Welcome!

Please keep visiting this blog and keep commenting too. Please make your reactions to the posts. Experts and authors are invited to share their articles/views. Suggestions for improvement are invited.
Thanks,
Keshav Ram Singhal

Monday, November 25, 2013

Risk Management Process – Establishing the Internal Context


Risk Management – Article 11


Keshav Ram Singhal


Sub-clause 5.3.3 of the ISO 31000:2009 standard provides guidelines on establishing the internal context. The internal context of an organization is the internal environment in which the organization seeks to achieve its objectives. The internal context is anything within the organization, and it should include, but is not limited to:

- Organizational governance
(The system of rules, practices and processes by which an organization is directed and controlled may be referred to as organizational governance. Organizational governance essentially involves balancing the interests of its stakeholders.)

- Organizational structure, and the roles, authority and accountability within the organization
(Organizational structure determines how the roles, authority and responsibilities are assigned, controlled and coordinated, and how information flows within the organization. An organizational chart illustrates the organizational structure.)

- Organization’s policies

- Organization’s objectives

- Organization’s strategies

- Organization’s resources and knowledge capabilities, such as capital, time, people (human), processes, systems and technologies

- Information systems

- Information flows

- Formal and informal decision-making processes

- Relationship with internal stakeholders

- Perceptions and values of internal stakeholders

- Organization’s culture

- Standards, guidelines and models adopted by the organization

- Form and extent of contractual relationships


The risk management system of an organization operates within the parameters of the organization’s culture, processes, structure and strategy. Understanding the internal context is fundamental to the risk management process. The risk management process should be aligned with the organization’s culture, processes, structure and strategy. Anything within the organization can influence its risk management process. The factors influencing the risk management process should be established, because risk management in the organization takes place in the context of the organization’s objectives. The organization should consider the objectives and criteria of a particular project, process or activity in light of its overall objectives. The organization should recognize opportunities to achieve its strategic, project or business objectives, as these may affect ongoing organizational commitment, credibility, trust and value.

Sunday, November 24, 2013

Risk Management Process – Establishing the External Context


Risk Management – Article 10


Keshav Ram Singhal

Sub-clause 5.3.2 of the ISO 31000:2009 standard provides guidelines on establishing the external context. The external context of an organization is the external environment in which the organization seeks to achieve its objectives. The external context of an organization can include, but is not limited to:

- Cultural environment
(We should understand the major elements of culture that may include material culture, language, aesthetics, education, religion, attitudes, values and social organizations.)

- Social environment
(The business of an organization does not function in a vacuum. It works within societies, and therefore societies affect business. The social environment of business can be cutthroat. An organization has to act and react to what happens outside its premises.)

- Political environment
(The political environment in a country affects its economic environment, which, in turn, affects the performance of business organizations.)

- Statutory and regulatory (legal) environment
(Every country has its own legal framework that governs and affects business too. The government could change its rules and regulations, and this could have an effect on business.)

- Financial environment
(Financial environment is the outcome of a range of functions of the economy on all financial outcomes in a country. It includes forex markets, bond markets, stock markets and commodity markets. Financial environment affects the business performance of an organization.)

- Economic environment
(Economic environment influences the business of an organization to a great extent. It refers to all those economic factors that affect the functioning of a business organization.)

- Natural and competitive environment
(The natural and competitive environment is a dynamic system in which the business of an organization competes. It may also be known as market structure. World economic conditions may increase or decrease the prices of raw materials, which might force an organization to increase or decrease its prices.)

- Key drivers having impact on the objectives of the organization
(A key business driver is something that has a major impact on the business and its objectives. Identifying and monitoring the key drivers of any business organization is critical to remain in business.)

- Trends having impact on the objectives of the organization
(Trends have a significant impact on an organization’s business. It is important to understand whether the business of the organization is exploiting trends or trends are exploiting the business of the organization. It is better not to let the business of the organization get caught up in trends.)

- Relationship with external stakeholders
(Building trust with stakeholders makes the relationship more productive and fosters partnership between the organization and stakeholders.)

- Perceptions and values of external stakeholders
(Building trust with stakeholders makes the relationship more productive and fosters partnership between the organization and stakeholders. It is better to understand the perceptions and values of stakeholders.)

It is important to understand the external context. By understanding the external context, the organization ensures that objectives and external stakeholders’ concerns are considered in the process of developing risk criteria. Establishing the external context specific to the scope of the risk management process is based on the organization-wide context, but it should be:

- With specific details of statutory and regulatory (legal) requirements
- With specific details of stakeholders’ perceptions
- With specific details of other aspects of risks specific to the scope of the risk management process

The external context should be established by understanding the external context and external environment (including key drivers, trends, relationships, perceptions and values). In this regard, the organization needs to continually monitor the external environment; this is not a one-time process or activity.

Saturday, November 23, 2013

Risk Management Process – Establishing the context – An Overview



Risk Management – Article 9


Keshav Ram Singhal

The sub-clauses of clause 5.3 of the ISO 31000:2009 standard provide guidelines on establishing the context. They are as under:

5.3 – Establishing the context
5.3.1 – General
5.3.2 – Establishing the external context
5.3.3 – Establishing the internal context
5.3.4 – Establishing the context of the risk management process
5.3.5 – Defining risk criteria

The objectives of establishing the context of the organization are mentioned in sub-clause 5.3.1 of the standard, and they may be summarized as:

- By establishing the context, the organization articulates its objectives
- By establishing the context, the organization defines the parameters (external and internal) to be considered when managing risks
- By establishing the context, the organization sets the scope and risk criteria for the risk management process

During the process of establishing the context, the organization should consider the context widely and in greater detail than usual, with special emphasis on how the people in the organization relate the context for the risk management process to the scope of the particular risk management process.

The whole process of establishing the context includes establishing the external context, establishing the internal context, establishing the context of the risk management process and defining risk criteria, which we will discuss in forthcoming articles.

Friday, November 22, 2013

Risk Management Process – Communication and Consultation


Risk Management – Article 8


Keshav Ram Singhal

Clause 5.2 of the ISO 31000:2009 standard provides guidelines on communication and consultation in the risk management process. During all stages of the risk management process, there should be regular communication and consultation with all stakeholders (internal as well as external). In this regard, the organization should develop plans for communication and consultation at an early stage. The plans should address issues related to risks, their causes, their known effects and results (which typically may be unwelcome or unpleasant) and the measures to be initiated and taken to treat risks. Communication and consultation with stakeholders should be effective, so that all stakeholders and the personnel accountable for implementing the risk management process understand the basis of the decisions taken and the reasons behind them.


Organizations need an effective consultative team approach to communication and consultation in the risk management process. Such an approach is helpful in the risk management process and leads to many benefits. It helps to establish the organization’s context properly. It ensures that stakeholders’ interests are understood and considered. It helps ensure that risks are adequately identified. It brings together expertise from different areas for risk analysis. It ensures that different views are appropriately considered when defining risk criteria and when evaluating risks. It secures endorsement of, and support for, a plan for risk management treatment. It supports and enhances appropriate change management during the risk management process. It develops an appropriate communication plan (external and internal) and an appropriate consultation plan (external and internal).


Stakeholders make their judgements about risk based on their perceptions of risk; therefore, communication and consultation are important in the risk management process. The perceptions of stakeholders may vary due to differences in stakeholders’ values, needs, assumptions, concepts and concerns. Stakeholders’ views can have a significant impact on the decisions made in the risk management process; therefore, there is a need to identify the perceptions of stakeholders, and to record and consider them.

In the communication and consultation process with the stakeholders, taking into account the confidentiality and personal integrity aspects, the exchange of information between the organization and stakeholders should be:
- Truthful
- Relevant
- Accurate
- Understandable

Communication and consultation in risk management process may be summarized as under:
- Identify all stakeholders (internal and external)
- Develop plans for communication and consultation
- Apply an effective consultative team approach
- Identify stakeholders’ perceptions, record and consider the same

Thursday, November 21, 2013

An Overview of Risk Management Process


Risk Management – Article 7


Keshav Ram Singhal

The ISO 31000:2009 standard provides a definition of the risk management process and guidelines for it. The definition given in the standard follows ISO Guide 73:2009, which provides a basic vocabulary to develop a common understanding of risk management concepts and terms. The risk management process is defined as the systematic application of management policies, procedures and practices to various activities. These activities relate to:

- Communicating, consulting and establishing the context of the organization, and
- Identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

Clause 5 of the ISO 31000:2009 standard provides guidelines on the risk management process. Its sub-clauses are as under:
5.1 – General

5.2 – Communication and consultation

5.3 – Establishing the context
5.3.1 – General
5.3.2 – Establishing the external context
5.3.3 – Establishing the internal context
5.3.4 – Establishing the context of the risk management process
5.3.5 – Defining risk criteria

5.4 – Risk assessment
5.4.1 – General
5.4.2 – Risk identification
5.4.3 – Risk analysis
5.4.4 – Risk evaluation

5.5 – Risk treatment
5.5.1 – General
5.5.2 – Selection of risk treatment options
5.5.3 – Preparing and implementing risk treatment plans

5.6 – Monitoring and review

5.7 – Recording the risk management process


Risk management process – General

The risk management process of an organization should be an integral part of the organization’s management. It should be fixed firmly and deeply in the culture and practices of the organization and tailored to the business processes of the organization.

(Diagram Courtesy WHO Website)

The ISO 31000:2009 standard provides a risk management process diagram (figure 3 in the standard) that shows the interrelation between the various activities of the risk management process. As per the diagram given in the standard, the communication and consultation process is interrelated with establishing the context, risk management activities (risk identification, risk analysis and risk evaluation) and risk treatment. Monitoring and review of the risk management process is also interrelated with establishing the context, risk assessment activities (risk identification, risk analysis and risk evaluation) and risk treatment.

The risk management process comprises the activities described in the various sub-clauses of clause 5 of ISO 31000:2009. We will discuss these activities in forthcoming articles.

Monday, November 4, 2013

Monitoring, Review and Continual Improvement of Risk Management Framework



Risk Management – Article 6


Keshav Ram Singhal

Clause 4.5 of ISO 31000:2009 deals with guidelines for monitoring and review of the risk management framework, and Clause 4.6 of the standard deals with guidelines for continual improvement of the framework.

Monitoring and review of risk management framework

It is necessary that risk management in the organization remains effective and continuously supports the organization’s performance, so the organization should:
- Measure risk management performance against indicators that are periodically reviewed for appropriateness
- Periodically measure progress against the risk management plan to find deviations from it
- Periodically review the appropriateness of the risk management framework, policy and plan in the organization’s internal and external context
- Report risks
- Report progress of risk management against its plan
- Report on how the risk management policy is being followed in the organization
- Review the effectiveness of the risk management framework

Continual improvement of risk management framework

Decisions on continual improvement of the risk management framework, policy and plan should be taken based on the results of monitoring and reviews. Such decisions should be implemented to achieve improvement in the organization’s risk management and its culture.


Saturday, November 2, 2013

LinkedIn Group on Risk Management




Keshav Ram Singhal

On March 05, 2009, Alex Dali created the professional group ‘G31000 – ISO 31000 Risk Management Standard’ with the objective of promoting the use of the ISO 31000:2009 Risk Management standard as the international reference for risk management. Presently there are about 30,000 members in this group, which shows its popularity. The group also has six subgroups, the ISO 31000 study groups, which provide valuable information, knowledge and experience with regard to risk management. Alex Dali, the Moderator of the ISO 31000 Risk Management Standard group, is also the President of the Global Institute for Risk Management Standards – G31000, a non-profit organization for raising awareness of the ISO 31000 Risk Management Standard.

Readers of this blog are recommended to refer to the discussions in the LinkedIn professional group ‘G31000 – ISO 31000 Risk Management Standard’ and its study groups.

Implementing Risk Management



Risk Management – Article 5


Keshav Ram Singhal

Clause 4.4 of ISO 31000:2009 deals with guidelines for implementing risk management. The processes to implement risk management mentioned in its sub-clauses relate to:
4.4.1 – Implementing the framework for managing risk
4.4.2 – Implementing the risk management process

Implementing risk management framework

To implement the risk management framework, the organization should:

- Define the appropriate timing for implementing the risk management framework
- Define the strategy for implementing the risk management framework
- Apply the organization’s risk management policy to organizational processes
- Apply the organization’s risk management process to organizational processes
- Comply with statutory and regulatory requirements
- Ensure that the development and setting of objectives, and decision-making, are aligned with the results of the organization’s risk management processes
- Hold and maintain information and training sessions
- Communicate and consult with stakeholders to ensure that the risk management framework is appropriate

Implementing risk management process

The risk management process should be implemented:

- Through a risk management plan, as per the guidelines given in clause 5 of the ISO 31000:2009 standard
- Ensuring implementation of the risk management process at all relevant levels and functions of the organization
- Ensuring implementation of the risk management process as part of the organization’s processes and practices