Risk management under ISO31000 provides an informed point for generic risk assessments to confirm the current controls for mitigating risks and consequences. The risk process spans horizontally from Inherent to Residual to Target Risks, whilst having depth that accounts for the consequences and controls associated with each risk. You decide how much of the risk process should be dealt with, making it manageable as well as understandable for staff. This process allows a staged approach to be taken, adding more aspects later. The risk process leads to a series of fields that become populated and in turn reflected in KnowRisk. Staff will become familiar with these fields according to the role they play in the process and become more knowledgeable about risk management through applying the process in their work.
Setting the Scope of the Broad-Brush Method
The risk management process shows the level of risk in conjunction with controls that currently exist or with future controls. An organisation cannot claim the level of future or target risk as the residual risk until the additional controls have been completed and are shown to be working effectively. The following diagram shows the 3 stages of performing risk assessment and analysis:
Setting the Context of Risk
Context of risk is often a difficult concept to grasp, yet it is a must to learn and understand in order to arrange the profile structure correctly and to gain the full benefit of the overall risk management picture.
Risk management starts with "setting the context" in the sense that this provides the boundary for bringing into view the threats that face the business. It makes it easier for everyday staff, who may not initially be familiar with risk management concepts, to feel comfortable to identify the risks that exist according to the context.
Some examples of Context include:
These Contexts are arranged in meaningful combinations that form a logical/intuitive hierarchical structure reflecting real world operations.
ISO31000 advocates that establishing the context defines the basic parameters within which risks must be managed and sets the scope for the rest of the risk management process. This helps to minimise the chance of any risks being overlooked.
It will also be necessary to consider the external environment in which you operate. This may, for example, include:
Establishing the external context is important to ensure that stakeholders and their objectives are considered when developing risk management criteria and that externally generated threats and opportunities are properly taken into account.
Likewise for the internal context, it is necessary to understand the key areas that could influence the way risk management is conducted. Examples include:
Identify Risks & Consequences then Classify
Once the Context has been established, the next part of the process is to identify the risks and the consequences should these risks occur. Using a well-structured systematic process is necessary to avoid excluding risks that could be significant. Whilst setting the context will already have set the agenda for risk identification, there are some other aspects that will assist:
The KnowRisk Risk Management module also provides separate fields of information for staff to document the background information to the risks and consequences. KnowRisk also supports the Risk Manager, together with the Risk Analysts and Risk Coordinators, in building a representative list of root causes of risks, as this provides management with another reporting dimension for understanding how key risks can be prevented from occurring.
Risk Assessment & Analysis
Risks may be assessed before controls (Inherent Risk) or after controls (Residual Risk); which applies depends on the method being used. Working from Inherent Risk involves:
Even if the values given are not as accurate as they could be, this will be corrected through the use of the Knowledge Base, which provides a feedback loop for improving the assessments given to risks.
By following the generic risk process, the residual risk is derived from identifying existing controls and assessing their effectiveness in relation to each inherent risk and associated consequences.
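As an added illustration (not KnowRisk code and not part of this page), the following Python model shows how residual risk is derived from inherent risk and the effectiveness of existing controls, and why a control that is implemented but not yet shown to be working cannot be credited toward residual risk: it counts only toward the target level. The 5x5 rating scale, the multiplicative combination of controls and the effectiveness figures are assumptions, not values from the page.

```python
from dataclasses import dataclass, field

# Assumed 5x5 qualitative scale (not given on the page): likelihood and
# consequence are each rated 1..5 and combined by multiplication.
MAX_LEVEL = 5

@dataclass
class Control:
    name: str
    effectiveness: float    # assumed scale: 0.0 (no effect) .. 1.0 (fully effective)
    implemented: bool = False
    verified: bool = False  # shown to be working effectively, e.g. by test or audit

@dataclass
class Risk:
    name: str
    likelihood: int
    consequence: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.likelihood, self.consequence):
            if not 1 <= v <= MAX_LEVEL:
                raise ValueError(f"rating {v} outside 1..{MAX_LEVEL}")

    def inherent(self) -> int:
        # Level of risk before any control is taken into account
        return self.likelihood * self.consequence

    def _score_with(self, controls) -> float:
        # Each credited control removes its effectiveness share of what remains
        score = float(self.inherent())
        for c in controls:
            score *= 1.0 - c.effectiveness
        return round(score, 2)

    def residual(self) -> float:
        # Only controls that exist AND have been shown to work may be credited
        return self._score_with(c for c in self.controls if c.implemented and c.verified)

    def target(self) -> float:
        # Future level once every planned control is implemented and effective
        return self._score_with(self.controls)

def sample_risk() -> Risk:
    # Constructed register entry: one verified control, one not yet verified
    return Risk("Unauthorised access to customer records", likelihood=4, consequence=5,
                controls=[Control("Multi-factor authentication", 0.5, True, True),
                          Control("Quarterly privileged access review", 0.4, True, False)])
```

Until the access review is verified, the register may only claim the residual level of 10.0, not the target level of 6.0; marking it verified moves the residual down to the target.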
Having assessed the level of each risk, it is possible to perform an analysis across the range of risks in context to bring out more meaningful results that help the company/stakeholder decide which risks need to be managed more effectively. Risk analysis must be consistent with the risk criteria developed as part of a standardised methodology, so that results are consistent across your businesses.
KnowRisk lets you analyse risks at varying degrees of detail depending upon the risk, the purpose of the analysis, and the information and resources available. Analysis may be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances. The risk framework sets the pathway for increasing the sophistication, and by implication the accuracy, of the analysis.
Identifying Controls & Assessing their Effectiveness
The focus must distinguish between controls that actually exist and those the business would like to have. Controls represent the policies and procedures, processes, devices or practices that are designed to make the business operate effectively. It follows that controls will reduce the risks and consequences; however, the degree to which they do depends on how well the control is designed and how efficiently it is performed.
The purpose of risk evaluation is to make decisions, based on the outcomes of risk analysis, about which risks need treatment. Since controls are in effect resources that cost money directly or indirectly, care is needed to decide where certain risks are above tolerances and additional controls may be needed to reduce the risk and its consequences to more acceptable levels.
KnowRisk has a comprehensive way of resolving risk: identifying treatment options, assessing them, and preparing and implementing treatment plans. No company has unlimited resources to apply to every situation, including those where there may be opportunities to exploit.
Risk Management Process
This is a typical Risk Management Process found in KnowRisk, however you can set your own.
During the implementation stage, the above process is extended to become more sophisticated and adapted into other risk management strategies. This facilitates embedding risk management within your business-as-usual activities.