ISO-31000-Lecture.pdf

ISO 31000 Principles

Dr. Ronald Menold [email protected]

ISO 31000

▪ ISO Standard for Risk Management – Principles and Guidelines

▪ Commonly used framework for simple enterprise risk management

▪ Declares 11 principles which ISO 31000 claims to cover

▪ The next 11 slides are directly from ISO 31000:2009

1) Risk management creates and protects value

▪ Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example – Human health and safety – Security – Legal and regulatory compliance – Public acceptance – Environmental protection – Product quality – Project management – Efficiency in operations – Governance – Reputation.

2) Risk management is an integral part of all organizational processes

▪ Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization.

▪ Risk management is part of the responsibilities of management

▪ It is an integral part of all organizational processes, including strategic planning and all project and change management processes.

3) Risk management is part of decision making

▪ Risk management helps decision makers – Make informed choices – Prioritize actions – Distinguish among alternative courses of action.

4) Risk management explicitly addresses uncertainty

▪ Risk management explicitly takes account of – Uncertainty – The nature of that uncertainty – How it can be addressed

5) Risk management is systematic, structured and timely

▪ A systematic approach to risk management which is – Timely – Structured

▪ Contributes to – Efficiency – Results which are

▪ Consistent ▪ Comparable ▪ Reliable

6) Risk management is based on the best available information

▪ The inputs to the process of managing risk are based on – Information sources such as

▪ Historical data ▪ Experience ▪ Stakeholder feedback ▪ Observation ▪ Forecasts ▪ Expert judgement

▪ However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts

7) Risk management is tailored

▪ Risk management is aligned with organization’s – External context – Internal context – Risk profile.

8) Risk management takes human and cultural factors into account

▪ Risk management recognizes the – Capabilities – Perceptions – Intentions of

▪ External people ▪ Internal people that can

– Facilitate – Hinder

▪ achievement of the organization's objectives.

9) Risk management is transparent and inclusive

▪ Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date

▪ Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

10) Risk management is dynamic, iterative and responsive to change

▪ Risk management continually senses and responds to change

▪ When the following occur – External events – Internal events – Context and knowledge change – Monitoring and review of risks take place

▪ New risks emerge ▪ Some risks change ▪ Others disappear

11) Risk management facilitates continual improvement of the organization

▪ Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization

Topic Choosing

▪ Group Order – https://www.google.com/search?q=6%20value%20spinner

▪ Topic Pick – https://www.google.com/search?q=11%20value%20spinner

Assignments

▪ Group 1 – Topic

▪ Group 2 – Topic

▪ Group 3 – Topic

▪ Group 4 – Topic

▪ Group 5 – Topic

▪ Group 6 – Topic