Implementing Enterprise Risk Management with ISO 31000:2009

1. 1. Implementing Enterprise Risk Management with ISO 31000:2009 Lead by Goutama

Bachtiar www.about.me/goudotmobi 2013
2. 2. Introduction 2 Dec 2013 Developed by @goudotmobi

3. 3. Training Lead Profile A seasoned advisor, auditor, consultant, trainer, courseware

developer and writer with 15 years of experiences in advisory, consulting, audit, training and
education as well as project management. As of now, he has delivered and hosted in 200+
sessions with 7,000+ attendees and 5000+ hours of training, lecture, conference, workshop,
seminar across Indonesia and outside the country for around 70 institutions and companies.
Today he has written and edited 300+ articles and manuscripts concerning ICT and
management in more than 20 local and international leading media, companies, journals and
conferences. On top of that, he is a speaker, moderator and panelist in various national and
international conference, workshop and seminar with over than 65 international certifications
on tech and management spaces are under his belt. A guest lecturer at top-tier Indonesian
and American universities for their master and undergraduate programs. 3 Dec 2013
Developed by @goudotmobi
4. 4. Training Agenda Day One Understanding, Valuing and Raising Risk Management,
Enterprise Risk Management and ISO 31000:2009 Awareness Time Topics Opening, SelfIntroduction and Exploring Enterprise Risk Management Delivery 09.30 10.00
Understanding ISO 31000:2009 Classical 10.00 10.15 First Coffee Break N/A 10.15
12.00 Navigating ISO 31000:2009 Principles and Guidelines Classical 12.00 13.00 Lunch
Break N/A 13.00 15.00 Understanding ISO 31000 Clauses 1st Session Classical 15.00
15.15 Second Coffee Break N/A 15.15 16.00 Understanding ISO 31000 Clauses 2nd
Session Classical 16.00 16.30 Understanding Relationship Between ISO 15378 and ISO
31000 Classical 16.30 17.00 Question and Answer, Wrap-Up Day One 09.00 09.30 4
Dec 2013 Developed by @goudotmobi Classical Individual Participation
5. 5. Training Agenda (contd) Day Two Exploring and Utilizing Risk Assessment Techniques
Time Topics Delivery 09.00 09.30 Day One Review Valuing ISO31010: Risk Assessment
and its Techniques 1st Session Classical Classical, Group Discussion 10.00 10.15 First
Coffee Break N/A 10.15 12.00 Valuing ISO31010: Risk Assessment and its Techniques
2nd Session Classical, Group Discussion 12.00 13.00 Lunch Break N/A 13.00 14.00
Utilizing Risk Assessment Techniques Workshop, Group Discussion 14.00 15.00 Analyzing
and Evaluating Risk Assessment Result 1st Session Group Presentation, Group
Discussion 15.00 15.15 Second Coffee Break N/A 15.15 16.00 Analyzing and Evaluating
Risk Assessment Result 2nd Group Presentation, Session Group Discussion 16.00
17.00 Question and Answer, Wrap Up Day Two, Quiz 09.30 10.00 5 Dec 2013 Developed
by @goudotmobi Individual Participation
6. 6. Training Agenda (contd) Day Three Exploring and Utilizing Risk Registration as well as
Monitoring and Managing ERM Time Delivery 09.00 09.30 Day Two Review Classical
09.30 10.00 Understanding Risk Register Entry Classical 10.00 10.15 First Coffee Break
N/A 10.15 12.00 Utilizing Risk Register Entry Workshop, Group Discussion 12.00 13.00
Lunch Break N/A 13.00 15.00 Discussing and Implementing Risk Register Workshop,
Group Presentation 15.00 15.15 Second Coffee Break N/A 15.15 16.00 Monitoring and
Managing ERM Classical 16.00 17.00 6 Topics Post-Test, Training Evaluation, Wrap Up
Day Three, Closing Individual Participation Dec 2013 Developed by @goudotmobi

7. 7. Rule of The Game Attendance: Participant is required to attend the training in three full
day to attain training certificate Weight for the training mark: - Attendance: 10% - Quiz (Day
Two): 40% - Final Test (Day Three): 50% 7 Dec 2013 Developed by @goudotmobi
8. 8. Exploring Enterprise Risk Management 8 Dec 2013 Developed by @goudotmobi
9. 9. What Risk is All About Risks have consequences in terms of societal, environmental,
technological, safety and security outcomes; They have commercial, financial and
economic results They also have social, cultural and political reputation impacts ISO
31000:2009 helps organizations of all types and sizes to manage risk effectively 9 Dec 2013
Developed by @goudotmobi
10. 10. What Is Risk Management? Risk The effect of uncertainty on the ability of an
organisation to meet its objectives Risk Management The range of activities that an
organisation intentionally undertakes to understand and reduce these effects Effective Risk
Management Executing these activities efficiently and in a way that actually and
demonstrably improves the ability of the organisation to meet its objectives in a repeatable
fashion 10 Dec 2013 Developed by @goudotmobi
11. 11. Risk Management with ISO ISO 31000:2009 Principles and Guidelines on
Implementation (20 November 2009) ISO/IEC 31010:2009 Risk Assessment Techniques
(1 December 2009) ISO Guide 73:2009 Vocabulary (15 November 2009) HB 327:2010
Communicating and consulting about risk (23 February 2010) 11 Dec 2013 Developed by
@goudotmobi
12. 12. Risk Management with ISO (contd) AS/NZS 5050:2010 Business continuity
Managing disruption-related risk (28 June 2010) HB 266:2010 Guide for managing risk in
not-for-profit organizations (12 August 2010) HB 246:2010 Guidelines for managing risk in
sport and recreation organizations (18 August 2010) 12 Dec 2013 Developed by
@goudotmobi
13. 13. Understanding ISO 31000 13 Dec 2013 Developed by @goudotmobi
14. 14. Understanding ISO 31000 Provides principles, a framework and a process for
managing any form of risk in a transparent, systematic and credible manner within any scope
or context It recommends that organizations develop, implement and continuously improve
a risk management framework as an integral component of their management system In
concrete, its a practical document that seeks to assist organizations in developing their own
approach to the management of risk 14 Dec 2013 Developed by @goudotmobi
15. 15. Understanding ISO 31000 (contd) This is NOT a standard that organizations can seek
certification to Organizations can compare their risk management practices with an
internationally recognized benchmark It provides sound principles for effective
management ISO Guide 73:2009 provide a collection of terms and definitions relating to
the management of risk ISO 31000 is designed to help organizations 15 Dec 2013
Developed by @goudotmobi
16. 16. What Is ISO 31000? ISO 31000:2009: An international standard that provides principles
and guidelines for effective risk management Not specific to any industry or sector Able to
be applied to any kind of risk Able to be applied to any kind of organisation Intended to be
tailored to meet the needs of the organisation The generic approach described in this

17.

18.

19.

20.

21.

22.

23.

standard provides the principles and guidelines for managing any form of risk in a
systematic, transparent and credible manner and within any scope and context. 16 Dec
2013 Developed by @goudotmobi
17. History of ISO 31000 AS/NZS 4360:1999 was developed by Australia and NZ in 1999
Revised and reissued as AS/NZS 4360:2004 in 2004 No agreed de jure or de facto
international standard in place at this stage A small number of competing frameworks
which were regarded as unsatisfactory International Standards Organisation started work
on ISO 31000 using AS/NZS 4360:2004 in 2005 as its first draft ISO 31000 was issued
worldwide in 2009 17 Dec 2013 Developed by @goudotmobi
18. What Does ISO 31000 Cover of? ISO 31000:2009 contains: A set of risk management
terms and their definitions A set of principles for guiding and informing effective risk
management for an enterprise An outline and process for creating a risk management
framework An outline and process for creating a risk management process ISO 31000 is:
Clear Sensible Brief (34 pages) 18 Dec 2013 Developed by @goudotmobi
19. What Does ISO 31000 Cover of? (contd) Scope of this approach is enabling all strategic,
management and operational tasks throughout projects, functions, and processes to be
aligned to risk management objectives It is intended for stakeholder group like: Executive
level Appointment holders in ERM group Risk analysts and management officers Line
managers and project managers Compliance and internal auditors Independent
practitioners 19 Dec 2013 Developed by @goudotmobi
20. What ISO 31000 Doesnt Cover? Detailed instructions on how to manage risk A
complete risk management framework A complete risk management process Formats or
attributes for describing risks Templates Guidance on how to identify risks Advice on how
to manage risks for a specific domain 20 Dec 2013 Developed by @goudotmobi
21. ISO 31000 Will Help Us To Increase the likelihood of achieving objectives
Encourage proactive management Identify and treat risk throughout the organization
Improve the identification of opportunities and threats Comply with relevant legal and
regulatory requirements and international norms Improve financial reporting Improve
governance 21 Dec 2013 Developed by @goudotmobi
22. ISO 31000 Will Help To (contd) Improve stakeholder confidence and trust
Establish a reliable basis for decision making and planning Improve controls Effectively
allocate and use resources for risk treatment Improve operational effectiveness and
efficiency Enhance health and safety performance, as well as environmental protection
Improve loss prevention and incident management Minimize losses Improve
organizational learning and resilience 22 Dec 2013 Developed by @goudotmobi
23. Why Use ISO 31000? Save ourselves time and effort: Using the terms, principles and
guidelines in ISO 31000 means you dont have to spend time and effort creating your own.
You can spend time on the things that really add value managing the actual risks.
Facilitate communication: Avoid misunderstandings by using concepts and terms that are
well known in the risk management community. Provide higher quality output: Take
advantage of the significant expertise in risk management that the ISO has used in coming

24.

25.

26.

27.
28.

29.

30.

31.

32.

up with the standard. Ensure you dont miss out any aspects of risk management by using
the standard as a checklist. 23 Dec 2013 Developed by @goudotmobi
24. How Do I Apply ISO 31000? When should I use ISO 31000? When you are asked to
identify or assess risks When you are asked to manage risks When you are asked to
assess a risk management framework or process How should I use ISO 31000 Use it to
frame the scope of the work Use it to guide the engagement Use it to create a risk
management process 24 Dec 2013 Developed by @goudotmobi
25. ISO 31000 In Short It gives you a structured, credible foundation for discussions with
about risk and risk management It gives you a starting point for a risk management
process if you dont have one It gives you a standard vocabulary for talking about risks and
risk management It gives you a baseline for comparisons and assessments of risk
management processes 25 Dec 2013 Developed by @goudotmobi
26. ISO 31000 in Diagram Principles guide the creation of the framework Principles The
framework defines the process Framework Process The performance of the process feeds
back into the framework 26 Dec 2013 Developed by @goudotmobi
27. Navigating ISO 31000 Principles and Guidelines 27 Dec 2013 Developed by
@goudotmobi
28. Whats inside ISO 31000:2009 It consists of three major parts 11 principles for
managing risk (Clause 3) 5 (five) components to the framework for managing risk (Clause
4) 5 (five) processes for managing risks (Clause 6) 28 Dec 2013 Developed by
@goudotmobi
29. ISO 31000 Principles Risk Management Principles Creates and protects value Based on
the best information Integral part of organisational processes Tailored Part of decision
making Takes human and cultural factors into account Explicitly addresses uncertainty
Transparent and inclusive Systematic, structured, and timely Dynamic, iterative and
responsive to change Facilitates continual improvement of the organisation 29 Dec 2013
Developed by @goudotmobi
30. Creates and Protects Value Risk management contributes to the demonstrable
achievement of objectives and improvement of performance in, for example, human health
and safety, security, legal and regulatory compliance, public acceptance, environmental
protection, product quality, project management, efficiency in operations, governance and
reputation. 30 Dec 2013 Developed by @goudotmobi
31. Integral Part of Organizational Processes Risk management is not a stand-alone activity
that is separate from the main activities and processes of the organisation. Risk
management is part of the responsibilities of management and an integral part of all
organisational processes, including strategic planning and all project and change
management processes. 31 Dec 2013 Developed by @goudotmobi
32. Part of Decision Making Risk management helps decision makers make informed
choices, prioritise actions and distinguish among alternative courses of action. 32 Dec 2013
Developed by @goudotmobi

33. 33. Explicitly Addresses Uncertainty Risk management explicitly takes account of
uncertainty, the nature of that uncertainty, and how it can be addressed. 33 Dec 2013
Developed by @goudotmobi
34. 34. Systematic, Structured and Timely A systematic, timely and structured approach to risk
management contributes to efficiency and to consistent, comparable and reliable results. 34
Dec 2013 Developed by @goudotmobi
35. 35. Based on the Best Information The inputs to the process of managing risk are based on
information sources such as historical data, experience, stakeholder feedback, observation,
forecasts and expert judgement. However, decision makers should inform themselves of, and
should take into account, any limitations of the data or modelling used or the possibility of
divergence among experts. 35 Dec 2013 Developed by @goudotmobi
36. 36. Tailored Risk management is aligned with the organisation's external and internal context
and risk profile. 36 Dec 2013 Developed by @goudotmobi
37. 37. Tailored Risk management is aligned with the organisation's external and internal context
and risk profile. 37 Dec 2013 Developed by @goudotmobi
38. 38. Takes Human and Cultural Factors into Account Risk management recognises the
capabilities, perceptions and intentions of external and internal people that can facilitate or
hinder achievement of the organisation's objectives. 38 Dec 2013 Developed by
@goudotmobi
39. 39. Transparent and Inclusive Appropriate and timely involvement of stakeholders and, in
particular, decision makers at all levels of the organisation, ensures that risk management
remains relevant and up-to-date. Involvement also allows stakeholders to be properly
represented and to have their views taken into account in determining risk criteria. 39 Dec
2013 Developed by @goudotmobi
40. 40. Dynamic, Iterative and Responsive to Change Risk management continually senses and
responds to change. As external and internal events occur, context and knowledge change,
monitoring and review of risks take place, new risks emerge, some change, and others
disappear. 40 Dec 2013 Developed by @goudotmobi
41. 41. Facilitates Continual Improvement of the Organisation Organisations should develop and
implement strategies to improve their risk management maturity alongside all other aspects
of their organisation. 41 Dec 2013 Developed by @goudotmobi
42. 42. Risk Management Framework Set of components that provide the foundations and
organizational arrangements for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the organization The foundations
include the policy, objectives, mandate and commitment to manage risk The organizational
arrangements include plans, relationships, accountabilities, resources, processes and
activities RMF is embedded within the organization's overall strategic and operational
policies and practices 42 Dec 2013 Developed by @goudotmobi
43. 43. ISO 31000 Framework Mandate and commitment Design of framework for managing risk
Understanding the organisation and its context Establishing risk management policy
Accountability Integration into organisational processes Resources Establishing internal
communication and reporting mechanisms Establishing external communication and
reporting mechanisms Implementing risk management Continual improvement of the

44.

45.

46.

47.

48.

49.

50.

framework Implementing the framework for managing risk Implementing the risk
management process Monitoring and review of the framework 43 Dec 2013 Developed by
@goudotmobi
44. Mandate and Commitment Introducing risk management and ensuring its ongoing
effectiveness require strong and sustained commitment by management, as well as strategic
and rigorous planning to achieve commitment at all levels Management should: Define
and endorse the risk management policy Ensure that the organization's culture and risk
management policy are aligned Determine risk management performance indicators that
align with performance indicators of the organization 44 Dec 2013 Developed by
@goudotmobi
45. Mandate and Commitment (contd) Align risk management objectives with the
objectives and strategies of the organization Ensure legal and regulatory compliance
Assign accountabilities and responsibilities at appropriate levels within the organization
Ensure that the necessary resources are allocated to risk management Communicate the
benefits of risk management to all stakeholders Ensure that the framework for managing
risk continues to remain appropriate 45 Dec 2013 Developed by @goudotmobi
46. Understanding the Organization and Its Context Evaluating organization's external
context may include, but is not limited to: Social and cultural, political, legal, regulatory,
financial, technological, economic, natural and competitive environment, whether
international, national, regional or local Key drivers and trends having impact on the
objectives of the organization Relationships with, and perceptions and values of, external
stakeholders 46 Dec 2013 Developed by @goudotmobi
47. Understanding the Organization and Its Context (contd) Evaluating the organization's
internal context may include, but is not limited to: Governance, organizational structure,
roles and accountabilities Policies, objectives, and the strategies that are in place to
achieve them Capabilities, understood in terms of resources and knowledge (e.g. capital,
time, people, processes, systems and technologies) 47 Dec 2013 Developed by
@goudotmobi
48. Understanding the Organization and Its Context (contd) Information systems,
information flows and decision making processes (both formal and informal) Relationships
with, and perceptions and values of, internal stakeholders Organization's culture
Standards, guidelines and models adopted by the organization The form and extent of
contractual relationships 48 Dec 2013 Developed by @goudotmobi
49. Establishing Risk Management Policy It should clearly state organization's objectives for,
and commitment to, and addresses: the organization's rationale for managing risk links
between the organization's objectives and policies and the risk management policy
accountabilities and responsibilities for managing risk the way in which conflicting
interests are dealt with 49 Dec 2013 Developed by @goudotmobi
50. Establishing Risk Management Policy (contd) commitment to make the necessary
resources available to assist those accountable and responsible for managing risk the way
in which risk management performance will be measured and reported commitment to
review and improve the risk management policy and framework periodically and in response
to an event or change in circumstances 50 Dec 2013 Developed by @goudotmobi

51. 51. Accountability Accountability, authority and appropriate competence for managing risk
which is facilitated by: Identifying risk owners that have the accountability and authority to
manage risks Identifying who is accountable for development, implementation and
maintenance of framework for managing risk Identifying other responsibilities of people at
all levels for risk management process Establishing performance measurement and
external and/or internal reporting and escalation processes Ensuring appropriate levels of
recognition 51 Dec 2013 Developed by @goudotmobi
52. 52. Resources The organization should allocate appropriate resources for risk management
such as: people, skills, experience and competence resources needed for each step of
the risk management process the organization's processes, methods and tools to be used
for managing risk documented processes and procedures information and knowledge
management systems training program 52 Dec 2013 Developed by @goudotmobi
53. 53. Establishing Internal Communications and Reporting Mechanisms It is to support and
encourage accountability and ownership of risk as well as ensure: Key components of risk
management framework, and any subsequent modifications, are communicated
appropriately There is adequate internal reporting on framework, its effectiveness and
outcomes Relevant information derived from the application of risk management is
available at appropriate levels and times There are processes for consultation with internal
stakeholders 53 Dec 2013 Developed by @goudotmobi
54. 54. Establishing Internal Communications and Reporting Mechanisms (contd) It should
involve: Engaging appropriate external stakeholders and ensuring an effective exchange of
information External reporting to comply with legal, regulatory, and governance
requirements Providing feedback and reporting on communication and consultation Using
communication to build confidence Communicating with stakeholders in the event of a
crisis or contingency 54 Dec 2013 Developed by @goudotmobi
55. 55. Implementing Framework for Managing Risk In implementing framework for managing
risk, the organization should: Define appropriate timing and strategy for implementing the
framework Apply risk management policy and process to the organizational processes
Comply with legal and regulatory requirements 55 Dec 2013 Developed by @goudotmobi
56. 56. Implementing Framework for Managing Risk (contd) Ensure that decision making,
including the development and setting of objectives, is aligned with risk management
processes outcomes Hold information and training sessions Communicate and consult
with stakeholders to ensure that its risk management framework remains appropriate 56 Dec
2013 Developed by @goudotmobi
57. 57. Risk Management Process Systematic application of management policies, procedures
and practices to the activities of communicating, consulting, establishing the context, and
identifying, analyzing, evaluating, treating, monitoring and reviewing risk 57 Dec 2013
Developed by @goudotmobi
58. 58. Monitoring and Reviewing Framework In order to ensure that risk management is
effective and continues to support organizational performance, the organization should:
Measure risk management performance against indicators, which are periodically reviewed

59.

60.

61.

62.

63.

64.

65.

66.

67.
68.
69.

for appropriateness Periodically measure progress against, and deviation from, the risk
management plan 58 Dec 2013 Developed by @goudotmobi
59. Monitoring and Reviewing Framework (contd) Periodically review whether risk
management framework, policy and plan are still appropriate, given the organizations'
external and internal context Report on risk, progress with risk management plan and how
well risk management policy is being followed Review risk management framework
effectiveness 59 Dec 2013 Developed by @goudotmobi
60. ISO 31000 Process Establishing the context Risk assessment Risk identification
Communication and consultation Risk analysis Risk evaluation Risk treatment 60 Dec 2013
Developed by @goudotmobi Monitoring and review
61. Risk Management: Establishing the Context Defining the external and internal
parameters to be taken into account when managing risk, and setting the scope and risk
criteria for the risk management policy. 61 Dec 2013 Developed by @goudotmobi
62. Risk Management: Establishing the Context (contd) External context Legal, Regulatory,
Financial International, National, Regional or Local Relationships with, perceptions and
values of external stakeholders Internal context Organizational objectives Project,
process, or activity objectives Policy, standards, guidelines and models adopted by the
organization Contractual relationships 62 Dec 2013 Developed by @goudotmobi
63. Risk Management: Establishing the Context (contd) Process context Objectives,
scope, responsibilities, methods Defining risk criteria - Measures - Tolerance levels - Views
of stakeholders 63 Dec 2013 Developed by @goudotmobi
64. Monitoring and Review Ensuring that controls are effective and efficient in both design
and operation Obtaining further assessment information to improve risk Analyzing and
learning lessons from events (including near-misses), changes, trends, successes and
failures Detecting changes in the external and internal context, including changes to risk
criteria and the risk itself which can require revision of risk treatments and priorities
Identifying emerging risks 64 Dec 2013 Developed by @goudotmobi
65. Recording Risk Management Process Objectives Organization's needs for continuous
learning Benefits of re-using information for management purposes Costs and efforts in
creating and maintaining records Legal, regulatory and operational needs for records
Method of access, ease of retrievability and storage media Retention period Sensitivity
of information 65 Dec 2013 Developed by @goudotmobi
66. ISO 31000 Key Success Factors Risk Management (RM) should function within a Risk
Management Framework (RMF) The framework provides necessary foundations and
organizational arrangements to embed RM throughout all levels within the organization
This foundation can assist organizations in managing risk effectively through application of
RM process at varying levels and within specific contexts RMF ensure risk information is
adequately reported and used as a basis for decision making and accountability at all
relevant organizational levels 66 Dec 2013 Developed by @goudotmobi
67. Question and Answer 67 Dec 2013 Developed by @goudotmobi
68. Wrap Up Day One 68 Dec 2013 Developed by @goudotmobi
69. Day One Review 69 Dec 2013 Developed by @goudotmobi

70. 70. Valuing ISO31010: Risk Assessment and its Techniques 70 Dec 2013 Developed by
@goudotmobi
71. 71. Rehearsing ISO/IEC 31010: 2009 A supporting standard for AS/NZS ISO 31000:2009
It provides guidance on selection and application of systematic techniques for risk
assessment The application of a range of techniques is introduced, with specific references
to other international standards Concept and application of techniques are described in
greater detail This standard does not provide specific criteria for identifying need for risk
analysis It also doesnt specify type of risk analysis method required for a particular
application 71 Dec 2013 Developed by @goudotmobi
72. 72. Rehearsing ISO Guide 73:2009 It provides the definitions of generic terms related to
risk management Aimed to encourage a mutual and consistent understanding of, and a
coherent approach to, the description of activities relating to the management of risk Aimed
to encourage the use of uniform risk management terminology in processes and frameworks
dealing with the management of risk 72 Dec 2013 Developed by @goudotmobi
73. 73. Risk Assessment ISO/IEC 31010:2009, Risk assessment techniques, jointly developed
by ISO and IEC (International Electrotechnical Commission) A structured process for
organizations to identify how objectives may be affected Analyze risk in terms of
consequences and their probabilities, before further action taken up Provides better
understanding on risks affecting achievement of objectives, as well as adequacy and
effectiveness of controls already in place 73 Dec 2013 Developed by @goudotmobi
74. 74. Risk Assessment (contd) In short, Risk Assessment is overall process of risk
identification, risk analysis and risk evaluation Risk Identification Process of finding,
recognizing and describing risks involving identification of risk sources, events, causes and
potential consequences. It involves historical data, theoretical analysis, informed and expert
opinions, and stakeholder's needs. 74 Dec 2013 Developed by @goudotmobi
75. 75. Risk Source and Event Risk Source: element which alone or in combination has the
intrinsic potential to give rise to risk (tangible or intangible) Event Occurrence or change of
a particular set of circumstances: It could be one or more occurrences, and can have
several causes It could consist of something not happening Sometimes be referred to as
incident or accident 75 Dec 2013 Developed by @goudotmobi
76. 76. Consequences Outcome of an event affecting objectives An event can lead to a range
of consequences A consequence can be certain or uncertain and can have positive or
negative effects on objectives Consequences can be expressed qualitatively or
quantitatively Initial consequences can escalate through knock-on effects 76 Dec 2013
Developed by @goudotmobi
77. 77. Risk Analysis Process to comprehend the nature of risk and to determine the level of
risk It involves consideration of the causes and sources of risk, their positive and negative
consequences, and the likelihood that those consequences can occur Provides the basis
for risk evaluation and decisions about risk treatment It includes risk estimation as well 77
Dec 2013 Developed by @goudotmobi
78. 78. Risk Analysis (contd) 78 Dec 2013 Developed by @goudotmobi

79. 79. Risk Criteria and Level of Risk Risk criteria Terms of reference against which the
significance of a risk is evaluated: Based on organizational objectives, and external and
internal context It can be derived from standards, laws, policies and other requirements
Level of risk Magnitude of a risk or combination of risks, expressed in terms of the
combination of consequences and their likelihood 79 Dec 2013 Developed by @goudotmobi
80. 80. Risk Evaluation Process of comparing the results of risk analysis with risk criteria to
determine whether the risk and/or its magnitude is acceptable or tolerable. Risk evaluation
assists in the decision about risk treatment. 80 Dec 2013 Developed by @goudotmobi
81. 81. Risk Treatment Process to modify risk that can involve: avoiding the risk by deciding
not to start or continue with the activity that gives rise to the risk taking or increasing risk in
order to pursue an opportunity removing the risk source changing the likelihood
changing the consequences 81 Dec 2013 Developed by @goudotmobi
82. 82. Risk Treatment (contd) sharing the risk with another party or parties (including
contracts and risk financing) retaining the risk by informed decision Risk treatments that
deal with negative consequences are sometimes referred to as risk mitigation, risk
elimination, risk prevention and risk reduction It can create new risks or modify existing
risks 82 Dec 2013 Developed by @goudotmobi
83. 83. Residual Risk Risk remaining after risk treatment It can contain unidentified risk It
can also be known as retained risk 83 Dec 2013 Developed by @goudotmobi
84. 84. Risk Assessment Three Bands 84 Dec 2013 Developed by @goudotmobi
85. 85. Utilizing Risk Assessment Techniques 85 Dec 2013 Developed by @goudotmobi
86. 86. Risk Assessment Techniques Risk identification Risk analysis consequence
analysis Risk analysis qualitative, semi-quantitative or quantitative probability estimation
Risk analysis assessing the effectiveness of any existing controls Risk analysis
estimation the level of risk Risk evaluation 86 Dec 2013 Developed by @goudotmobi
87. 87. Factors Influenced The Selection Complexity of the problem and the methods needed
to analyze it The nature and degree of uncertainty of the risk assessment based on the
amount of Information available and what is required to satisfy objectives The extent of
resources required in terms of time and level of expertise, data needs or cost Whether the
method can provide a quantitative output 87 Dec 2013 Developed by @goudotmobi
88. 88. Tools used For Risk Assessment Referred to Table A.1 at ISO 31010 on Applicability of
tools used for risk assessment Referred to Table A.2 at ISO 31010 on Attributes of risk
assessment tools Details at Annex B (Informative) at ISO 31010 88 Dec 2013 Developed
by @goudotmobi
89. 89. Analyzing and Evaluating Risk Assessment Result 89 Dec 2013 Developed by
@goudotmobi
90. 90. Risk Identification Process of finding, recognizing and describing risks
Comprehensive list of risks based on events that might create, enhance, prevent, degrade,
accelerate or delay achievement of objectives Identify risks associated with not pursuing an
opportunity A risk that is not identified at this stage will not be included in further analysis
Identification should include risks whether or not their source is under the control of the
organization 90 Dec 2013 Developed by @goudotmobi

91. 91. Risk Evaluation The purpose of risk evaluation is to assist in making decisions, based
on the outcomes of risk analysis, about which risks need treatment and the priority for
treatment implementation Decisions should take account of the wider context of the risk
and include consideration of the tolerance of the risks borne by parties other than the
organization that benefits from the risk 91 Dec 2013 Developed by @goudotmobi
92. 92. Risk Evaluation (contd) Decisions should be made in accordance with legal, regulatory
and other requirements In some circumstances, the risk evaluation can lead to a decision
to undertake further analysis The risk evaluation can also lead to a decision not to treat the
risk in any way other than maintaining existing controls 92 Dec 2013 Developed by
@goudotmobi
93. 93. Risk Evaluation (contd) Decisions should take account of the wider context of the risk
and include consideration of the tolerance of the risks borne by parties other than the
organization that benefits from the risk Decisions should be made in accordance with legal,
regulatory and other requirements The purpose of risk evaluation is to assist in making
decisions, based on the outcomes of risk analysis, about which risks need treatment and the
priority for treatment implementation 93 Dec 2013 Developed by @goudotmobi
94. 94. Risk Evaluation (contd) Decisions should be made in accordance with legal, regulatory
and other requirements In some circumstances, the risk evaluation can lead to a decision
to undertake further analysis The risk evaluation can also lead to a decision not to treat the
risk in any way other than maintaining existing controls 94 Dec 2013 Developed by
@goudotmobi
95. 95. Managing Risk A list in order of preference on how to deal with risk Avoiding by not to
start or continue the activity that rise to the risk Accepting or increasing risk in order to
pursue an opportunity Removing risk source Changing likelihood and consequences
Sharing risk with another party/parties such as contracts and risk financing Retaining risk
by informed decision 95 Dec 2013 Developed by @goudotmobi
96. 96. Risk Treatment Risk treatment involves selecting one or more options for modifying
risks, and implementing those options Risk treatment options are not necessarily mutually
exclusive The options can include the following: - TRANSFER Sharing the risk with another
party or parties (including contracts and risk financing) 96 Dec 2013 Developed by
@goudotmobi
97. 97. Risk Treatment (contd) - AVOID Avoiding the risk by deciding not to start or continue with
the activity that gives rise to the risk Removing the risk source - MITIGATE Changing the
likelihood Changing the consequences (impact) - ACCEPT Retaining the risk by informed
decision Taking or increasing the risk in order to pursue an opportunity 97 Dec 2013
Developed by @goudotmobi
98. 98. Risk Treatment (contd) Selecting the most appropriate risk treatment option involves
balancing the costs and efforts of implementation against the benefits derived, with regard to
legal, regulatory, and other requirements such as social responsibility and the protection of
the natural environment A number of treatment options can be considered and applied
either individually or in combination 98 Dec 2013 Developed by @goudotmobi

99. 99. Risk Treatment (contd) Risk treatment itself can introduce risks A significant risk can
be the failure or ineffectiveness of the risk treatment measures Monitoring needs to be an
integral part of the risk treatment plan to give assurance that the measures remain effective
99 Dec 2013 Developed by @goudotmobi
100.
100. Analyzing and Evaluating Risk Assessment Result 100 Dec 2013 Developed by
@goudotmobi
101.
101. Question and Answer 101 Dec 2013 Developed by @goudotmobi
102.
102. Wrap Up Day Two 102 Dec 2013 Developed by @goudotmobi
103.
103. Quiz Time 103 Dec 2013 Developed by @goudotmobi
104.
104. Day Two Review 104 Dec 2013 Developed by @goudotmobi
105.
105. Understanding Risk Register Entry 105 Dec 2013 Developed by @goudotmobi
106.
106. What Is Risk Register? Record of information about identified risks 106 Dec
2013 Developed by @goudotmobi
107.
107. Risk Register Should Contain A unique code for each risk A description of
each risk and its potential consequences (operational and strategic) Actions and controls
that currently exist to mitigate risks Factors that may impact upon the likelihood and
consequence of the residual risk Risk grade (priority) Whether the risk grade is
acceptable Early warning factors and upward reporting thresholds 107 Dec 2013
Developed by @goudotmobi
108.
108. Risk Treatment Action Shall Include Planned actions to reduce the likelihood
a negative risk will occur and/or reduce the seriousness should it occur (What should you do
now?) Contingency actions - planned actions to reduce the immediate seriousness of a
negative risk when it does occur. (What should you do when?) Recovery actions - planned
actions taken once a negative risk has occurred to allow you to move on. (What should you
do after?) Risk Transfer (e.g. Through responsibilities or insurance. assignment of
contractual Actions necessary to ensure the realisation of opportunities (positive risks) 108
Dec 2013 Developed by @goudotmobi
109.
109. Sample of Risk Registers 109 Dec 2013 Developed by @goudotmobi
110.
110. Utilizing Risk Register Entry 110 Dec 2013 Developed by @goudotmobi
111.
111. Discussing and Implementing Risk Register 111 Dec 2013 Developed by
@goudotmobi
112.
112. Monitoring and Managing Risk Management 112 Dec 2013 Developed by
@goudotmobi
113.
113. Monitoring and Reviewing Risk Monitoring Continual checking, supervising,
critically observing or determining the status in order to identify change from the performance
level required or expected Can be applied to a risk management framework, risk
management process, risk or control Reviewing Activity undertaken to determine
suitability, adequacy and effectiveness of subject matter to achieve established objectives
Can be applied to a risk management framework, risk management process, risk or control
113 Dec 2013 Developed by @goudotmobi
114.
114. Monitoring and Reviewing Risk (contd) An integral part of the risk
management process involving regular checking or surveillance Ensure controls are

effective & efficient Detect change in external or internal context Analysis, lessons
learned, continuous improvement Identify emerging risks 114 Dec 2013 Developed by
@goudotmobi
115.
115. Post Test 115 Dec 2013 Developed by @goudotmobi
116.
116. 116 Dec 2013 Developed by @goudotmobi
117.
117. Question and Answer 117 Dec 2013 Developed by @goudotmobi