
2/11/2021 Risk Management with ISO 31000

https://leocontent.umgc.edu/content/umuc/tgs/cca/cca610/2211/learning-resource-list/risk-management-with-iso-31000.html?ou=… 1/14

Risk Management with ISO 31000

Managing risks is important because it focuses attention on the uncertainties that matter.

The international risk standard ISO 31000:2009 Risk Management - Principles and Guidelines says risk is the "effect of uncertainty on objectives," and the Project Management Institute's Practice Standard for Project Risk Management defines risk as an "uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives." These definitions implicitly contain three elements:

- an uncertain event or condition (situation) that may occur in the future
- the likelihood of occurrence of the situation
- the effect (positive or negative) that the occurrence would have on one or more of the project's (or program's) objectives

For each objective, there are likely to be various risks of different types that might affect it.

Who Manages Risk?

The short answer is everyone, starting from the "governing body" and the executive. Unfortunately, too many managers believe that offloading the risk management process to a risk manager, or maintaining the risk register, is synonymous with risk management. This is a dangerous misconception; while having an effective risk register is important, it is only one part of an effective risk management system. Certainly, it is important for someone to be responsible for running the risk processes, to make sure that they happen smoothly and effectively, to ensure adherence to standards, to encourage and inspire people to be involved in and committed to managing risk, and to coordinate data management and risk reporting. However, it is misleading to call this person the risk manager. A more accurate job title would be risk coordinator, risk facilitator, risk champion, or risk process manager. These names explain what the role actually does and prevent people from expecting someone else to manage their risks for them.


An equally dangerous proposition is establishing a "chief risk officer" (CRO) with centralized "control" of the risk management processes. The function of the CRO's office should be to oversee the functioning of the enterprise risk management (ERM) system and to liaise with the governing body, not to centrally manage "all risk," which can easily lead to unrealistic outputs. An effective ERM system decentralizes the management of risk through the creation of a coherent top-down hierarchy of objectives at multiple levels throughout the business, with lower-level objectives aligned to the strategic objectives of the overall organization. It is then possible to manage risk at each level, linking risks to the objectives at that level.

The ERM function coordinates the various levels of risk management, ensuring that common standards are applied and escalating risks as required. The organization's overall risk policies and standards should be set at ERM level, allowing lower levels of the organization the freedom to tailor their risk approach within the overall minimum requirements set by the ERM system and to develop their own specific risk procedures to deal with specific circumstances. Effective risk management is not a "one-size-fits-all" function.

Decentralization is important because any specific risk is an uncertainty that matters, and it only really matters to the person whose objective is at risk. That person should take responsibility for managing the risks that affect the objective (although they might involve other people to help) by implementing the processes defined in an ERM system and discussed in this paper.

The right culture is needed to support the effective management of risk, which is of itself a governance issue. The culture has to allow people to identify, quantify, and manage the real risks even if they are politically unpopular. This needs a change of perspective, away from risk management and toward risk leadership. Risk leadership is needed to develop and maintain an effective risk culture within an organization by:

- giving overall strategic direction and vision in relation to risk and setting the right ethical and governance framework
- defining the risk appetite for the organization, providing the broad outline of how risk will be addressed, how much risk is acceptable, and what degree of risk exposure will be tolerated
- identifying and requiring appropriate risk management processes (see below)
- leading by example and modeling a mature approach to risk, using the risk management processes as a tool rather than a straitjacket by demonstrating a flexible risk attitude, being prepared to take risk when that is appropriate, and being prepared to act more cautiously if necessary
- inspiring the same flexibility in others by rewarding good risk management behavior and encouraging people to adopt the right risk attitude to meet each changing circumstance. The skill is identifying the right risks to accept that allow growth and improvement and managing these effectively. Trying to avoid all risk is impossible and a recipe for failure.

Accepting risk means accepting the possibility of failure. But this approach is far better than pretending there are no risks or that every risk can be managed to the point where it is inconsequential.

Risk Management Processes

The core elements of risk management are set out in different ways in standards and guides (some of the key ones are referenced below); they all include the basic steps set out in this paper, but the language varies.

Initiating the Risk Management Process. Risks only exist in relation to defined objectives; therefore, to frame any particular risk process, you need to:

- Clearly define the scope and objectives that are at risk (i.e., the project or program scope and objectives).
- Define or ascertain the levels of risk key stakeholders are prepared to accept (their risk appetite); this determines the target threshold for risk exposure.
- Develop a risk management plan that defines the scope, objectives, and parameters of the risk process to be used on the project and the responsible managers (see below: Defining the Appropriate Level of Risk Management).
- Identify any organizational assets or procedures that support or overlap with the current initiation (see below: The Principles of Effective Risk Management).

Identify the Risks. Based on the defined scope and objectives, start identifying risks:

- Risks are uncertainties that might affect either the scope or the objectives of the work, and include both threats and opportunities.
- Organizations with effective knowledge management systems can use the lessons learned on previous projects as the starting point.
- Use a variety of techniques to help find as many risks as possible.
- Use "risk metalanguage" in the form: If a <one or more causes>, caused by <uncertain situation> occurs, it may cause <one or more effects>.
- Record the risks in an effective risk register and identify a risk owner.

Assess and Prioritize Risks. Risks should be analyzed and prioritized for action. The assessment process may be qualitative or quantitative. The outcome is a prioritized list of risks for action:

- Qualitative characteristics include:
  - How likely the event is to happen.
  - The likely effect on objectives.
  - How much influence we have on the event.
  - How easy the risk is to detect as it is emerging. Easy-to-detect risks (obvious early warning indicators) are easier to deal with than risks that just occur without warning.
  - When the event may happen (near term or distant future).
- Quantitative methods use data to analyze risk exposure:
  - The magnitude of each individual risk is calculated (time, value, other).
  - Anticipate the incidence of recurring problems by using the concept of risk coefficients. Risks such as bad weather, illnesses, tasks taking longer (or occasionally less) than planned, and changes are so frequent that organizations often have statistics on their occurrence. Good plans model their occurrence and incorporate their effect.
  - Probability can be separate or cumulative.
  - Contingency allowances for time and cost may be estimated based on the whole set of risks.
  - The risk statement can now be expanded to include: If a <one or more causes>, caused by <uncertain situation> occurs, it may cause <one or more effects>. The impact of this <threat / opportunity> is <assessed effect on objectives>.
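As an added example (not code from the page or from Mosaic), the following Python models a risk register the way the identification and assessment steps above describe it: entries are rendered in the page's risk metalanguage, scored qualitatively over the five characteristics listed, given a quantitative expected-value contingency over the whole set of risks (with threats as withdrawals and opportunities as deposits), and flagged for escalation when they exceed the tolerance set at initiation. The 1-5 scales, the scoring formula, the tolerance value, and the sample entries are assumptions for illustration.

```python
from dataclasses import dataclass
from math import prod


@dataclass
class Risk:
    """One risk register entry. Scales are assumed: 1 = low, 5 = high."""
    risk_id: str
    owner: str             # every risk needs a named owner
    causes: str            # <one or more causes>
    situation: str         # <uncertain situation>
    effects: str           # <one or more effects>
    kind: str              # "threat" or "opportunity"
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    effect: int            # 1 (negligible) .. 5 (severe) effect on objectives
    influence: int         # 1 (fully within our control) .. 5 (no influence)
    detectability: int     # 1 (clear early-warning indicators) .. 5 (no warning)
    timing: int            # 1 (distant future) .. 5 (near term)
    probability: float     # quantitative estimate, 0.0 .. 1.0
    magnitude: float       # cost (or benefit) if it occurs, in currency units

    def __post_init__(self) -> None:
        for name in ("likelihood", "effect", "influence", "detectability", "timing"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be within 0..1")
        if self.kind not in ("threat", "opportunity"):
            raise ValueError("kind must be 'threat' or 'opportunity'")

    def statement(self) -> str:
        """Render the entry in the page's expanded risk metalanguage."""
        return (f"If {self.causes}, caused by {self.situation} occurs, "
                f"it may cause {self.effects}. The impact of this {self.kind} "
                f"is {self.effect}/5 on objectives.")

    def qualitative_score(self) -> int:
        """Assumed scoring: likelihood x effect is the core; the other three
        characteristics add points when the risk is harder to handle."""
        return (self.likelihood * self.effect
                + (self.influence - 1) + (self.detectability - 1) + (self.timing - 1))

    def expected_value(self) -> float:
        """Signed expected cost: threats are withdrawals, opportunities deposits."""
        sign = 1.0 if self.kind == "threat" else -1.0
        return sign * self.probability * self.magnitude


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Prioritized list for action: highest qualitative score first."""
    return sorted(risks, key=lambda r: r.qualitative_score(), reverse=True)


def needs_escalation(risk: Risk, tolerance: int) -> bool:
    """True when the risk exceeds the tolerance agreed at initiation."""
    return risk.qualitative_score() > tolerance


def contingency_allowance(risks: list[Risk]) -> float:
    """Contingency estimated over the whole set of risks (net expected cost)."""
    return sum(r.expected_value() for r in risks)


def cumulative_probability(risks: list[Risk]) -> float:
    """Probability that at least one of the risks occurs, assuming independence."""
    return 1.0 - prod(1.0 - r.probability for r in risks)


# Constructed sample register entries (not real project data).
SAMPLE_REGISTER = [
    Risk("R1", "cloud lead", "an IAM policy granting wildcard permissions",
         "a misconfigured service role", "unauthorised access to customer data",
         "threat", 3, 5, 2, 4, 4, 0.3, 200000.0),
    Risk("R2", "project manager", "a key vendor missing its delivery date",
         "supplier overload", "a two-week schedule slip",
         "threat", 4, 3, 4, 2, 3, 0.5, 40000.0),
    Risk("R3", "project manager", "illness in the team", "seasonal flu",
         "lost effort on the critical path", "threat", 5, 2, 5, 3, 2, 0.8, 10000.0),
    Risk("R4", "architect", "early availability of a managed service",
         "a provider roadmap change", "reduced operations cost",
         "opportunity", 2, 3, 4, 3, 1, 0.25, 60000.0),
]
TOLERANCE = 20  # assumed risk-appetite threshold above which risks are escalated

if __name__ == "__main__":
    for risk in prioritize(SAMPLE_REGISTER):
        flag = " [ESCALATE]" if needs_escalation(risk, TOLERANCE) else ""
        print(f"{risk.risk_id} score={risk.qualitative_score()}{flag}: {risk.statement()}")
    print(f"contingency allowance: {contingency_allowance(SAMPLE_REGISTER):.0f}")
```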

Determine Risk Responses (Planning). High-priority risks that matter need to be actively managed. Planning determines who, what, when, and how.

- Each risk needs an owner responsible for managing the risk.
- Appropriate responses should be determined and implemented by the risk owner. Note: if the risk exceeds the tolerances allowed for the project and cannot be avoided, transferred, or mitigated, and/or it affects other parts of the organization, management of the risk should be escalated to the appropriate management level for direction or management.
- Response options include:
  - establishing contingencies;
  - changing aspects of the project to enhance the likelihood of a benefit or mitigate the effect of a threat;
  - using contract provisions or insurance to transfer the effect (opportunity or threat) to a third party;
  - changing the project to eliminate threats by not doing whatever causes the threat, or to lock in opportunities so they do occur; or
  - escalating risks we have identified that may not affect our objectives, but that could affect some other part of the organization. Risk escalation is used to pass the risk to the person or party who would be affected if the risk (opportunity or threat) happened; organizational systems are needed with designated thresholds and contact points defined for effective risk escalation.

Risk Response Actions (Treatment). The planned responses must be implemented by the risk owner to change the overall risk exposure of the project.

- The implementation of each risk response should be incorporated in the project plan and action taken based on the plan.
- The results of each response should be monitored to ensure that they are having the desired effect.
- The consequence of the response may introduce new risks to be identified and addressed (secondary risks).
- Accepted risks, residual risks (any risk remaining after treatment), and unforeseen risks may occur. The effect of a risk when it occurs has to be managed to maximize the benefits or minimize the consequences:
  - Risk response plans may be available for accepted risks; these should be implemented (accepted risks are risks that have been identified but the cost of mitigating or avoiding the risk was deemed too high).
  - All other occurrences need to be proactively managed using workarounds.
- Various stakeholders are interested in risk at different levels, and it is important to report to them on the risks and the plans to address them.

Risk Communication. Inform stakeholders about the current risk exposure and its implications for project success.

Regular Risk Reviews. The overall risk profile of the project should be managed and reviewed on a regular basis. Topics for the review include:

- assessing whether the implemented actions have worked as expected
- monitoring the consumption of reserves and contingencies as risk events occur
- identifying new and changed risks
- recognizing sentinel events
- reprioritizing all remaining risks
- assessing appropriate treatments, actions, and escalations
- appointing a risk owner to any new risks (and noting any changes to existing risk owners)
- including new or revised treatments in the overall project plan for action

Lessons-Learned Review. As part of the overall project process, identify risk-related lessons to be learned for future projects.

Issues Management. Realized risks become issues. An issue is a risk with a 100 percent probability of occurring, either because it has already happened or because it will inevitably happen. The issues management process may be integral to the risk management process or a separate process. In either situation, the preparatory planning undertaken during risk management is actioned to minimize the impact of the risk event.

Defining the Appropriate Level of Risk Management

Projects and programs are exposed to different levels of risk, so the risk management process needs to be appropriately adapted to meet the risk challenge. Scalable elements include:

- Risk responsibilities: In the simplest case, the project manager may undertake all the elements of the risk process as part of the overall responsibility for managing the project, without using a risk specialist such as a risk champion or risk coordinator. At the other extreme, a complex, risky project may require input from people with particular risk skills, and a dedicated risk team may be employed, either from within the organization or from outside.
- Methodology and processes: A low-risk project may be able to incorporate the risk process within the overall project management process, without the need for specific risk management activities. A riskier project may need to use a defined risk process, perhaps following a recognized risk methodology.
- Tools and techniques: The simplest risk process might involve a team brainstorm as part of another project meeting, recording risks in a Microsoft Word document, and monitoring actions through the regular project review meetings. Riskier projects may require a series of meetings, a spreadsheet with some basic calculations, and mitigation plans with assigned risk owners. The riskiest projects may require a wide range of techniques and specialist tools for risk identification, assessment, and control, to ensure that all aspects of risk exposure are captured and dealt with appropriately.
- Supporting infrastructure: The lowest-risk projects may require no dedicated risk infrastructure, whereas high-risk projects demand robust support from integrated toolkits with high levels of functionality. It is important to get the level of infrastructure right, as too much support can strangle the risk process and too little support can leave it unable to function.
- Reporting requirements: For some projects, the risk reporting can be incorporated into routine project reports, whereas others may demand a variety of specific risk reports targeted to the needs of different stakeholders, providing each group of stakeholders with risk information that matches their interest in the project.
- Review and update frequency: It may be sufficient on low-risk or short-duration projects to update the risk assessment only once or twice during the life of the project. Other projects that are riskier or of longer duration may need a regular risk update cycle, say monthly or quarterly, depending on the project's complexity and rate of change.

Decisions on each of these scalable aspects should be documented in the project's risk management plan as part of the risk process initiation step, as agreed upon by the sponsor or client.

Dealing with Opportunities

Typically, about 80 percent or more of the risks recorded in risk registers are threats (negative risks), with less than 20 percent opportunities (positive risks). Ideally, this needs to change. Even if you cannot completely reverse the 80/20 balance, you need to work to fundamentally change the attitudes of internal stakeholders toward risk identification.

Actively seek opportunities: To promote this approach, ask your teams to view the project as a bank account. Every threat corresponds to a withdrawal or an additional charge, and each opportunity is a deposit or added income. Most people understand that in order to preserve and enhance the overall value of the account, it is important to focus on increasing gains as well as reducing charges. To achieve this, you need to encourage people to take risks.

Set opportunity-based risk thresholds: Asking people to take risks requires limits to be set on what is acceptable. All business investments and projects are carried out to create value for stakeholders. Risk thresholds can only be determined by considering the potential for both value creation and value destruction for the organization and using this to define acceptable risk thresholds. Based on these values, people can concentrate on maximizing value creation through controlled risk-taking.

Use value-focused risk management: Value is defined as any desirable result for a stakeholder in a given context. Once the anticipated value is defined, the risk process can be focused on enhancing the main value-creating opportunities, while at the same time addressing the principal threats that would undermine value for stakeholders.

Implement success-oriented risk response planning: Focus risk management on taking action in order to win, rather than hoping not to lose. In the traditional threat-based approach to risk management, people aim to protect themselves at all costs; this purely precautionary approach is always inefficient and often ends up protecting against things that are unlikely to happen. Focusing action plans on creating value instead creates a win-win situation with the stakeholders involved.

The Principles of Effective Risk Management

The UK Office of Government Commerce's (OGC) M_o_R (management of risk) principles have very broad applicability (Office of Government Commerce, 2010):

1. Risk management aligns continually with organizational objectives. Risk is uncertainty that matters, and it only matters if it could affect achievement of the objectives of the organization. We need to understand our objectives, define how much risk is acceptable, and decide how to manage risk within those limits. When objectives or risk tolerances change, the risk process must change, too.
2. Risk management is designed to fit the current context. Organizations operate in an external context (markets, competition, regulation, etc.) as well as an internal context (culture, people, and processes). Risk management must recognize and respond to the context, and change when it changes.

3. Risk management engages stakeholders and deals with differing perceptions of risk. Different stakeholders see risk differently, and the risk approach must take account of these perceptions. We need to recognize and counter bias, and manage stakeholder expectations regarding risk.
4. Risk management provides clear and coherent guidance to stakeholders. Clarity means that everyone knows what the risks are and how they are being addressed. Coherence occurs when risk is managed consistently across all levels of the organization and when it is communicated properly across organizational boundaries.
5. Risk management is linked to and informs decision making across the organization. We have to make decisions with incomplete or imperfect information, which makes decisions risky. The best decisions are made when we understand the risks that are associated with different options.
6. Risk management uses historical data and facilitates learning and continual improvement. We can improve the way we manage risk by identifying generic sources of risk and developing effective generic responses. The aim is to become more mature in our risk culture and practice.
7. Risk management creates a culture that recognizes uncertainty and supports considered risk-taking. Every significant activity involves uncertainty and requires us to take risk. But we need to take the right level of risk, balancing risk-taking with reward. This requires a risk-mature culture that rewards proactive risk management.
8. Risk management enables achievement of measurable organizational value. The risk process should result in fewer threats turning into real problems. It should also help us to turn more opportunities into real benefits. Both of these will create measurable value for the organization.

The OGC M_o_R principles provide a framework to challenge the way organizations manage (not avoid) risk. ISO 31000:2009 (below) covers similar territory, but as 11 principles.

The core principles defined in ISO 31000:2009 Risk Management - Principles and Guidelines are (International Organization for Standardization, n.d.):

1. Risk management creates and protects value. Value is created when we achieve our objectives, and risk management helps us to optimize our performance. It also protects value by minimizing the effect of downside risk, avoiding waste and rework.
2. Risk management is an integral part of all organizational processes. Risk management is not a stand-alone activity, and it should be "built in, not bolted on." Everything we do should take account of risk.

3. Risk management is part of decision making. When we are faced with important situations that involve significant uncertainty, our decisions need to be risk-informed.
4. Risk management explicitly addresses uncertainty. All sources and forms of uncertainty need to be considered, not just risk events. This includes ambiguity, variability, complexity, change, etc.
5. Risk management is systematic, structured, and timely. The risk process should be conducted in a disciplined way to maximize its effectiveness and efficiency.
6. Risk management is based on the best available information. We will never have perfect information, but we should always be sure to use every source, being aware of its limitations.
7. Risk management is tailored. There is no "one-size-fits-all" approach. We need to adjust the process to match the specific risk challenge that we face.
8. Risk management accounts for human and cultural factors. Risk is managed by people, not processes or techniques. We need to recognize the existence of different risk perceptions and risk attitudes.
9. Risk management is transparent and inclusive. We must communicate honestly about risk to our stakeholders and decision makers, even if the message is unwelcome to some.
10. Risk management is dynamic, iterative, and responsive to change. Risk changes constantly, and the risk process needs to stay up to date, reviewing existing risks and identifying new ones.
11. Risk management facilitates continual improvement of the organization. Our management of risk should improve with time as we learn lessons from the past in order to benefit the future.

Organizational Governance. Risk management is part of the overall governance structure of the organization. The project and program risk processes should be part of and integrate with the organization's risk management system. Some of the key elements include:

- The Risk Management process area of Capability Maturity Model Integration (CMMI).
- Capturing lessons learned. At the end of the project or program, or after a risk event has occurred, time should be taken to think about what worked well and what needs improvement, while recording the conclusions in a way that makes the lessons learned readily available in an effective knowledge management system.
- Reporting and understanding systemic risk factors and the impact of the project's risks on the overall organization's risk profile.
- Supporting organizational audit and compliance requirements through accurate and transparent risk recording and reporting processes.

Unplanned Risk Events

It is impossible to know what you do not know. Many risk events will occur during the course of the project that were not identified, listed, or planned. For any organization, system, or project team to withstand the impact of unexpected events, two elements are needed. First, the team needs to have a level of resilience that allows the impact to be absorbed, managed, and dealt with. Building resilience into any team or system is not simple and requires an organic capability to respond creatively and effectively. The team and system need some spare capacity (even if this is achieved by extraordinary effort), good internal communications, trust in each other, and a clear understanding of how things work.

The second element is practiced agility in dealing with potential scenarios. The actual event will be different from the scenarios practiced, but the response processes should be established. Some of the key elements include:

- senior management commitment to support the team
- established processes and a core administrative team
- a rapid response plan that may include:
  - classification and trigger points (you need to recognize you have a problem), such as:
    - a medical emergency
    - a system failure
    - an external threat (fire, bomb, storm, etc.)
  - call-out procedures to assemble the response team
  - immediate actions to protect and preserve
  - team roles and responsibilities
  - strategies to deal with foreseeable threats
  - strategies to deal with stakeholders, the media, and regulatory authorities
  - recovery and continuity plans

There is no point in having a plan if it is not practiced; rehearsal and drills are important. Depending on the severity of the risk, options range from desktop exercises through to full dress rehearsals. Risk management and crisis management are closely aligned: a significant risk event will trigger a crisis.

Risk Management Health Checks

An effective risk culture that proactively identifies all risk and accepts the right risks to support the development of the organization is a core business activity. The key questions the governing board needs to ask regularly are:

1. Does everyone speak the same risk language and understand the risk culture of the organization?
2. Has risk management degenerated into a "box-ticking" process or a "form-filling" bureaucracy? Or is there proactive debate over key risk decisions?
3. Do we have the right controls in place, or are there too many restrictions?
4. Do we learn from our mistakes and improve the system by sharpening focus, or does another layer of bureaucracy get added each time a mistake is identified?
5. Does our risk management framework extend to our strategic decision making and align with our strategic objectives?
6. Is everybody accountable for managing risks?

Risk Management Standards

Published standards and guides assist in developing an effective risk management system for the organization. Some of the key risk management standards include:

- ISO 31000 Risk Management. ISO 31000 is intended to be a family of standards relating to risk management. Available from http://infostore.saiglobal.com/store/
- AS/NZS 4360:2004, Risk management. The Australian standard for risk management, including guidelines. Available from http://infostore.saiglobal.com/store/
- PMI Practice Standard for Risk Management. Supports and extends the risk management aspects of the PMBOK Guide, 4th Edition. Available from http://www.mosaicprojects.com.au/Book_Sales.html#PMI
- Project Risk Analysis and Management (PRAM Guide). Available from http://www.apm.org.uk/
- Prioritising Project Risks, A short guide to useful techniques. Available from http://www.apm.org.uk/
- Interfacing Risk and Earned Value Management. Available from http://www.apm.org.uk/
- Management of Risk (M_o_R). Available from http://www.mor-officialsite.com/home/home.asp

References

International Organization for Standardization (ISO). (n.d.). ISO 31000:2009 Risk management - principles and guidelines. Retrieved from https://www.iso.org/iso-31000-risk-management.html

UK Office of Government Commerce (OGC). (2010). Management of risk: Guidance for practitioners (3rd ed.). London, UK: The Stationery Office. ISBN 978-0-11-331274-0

Licenses and Attributions

Risk Management (http://www.mosaicprojects.com.au/WhitePapers/WP1047_Risk_Management.pdf) from Mosaic is available under a Creative Commons Attribution 3.0 Unported (https://creativecommons.org/licenses/by/3.0/) license. UMGC has modified this work and it is available under the original license.

© 2021 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information located at external sites.