Develop appropriate internal and external communication and consultation plans


Stakeholders make their judgements about risk based on their perceptions of risk, which is why communication and consultation are important in the risk management process. Perceptions vary because stakeholders differ in their values, needs, assumptions, concepts and concerns. Since stakeholders’ views can have a significant impact on the decisions made in the risk management process, their perceptions need to be identified, recorded and taken into account.

In communication and consultation with stakeholders, the exchange of information between the organization and its stakeholders should take confidentiality and personal integrity into account, and should be:
- Truthful
- Relevant
- Accurate
- Understandable

Communication and consultation in risk management process may be summarized as under:
- Identify all stakeholders (internal and external)
- Develop plans for communication and consultation
- Apply an effective consultative team approach
- Identify stakeholders’ perceptions, record and consider the same

Thursday, November 21, 2013

An Overview of Risk Management Process


Risk Management – Article 7


Keshav Ram Singhal

ISO 31000:2009 provides both a definition of the risk management process and guidelines for it. The definition is the one given in ISO Guide 73:2009, which provides the basic vocabulary for a common understanding of risk management concepts and terms. The risk management process is defined as the systematic application of management policies, procedures and practices to the activities of:

- Communicating, consulting and establishing the context, and
- Identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Clause 5 of ISO 31000:2009 standard provides guidelines on risk management process and in this regard sub-clauses are as under:
5.1 – General

5.2 – Communication and consultation

5.3 – Establishing the context
5.3.1 – General
5.3.2 – Establishing the external context
5.3.3 – Establishing the internal context
5.3.4 – Establishing the context of the risk management process
5.3.5 – Defining risk criteria

5.4 – Risk assessment
5.4.1 – General
5.4.2 – Risk identification
5.4.3 – Risk analysis
5.4.4 – Risk evaluation

5.5 – Risk treatment
5.5.1 – General
5.5.2 – Selection of risk treatment options
5.5.3 – Preparing and implementing risk treatment plans

5.6 – Monitoring and review

5.7 – Recording the risk management process


Risk management process – General

The risk management process of an organization should be an integral part of the organization’s management. It should be fixed firmly and deeply in the culture and practices of the organization and tailored to the business processes of the organization.

(Figure: risk management process diagram, reproduced from the WHO website)

ISO 31000:2009 provides a risk management process diagram (figure 3 in the standard) that shows how the activities of the process relate to one another. In the diagram, communication and consultation is linked to establishing the context, to the risk assessment activities (risk identification, risk analysis and risk evaluation) and to risk treatment. Monitoring and review is likewise linked to establishing the context, to the risk assessment activities and to risk treatment.

The risk management process comprises the activities described in the sub-clauses of clause 5 of ISO 31000:2009. We will discuss these activities in forthcoming articles.

Monday, November 4, 2013

Monitoring, Review and Continual Improvement of Risk Management Framework



Risk Management – Article 6


Keshav Ram Singhal

Clause 4.5 of ISO 31000:2009 deals with guidelines for monitoring and review of risk management framework and Clause 4.6 of the standard deals with guidelines for continual improvement of the framework.

Monitoring and review of risk management framework

To ensure that risk management remains effective and continues to support organizational performance, the organization should:
- Measure risk management performance against indicators that are themselves periodically reviewed for appropriateness
- Periodically measure progress against, and deviation from, the risk management plan
- Periodically review whether the risk management framework, policy and plan are still appropriate given the organization’s internal and external context
- Report on risks
- Report on progress of risk management against its plan
- Report on how well the risk management policy is being followed
- Review the effectiveness of the risk management framework

Continual improvement of risk management framework

Decision for continual improvement of the risk management framework, policy and plan should be taken based on results of monitoring and reviews. Such decisions should be implemented to achieve improvement in organization’s risk management and its culture.


Saturday, November 2, 2013

LinkedIn Group on Risk Management




Keshav Ram Singhal

On March 05, 2009 Alex Dali created the professional group ‘G31000 – ISO 31000 Risk Management Standard’ with the objective of promoting the use of ISO 31000:2009 as the international reference for risk management. The group presently has about 30,000 members, which shows its popularity. It also has six subgroups, the ISO 31000 study groups, which provide valuable information, knowledge and experience on risk management. Alex Dali, the moderator of the group, is also the President of the Global Institute for Risk Management Standards – G31000, a non-profit organization that raises awareness of the ISO 31000 standard.

Readers of this blog are recommended to refer to the discussions in the LinkedIn professional group ‘G31000 – ISO 31000 Risk Management Standard’ and its study groups.

Implementing Risk Management



Risk Management – Article 5


Keshav Ram Singhal

Clause 4.4 of ISO 31000:2009 provides guidelines for implementing risk management. Its sub-clauses cover:
4.4.1 – Implementing the framework for managing risk
4.4.2 – Implementing the risk management process

Implementing risk management framework

To implement risk management framework, the organization should:

- Define the appropriate timing for implementing risk management framework
- Define the strategy for implementing risk management framework
- Apply organization’s risk management policy to organizational processes
- Apply organization’s risk management process to organizational processes
- Comply with statutory and regulatory requirements
- Ensure that decision making, including the development and setting of objectives, is aligned with the outcomes of the risk management processes
- Hold information and training sessions
- Communicate and consult with stakeholders to ensure that the risk management framework remains appropriate

Implementing risk management process

Risk management process should be implemented:

- Through a risk management plan as per guidelines given in clause 5 of ISO 31000:2009 standard
- Ensuring implementation of the risk management process at all relevant levels and functions of the organization
- Ensuring implementation of the risk management process as part of the organization’s process and practice.

Thursday, October 31, 2013

Designing Risk Management Framework




Risk Management – Article 4


Keshav Ram Singhal

Clause 4.3 of ISO 31000:2009 provides guidelines for the design of the framework for managing risk. Its sub-clauses cover:
4.3.1 – Understanding of the organization and its context
4.3.2 – Establishing risk management policy
4.3.3 – Accountability
4.3.4 – Integration into organizational processes
4.3.5 – Resources
4.3.6 – Establishing internal communication and reporting mechanisms
4.3.7 – Establishing external communication and reporting mechanisms

Understanding – Organization and its context

It is important to examine and understand the internal and external context of the organization, because both can significantly influence the design of the framework for managing risk.
To understand internal context we need to understand the internal environment in which the organization attempts to achieve its objectives and the internal environment of the organization may include:
- Governance in the organization
- Organizational structure
- Roles, accountability and responsibility in the organization
- Organization’s policies, objectives and strategies
- Organization’s capabilities – knowledge and resources, such as capital, time, people, processes, systems, technologies
- Information systems
- Information flows
- Formal and informal decision-making processes
- Relationship with internal stakeholders
- Internal stakeholders’ perceptions and values
- Organization’s culture
- Standards, guidelines, norms, models etc. adopted by the organization
- Form and extent of contractual relationships

To understand external context we need to understand the external environment in which the organization attempts to achieve its objectives and the external environment of the organization may include cultural environment, social environment, political environment, statutory and regulatory (legal) environment, financial environment, technological environment, economic environment, natural and competitive environment that may be international, national, regional or local. The external environment of an organization may also include key drivers and trends having impact on organization’s objectives, relationship with external stakeholders, and perceptions and values of external stakeholders.

Before starting the design of framework for managing risk and its implementation, the organization should evaluate and understand both its external and internal environment (context). All the factors mentioned above and other relevant factors to external and internal context should be evaluated.

Establishing – Risk management policy

The organization should take steps to establish risk management policy that should clearly state the organization’s objectives for risk management and also the organization’s commitment to risk management. The risk management policy should typically address:
- The organization’s rationale (its set of reasons) for managing risk
- Relationship between organization’s policies (and objectives) and organization’s risk management policy
- Responsibility, authority and accountability for managing risk
- The way in which conflicting interests are dealt with
- Commitment to provide necessary resources for managing risk
- Risk management performance measurement and reporting process
- Commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances

The organization should communicate appropriately the risk management policy within the organization and to its stakeholders.

Ensuring – Responsibility, authority and accountability

The organization should ensure that there is responsibility, authority, accountability and appropriate competence for implementing and maintaining the risk management process, and that the controls over that process are adequate, effective and efficient, by:
- Identifying risk owners having responsibility, authority and accountability to manage risk
- Identifying the personnel accountable for developing, implementing and maintaining risk management framework
- Identifying responsibility of personnel at all levels in the organization for risk management process
- Establishing performance measurement
- Establishing external and internal reporting
- Establishing escalation processes
- Ensuring recognition at appropriate levels

By building a culture of accountability, the organization moves towards minimizing risks in the organization.

Integrating – Risk management into organizational processes

Risk management must be integrated into organizational processes if the organization’s objectives and goals are to be achieved. The integration into all of the organization’s practices and processes should be relevant, effective and efficient, so that the risk management process becomes part of those processes rather than separate from them. In particular, risk management should be embedded in:
- Development of organization’s policy
- Organization’s business and strategic planning and review
- Organization’s change management processes

An organization-wide risk management plan should ensure that the risk management policy is implemented and that risk management is firmly integrated into all of the organization’s practices and processes. The risk management plan should itself be integrated into the organization’s strategic and other plans.

Allocating – Resources for risk management

It is necessary to allocate suitable and proper resources for risk management considering the following:
- Human resources and their skills, experience and competence
- Resources needed for each step of the risk management
- Resources needed for organization’s processes, methods and tools
- Organization’s processes and procedures
- Organization’s information system and knowledge management systems
- Training programmes

Establishing – Internal communication, external communication and reporting mechanisms

In order to support and encourage accountability and ownership of risk, the organization should establish:
- Internal communication
- External communication
- Reporting mechanisms

The organization should establish process for internal communication and reporting that should ensure appropriately communicating key components of the risk management framework and subsequent modifications. Internal reporting on the framework, its effectiveness and outcomes should be adequate. Relevant information derived from the risk management application should be available at appropriate levels and appropriate times. There should be processes for consultation with internal stakeholders, such as employees, management, unions etc.

There is a need to develop and implement plan that provides ways to communicate with external stakeholders and this should involve:
- Engaging appropriate external stakeholders
- Ensuring an effective exchange of information
- External reporting that complies with statutory, regulatory and governance requirements
- Providing feedback and reporting on communication and consultation
- Using communication to build confidence in the organization
- Communicating with stakeholders when there is crisis or contingency

Reporting mechanism should appropriately include processes to consolidate risk information from various sources and to consider information sensitivity.





Mandate and commitment for risk management framework


Risk Management – Article 3


Keshav Ram Singhal

Clause 4.2 of ISO 31000:2009 provides guidelines on mandate and commitment for the risk management framework.

Mandate = the authority to carry out

Commitment = state of being dedicated to = dedication

For risk management to remain effective in an organization over time, the organization needs:
- Strong and sustained commitment (dedication) from management
- Strategic and rigorous planning to achieve that commitment at all levels within the organization

Organization’s management should:
- Define risk management policy
- Declare and publicly support the risk management policy
- Make it certain that culture of organization is aligned with organization’s risk management policy
- Determine risk management performance indicators (and such risk management performance indicators should be aligned with organization’s performance indicators)
- Align risk management objectives with organization’s objectives and strategies
- Ensure compliance with statutory and regulatory requirements
- Assign accountability, responsibility and authority at appropriate levels within the organization
- Ensure that the necessary resources are allocated
- Communicate risk management benefits to all stakeholders
- Ensure that the risk management framework remains appropriate

A risk management policy, as a prime statement of management, serves two purposes: first, it states the intent to identify, reduce and prevent undesirable incidents or outcomes; second, it commits the organization to reviewing past incidents and implementing changes to prevent or reduce future incidents.

An organization may use its risk management policy to continually analyze and improve the strategy, policies and practices that affect its performance. To write a risk management policy, identify the potential risks in the context of the organization’s processes and state the purpose of the policy in clear, simple and brief terms.

Good risk management is supported by well-chosen risk management performance indicators. Capturing, modeling and reporting risk indicators allows a risk practitioner to focus on the leading factors in risk management. A risk factor or indicator can be either a signature of a risk (evidence that it is materializing) or a driver of it; risk factors or indicators that contribute to causing a risk event or outcome are active indicators. A change in a performance indicator, positive or negative, can itself be an indication of risk. Risk indicators should be timely and relevant, and should bring insight to the issue.

Accountability and responsibility need to be assigned; without this, risk management tasks are easily missed. The organization’s top management should assign accountability and responsibility to risk management personnel, departmental heads, stakeholders and others as appropriate. It is important to ensure that the personnel assigned accountability and responsibility also have the authority to complete the task or to take appropriate action.

Without allocated resources it is difficult to achieve the desired goals and objectives, so top management should determine, allocate and provide the resources necessary for risk management.

Risk communication is the exchange of information about risks between interested parties (stakeholders). It is the act of conveying information between stakeholders on a range of matters, including the levels and significance of risks and the decisions, actions or policies aimed at managing or controlling them. Interested parties (stakeholders) may include government organizations, corporations, industry groups, unions, society and individuals. Continuing two-way communication among all stakeholders is an integral part of the risk management process. Risk communication is more than the dissemination of information: a major function is the process by which the information and opinion essential to effective risk management are incorporated into decisions.

The management of the organization should ensure that the risk management framework remains effective on a continuing basis.





Wednesday, October 30, 2013

An Introduction to Risk Management Framework



Risk Management – Article 2

An Introduction to Risk Management Framework

Keshav Ram Singhal

Every organization, whether small, medium or large, private or public, manufacturing or service, faces various internal and external factors and influences. These factors and influences create uncertainty about whether the organization will achieve its objectives. The effect of this uncertainty on the organization’s objectives is termed risk; thus risk is the effect of uncertainty on objectives. An effect is a deviation from the expected, and it may be positive and/or negative. To manage risk, an organization needs to carry out coordinated activities. Risk management is a process underpinned by a set of principles, and it needs to be supported by a structure that is appropriate to the organization, its environment and its context. In 2009 the International Organization for Standardization (ISO) published the International Standard ISO 31000, Risk management – Principles and guidelines. ISO 31000:2009 targets the quality of an organization’s management and describes the risk management framework, process and activities that help organizations better meet their goals and objectives.

Clause 4 of ISO 31000:2009 gives guidelines on the risk management framework. The essential supporting structure for risk management in an organization is termed the risk management framework, and the success of risk management depends on the effectiveness of this framework. The framework should provide the foundations (underlying base) and arrangements (plans or preparations for the future) that embed risk management throughout the organization at all levels. This supporting structure assists in managing risks effectively through the application of the risk management process at varying levels and within specific contexts; clause 5 of ISO 31000:2009 provides guidelines for that process. Information derived from the organization’s risk management process should be adequately reported, and the framework should ensure that this reported information is used as a basis for decision-making and accountability at the relevant levels of the organization.

The necessary components of the supporting structure (framework) for managing risk in an organization and their interrelation are described in clause 4 that include:
- Mandate and commitment
- Framework design for managing risk – (i) Understanding the organization and its context, (ii) Risk management policy, (iii) Accountability, (iv) Risk management integration into organization’s processes, (v) Resources, (vi) Internal communication and reporting mechanism, (vii) External communication and reporting mechanism
- Risk management implementation – (i) Framework implementation for managing risk, (ii) Process implementation for risk management
- Framework monitoring and its review
- Continual improvement of the framework

It is not the intention of the framework to prescribe a management system. The framework for managing risk should be integrated into the organization’s management system, and the organization should adapt the necessary components of the framework to its specific needs.

Annex A of ISO 31000:2009 describes the attributes of enhanced risk management. An organization adopting a formal risk management process should review and assess its risk management practices and processes against ISO 31000:2009 and its Annex A, so that it can judge the adequacy and effectiveness of its risk management.

Characteristics of enhanced risk management include: (i) Continual improvement, (ii) Comprehensive, defined and accepted accountability for risks, controls and risk treatment tasks, (iii) Risk management in decision making, (iv) Continual communication, (v) Risk management integration in governance structure.

An organization that wishes to manage its risks should develop an effective framework; the guidelines in clause 4 of ISO 31000:2009 are relevant and helpful in this regard.

Alex Dali (President, Global Institute for Risk Management Standards - A Non-profit organization for raising awareness on ISO 31000) writes



Excellent initiative, Keshav.

I am pleased to inform you that your contacts should have a copy of the ISO 31000 risk management standard adopted in India as
IS/ISO 31000. For Indian citizens, the Indian Standard is free of charge for educational purpose:

https://law.resource.org/pub/in/bis/S07/is.iso.31000.2009.pdf

BUREAU OF INDIAN STANDARDS. Headquarters: Manak Bhavan, 9 Bahadur Shah Zafar Marg, New
Delhi 110002. Telephones: 2323 0131, 2323 3375, 2323 9402 Website: www.bis.org.in

Feel free to include this reference in your campaign. You have my full support.

Best regards
Alex Dali
President
Global Institute for Risk Management Standards
Non-profit organization for raising awareness on ISO 31000

Risk Management Principles



Risk Management – Article 1
Risk Management Principles

Keshav Ram Singhal

Every organization, whether small, medium or large, private or public, manufacturing or service, faces various internal and external factors and influences. These factors and influences create uncertainty about whether the organization will achieve its objectives. The effect of this uncertainty on the organization’s objectives is termed risk; thus risk is the effect of uncertainty on objectives. An effect is a deviation from the expected, and it may be positive and/or negative. To manage risk, an organization needs to carry out coordinated activities. Risk management is a process underpinned by a set of principles, and it needs to be supported by a structure that is appropriate to the organization, its environment and its context. In 2009 the International Organization for Standardization (ISO) published the International Standard ISO 31000, Risk management – Principles and guidelines. ISO 31000:2009 targets the quality of an organization’s management and describes the risk management framework, process and activities that help organizations better meet their goals and objectives.

Clause 3 of ISO 31000:2009 describes eleven risk management principles that an organization should comply with at all levels for effective risk management. These are:
1. Risk management creates and protects value
2. Risk management is an integral part of all organizational processes
3. Risk management is part of decision making
4. Risk management explicitly addresses uncertainty
5. Risk management is systematic, structured and timely
6. Risk management is based on the best available information
7. Risk management is tailored
8. Risk management takes human and cultural factors into account
9. Risk management is transparent and inclusive
10. Risk management is dynamic, iterative and responsive to change.
11. Risk management facilitates continual improvement of the organization

Creating and protecting value

Risk management creates and protects value. It contributes to the achievement of the organization’s objectives and to the improvement of performance. The objectives and performance concerned may relate to:
- Human health and safety
- Security
- Statutory and regulatory compliances
- Public acceptance
- Environmental protection
- Product quality
- Project management
- Operational efficiency
- Good governance and reputation

The goal of risk management is to increase the likelihood that the organization will achieve its objectives by keeping risks within the stakeholders’ risk appetite. Done correctly, risk management not only protects value but creates it, through the achievement of objectives and the improvement of performance.

Organizational processes and risk management

Risk management is an integral part of all organizational processes, including strategic planning and all project and change management processes. It is not a stand-alone activity separated from the main activities and processes of the organization; it is part of management’s responsibilities.

Risk management and decision making

Risk management is part of decision making. It helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

Risk management and uncertainty

Risk management explicitly takes account of uncertainty (the state of not knowing what may happen in the future), the nature of that uncertainty and how it can be addressed.

Risk management approach

A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

Risk management and information

Risk management is based on the best available information. The inputs to the risk management process are drawn from information sources such as:
- Historical data
- Experience
- Stakeholder feedback
- Observation
- Forecasts
- Judgement from an expert

Decision makers should, however, take into account any limitations of the data or modeling used and the possibility of divergence among experts.

Tailoring risk management

Risk management is tailored: it is aligned with the organization’s external and internal context and with its risk profile.

Human and cultural factors in risk management

Risk management takes human and cultural factors into account. It recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder the achievement of the organization’s objectives.

Transparency in risk management

Risk management is transparent and inclusive. It requires the appropriate and timely involvement of stakeholders, including decision makers at all levels of the organization, so that risk management remains relevant and up to date. This involvement allows stakeholders to be properly represented and their views to be taken into account in determining risk criteria.

Risk management responsive to change

Risk management is dynamic, iterative and responsive to change. It continually senses and responds to change: as external and internal events occur, context and knowledge change, and risks are monitored and reviewed, new risks emerge, some risks change and others disappear.

Risk management leads improvement

Risk management facilitates continual improvement of the organization. An organization should develop and implement strategies to improve its risk management maturity alongside all other aspects of the organization. Continual improvement in risk management can be achieved by:
- Setting organizational goals
- Measuring, reviewing and subsequently modifying processes, systems, resources, capabilities and skills

Conclusion

These principles help an organization manage risk effectively, and the guidelines given in ISO 31000:2009 are built on them.

ISO 31000:2009 standard is available from International Organization for Standardization (ISO). Please visit ISO website iso.org.

Preface



Dear readers,

Greetings!

I am starting a new blog on 'Risk Management Awareness' with an objective to create awareness on standards, vocabulary, guidelines, principles, risk assessment techniques etc. I request risk management professionals and experts to please share their views and articles through this blog.

Every organization in the world, whether small, medium or big, faces many factors and influences that make the achievement of its objectives uncertain. I hope that this blog will serve its purpose of creating awareness.

Any accomplishment requires the effort of many people and this blog is no different. Suggestions for improvements are welcomed.

Best wishes,

Keshav Ram Singhal
Editor