RISK MANAGEMENT ISO 31000
WHAT IS RISK?
"Effect of uncertainty on objectives" • "Uncertainty" pertains less to the manner in which events will unfold and more to our level of understanding. It primarily reflects our "lack of knowledge" regarding the outcome of events. • Events will happen, we just don't know which, how and when. • Uncertainty is our ignorance. • Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood. • If we replace this meaning of uncertainty in the definition of risk, we come up with: Risk = The effect of ignorance on objectives.
But what about "effect"? What does this word mean? • ISO 31000 defines effect as "a deviation from the expected - positive or negative". • So if we use that definition, and insert it into the definition of risk, we get: Risk = The deviation from the expected, due to our ignorance on objectives.
WHAT IS RISK MANAGEMENT?
• Coordinated activities to direct and control an organization with regard to risk. • It is an integrated and joined-up approach to managing risk across an organization and its extended networks.
INVOLVEMENT OF RISK MANAGEMENT
Risk management involves understanding, analyzing and addressing risk to make sure organizations achieve their objectives. So it must be proportionate to the complexity and type of organization involved.
From energy to infrastructure, supply chains to airport security, hospitals to housing, effectively managed risks help societies achieve.
Risk is part of all our lives. As a society, we need to take risks to grow and develop.
We need to make sure we manage risks so that we minimize their threats and maximize their potential.
In our fast paced world, the risks we have to manage evolve quickly.
RISK MANAGEMENT STANDARDS
• A number of standards have been developed worldwide to help organisations implement risk management systematically and effectively. • Commonly used standards include: • ISO 31000:2009 – Risk Management Principles and Guidelines • A Risk Management Standard – IRM/Alarm/AIRMIC 2002 – UK’s 3 main risk organisations. • COSO 2004 - Enterprise Risk Management - Integrated Framework • OCEG “Red Book” 2.0: 2009 - a Governance, Risk and Compliance Capability Model
Risk Management Principles and Guidelines ISO 31000:2009
ISO 31000 FAMILY
• ISO 31000:2009 Risk management - Principles and guidelines • ISO/CD 31000 Risk management - Principles and guidelines • ISO/TR 31004:2013 Risk management - Guidance for the implementation of ISO 31000 • IEC 31010:2009 Risk management - Risk assessment techniques • ISO/NP 31020 Risk Management - Managing Disruption Related Risk • ISO/AWI 31021 Managing Supply Chain Risk - A Compilation of Best Practices • ISO/AWI 31022 Guidelines for Implementation of Enterprise Legal Risk Management
EXECUTIVE SUMMARY
• ISO 31000 is a generic risk management standard that defines a set of guidelines. • We refer to them as guidelines because they’re voluntary. They’re not requirements or contractual obligations. • These risk management guidelines are discussed in the following sections:
Clause 3. Risk Management Principles Clause 4. Risk Management Framework Clause 5. Risk Management Process
CONTENTS OF ISO 31000
1 Scope 2 Terms and definitions 3 Principles 4 Framework 4.1 General
4.2 Mandate and commitment 4.3 Design of framework for managing risk 4.4 Implementing risk management 4.5 Monitoring and review of the framework 4.6 Continual improvement of the framework 5 Process 5.1 General 5.2 Communication and consultation 5.3 Establishing the context 5.4 Risk assessment 5.5 Risk treatment 5.6 Monitoring and review 5.7 Recording the risk management process
SCOPE OF ISO 31000
• ISO 31000 is an international risk management standard. • It can be used by any organization no matter what size it is or what it does. • It can be used by both public and private organizations and by groups, associations, and enterprises of all kinds. • It is not specific to any sector or industry and can be applied to any type of risk.
• ISO 31000 can be applied to the achievement of any and all types of objectives at all levels and areas within an organization. • It can be used at a strategic or organizational level to help make decisions and can be applied to all types of activities. • It can be used to help manage processes, operations, functions, projects, programs, products, services, and assets. • However, exactly how the organization applies ISO 31000 is up to the organization and will depend on the organization’s needs, objectives, and challenges, and should reflect what it does and how it operates.
WHO SHOULD USE ISO 31000?
ISO 31000 can be used by a wide range of stakeholders, including people who need to: • Establish a risk management policy (top management). • Evaluate risk management practices and processes (assessors). • Manage and control risk within an organization (managers). • Explain how risk should be managed and controlled (trainers - consultants). • Develop risk management procedures and guides (implementers). • Prepare related standards and codes of practice (experts).
RISK MANAGEMENT ARCHITECTURE
• The standard starts by listing a set of risk management principles.
• Use these principles to guide the establishment of the risk management framework.
• Then use the framework to guide the establishment of the risk management process.
Together these three sections make up what ISO 31000 calls a risk management architecture.
THE 11 RISK MANAGEMENT PRINCIPLES
3A. SHOULD CREATE & PROTECT VALUE
3B. SHOULD BE PART OF ALL PROCESSES
3C. SHOULD BE PART OF THE DECISION MAKING
3D. SHOULD BE USED TO HANDLE UNCERTAINTY
3E. SHOULD BE SYSTEMATIC AND TIMELY
3F. SHOULD BE BASED ON THE BEST DATA
3G. SHOULD BE TAILORED TO THE ENVIRONMENT
3H. SHOULD CONSIDER HUMAN FACTORS
3I. SHOULD BE TRANSPARENT AND INCLUSIVE
3J. SHOULD BE RESPONSIVE AND ITERATIVE
3K. SHOULD SUPPORT CONTINUAL IMPROVEMENT
Risk Management Framework
4.2 Make a commitment to risk management
4.3 Design the risk management framework
4.4 Implement the approach to risk management
4.5 Monitor the risk management framework
4.6 Improve the risk management framework
RISK MANAGEMENT PROCESS
5.2 Communicate & Consult with your Interested parties
5.3 Establish your unique risk management context
5.4 Carry out your risk assessment process
5.4.1 Identify, analyze, and evaluate risks
5.4.2 Identify your organization’s risk
5.4.3 Analyse your organization’s risk
5.4.4 Evaluate your organization’s risk
5.5 Formulate & Implement your risk treatment plans
5.6 Monitor & Review your Risk Management Process
RELATIONSHIPS BETWEEN THE RISK MANAGEMENT PRINCIPLES, FRAMEWORK AND PROCESS
CONTENTS
4. RISK MANAGEMENT FRAMEWORK 4.1 ESTABLISH A RISK MANAGEMENT FRAMEWORK 4.2 MAKE A COMMITMENT TO RISK MANAGEMENT 4.3.1 UNDERSTAND THE ORGANIZATION'S CONTEXT 4.3.2 FORMULATE THE RISK MANAGEMENT POLICY 4.3.3 MAKE PEOPLE ACCOUNTABLE FOR MANAGING RISK 4.3.4 BUILD RISK MANAGEMENT INTO THE ORGANIZATION 4.3.5 ALLOCATE RESOURCES FOR RISK MANAGEMENT 4.3.6 ESTABLISH INTERNAL COMMUNICATION MECHANISMS 4.3.7 DEVELOP AN EXTERNAL COMMUNICATION PLAN
4.1 ESTABLISH A RISK MANAGEMENT FRAMEWORK
• Make risk management part of the management system.
• Establish an effective risk management framework.
• Use the framework to support the risk management process.
[Figure: operational risk management (identify, report, evaluate, monitor, control, measure risk)]
RISK MANAGEMENT FRAMEWORK
A risk management framework is a set of components that support and sustain risk management throughout an organization.
There are two types of components: foundations and organizational arrangements.
• Foundations include the risk management policy, objectives, mandate, and commitment.
• Organizational arrangements include the plans, relationships, accountabilities, resources, processes, and activities the organization uses to manage its risk.
[Figure: risk management framework (planning, assessment, analysis, training, review, continuity)]
4.2 MAKE A COMMITMENT TO RISK MANAGEMENT
• Define the organization’s risk management policy.
• Establish risk management performance indicators.
• Formulate risk management objectives.
• Assign risk management responsibilities.
• Allocate risk management resources.
• Communicate risk management benefits.
• Support the risk management framework.
4.3.1 UNDERSTAND THE ORGANIZATION'S CONTEXT
• Evaluate and understand the organization’s external context and then use this knowledge to design the risk management framework. • Evaluate and understand the external environment. • Evaluate and understand the external stakeholders. • Evaluate and understand the external influences. • Evaluate and understand the organization’s internal context and then use this knowledge to design the risk management framework. • Understand the organization’s internal stakeholders. • Understand the organization’s governance. • Understand the organization’s capabilities.
• Understand the organization’s culture. • Understand the organization’s standards. • Understand the organization’s contracts.
INTERNAL CONTEXT
• An organization’s internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. • It includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards. • Governance includes the organization’s structure, policies, objectives, roles, accountabilities, and decision making process, and capabilities include its knowledge and human, technological, capital, and systemic resources.
STAKEHOLDER
• A stakeholder is a person or an organization that can affect or be affected by a decision or an activity. • Stakeholders also include those who have the perception that a decision or an activity can affect them.
• ISO 31000 distinguishes between external and internal stakeholders.
4.3.2 FORMULATE THE RISK MANAGEMENT POLICY
• Establish a risk management policy for the organization.
• Make a clear commitment to risk management.
• Define the risk management objectives.
• Explain how the policy will be implemented.
• Communicate the risk management policy.
RISK MANAGEMENT POLICY
• A policy statement defines a general commitment, direction, or intention.
• A risk management policy statement expresses an organization’s commitment to risk management and clarifies its general direction or intention.
[Figure: risk policy (credit risk, company risk, operational risk, regulatory and legal risk, commodity market risk)]
4.3.3 MAKE PEOPLE ACCOUNTABLE FOR MANAGING RISK
• Identify the organization’s risk owners. • Give risk owners the authority to manage risk. • Make risk owners accountable for managing risk. • Establish risk management performance measurement methods. • Develop risk management reporting and escalation processes.
Accountability - Empowerment = Blame
Empowerment - Accountability = Low Performance
Accountability + Empowerment = High Performance
RISK OWNER
A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so.
4.3.4 BUILD RISK MANAGEMENT INTO THE ORGANIZATION
• Make risk management a part of all processes and practices. • Develop an organization-wide risk management plan.
[Figure: risk management (identify, assess, analyze, reduce, control, transfer)]
RISK MANAGEMENT PLAN
• An organization’s risk management plan describes how it intends to manage risk. • It describes the management components, the approach, and the resources that will be used to manage risk. • Typical management components include procedures, practices, responsibilities, and activities (including their sequence and timing). • Risk management plans can be applied to products, processes, and projects, or to an entire organization or to any part of it.
4.3.5 ALLOCATE RESOURCES FOR RISK MANAGEMENT
• Allocate appropriate resources to support the organization’s risk management activities. • Consider providing people who can support the organization’s risk management activities. • Consider providing resources needed to support each step of the risk management process. • Consider providing information and knowledge management systems to support risk management. • Consider providing risk management procedures and processes. • Consider providing appropriate risk management methods and tools.
4.3.6 ESTABLISH INTERNAL COMMUNICATION MECHANISMS
• Establish internal risk management communication and reporting processes and mechanisms.
4.3.7 DEVELOP AN EXTERNAL COMMUNICATION PLAN
• Develop a plan that describes how the organization intends to communicate with the external stakeholders. • Implement the risk management communication plan.
[Figure: risk assessment (science based), risk management (policy based), and risk communication (interactive exchange of information and opinions concerning risk)]
CONTENTS
4.4.1 IMPLEMENT THE RISK MANAGEMENT FRAMEWORK 4.4.2 IMPLEMENT THE RISK MANAGEMENT PROCESS 4.5 MONITOR THE RISK MANAGEMENT FRAMEWORK 4.6 IMPROVE THE RISK MANAGEMENT FRAMEWORK
4.4.1 IMPLEMENT THE RISK MANAGEMENT FRAMEWORK
• Develop a strategy to implement the organization’s framework. • Implement the organization’s risk management framework.
4.4.2 IMPLEMENT THE RISK MANAGEMENT PROCESS
• Develop a plan that explains how the organization intends to apply the organization’s risk management process (Part 5). • Use the risk management plan to implement the organization’s risk management process (Part 5).
4.5 MONITOR THE RISK MANAGEMENT FRAMEWORK
• Evaluate the ongoing effectiveness of the organization’s risk management framework. • Prepare reports on the effectiveness of the organization’s risk management framework.
4.6 IMPROVE THE RISK MANAGEMENT FRAMEWORK
• Study the results of the organization’s risk management monitoring and review activities (see Part 4.5, above). • Figure out how the organization is going to improve the risk management framework.
5. RISK MANAGEMENT PROCESS 5.1 APPLY THE RISK MANAGEMENT PROCESS 5.2 COMMUNICATE AND CONSULT WITH THE STAKEHOLDERS 5.3.1 ESTABLISH THE RISK MANAGEMENT PARAMETERS 5.3.2 ESTABLISH THE ORGANIZATION'S EXTERNAL CONTEXT 5.3.3 ESTABLISH THE ORGANIZATION'S INTERNAL CONTEXT 5.3.4 ESTABLISH THE CONTEXT OF THE RISK MANAGEMENT PROCESS 5.3.5 ESTABLISH THE ORGANIZATION'S RISK CRITERIA
5.1 APPLY THE RISK MANAGEMENT PROCESS
• Apply the risk management process (see Part 5.2 to 5.6).
• Make the risk management process part of the organization’s management approach. • Make the risk management process part of the organization’s unique culture.
[Figure: identify risk; risk assess & analyze; measure, control & monitor; plan action; implement]
5.2 COMMUNICATE AND CONSULT WITH THE STAKEHOLDERS
• Communicate and consult with stakeholders during all stages of the risk management process. • Use a consultative team approach to communicate and consult with the organization’s stakeholders.
COMMUNICATION AND CONSULTATION
• Communication and consultation is a dialogue between an organization and its stakeholders. • This dialogue is both continual and iterative. It is a two-way process that involves both sharing and receiving information about the management of risk. However, this is not joint decision making. • Once communication and consultation is finished, decisions are made and directions are established by the organization, not by stakeholders. • Discussions could be about the existence of risks, their nature, form, likelihood, and significance, as well as whether or not risks are acceptable or should be treated, and what treatment options should be considered.
5.3.1 ESTABLISH THE RISK MANAGEMENT PARAMETERS
• Identify and understand the parameters and variables that influence and control how the organization manages risk. • Define the organization’s external context (see Part 5.3.2). • Define the organization’s internal context (see Part 5.3.3).
5.3.2 ESTABLISH THE ORGANIZATION'S EXTERNAL CONTEXT
• Identify and understand the organization’s external context and consider the influence it could have on its ability to manage risk and achieve its objectives. • Identify and understand environmental conditions and consider the influence they could have on the organization’s ability to achieve its objectives. • Identify and understand key external factors and consider the influence they could have on the organization’s ability to achieve its objectives. • Identify and understand the relationships the organization has with external stakeholders and consider the influence they could have on the organization’s ability to achieve its objectives. • Consider the organization’s external context when the organization develops risk criteria (see Part 5.3.5 for details). • Consider the concerns, objectives, and perceptions of external stakeholders when the organization formulates the risk criteria.
5.3.3 ESTABLISH THE ORGANIZATION'S INTERNAL CONTEXT
• Identify and understand your organization’s internal context and consider the influence it could have on its ability to manage risk and achieve objectives. • Understand your organization’s internal stakeholders. • Understand your organization’s governance structure. • Understand your organization’s capabilities.
• Understand your organization’s culture. • Understand your organization’s standards. • Understand your organization’s contracts.
5.3.4 ESTABLISH THE CONTEXT OF THE RISK MANAGEMENT PROCESS
• Establish the unique context of the risk management process. • Adopt a risk management approach that is appropriate to the circumstances and consistent with the context. • Identify the organizational areas or parts that will participate in the risk management process and make sure the organization understands what they do and how they do it. • Clarify how each specific risk management process or activity should be organized and managed. • Define the goals and objectives of the risk management activities and projects the organization intends to carry out. • Define the resources that the risk management activities and projects will need. • Define the risk management responsibilities and authorities of all process participants. • Define the focus of each risk management project including where and when it will be carried out. • Define the decisions that will need to be made as the organization carries out each risk management process. • Define the risk assessment methodologies that the organization intends to use for each risk management process or project. • Define how the risk management process is related to the organization’s other processes. • Define the studies that the organization intends to carry out to support each risk management process. • Define how risk management process performance and effectiveness will be evaluated. • Define the records that each risk management process or activity should maintain.
ESTABLISHING THE CONTEXT
• To establish the context means to define the external and internal parameters that organizations must consider when they manage risk. • An organization’s external context includes its external stakeholders, its local, national, and international environment, as well as any external factors that influence its objectives. • An organization’s internal context includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards. • ISO 31000 expects the organization to consider its context when it defines the scope of its risk management program, when it formulates its risk management policy, and when it establishes its risk criteria.
5.3.5 ESTABLISH THE ORGANIZATION'S RISK CRITERIA
When defining the risk criteria: • Consider the organization and how it functions. • Consider the views of the organization’s stakeholders. • Consider the nature and type of causes. • Consider the consequences and impacts that could occur. • Consider how likelihood or probability will be determined. • Consider how the level of risk will be determined. • Consider whether combinations of multiple risks should be taken into account. • Review and periodically update the risk criteria.
RISK CRITERIA
• Risk criteria are terms of reference and are used to evaluate the significance or importance of an organization’s risks. • They are used to determine whether a specified level of risk is acceptable or tolerable. • Risk criteria should reflect the organization’s values, policies, and objectives, should be based on its external and internal context, should consider the views of stakeholders, and should be derived from standards, laws, policies, and other requirements.
LEVEL OF RISK
• The level of risk is its magnitude. • It is estimated by considering and combining consequences and likelihoods. • A level of risk can be assigned to a single risk or to a combination of risks. • A consequence is the outcome of an event and has an effect on objectives. • Likelihood is the chance that something might happen.
CONSEQUENCE
• A consequence is the outcome of an event and has an effect on objectives. • A single event can generate a range of consequences which can have both positive and negative effects on objectives. • Initial consequences can also escalate through knock-on effects.
LIKELIHOOD
• Likelihood is the chance that something might happen. • Likelihood can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).
5.4 CARRY OUT THE ORGANIZATION’S RISK ASSESSMENT PROCESS 5.4.1 IDENTIFY, ANALYZE, AND EVALUATE RISKS 5.4.2 IDENTIFY THE ORGANIZATION'S RISKS 5.4.3 ANALYZE YOUR ORGANIZATION'S RISKS 5.4.4 EVALUATE THE ORGANIZATION'S RISKS 5.5.1 EXPLORE THE ORGANIZATION'S RISK TREATMENT OPTIONS 5.5.2 SELECT THE ORGANIZATION'S RISK TREATMENT OPTIONS 5.5.3 PREPARE RISK TREATMENT IMPLEMENTATION PLANS 5.6 MONITOR AND REVIEW THE RISK MANAGEMENT PROCESS 5.7 MAINTAIN A RECORD OF RISK MANAGEMENT ACTIVITIES
5.4.1 IDENTIFY, ANALYZE, AND EVALUATE RISKS
• Carry out the risk assessment process. • Identify the organization’s risks (see Part 5.4.2 for details). • Analyze the organization’s risks (see Part 5.4.3 for details). • Evaluate the organization’s risks (see Part 5.4.4 for details).
RISK ASSESSMENT
• Risk assessment is a process that is, in turn, made up of three processes: risk identification, risk analysis, and risk evaluation. • Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives. • Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that the organization has identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist. • Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
5.4.2 IDENTIFY THE ORGANIZATION'S RISKS
• Choose suitable risk identification tools and techniques. • Select suitable people to identify the organization’s risks. • Use the tools and techniques to identify the risks that could affect the achievement of the organization’s objectives. • Generate a comprehensive list of risks that could affect the achievement of the organization’s objectives.
RISK MANAGEMENT PROCESS
5.3 Establish your unique risk management context
5.4 Carry out your risk assessment process 5.4.1 Identify, analyze, and evaluate risks
5.2 Communicate & Consult with your Interested parties
5.6 Monitor & Review your Risk Management Process
5.4.2 Identify your organization’s risk
5.4.3 Analyse your organization’s risk
5.4.4 Evaluate your organization’s risk
5.5 Formulate & Implement your risk treatment plans
RISK IDENTIFICATION
• Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization’s objectives. • It is used to identify possible sources of risk in addition to the events and circumstances that could affect the achievement of objectives. • It also includes the identification of possible causes and potential consequences. • The organization can use historical data, theoretical analysis, informed opinions, expert advice, and stakeholder input to identify the organization’s risks.
RISK SOURCE
• A risk source has the intrinsic potential to give rise to risk. • A risk source is where a risk originates. • It’s where it comes from.
• Potential sources of risk include at least the following: commercial relationships and obligations, legal expectations and liabilities, economic shifts and circumstances, technological innovations and upheavals, political changes and trends, natural events and forces, human frailties and tendencies, and management shortcomings and excesses. • All of these elements could potentially generate a risk that must be managed.
EVENT
• An event could be one occurrence, several occurrences, or even a nonoccurrence (when something doesn’t happen that was supposed to happen). • It can also be a change in circumstances. • Events are sometimes referred to as incidents or accidents. • Events always have causes and usually have consequences. • Events without consequences are sometimes referred to as near-misses, near-hits, or close-calls.
5.4.3 ANALYZE YOUR ORGANIZATION'S RISKS
• Analyze the risks that your organization faces. • Estimate your organization’s level of risk. • Specify how much confidence you have in your analysis. • Use your risk analysis to understand your organization’s risks. • Communicate the results of your risk analysis.
RISK ANALYSIS
• Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that the organization has identified and to estimate the level of risk. • It is also used to study impacts and consequences and to examine the controls that currently exist. • How detailed the risk analysis ought to be will depend upon the risk, the purpose of the analysis, the information the organization has, and the resources available.
LEVEL OF RISK
• The level of risk is its magnitude. • It is estimated by considering and combining consequences and likelihoods. • A level of risk can be assigned to a single risk or to a combination of risks. • A consequence is the outcome of an event and has an effect on objectives. • Likelihood is the chance that something might happen.
5.4.4 EVALUATE THE ORGANIZATION'S RISKS
• Use the risk analysis results to evaluate the organization’s risks. • Use the risk analysis results to consider the risk treatment options.
RISK EVALUATION
• Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
5.5.1 EXPLORE THE ORGANIZATION'S RISK TREATMENT OPTIONS
• Establish a cyclical risk treatment process. • Consider the organization’s risk treatment options.
Figure: cyclical risk treatment process (context; risk identification; analysis + evaluation with no treatment, with treatment 1, with treatment 2, etc.).
CONTROL
• A control is any measure or action that modifies risk. • Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk. • Risk treatments become controls, or modify existing controls, once they have been implemented.
5.5.2 SELECT THE ORGANIZATION'S RISK TREATMENT OPTIONS
• Select the most appropriate risk treatment options. • Plan the implementation of the risk treatments.
Figure: risk treatment options arranged around RISK: avoid, reduce, accept, transfer.
5.5.3 PREPARE RISK TREATMENT IMPLEMENTATION PLANS
• Document the organization’s risk treatment plans. • Discuss risk treatment plans with all participants. • Carry out the risk treatment implementation plans.
5.6 MONITOR AND REVIEW THE RISK MANAGEMENT PROCESS
• Plan the risk management monitoring and review processes. • Monitor and review all aspects of the risk management process. • Record the organization’s monitoring and review results. • Report the risk management monitoring and review results.
5.7 MAINTAIN A RECORD OF RISK MANAGEMENT ACTIVITIES
• Create and maintain records to support the risk management process. • Use the records to support the risk management process.
RISK ASSESSMENT TECHNIQUES
RISK ASSESSMENT
Risk assessment is that part of risk management which provides a structured process that identifies how objectives may be affected, and analyses the risk in terms of consequences and their probabilities before deciding on whether further treatment is required. Risk assessment attempts to answer the following fundamental questions: • What can happen and why (by risk identification)? • What are the consequences? • What is the probability of their future occurrence? • Are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk? • Is the level of risk tolerable or acceptable and does it require further treatment?
SELECTION OF RISK ASSESSMENT TECHNIQUES
• Risk assessment may be undertaken in varying degrees of depth and detail and using one or many methods ranging from simple to complex. • The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context. • In general terms, suitable techniques should exhibit the following characteristics: • It should be justifiable and appropriate to the situation or organization under consideration; • It should provide results in a form which enhances understanding of the nature of the risk and how it can be treated; • It should be capable of use in a manner that is traceable, repeatable and verifiable.
TYPES OF RISK ASSESSMENT TECHNIQUES
1. Brainstorming 2. Structured or semi-structured interviews 3. Delphi 4. Check-lists 5. Primary hazard analysis 6. Hazard and operability studies (HAZOP) 7. Hazard Analysis and Critical Control Points (HACCP) 8. Environmental risk assessment 9. Structured « What if? » (SWIFT) 10. Scenario analysis
11. Business impact analysis (BIA) 12. Root cause analysis (RCA) 13. Failure mode effect analysis (FMEA) 14. Fault tree analysis 15. Event tree analysis 16. Cause and consequence analysis 17. Cause-and-effect analysis 18. Layer protection analysis (LOPA) 19. Decision tree 20. Human reliability analysis
21. Bow tie analysis 22. Reliability centered maintenance 23. Sneak circuit analysis 24. Markov analysis 25. Monte Carlo simulation 26. Bayesian statistics and Bayes Nets 27. FN curves 28. Risk indices 29. Consequence/probability matrix 30. Cost/benefit analysis 31. Multi-criteria decision analysis (MCDA)
APPLICABILITY OF TOOLS USED FOR RISK ASSESSMENT