risk manegment report

profilemidooo_nz
mane.zip

mane/.DS_Store

__MACOSX/mane/._.DS_Store

mane/Engineering projects_edit.pdf

Content

• Block structure • Engineering Projects • Project life cycle • Defining the project

Block Structure

• Lecture 1 Defining Project • Tutorial 1 Estimating Project and Costs • Lecture 2 Risk Management • Tutorial 2 Risk Assessment Techniques • Lecture 3 Guest Speaker

“Risk Management in AMA” • Tutorial 3 Risk Management Case Study

Defining Project

• Describe a range of engineering projects • Specify engineering project scope

Estimating Project Costs

• Estimating guidelines for time, costs, and resources.

• Methods of estimating project costs

Risk Management

• Risk management framework • Risk management process

Risk Assessment Techniques

• Qualitative risk assessment • Quantitative risk assessment

Case Study

• Risk management analysis • Additional Auckland Harbour Crossing

Resources

• Project Management: The Managerial Process

• Chapters 1, 2, 4

ENGINEERING PROJECTS

What is a project?

• A complex, non-routine, one-time effort

limited by time, budget, resources and

performance specifications designed

to meet customer needs.

Major Characteristics

• Has an established objectives • Has a defined life span with a

beginning and an end • Requires across-the-

organisation participation • Typically involves doing something

that has never been done before • Has specify time, cost and

performance requirements

Range of Engineering Projects

• International Space Station – Fifteen nations taking part in the programme

– Permanent accommodation for six, short-term

accommodation for up to fifteen. – Largest space project so far – Biggest structure ever to orbit the Earth

Range of Engineering Projects

• Burj Khalifa

– The tallest building in the

world (829.8m)

– Cost: USD$1.5 billion

Range of Engineering Projects

• Millau Viaduct – The tallest bridge in the world (343m) – Time to build: 3 years – Cost: €400 million – 16 lanes of traffic, 10,000 to 25,000

vehicles per day

Importance of Project Management

• compression of the product life cycle • knowledge explosion • triple bottom line (planet, people, profit) • corporate downsizing • increased customer focus • small projects represent big problems

PROJECT LIFE CYCLE

Project Life Cycle

Project Life Cycle

• Defining • Planning • Executing • Closing

Project Life Cycle

Defining the Project

• The identification of Need(s) • Specifying key project requirements • Scoping and Formation of “TEAM“ -

selection of Advisers, Consultants, and

preferably, Constructors/Implementers.

Defining the Project

• Project feasibility

– Definition of project goals and objectives

– Developing outline programme and budget.

– Technical Alternatives

– Considering financing requirements and sources.

– Initiating planning and statutory approvals.

– Formulating contractual arrangements and purchasing methods.

– Preparing for OWNER’s "Go/No Go" decision.

Planning the Project

• Confirming contracts with “PROJECT TEAM". • Planning and Design

Scheme Design Design

Documentation Development

• Cost Planning - Evaluation of costs to optimise methods and resource use.

• Finalising reporting system for costs, progress, etc.

• Selecting and ordering long lead items.

Executing the Project

• Project tender • Project construction

Project Tender

• Pre-qualifying contract / sub-contract bidders.

– Open, Selective and Negotiated Tenders • Receiving and reviewing contract/sub-contract bids.

– Tender Analyses • Recommending & Letting of contracts/sub-contracts.

– Lump Sum (with or without fluctuations)

– Measure and Value

– Cost Reimbursable

Project Construction

• Physical execution of project according to programme.

• Monitoring of costs, progress,

quality control, etc. • Payments to Contractors. • Compliances and Statutory Approvals

Closing the Project

• Ensuring satisfactory performance of installations • Cataloguing and handing over service manuals. • Completion of as-built drawings/designs. • Checking off on final performance –

Project Engineer checks-off completion • Final certification and settlement of all

financial matters (project close-out). • Handing-over project to OWNER.

DEFINING THE PROJECT

Key Steps

Step 1: Defining the project scope

Step 2: Establishing project priorities

Step 3: Creating the work breakdown structure (WBS)

Step 4: Integrating the WBS with the organisation

Step 5: Coding the WBS for the information system

Step 1: Defining the Project Scope

• Project scope

A definition of the end result or mission of

the project—a product or service for the

client/customer—in specific, tangible and

measurable terms

Step 1: Defining the Project Scope

• Purpose of the scope statement • To clearly define the deliverable(s) for the end user

• To focus the project on successful

completion of its goals

• To be used by the project owner and participants as a planning tool and for measuring project success

Step 1: Defining the Project Scope

• Project scope checklist 1. Project objective

2. Deliverables

3. Milestones

4. Technical requirements

5. Limits and exclusions

6. Reviews with customer

Step 2: Establishing Priorities

• Project trade-offs

Step 2: Establishing Priorities

• Causes of project trade-offs • Shifts in the relative importance of criteria related

to cost, time and performance parameters

» Budget–Cost

» Schedule–Time

» Performance–Scope

Step 2: Establishing Priorities

Step 3: Creating WBS

• Work breakdown structure (WBS) • A hierarchical outline (map) that identifies the

products and work elements involved in a project

• Defines the relationship of the final deliverable

(the project) to its subdeliverables and in turn

their relationships to work packages

• Best suited for design and build projects that have

tangible outcomes rather than process-oriented

projects

Step 3: Creating WBS

Step 4: Integrating WBS

• Integrating the WBS with the organisation

Step 5: Coding WBS for

Information System

• WBS coding system • Defines:

– levels and elements of the WBS

– organisation elements

– work packages

– budget and cost information

• Allows reports to be consolidated at any level in the

organisation structure

Step 5: Coding WBS for

Information System

• Responsibility matrix (RM) – Also called a linear responsibility chart – Summarises the tasks to be accomplished and who is responsible for

what on the project: • lists project activities and participants

• clarifies critical interfaces between units and individuals that

need coordination

• provides a means for all participants to view their responsibilities and agree on their assignments

• clarifies the extent or type of authority that can be exercised by

each participant

Step 5: Coding WBS for

Information System

Step 5: Coding WBS for

Information System

• Project communication plan

– What information needs to be collected and when?

– Who will receive the information? – What methods will be used to gather and store

information? – What are the limits, if any, on who has access

to certain kinds of information? – When will the information be communicated? – How will it be communicated?

__MACOSX/mane/._Engineering projects_edit.pdf

mane/ISO_31000_2009_eng.pdf

Joint Australian New Zealand International Standard

Risk management – Principles and guidelines Superseding AS / NZS 4360:2004

AS / NZS ISO 31000:2009

A S

/N ZS

IS O

31000:2009

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

AS/NZS ISO 31000:2009 This Joint Australian/New Zealand Standard was prepared by Joint Technical Committee OB-007, Risk Management. It was approved on behalf of the Council of Standards Australia on 6 November 2009 and on behalf of the Council of Standards New Zealand on 16 October 2009. This Standard was published on 20 November 2009.

The following are represented on Committee OB-007:

Australian Computer Society Commerce Commission New Zealand Committee IT-012 Department of Education and Early Childhood Development Victoria Emergency Management Australia Engineers Australia Environmental Risk Management Authority New Zealand Financial Services Institute of Australia The Institute of Internal Auditors – Australia Institution of Professional Engineers New Zealand International Association of Emergency Managers La Trobe University Law Society of New South Wales Massey University Minerals Council of Australia Ministry of Economic Development (New Zealand) New Zealand Society for Risk Management Risk Management Institution of Australasia The University of New South Wales University of Canterbury New Zealand

Keeping Standards up-to-date Standards are living documents which reflect progress in science, technology and systems. To maintain their currency, all Standards are periodically reviewed, and new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using a current Standard, which should include any amendments which may have been published since the Standard was purchased. Detailed information about joint Australian/New Zealand Standards can be found by visiting the Standards Web Shop at www.saiglobal.com.au or Standards New Zealand web site at www.standards.co.nz and looking up the relevant Standard in the on-line catalogue. For more frequent listings or notification of revisions, amendments and withdrawals, Standards Australia and Standards New Zealand offer a number of update options. For information about these services, users should contact their respective national Standards organization. We also welcome suggestions for improvement in our Standards, and especially encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Please address your comments to the Chief Executive of either Standards Australia or Standards New Zealand at the address shown on the title page.

This Standard was issued in draft form for comment as DR 09063.

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

--`,,,,,,,,`,,```,,,`,,`,`,,,,-`-`,,`,,`,`,,`---

AS/NZS ISO 31000:2009

Australian/New Zealand Standard™

Risk management—Principles and guidelines

COPYRIGHT © Standards Australia/Standards New Zealand

All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher.

Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards New Zealand, Private Bag 2439, Wellington 6140.

ISBN 978-1-86975-127-2

Originated as AS/NZS 4360:1995. Third edition 2004. Revised and redesignated as AS/NZS ISO 31000:2009.

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ii

PREFACE

This Standard was prepared by Joint Standards Australia/Standards New Zealand Committee

OB-007, Risk Management to supersede AS/NZS 4360:2004, Risk management.

When AS/NZS 4360:1999 was revised in 2004 (as part of a routine five yearly revision), it was

decided by the Joint Australian/New Zealand Committee OB-007 that rather than undertake a

similar revision in 2009, Standards Australia and Standards New Zealand would promote the

development of an international standard on risk management which would then be adopted.

In 2005 the International Organization for Standardization (ISO) established a working group to

develop the first international risk management standard using AS/NZS 4360:2004 as the first

draft. The standard development process included extensive public consultation in Australia and

New Zealand and resulted in the publication of ISO 31000:2009.

The main variations to AS/NZS 4360:2004, as outlined in the Introduction, are as follows:

(a) Risk is now defined in terms of the effect of uncertainty on objectives.

(b) The principles that organizations must follow to achieve effective risk management have

now been made explicit.

(c) There is much greater emphasis and guidance on how risk management should be

implemented and integrated into organizations through the creation and continuous

improvement of a framework.

(d) An informative Annex describes the attributes of enhanced risk management and

recognizes that while all organizations manage risk in some way and to some extent this

may not always be optimal.

The process described for managing risk is identical to that in AS/NZS 4360:2004.

This Standard is identical with, and has been reproduced from ISO 31000:2009, Risk

management—Principles and guidelines. Minor changes have been made to the Introduction to

address the application of the Standard in Australia and New Zealand.

As this Standard is reproduced from an International Standard, the following applies:

(i) Its number does not appear on each page of text and its identity is shown only on the

cover and title page.

(ii) In the source text ‘this International Standard’ should read ‘this Australian/New Zealand

Standard’.

The term ‘informative’ is used to define the application of the annex to which it applies. An

informative annex is only for information and guidance.

ii

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

iii

CONTENTS

Page

ISO 31000:2009(E)

© ISO 2009 – All rights reserved iii

Contents Page

Foreword ............................................................................................................................................................iv Introduction.........................................................................................................................................................v 1 Scope ......................................................................................................................................................1 2 Terms and definitions ...........................................................................................................................1 3 Principles................................................................................................................................................7 4 Framework .............................................................................................................................................8 4.1 General ...................................................................................................................................................8 4.2 Mandate and commitment ....................................................................................................................9 4.3 Design of framework for managing risk............................................................................................ 10 4.3.1 Understanding of the organization and its context .........................................................................10 4.3.2 Establishing risk management policy ............................................................................................... 10 4.3.3 Accountability ......................................................................................................................................11 4.3.4 Integration into organizational processes ........................................................................................ 11 4.3.5 Resources ............................................................................................................................................11 4.3.6 Establishing internal communication and reporting mechanisms ................................................ 12 4.3.7 Establishing external communication and reporting mechanisms ............................................... 12 4.4 Implementing risk management ........................................................................................................ 12 4.4.1 Implementing the framework for managing risk ..............................................................................12 4.4.2 Implementing the risk management process ...................................................................................13 4.5 Monitoring and review of the framework .......................................................................................... 13 4.6 Continual improvement of the framework ........................................................................................13 5 Process.................................................................................................................................................13 5.1 General .................................................................................................................................................13 5.2 Communication and consultation ..................................................................................................... 14 5.3 Establishing the context .....................................................................................................................15 5.3.1 General .................................................................................................................................................15 5.3.2 Establishing the external context ......................................................................................................15 5.3.3 Establishing the internal context .......................................................................................................15 5.3.4 Establishing the context of the risk management process ............................................................16 5.3.5 Defining risk criteria............................................................................................................................17 5.4 Risk assessment .................................................................................................................................17 5.4.1 General .................................................................................................................................................17 5.4.2 Risk identification................................................................................................................................17 5.4.3 Risk analysis ........................................................................................................................................18 5.4.4 Risk evaluation ....................................................................................................................................18 5.5 Risk treatment......................................................................................................................................18 5.5.1 General .................................................................................................................................................18 5.5.2 Selection of risk treatment options ................................................................................................... 19 5.5.3 Preparing and implementing risk treatment plans .......................................................................... 20 5.6 Monitoring and review ........................................................................................................................20 5.7 Recording the risk management process......................................................................................... 21 Annex A (informative) Attributes of enhanced risk management................................................................22 Bibliography......................................................................................................................................................24

iii

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

iv

INTRODUCTION

Organizations of any kind face internal and external factors and influences that make it

uncertain whether, when and the extent to which they will achieve or exceed their objectives.

The effect this uncertainty has on the organization’s objectives is “risk”.

All activities of an organization involve risk. Organizations manage risk by anticipating,

understanding and deciding whether to modify it. Throughout this process they communicate

and consult with stakeholders and monitor and review the risk and the controls that are

modifying the risk. This Standard describes this systematic and logical process in detail.

This is a new standard for managing risk that supersedes AS/NZS 4360:2004. It builds upon the

processes contained in the superseded standard.

While all organizations manage risk to some degree, this Standard establishes a number of

principles that need to be satisfied before risk management will be effective. This Standard

recommends that organizations should have a framework that integrates the process for

managing risk into the organization's overall governance, strategy and planning, management,

reporting processes, policies, values and culture.

Risk management can be applied across an entire organization, to its many areas and levels, as

well as to specific functions, projects and activities.

Although the practice of risk management has been developed over time and within many

sectors to meet diverse needs, the adoption of consistent processes within a comprehensive

framework helps ensure that risk is managed effectively, efficiently and coherently across an

organization. The generic approach described in this Standard provides the principles and

guidelines for managing any form of risk in a systematic, transparent and credible manner and

within any scope and context.

The relationship between the principles for managing risk, the framework in which it occurs and

the risk management process described in this Standard is shown in Figure 1.

When implemented and maintained in accordance with this Standard, the management of risk

enables all organizations to, for example—

(a) increase the likelihood of achieving objectives;

(b) encourage proactive management;

(c) be aware of the need to identify and treat risk throughout the organization;

(d) improve the identification of opportunities and threats;

(e) achieve compatible risk management practices between organisations and nations;

(f) comply with relevant legal and regulatory requirements and international norms;

(g) improve financial reporting;

(h) improve governance;

(i) improve stakeholder confidence and trust;

(j) establish a reliable basis for decision making and planning;

(k) improve controls;

(l) effectively allocate and use resources for risk treatment;

(m) improve operational effectiveness and efficiency;

(n) enhance health and safety performance as well as environmental protection;

(o) improve loss prevention and incident management;

iv

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

--`,,,,,,,,`,,```,,,`,,`,`,,,,-`-`,,`,,`,`,,`---

v

(p) minimize losses;

(q) improve organizational learning; and

(r) improve organizational resilience.

This Standard is intended to meet the needs of a wide range of stakeholders including—

(i) those accountable for achieving objectives and therefore ensuring that risk is effectively

managed within the organization as a whole or within a specific area, project or activity;

(ii) those responsible for developing risk management policy within their organization;

(iii) those who need to evaluate an organization effectiveness in managing risk; and

(iv) developers of standards, guides, procedures, and codes of practice that in whole or in part

set out how risk is to be managed within the specific context of these documents.

Organizations with existing risk management processes can use this Standard to critically

review, align and improve their existing practices. Those whose risk management framework

has been based on AS/NZS 4360:2004 will thereby benefit from the additional concepts and

practices in this Standard.

In this Standard, the expressions “risk management” and “managing risk” are both used. In

general terms, “risk management” refers to the architecture (principles, framework and process)

for managing risks effectively, and “managing risk” refers to applying that architecture to

particular risks.

v

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

© ISO 2009 – All rights reserved vii

M an

da te

an

d co

m m

itm en

t ( 4.

2) Im pl

em en

tin g

ri sk

m

an ag

em en

t (4

.4 )

D es

ig n

of

fr am

ew or

k fo

r m

an ag

in g

ri sk

(4 .3

)

C on

tin ua

l im

pr ov

em en

t of

th e

fr am

ew or

k (4

.6 )

M on

ito ri

ng

an d

re vi

ew

of th

e fr

am ew

or k

(4 .5

)

Fr am

ew or

k (C

la us

e 4)

a) C

re at

es v

al ue

b) In

te gr

al p

ar t o

f or

ga ni

za tio

na l p

ro ce

ss es

c) P

ar t o

f d ec

is io

n m

ak in

g

d) E

xp lic

itl y

ad dr

es se

s un

ce rt

ai nt

y

e) S

ys te

m at

ic , s

tr uc

tu re

d an

d tim

el y

f) B

as ed

o n

th e

be st

av

ai la

bl e

in fo

rm at

io n

g) T

ai lo

re d

h) T

ak es

h um

an a

nd

cu ltu

ra l f

ac to

rs in

to

ac co

un t

i) T

ra ns

pa re

nt a

nd in

cl us

iv e

j) D

yn am

ic , i

te ra

tiv e

an d

re sp

on si

ve to

c ha

ng e

k) F

ac ili

ta te

s co

nt in

ua l

im pr

ov em

en t a

nd

en ha

nc em

en t o

f t he

or

ga ni

za tio

n

P ri

nc ip

le s

(C la

us e

3) P

ro ce

ss (C

la us

e 5)

E st

ab lis

hi ng

th e

co nt

ex t

(5 .3

)

R is

k a

ss es

sm en

t ( 5.

4)

R is

k id

en tif

ic at

io n

(5 .4

.2 )

R is

k an

al ys

is (5

.4 .3

)

R is

k ev

al ua

tio n

(5 .4

.4 )

R is

k tr

ea tm

en t (

5. 5)

Communication and consultation (5.2)

Monitoring and review (5.6)

Figure 1 — Relationships between the risk management principles, framework and process

vi

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

1

AUSTRALIAN/NEW ZEALAND STANDARD

Risk management—Principles and guidelines

INTERNATIONAL STANDARD ISO 31000:2009(E)

© ISO 2009 – All rights reserved 1

Risk management — Principles and guidelines

1 Scope

This International Standard provides principles and generic guidelines on risk management.

This International Standard can be used by any public, private or community enterprise, association, group or individual. Therefore, this International Standard is not specific to any industry or sector.

NOTE For convenience, all the different users of this International Standard are referred to by the general term “organization”.

This International Standard can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.

This International Standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

Although this International Standard provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.

It is intended that this International Standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.

This International Standard is not intended for the purpose of certification.

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

2.1 risk effect of uncertainty on objectives

NOTE 1 An effect is a deviation from the expected — positive and/or negative.

NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).

NOTE 3 Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these.

NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.

1

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

2 © ISO 2009 – All rights reserved

NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.

[ISO Guide 73:2009, definition 1.1]

2.2 risk management coordinated activities to direct and control an organization with regard to risk (2.1)

[ISO Guide 73:2009, definition 2.1]

2.3 risk management framework set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring (2.28), reviewing and continually improving risk management (2.2) throughout the organization

NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk (2.1).

NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.

NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational policies and practices.

[ISO Guide 73:2009, definition 2.1.1]

2.4 risk management policy statement of the overall intentions and direction of an organization related to risk management (2.2)

[ISO Guide 73:2009, definition 2.1.2]

2.5 risk attitude organization's approach to assess and eventually pursue, retain, take or turn away from risk (2.1)

[ISO Guide 73:2009, definition 3.7.1.1]

2.6 risk management plan scheme within the risk management framework (2.3) specifying the approach, the management components and resources to be applied to the management of risk (2.1)

NOTE 1 Management components typically include procedures, practices, assignment of responsibilities, sequence and timing of activities.

NOTE 2 The risk management plan can be applied to a particular product, process and project, and part or whole of the organization.

[ISO Guide 73:2009, definition 2.1.3]

2.7 risk owner person or entity with the accountability and authority to manage a risk (2.1)

[ISO Guide 73:2009, definition 3.5.1.5]

2

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

--`,,,,,,,,`,,```,,,`,,`,`,,,,-`-`,,`,,`,`,,`---

ISO 31000:2009(E)

© ISO 2009 – All rights reserved 3

2.8 risk management process systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring (2.28) and reviewing risk (2.1)

[ISO Guide 73:2009, definition 3.1]

2.9 establishing the context defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria (2.22) for the risk management policy (2.4)

[ISO Guide 73:2009, definition 3.3.1]

2.10 external context external environment in which the organization seeks to achieve its objectives

NOTE External context can include:

⎯ the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;

⎯ key drivers and trends having impact on the objectives of the organization; and

⎯ relationships with, and perceptions and values of external stakeholders (2.13).

[ISO Guide 73:2009, definition 3.3.1.1]

2.11 internal context internal environment in which the organization seeks to achieve its objectives

NOTE Internal context can include:

⎯ governance, organizational structure, roles and accountabilities;

⎯ policies, objectives, and the strategies that are in place to achieve them;

⎯ the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);

⎯ information systems, information flows and decision-making processes (both formal and informal);

⎯ relationships with, and perceptions and values of, internal stakeholders;

⎯ the organization's culture;

⎯ standards, guidelines and models adopted by the organization; and

⎯ form and extent of contractual relationships.

[ISO Guide 73:2009, definition 3.3.1.2]

2.12 communication and consultation continual and iterative processes that an organization conducts to provide, share or obtain information and to engage in dialogue with stakeholders (2.13) regarding the management of risk (2.1)

3

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

4 © ISO 2009 – All rights reserved

NOTE 1 The information can relate to the existence, nature, form, likelihood (2.19), significance, evaluation, acceptability and treatment of the management of risk.

NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:

⎯ a process which impacts on a decision through influence rather than power; and

⎯ an input to decision making, not joint decision making.

[ISO Guide 73:2009, definition 3.2.1]

2.13 stakeholder person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity

NOTE A decision maker can be a stakeholder.

[ISO Guide 73:2009, definition 3.2.1.1]

2.14 risk assessment overall process of risk identification (2.15), risk analysis (2.21) and risk evaluation (2.24)

[ISO Guide 73:2009, definition 3.4.1]

2.15 risk identification process of finding, recognizing and describing risks (2.1)

NOTE 1 Risk identification involves the identification of risk sources (2.16), events (2.17), their causes and their potential consequences (2.18).

NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholder's (2.13) needs.

[ISO Guide 73:2009, definition 3.5.1]

2.16 risk source element which alone or in combination has the intrinsic potential to give rise to risk (2.1)

NOTE A risk source can be tangible or intangible.

[ISO Guide 73:2009, definition 3.5.1.2]

2.17 event occurrence or change of a particular set of circumstances

NOTE 1 An event can be one or more occurrences, and can have several causes.

NOTE 2 An event can consist of something not happening.

NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.

NOTE 4 An event without consequences (2.18) can also be referred to as a “near miss”, “incident”, “near hit” or “close call”.

[ISO Guide 73:2009, definition 3.5.1.3]

4

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

© ISO 2009 – All rights reserved 5

2.18 consequence outcome of an event (2.17) affecting objectives

NOTE 1 An event can lead to a range of consequences.

NOTE 2 A consequence can be certain or uncertain and can have positive or negative effects on objectives.

NOTE 3 Consequences can be expressed qualitatively or quantitatively.

NOTE 4 Initial consequences can escalate through knock-on effects.

[ISO Guide 73:2009, definition 3.6.1.3]

2.19 likelihood chance of something happening

NOTE 1 In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).

NOTE 2 The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.

[ISO Guide 73:2009, definition 3.6.1.1]

2.20 risk profile description of any set of risks (2.1)

NOTE The set of risks can contain those that relate to the whole organization, part of the organization, or as otherwise defined.

[ISO Guide 73:2009, definition 3.8.2.5]

2.21 risk analysis process to comprehend the nature of risk (2.1) and to determine the level of risk (2.23)

NOTE 1 Risk analysis provides the basis for risk evaluation (2.24) and decisions about risk treatment (2.25).

NOTE 2 Risk analysis includes risk estimation.

[ISO Guide 73:2009, definition 3.6.1]

2.22 risk criteria terms of reference against which the significance of a risk (2.1) is evaluated

NOTE 1 Risk criteria are based on organizational objectives, and external (2.10) and internal context (2.11).

NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.

[ISO Guide 73:2009, definition 3.3.1.3]

5

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

6 © ISO 2009 – All rights reserved

2.23 level of risk magnitude of a risk (2.1) or combination of risks, expressed in terms of the combination of consequences (2.18) and their likelihood (2.19)

[ISO Guide 73:2009, definition 3.6.1.8]

2.24 risk evaluation process of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk (2.1) and/or its magnitude is acceptable or tolerable

NOTE Risk evaluation assists in the decision about risk treatment (2.25).

[ISO Guide 73:2009, definition 3.7.1]

2.25 risk treatment process to modify risk (2.1)

NOTE 1 Risk treatment can involve:

⎯ avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;

⎯ taking or increasing risk in order to pursue an opportunity;

⎯ removing the risk source (2.16);

⎯ changing the likelihood (2.19);

⎯ changing the consequences (2.18);

⎯ sharing the risk with another party or parties (including contracts and risk financing); and

⎯ retaining the risk by informed decision.

NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.

NOTE 3 Risk treatment can create new risks or modify existing risks.

[ISO Guide 73:2009, definition 3.8.1]

2.26 control measure that is modifying risk (2.1)

NOTE 1 Controls include any process, policy, device, practice, or other actions which modify risk.

NOTE 2 Controls may not always exert the intended or assumed modifying effect.

[ISO Guide 73:2009, definition 3.8.1.1]

2.27 residual risk risk (2.1) remaining after risk treatment (2.25)

NOTE 1 Residual risk can contain unidentified risk.

NOTE 2 Residual risk can also be known as “retained risk”.

[ISO Guide 73:2009, definition 3.8.1.6]

6

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

© ISO 2009 – All rights reserved 7

2.28 monitoring continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected

NOTE Monitoring can be applied to a risk management framework (2.3), risk management process (2.8), risk (2.1) or control (2.26).

[ISO Guide 73:2009, definition 3.8.2.1]

2.29 review activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives

NOTE Review can be applied to a risk management framework (2.3), risk management process (2.8), risk (2.1) or control (2.26).

[ISO Guide 73:2009, definition 3.8.2.2]

3 Principles

For risk management to be effective, an organization should at all levels comply with the principles below.

a) Risk management creates and protects value.

Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

b) Risk management is an integral part of all organizational processes.

Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.

c) Risk management is part of decision making.

Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

d) Risk management explicitly addresses uncertainty.

Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

e) Risk management is systematic, structured and timely.

A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

f) Risk management is based on the best available information.

The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.

7

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

8 © ISO 2009 – All rights reserved

g) Risk management is tailored.

Risk management is aligned with the organization's external and internal context and risk profile.

h) Risk management takes human and cultural factors into account.

Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.

i) Risk management is transparent and inclusive.

Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

j) Risk management is dynamic, iterative and responsive to change.

Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.

k) Risk management facilitates continual improvement of the organization.

Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.

Annex A provides further advice for organizations wishing to manage risk more effectively.

4 Framework

4.1 General

The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels. The framework assists in managing risks effectively through the application of the risk management process (see Clause 5) at varying levels and within specific contexts of the organization. The framework ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant organizational levels.

This clause describes the necessary components of the framework for managing risk and the way in which they interrelate in an iterative manner, as shown in Figure 2.

8

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

--`,,,,,,,,`,,```,,,`,,`,`,,,,-`-`,,`,,`,`,,`---

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

10 © ISO 2009 – All rights reserved

⎯ assign accountabilities and responsibilities at appropriate levels within the organization;

⎯ ensure that the necessary resources are allocated to risk management;

⎯ communicate the benefits of risk management to all stakeholders; and

⎯ ensure that the framework for managing risk continues to remain appropriate.

4.3 Design of framework for managing risk

4.3.1 Understanding of the organization and its context

Before starting the design and implementation of the framework for managing risk, it is important to evaluate and understand both the external and internal context of the organization, since these can significantly influence the design of the framework.

Evaluating the organization's external context may include, but is not limited to:

a) the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;

b) key drivers and trends having impact on the objectives of the organization; and

c) relationships with, and perceptions and values of, external stakeholders.

Evaluating the organization's internal context may include, but is not limited to:

⎯ governance, organizational structure, roles and accountabilities;

⎯ policies, objectives, and the strategies that are in place to achieve them;

⎯ capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);

⎯ information systems, information flows and decision making processes (both formal and informal);

⎯ relationships with, and perceptions and values of, internal stakeholders;

⎯ the organization's culture;

⎯ standards, guidelines and models adopted by the organization; and

⎯ the form and extent of contractual relationships.

4.3.2 Establishing risk management policy

The risk management policy should clearly state the organization's objectives for, and commitment to, risk management and typically addresses the following:

⎯ the organization's rationale for managing risk;

⎯ links between the organization's objectives and policies and the risk management policy;

⎯ accountabilities and responsibilities for managing risk;

⎯ the way in which conflicting interests are dealt with;

10

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

© ISO 2009 – All rights reserved 11

⎯ commitment to make the necessary resources available to assist those accountable and responsible for managing risk;

⎯ the way in which risk management performance will be measured and reported; and

⎯ commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances.

The risk management policy should be communicated appropriately.

4.3.3 Accountability

The organization should ensure that there is accountability, authority and appropriate competence for managing risk, including implementing and maintaining the risk management process and ensuring the adequacy, effectiveness and efficiency of any controls. This can be facilitated by:

⎯ identifying risk owners that have the accountability and authority to manage risks;

⎯ identifying who is accountable for the development, implementation and maintenance of the framework for managing risk;

⎯ identifying other responsibilities of people at all levels in the organization for the risk management process;

⎯ establishing performance measurement and external and/or internal reporting and escalation processes; and

⎯ ensuring appropriate levels of recognition.

4.3.4 Integration into organizational processes

Risk management should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organizational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.

There should be an organization-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organization's practices and processes. The risk management plan can be integrated into other organizational plans, such as a strategic plan.

4.3.5 Resources

The organization should allocate appropriate resources for risk management.

Consideration should be given to the following:

⎯ people, skills, experience and competence;

⎯ resources needed for each step of the risk management process;

⎯ the organization's processes, methods and tools to be used for managing risk;

⎯ documented processes and procedures;

⎯ information and knowledge management systems; and

⎯ training programmes.

11

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

12 © ISO 2009 – All rights reserved

4.3.6 Establishing internal communication and reporting mechanisms

The organization should establish internal communication and reporting mechanisms in order to support and encourage accountability and ownership of risk. These mechanisms should ensure that:

⎯ key components of the risk management framework, and any subsequent modifications, are communicated appropriately;

⎯ there is adequate internal reporting on the framework, its effectiveness and the outcomes;

⎯ relevant information derived from the application of risk management is available at appropriate levels and times; and

⎯ there are processes for consultation with internal stakeholders.

These mechanisms should, where appropriate, include processes to consolidate risk information from a variety of sources, and may need to consider the sensitivity of the information.

4.3.7 Establishing external communication and reporting mechanisms

The organization should develop and implement a plan as to how it will communicate with external stakeholders. This should involve:

⎯ engaging appropriate external stakeholders and ensuring an effective exchange of information;

⎯ external reporting to comply with legal, regulatory, and governance requirements;

⎯ providing feedback and reporting on communication and consultation;

⎯ using communication to build confidence in the organization; and

⎯ communicating with stakeholders in the event of a crisis or contingency.

These mechanisms should, where appropriate, include processes to consolidate risk information from a variety of sources, and may need to consider the sensitivity of the information.

4.4 Implementing risk management

4.4.1 Implementing the framework for managing risk

In implementing the organization's framework for managing risk, the organization should:

⎯ define the appropriate timing and strategy for implementing the framework;

⎯ apply the risk management policy and process to the organizational processes;

⎯ comply with legal and regulatory requirements;

⎯ ensure that decision making, including the development and setting of objectives, is aligned with the outcomes of risk management processes;

⎯ hold information and training sessions; and

⎯ communicate and consult with stakeholders to ensure that its risk management framework remains appropriate.

12

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

© ISO 2009 – All rights reserved 13

4.4.2 Implementing the risk management process

Risk management should be implemented by ensuring that the risk management process outlined in Clause 5 is applied through a risk management plan at all relevant levels and functions of the organization as part of its practices and processes.

4.5 Monitoring and review of the framework

In order to ensure that risk management is effective and continues to support organizational performance, the organization should:

⎯ measure risk management performance against indicators, which are periodically reviewed for appropriateness;

⎯ periodically measure progress against, and deviation from, the risk management plan;

⎯ periodically review whether the risk management framework, policy and plan are still appropriate, given the organizations' external and internal context;

⎯ report on risk, progress with the risk management plan and how well the risk management policy is being followed; and

⎯ review the effectiveness of the risk management framework.

4.6 Continual improvement of the framework

Based on results of monitoring and reviews, decisions should be made on how the risk management framework, policy and plan can be improved. These decisions should lead to improvements in the organization's management of risk and its risk management culture.

5 Process

5.1 General

The risk management process should be

⎯ an integral part of management,

⎯ embedded in the culture and practices, and

⎯ tailored to the business processes of the organization.

It comprises the activities described in 5.2 to 5.6. The risk management process is shown in Figure 3.

13

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

--`,,,,,,,,`,,```,,,`,,`,`,,,,-`-`,,`,,`,`,,`---

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

© ISO 2009 – All rights reserved 15

⎯ enhance appropriate change management during the risk management process; and

⎯ develop an appropriate external and internal communication and consultation plan.

Communication and consultation with stakeholders is important as they make judgements about risk based on their perceptions of risk. These perceptions can vary due to differences in values, needs, assumptions, concepts and concerns of stakeholders. As their views can have a significant impact on the decisions made, the stakeholders' perceptions should be identified, recorded, and taken into account in the decision making process.

Communication and consultation should facilitate truthful, relevant, accurate and understandable exchanges of information, taking into account confidential and personal integrity aspects.

5.3 Establishing the context

5.3.1 General

By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process. While many of these parameters are similar to those considered in the design of the risk management framework (see 4.3.1), when establishing the context for the risk management process, they need to be considered in greater detail and particularly how they relate to the scope of the particular risk management process.

5.3.2 Establishing the external context

The external context is the external environment in which the organization seeks to achieve its objectives.

Understanding the external context is important in order to ensure that the objectives and concerns of external stakeholders are considered when developing risk criteria. It is based on the organization-wide context, but with specific details of legal and regulatory requirements, stakeholder perceptions and other aspects of risks specific to the scope of the risk management process.

The external context can include, but is not limited to:

⎯ the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;

⎯ key drivers and trends having impact on the objectives of the organization; and

⎯ relationships with, perceptions and values of external stakeholders.

5.3.3 Establishing the internal context

The internal context is the internal environment in which the organization seeks to achieve its objectives.

The risk management process should be aligned with the organization's culture, processes, structure and strategy. Internal context is anything within the organization that can influence the way in which an organization will manage risk. It should be established because:

a) risk management takes place in the context of the objectives of the organization;

b) objectives and criteria of a particular project, process or activity should be considered in the light of objectives of the organization as a whole; and

c) some organizations fail to recognize opportunities to achieve their strategic, project or business objectives, and this affects ongoing organizational commitment, credibility, trust and value.

15

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

16 © ISO 2009 – All rights reserved

It is necessary to understand the internal context. This can include, but is not limited to:

⎯ governance, organizational structure, roles and accountabilities;

⎯ policies, objectives, and the strategies that are in place to achieve them;

⎯ capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);

⎯ the relationships with and perceptions and values of internal stakeholders;

⎯ the organization's culture;

⎯ information systems, information flows and decision making processes (both formal and informal);

⎯ standards, guidelines and models adopted by the organization; and

⎯ form and extent of contractual relationships.

5.3.4 Establishing the context of the risk management process

The objectives, strategies, scope and parameters of the activities of the organization, or those parts of the organization where the risk management process is being applied, should be established. The management of risk should be undertaken with full consideration of the need to justify the resources used in carrying out risk management. The resources required, responsibilities and authorities, and the records to be kept should also be specified.

The context of the risk management process will vary according to the needs of an organization. It can involve, but is not limited to:

⎯ defining the goals and objectives of the risk management activities;

⎯ defining responsibilities for and within the risk management process;

⎯ defining the scope, as well as the depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions;

⎯ defining the activity, process, function, project, product, service or asset in terms of time and location;

⎯ defining the relationships between a particular project, process or activity and other projects, processes or activities of the organization;

⎯ defining the risk assessment methodologies;

⎯ defining the way performance and effectiveness is evaluated in the management of risk;

⎯ identifying and specifying the decisions that have to be made; and

⎯ identifying, scoping or framing studies needed, their extent and objectives, and the resources required for such studies.

Attention to these and other relevant factors should help ensure that the risk management approach adopted is appropriate to the circumstances, to the organization and to the risks affecting the achievement of its objectives.

16

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

--`,,,,,,,,`,,```,,,`,,`,`,,,,-`-`,,`,,`,`,,`---

ISO 31000:2009(E)

© ISO 2009 – All rights reserved 17

5.3.5 Defining risk criteria

The organization should define criteria to be used to evaluate the significance of risk. The criteria should reflect the organization's values, objectives and resources. Some criteria can be imposed by, or derived from, legal and regulatory requirements and other requirements to which the organization subscribes. Risk criteria should be consistent with the organization's risk management policy (see 4.3.2), be defined at the beginning of any risk management process and be continually reviewed.

When defining risk criteria, factors to be considered should include the following:

⎯ the nature and types of causes and consequences that can occur and how they will be measured;

⎯ how likelihood will be defined;

⎯ the timeframe(s) of the likelihood and/or consequence(s);

⎯ how the level of risk is to be determined;

⎯ the views of stakeholders;

⎯ the level at which risk becomes acceptable or tolerable; and

⎯ whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.

5.4 Risk assessment

5.4.1 General

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.

NOTE ISO/IEC 31010 provides guidance on risk assessment techniques.

5.4.2 Risk identification

The organization should identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences. The aim of this step is to generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. It is important to identify the risks associated with not pursuing an opportunity. Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis.

Identification should include risks whether or not their source is under the control of the organization, even though the risk source or cause may not be evident. Risk identification should include examination of the knock-on effects of particular consequences, including cascade and cumulative effects. It should also consider a wide range of consequences even if the risk source or cause may not be evident. As well as identifying what might happen, it is necessary to consider possible causes and scenarios that show what consequences can occur. All significant causes and consequences should be considered.

The organization should apply risk identification tools and techniques that are suited to its objectives and capabilities, and to the risks faced. Relevant and up-to-date information is important in identifying risks. This should include appropriate background information where possible. People with appropriate knowledge should be involved in identifying risks.

17

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

18 © ISO 2009 – All rights reserved

5.4.3 Risk analysis

Risk analysis involves developing an understanding of the risk. Risk analysis provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk analysis can also provide an input into making decisions where choices must be made and the options involve different types and levels of risk.

Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. Factors that affect consequences and likelihood should be identified. Risk is analyzed by determining consequences and their likelihood, and other attributes of the risk. An event can have multiple consequences and can affect multiple objectives. Existing controls and their effectiveness and efficiency should also be taken into account.

The way in which consequences and likelihood are expressed and the way in which they are combined to determine a level of risk should reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used. These should all be consistent with the risk criteria. It is also important to consider the interdependence of different risks and their sources.

The confidence in determination of the level of risk and its sensitivity to preconditions and assumptions should be considered in the analysis, and communicated effectively to decision makers and, as appropriate, other stakeholders. Factors such as divergence of opinion among experts, uncertainty, availability, quality, quantity and ongoing relevance of information, or limitations on modelling should be stated and can be highlighted.

Risk analysis can be undertaken with varying degrees of detail, depending on the risk, the purpose of the analysis, and the information, data and resources available. Analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances.

Consequences and their likelihood can be determined by modelling the outcomes of an event or set of events, or by extrapolation from experimental studies or from available data. Consequences can be expressed in terms of tangible and intangible impacts. In some cases, more than one numerical value or descriptor is required to specify consequences and their likelihood for different times, places, groups or situations.

5.4.4 Risk evaluation

The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation.

Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered.

Decisions should take account of the wider context of the risk and include consideration of the tolerance of the risks borne by parties other than the organization that benefits from the risk. Decisions should be made in accordance with legal, regulatory and other requirements.

In some circumstances, the risk evaluation can lead to a decision to undertake further analysis. The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls. This decision will be influenced by the organization's risk attitude and the risk criteria that have been established.

5.5 Risk treatment

5.5.1 General

Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls.

18

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

--`,,,,,,,,`,,```,,,`,,`,`,,,,-`-`,,`,,`,`,,`---

ISO 31000:2009(E)

© ISO 2009 – All rights reserved 19

Risk treatment involves a cyclical process of:

⎯ assessing a risk treatment;

⎯ deciding whether residual risk levels are tolerable;

⎯ if not tolerable, generating a new risk treatment; and

⎯ assessing the effectiveness of that treatment.

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:

a) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;

b) taking or increasing the risk in order to pursue an opportunity;

c) removing the risk source;

d) changing the likelihood;

e) changing the consequences;

f) sharing the risk with another party or parties (including contracts and risk financing); and

g) retaining the risk by informed decision.

5.5.2 Selection of risk treatment options

Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.

A number of treatment options can be considered and applied either individually or in combination. The organization can normally benefit from the adoption of a combination of treatment options.

When selecting risk treatment options, the organization should consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. Where risk treatment options can impact on risk elsewhere in the organization or with stakeholders, these should be involved in the decision. Though equally effective, some risk treatments can be more acceptable to some stakeholders than to others.

The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented.

Risk treatment itself can introduce risks. A significant risk can be the failure or ineffectiveness of the risk treatment measures. Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective.

Risk treatment can also introduce secondary risks that need to be assessed, treated, monitored and reviewed. These secondary risks should be incorporated into the same treatment plan as the original risk and not treated as a new risk. The link between the two risks should be identified and maintained.

19

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

20 © ISO 2009 – All rights reserved

5.5.3 Preparing and implementing risk treatment plans

The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. The information provided in treatment plans should include:

⎯ the reasons for selection of treatment options, including expected benefits to be gained;

⎯ those who are accountable for approving the plan and those responsible for implementing the plan;

⎯ proposed actions;

⎯ resource requirements including contingencies;

⎯ performance measures and constraints;

⎯ reporting and monitoring requirements; and

⎯ timing and schedule.

Treatment plans should be integrated with the management processes of the organization and discussed with appropriate stakeholders.

Decision makers and other stakeholders should be aware of the nature and extent of the residual risk after risk treatment. The residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment.

5.6 Monitoring and review

Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. It can be periodic or ad hoc.

Responsibilities for monitoring and review should be clearly defined.

The organization's monitoring and review processes should encompass all aspects of the risk management process for the purposes of:

⎯ ensuring that controls are effective and efficient in both design and operation;

⎯ obtaining further information to improve risk assessment;

⎯ analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures;

⎯ detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities; and

⎯ identifying emerging risks.

Progress in implementing risk treatment plans provides a performance measure. The results can be incorporated into the organization's overall performance management, measurement and external and internal reporting activities.

The results of monitoring and review should be recorded and externally and internally reported as appropriate, and should also be used as an input to the review of the risk management framework (see 4.5).

20

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

© ISO 2009 – All rights reserved 21

5.7 Recording the risk management process

Risk management activities should be traceable. In the risk management process, records provide the foundation for improvement in methods and tools, as well as in the overall process.

Decisions concerning the creation of records should take into account:

⎯ the organization's needs for continuous learning;

⎯ benefits of re-using information for management purposes;

⎯ costs and efforts involved in creating and maintaining records;

⎯ legal, regulatory and operational needs for records;

⎯ method of access, ease of retrievability and storage media;

⎯ retention period; and

⎯ sensitivity of information.

21

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

22 © ISO 2009 – All rights reserved

Annex A (informative)

Attributes of enhanced risk management

A.1 General

All organizations should aim at the appropriate level of performance of their risk management framework in line with the criticality of the decisions that are to be made. The list of attributes below represents a high level of performance in managing risk. To assist organizations in measuring their own performance against these criteria, some tangible indicators are given for each attribute.

A.2 Key outcomes

A.2.1 The organization has a current, correct and comprehensive understanding of its risks.

A.2.2 The organization's risks are within its risk criteria.

A.3 Attributes

A.3.1 Continual improvement

An emphasis is placed on continual improvement in risk management through the setting of organizational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills.

This can be indicated by the existence of explicit performance goals against which the organization's and individual manager's performance is measured. The organization's performance can be published and communicated. Normally, there will be at least an annual review of performance and then a revision of processes, and the setting of revised performance objectives for the following period.

This risk management performance assessment is an integral part of the overall organization's performance assessment and measurement system for departments and individuals.

A.3.2 Full accountability for risks

Enhanced risk management includes comprehensive, fully defined and fully accepted accountability for risks, controls and risk treatment tasks. Designated individuals fully accept accountability, are appropriately skilled and have adequate resources to check controls, monitor risks, improve controls and communicate effectively about risks and their management to external and internal stakeholders.

This can be indicated by all members of an organization being fully aware of the risks, controls and tasks for which they are accountable. Normally, this will be recorded in job/position descriptions, databases or information systems. The definition of risk management roles, accountabilities and responsibilities should be part of all the organization's induction programmes.

The organization ensures that those who are accountable are equipped to fulfil that role by providing them with the authority, time, training, resources and skills sufficient to assume their accountabilities.

22

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

© ISO 2009 – All rights reserved 23

A.3.3 Application of risk management in all decision making

All decision making within the organization, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree.

This can be indicated by records of meetings and decisions to show that explicit discussions on risks took place. In addition, it should be possible to see that all components of risk management are represented within key processes for decision making in the organization, e.g. for decisions on the allocation of capital, on major projects and on re-structuring and organizational changes. For these reasons, soundly based risk management is seen within the organization as providing the basis for effective governance.

A.3.4 Continual communications

Enhanced risk management includes continual communications with external and internal stakeholders, including comprehensive and frequent reporting of risk management performance, as part of good governance.

This can be indicated by communication with stakeholders as an integral and essential component of risk management. Communication is rightly seen as a two-way process, such that properly informed decisions can be made about the level of risks and the need for risk treatment against properly established and comprehensive risk criteria.

Comprehensive and frequent external and internal reporting on both significant risks and on risk management performance contributes substantially to effective governance within an organization.

A.3.5 Full integration in the organization's governance structure

Risk management is viewed as central to the organization's management processes, such that risks are considered in terms of effect of uncertainty on objectives. The governance structure and process are based on the management of risk. Effective risk management is regarded by managers as essential for the achievement of the organization's objectives.

This is indicated by managers' language and important written materials in the organization using the term “uncertainty” in connection with risks. This attribute is also normally reflected in the organization's statements of policy, particularly those relating to risk management. Normally, this attribute would be verified through interviews with managers and through the evidence of their actions and statements.

23

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

ISO 31000:2009(E)

24 © ISO 2009 – All rights reserved

Bibliography

[1] ISO Guide 73:2009, Risk management — Vocabulary

[2] ISO/IEC 31010, Risk management — Risk assessment techniques

24

COPYRIGHTCopyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

NOTES

25

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

--`,,,,,,,,`,,```,,,`,,`,`,,,,-`-`,,`,,`,`,,`---

NOTES

26

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

--`,,,,,,,,`,,```,,,`,,`,`,,,,-`-`,,`,,`,`,,`---

Standards Australia

Standards Australia is an independent company, limited by guarantee, which prepares and publishes

most of the voluntary technical and commercial standards used in Australia. These standards are

developed through an open process of consultation and consensus, in which all interested parties are

invited to participate. Through a Memorandum of Understanding with the Commonwealth

government, Standards Australia is recognized as Australia’s peak national standards body.

Standards New Zealand

The first national Standards organization was created in New Zealand in 1932. The Standards

Council of New Zealand is the national authority responsible for the production of Standards.

Standards New Zealand is the trading arm of the Standards Council established under the Standards

Act 1988.

Australian/New Zealand Standards

Under a Memorandum of Understanding between Standards Australia and Standards New Zealand,

Australian/New Zealand Standards are prepared by committees of experts from industry,

governments, consumers and other sectors. The requirements or recommendations contained

in published Standards are a consensus of the views of representative interests and also take

account of comments received from other sources. They reflect the latest scientific and industry

experience. Australian/New Zealand Standards are kept under continuous review after publication

and are updated regularly to take account of changing technology.

International Involvement

Standards Australia and Standards New Zealand are responsible for ensuring that the Australian

and New Zealand viewpoints are considered in the formulation of international Standards and that

the latest international experience is incorporated in national and Joint Standards. This role is vital

in assisting local industry to compete in international markets. Both organizations are the national

members of ISO (the International Organization for Standardization) and IEC (the International

Electrotechnical Commission).

Visit our web sites

www.standards.org.au www.standards.co.nz

www.standards.com.au

Copyright Standards New Zealand Provided by IHS under license with SNZ Licensee=Unitec Inst of Technology/5911177001

Not for Resale, 01/14/2010 23:56:14 MSTNo reproduction or networking permitted without license from IHS

- - ` , , , , , , , , ` , , ` ` ` , , , ` , , ` , ` , , , , - ` - ` , , ` , , ` , ` , , ` - - -

  • Committee OB-007
  • Keeping Standards up-to-date
  • COPYRIGHT
  • PREFACE
  • CONTENTS
  • INTRODUCTION
  • 1 Scope
  • 2 Terms and definitions
  • 3 Principles
  • 4 Framework
    • 4.1 General
    • 4.2 Mandate and commitment
    • 4.3 Design of framework for managing risk
    • 4.4 Implementing risk management
    • 4.5 Monitoring and review of the framework
    • 4.6 Continual improvement of the framework
  • 3 — Risk management process
  • 5 Process
    • 5.1 General
    • 5.2 Communication and consultation
    • 5.3 Establishing the context
    • 5.4 Risk assessment
    • 5.5 Risk treatment
    • 5.6 Monitoring and review
    • 5.7 Recording the risk management process
  • Annex A(informative)Attributes of enhanced risk management
  • Bibliography
  • Standards Australia
  • Standards New Zealand
  • Australian/New Zealand Standards
  • International Involvement
  • web sites
  • Figure
    • 1 — Relationships between the risk management principles, framework and process
    • 2 – Relationship between the components of the framework for managing risk

__MACOSX/mane/._ISO_31000_2009_eng.pdf

mane/Organisational Scenario2.pdf

Organisational Scenario:

Waterview Connection

Costing NZ$1.4b, the Waterview Connection project is one of the most important infrastructure

developments ever to take place in New Zealand. It is a motorway section under construction through west/central Auckland. The project connects State Highway 20 in the south at Mt Roskill to state Highway

16 in the west at Point Chevalier. It is a part of the Western Ring Route. Completing a motorway ring route around the city, it will unlock Auckland’s potential to become a truly world class city.

The world’s 10th largest tunnel boring machine, named Alice, is constructing twin tunnels up to 40m below ground. Each tunnel will carry three lanes of traffic. By 2026, it is expected to carry 83,000 vehicles a day (“Agency chided over pollution figures”, 2010).

The project includes construction of a giant interchange near the northern entrance to the tunnels to connect the two motorways. It will also deliver community-based facilities for walkers and cyclists, sports amenities, playgrounds and parks.

The project is being constructed for the NZ Transport Agency by the Well-Connected Alliance – the alliance includes the Transport Agency and New Zealand and overseas companies with expertise in infrastructure, tunnelling and design.

https://www.nzta.govt.nz/projects/the-western-ring-route/waterview-connection/

Requirements:

As an engineering management consultant you are required to prepare a risk management report about Waterview Connection Project.

The aim is to achieve an understanding of the risk management process, tools and techniques. You are required to follow the risk management process specified in “Risk Management-Principles and guidelines AS/NZS 31000:2009”.

The risk management process

Question 1 Project Context:

Critically analyse the project context (from a risk management perspective). Provide a summary of the project context in report format, suitable as a briefing for key stakeholders.

Question 2 Risk Identification:

Identify the risks of the proposed project. Produce an overall summary of risks identified and categorised the risks into main categories, such as technical, external, organisational, and project management. You should identify at least ONE risk for EACH CATEGORY.

Question 3 Risk Analysis and Evaluation:

Fully analysis and evaluate each risk (four risk factors in total) using either a qualitative or quantitative analysis method.

Question 4 Risk Treatment:

Examine the best way of treating your chosen four risks from Question 3. Develop and present a fully detailed Risk Treatment Plan, justifying the reasons for your treatment choices.

Data Sources

Under no circumstances should you approach the agencies or any of the parties involved in the project for any reason.

Additional Information

Here are some additional resources to use as a starting point only.

https://www.facebook.com/AliceTBM/

http://www.fletcherconstruction.co.nz/projects.php?action=search&id=467

http://www.stuff.co.nz/auckland/80912488/Aucklands-Waterview-Connection-on-schedule-to-open- in-early-2017

https://www.nzta.govt.nz/resources/risk-management-process-manual/

https://www.nzta.govt.nz/assets/resources/risk-management-framework/docs/risk- management-framework.pdf

Appropriate Secondary Data Sources

It is suggested that secondary data sources are extensively utilised e.g. electronic library sources / hard

copy data / articles in academic journals / business press such as Journal of civil engineering and

management – class notes should not be referenced and the ‘popular press’ not be used. Wikipedia

references are not considered to be of the required standard and hence should not be included.

Final Reports

As in all decision making in business, generally there are no right and wrong solutions. Good risk

management report are generally recognised as those where there has been identification of wide range of

risks, consideration of the likelihood and consequence of each risk, and a convincing justification for why

the chosen risk treatment is likely to deal with the negative impacts posed by the risks.

The range of risk issues that are to be addressed in the risk management plan presented, and the relative

emphasis that is given to each risk, should be decided by you, this in itself part of the assignment. Your risk

attitude is differ from your peer, than thus the content of your individual report will not be the same as other

candidates, there is definitely not one “right answer”.

Requirements

This has to be submitted in report format and as such should have a formal structure and layout. It should be presented as a professional electronic document.

The total submission should not exceed 2,500 words. This word limit is plus or minus 10% ( this is a typical academic

standard) and excludes contents page, reference list and any appendices Exceeding the word limit by more than 10% will lead to the deduction of marks All submissions shall have a bibliography of references and sources used in the preparation of the project It should be in APA referencing system when citing literature sources. APA referencing (You should have 10 references minimum and 13 maximum)

Assessment criteria

You are advised to consider the assessment criteria and ensure that these areas are covered in your report. Assessment grading will be according to the following criteria:

Criteria Marks Remarks

a) Project Context 20% Provide a summary of the project context from a risk management perspective with details, such

as the project objective, scope, stakeholders, time, cost, quality, and deliverables.

b) Risk Identification 20% Classify the risks into four main categories (namely technical, external, organisational, and project

management), with justification of the importance of these risks.

c) Risk Analysis and 20% Use either a qualitative or quantitative analysis method analysis and evaluate each risk.

Evaluation

d) Risk Treatment 20% Identify the risk treatment for the four risks analysed and evaluated. Full justify your choices,

based upon your answers and reflection your answers to question 1 to 3.

d) Presentation of report 10% Presentation means clearly and neatly presented material with good use of English, layout, clear

and logical structure, visual presentation, and clarity of expression. Any written work should

read well and be concise as well as logical. Spelling should be accurate and the overall appearance,

including any graphical material, should be of good quality to a professional standard.

e) Additional reading 10% Additional background and supplementary reading should be undertaken and incorporated into

demonstrated to show deep

the work. The report should contain references to relevant published material which underpins

knowledge and

the work. Correct use of the APA referencing system when citing literature sources is

understanding, with rewarded. referencing and supporting published material

__MACOSX/mane/._Organisational Scenario2.pdf

mane/risk management lecture (1).pdf

Learning outcomes

• Describe the risk management process • Identify different kinds of risks • Illustrate approaches for risk

identification, analysis, and assessment • Suggest approaches for responding

to project risks and opportunities

Resources

• Project Management: The Managerial Process

• Chapters 7

Resources

• Risk Management – Principles and guidelines

ISO_31000_2009_eng

Resources

• A Guide to the Project Management Body of Knowledge

PROJECT RISK

Project Risk

• Definition

“Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect

on one or more project objectives such as

scope, schedule, cost, and quality.” (PMI, 2013)

Project Risk

• Deviation from the expected • Positive or negative • Objectives can have different

aspects (financial, health and safety,

and environmental goals) • Apply at different levels (strategic,

organisation-wide, project, product and process) (NZS ISO 31000:20090)

Project Risk

Risk Management

• A proactive attempt to recognize and manage internal events and external threats that affect the likelihood of a project’s success.

– What can go wrong (risk event). – How to minimize the risk event’s impact

(consequences).

– What can be done before an event occurs (anticipation).

– What to do when an event occurs (contingency

plans).

Risk Management

• Risk is often characterised by reference

to potential events and consequences

(effects).

Risk and Uncertainty

• Certainty (knowns): decision-maker aware of alternatives and outcomes

• Uncertainty (unknown unknowns) – the

future is unknowable so the probabilities

and consequences remain unknown • Risk (known unknowns) – situation

where the future can be analysed and

planned for

Benefits of Risk Management

• A proactive rather than reactive approach • Reduces surprises and negative consequences • Prepares the project manager to take

advantage of appropriate risks • Provides better control over the future • Improves chances of reaching project

performance objectives within budget and on time

RISK MANAGEMENT PROCESS

Risk Management Process

Risk Management Process

Step 1

Step 2

Step 3

Step 4

Step 5

• Planning and context • Risk identification • Risk analysis and evaluation • Risk treatment • Implementation and control

RISK PLANNING AND CONTEXT

Planning and Context

• Determine and document the objectives,

scope and process fro risk management.

Risk Management Plan

Includes

• Objectives • Methodology • Roles and responsibilities • Budgeting, timing • Risk categories • Scoring interpretation • Tolerance thresholds • Reporting formats • Tracking

Establishing the Context

• The external context (the environment

such as political, social, legal,

financial and geographical) • The organisational context (culture,

values, governance, capabilities,

policies, processes, strategic objectives) • The project context (full set of objectives

and project outcomes)

RISK IDENTIFICATION

Risk Identification

• The process of finding, recognising and

describing risk and their key causes.

Risk Identification Tools

• Personal experiences • Individual pondering • Group processes • Structured interviews • Project information • Checklists • Risk breakdown structure (RBS)

Risk Breakdown Structure

Risk Registers

RISK ANALYSIS AND EVALUATION

Risk Assessment

• Risk assessment is about developing an understanding of the risk.

• The purpose of risk assessment is based

on the outcomes of risk analysis, to

assist in making decisions about

– which risks need treatment, and – the priority for treatment implementation

Risk Analysis

• Risk analysis is the process of

understanding and deducing the level

of risk.

– Likelihood – Consequences

• Qualitative • Quantitative

Risk Analysis

Risk Analysis

Risk Analysis Techniques

• Qualitative techniques that employ

subjective scoring techniques. • Quantitative techniques using

statistical and probabilistic approaches.

Risk Evaluation

• The process of comparing the level of risk against risk criteria.

– Do I need to do anything about this risk? – Classify, e.g. intolerable,

undesirable, acceptable, negligible – Determine risk tolerance – Know your risk appetite

Risk Appetite

Risk Averse Risk Taking

Risk Neutral

RISK TREATMENT

Risk Treatment

• The process of identifying and assessing

options for treating risks and then

planning their implementation.

Risk Treatment

• Avoidance: changing the plan to eliminate the threat. Refusing to accept the risk.

• Reduction: reduce the likelihood or consequences of the

risk, pre- or post-risk. Contingency plans. • Retention: accepting the risk and exposure with no

further action to manage. Often for low risk. • Transfer: shifts responsibility and consequences to

another party (contract or insurance) though the risk still

exists.

Principles for Treatment Selection

Risk Treatment Plans

• Purpose: how the chosen treatments will be implemented. – The reasons for treatment selection – Who are accountable for approving the plan – Who are accountable for implementing the plan – Proposed actions – Resource required – Performance measures and constraints – Reporting and monitoring requirements – Timing and schedule

RISK IMPLEMENTATION AND CONTROL

Risk Implementation and Control

• Monitoring and review of the risk management process

Responsibility for Risk Monitoring

• Ensuring that controls are effective and efficient

• Obtaining further information to improve risk assessment

• Analysing and learning lessons from events, changes, trends successes and failure

• Detecting changes in the context • Identifying emerging risks

Responsibility for Risk Recording

• Risk management activities should be

traceable. Records provide the foundation

for improvement in methods and tools, as

well as in the overall process.

__MACOSX/mane/._risk management lecture (1).pdf

mane/Tutorial 2 Q.pdf

Qualitative and Quantitative Risk

Assessment

Content

• Qualitative vs.. Quantitative • Qualitative Risk Assessment • Quantitative Risk Assessment

Qualitative vs. Quantitative

• Qualitative techniques that employ

subjective scoring techniques. • Quantitative techniques using

statistical and probabilistic approaches.

Qualitative vs. Quantitative

• Outcomes of qualitative risk analysis – Overall risk ranking for the project – List of prioritised risks – List of risks for additional analysis

and management – Trends in qualitative risk analysis results

Qualitative vs. Quantitative

• Outcomes of quantitative risk analysis – Prioritised list of quantified risks – Probability analysis of the project – Probability of achieving the cost and

time objectives – Trends in quantitative risk analysis results

Qualitative vs. Quantitative

Qualitative Risk Assessment

• One way to determine the importance of addressing specific risks and guiding risk responses.

• Requires that the probability and consequences of the risks be evaluated using established qualitative- analysis methods and tools.

• Indicate the need for more or less risk-management action.

Qualitative Risk Assessment

• Risk probability is the likelihood that a risk will occur.

• Risk consequences is the effect on project objectives if the risk event occurs.

• Risk probability and risk consequences may be described in qualitative terms such as very high, moderate, low, and very low.

• Probability and impact are assessed for each individual risk.

Qualitative Risk Assessment

Qualitative Risk Assessment

Qualitative Risk Assessment

Question 1

• Qualitative measure of person impact

Level Descriptor Detail

1 Insignificant No injuries

2 Minor First aid treatment

3 Moderate Medical treatment required

4 Major Extensive injuries

5 Catastrophic Death

Question 1

• Qualitative measure of likelihood

Level Descriptor Detail

A Almost certain Is expected to occur in most circumstances

B Likely Will probably occur in most

circumstances

C Possible Might occur at some time

D Unlikely Could occur at some time

E Rare May only occur in exceptional

circumstances

Question 1

• Rank the risk factors:

– Risk factor 1: Likely to happen, with moderate impact

– Risk factor 2: Rarely happen,

with catastrophic consequence – Risk factor 3: Possible, with major impact

Question 1

Likelihood Consequences

Insignificant Minor Moderate Major Catastrophic

1 2 3 4 5

A H H E E E

Almost certain

B M H H E E

Likely

C L M H E E

Possible

D L L M H E

Unlikely

E L L M H H

Rare

Probability And Impact Matrix

• Ratings are assigned to risks based on their assessed probability of occurrence and impact on an objective if it does occur.

• Evaluation of each risk’s importance is conducted using a probability and impact matrix.

• Both descriptive terms or numeric values can be used depending on organisational preference.

Probability And Impact Matrix

NZTA Risk Management Process Manual

Figure (Next page )

Quantitative Risk Assessment

• The process of numerically analysing

the effect of identified risks on overall

project objectives. • Produce quantitative risk information to

support decision making in order to

reduce project uncertainty.

Quantitative Risk Assessment

• Probabilistic Risk Assessment – characterising the likely impacts of the risk – Evaluating whether risk is tolerable

or acceptable

Quantitative Risk Assessment

• In compliance with all rules, assumptions,

limitations or constraints introduced • The analysis is relevant and useful. • The analysis and results are reliable

and valid.

Quantitative risk analysis

• Expected Value • Decision tree analysis • Sensitivity analysis • Modelling and simulation

Expected Value

• In a choice situation, select the alternative that promises

to bring the highest payoff or expected value (EV). EV is

determined by two factors:

– (a) the likelihood that a particular action will lead to various outcomes

– (b) the value of those outcomes.

Question 2

• What is the expected value of “buy insurance” and “don’t buy insurance”?

Question 3

• What is the expected value of event A?

Event A

Outcome #1 Outcome #2 Outcome #3 NB = $10,000 NB = $50,000 NB = $70,000

ρ = 0.3 ρ = 0.5 ρ = 0.2

Decision Tree Analysis

• Flowchart-like structure • Nodes, representing a “test” • Branches, representing the outcome of the

“test” • Leaves, representing a decision

Question 4

• Using Expected Value to determine the best options

What Really Matters

• Risk assessment is to support decision- making.

• Quantitative analysis supports

decision-making in order to reduce

project uncertainty. • Qualitative analysis supports decision-

making in order to prioritise the risks.

What Really Matters (for assignment 2)

• Assumptions justifying the levels assigned – Probabilities (levels: low/high/medium,

reasons, references) – Impacts (specify the impacts of each

level, reasons, references) • Technique used to assess the risk

– Quantitative (formulas) – Qualitative (matrix)

• Consequence

__MACOSX/mane/._Tutorial 2 Q.pdf

mane/Tutorial 3 Q.pdf

Risk Management

Risk Management Process

Risk Management Process

Step 1

Step 2

Step 3

Step 4

Step 5

• Planning and context • Risk identification • Risk analysis and evaluation • Risk treatment • Implementation and control

Additional Waitemata Crossing

NZ Transport Agency, 2015

Additional Waitemata Crossing

New Zealand Transport Agency (NZTA)

prepared the business case looking at a

range of public transport options,

including heavy rail. The Transport

Agency and Auckland Transport is

working together on this part of the

project, including any necessary route

protection for public transport.

Additional Waitemata Crossing

In 2013, the Government announced its support for a tunnel in preference to a bridge, to work in conjunction with the existing Auckland Harbour Bridge. The preferred route for the additional crossing is a tunnel running underground just south of the Onewa Road interchange on the North Shore and reach the isthmus at depth under Westhaven Marina. An additional crossing is likely to cost between $4 billion and $6 billion, and is likely to be needed between 2025 and 2030.

Additional Waitemata Crossing

The creation of an additional harbour

crossing to carry the bulk of SH1 traffic

offers flexibility for the transport system to

evolve over time and maximise benefits of

infrastructural investment. The existing

harbour bridge, for example, could be

used to extend the Northern Busway into

the CBD.

Planning and Context

• External • Organisational

– Political – Culture

– Social – Values

– Legal – Governance

– Financial – Strategic objectives

– Geographical

Risk Identification

• Technical • External • Organisational • Project management

Risk Analysis and Evaluation

• Matrix (Transit New Zealand, 2004

Risk Analysis and Evaluation

• Likelihood

(Transit New Zealand, 2004

Risk Analysis and Evaluation

• Consequence

(Transit New Zealand, 2004

Risk Treatments

• Risk treatments selection (ALARP) • Residual risk

Risk Treatments

Risk Treatments

• ALARP

– Trade-off between resources and risk

– ALARP level is reached when efforts of

future risk reduction measures become

unreasonably disproportionate to the benefits

– Deciding whether a risk is ALARP –

referring to ‘good practice’

__MACOSX/mane/._Tutorial 3 Q.pdf