Risk Management

Last month, the newsletter included an article on ISO 31000:2009, Risk Management – Principles and Guidelines. The article also referenced a supporting standard, ISO 31010:2009, Risk Management – Risk Assessment Techniques. These two risk management standards provide organizations of all types with a well-stocked toolbox for tackling situations that could affect the achievement of their objectives.

Risks affecting organizations may have consequences in terms of:

  • societal, environmental, technological, safety, and security outcomes
  • commercial, financial, and economic disciplines
  • social, cultural, and political reputation impacts

When risks occur, organizations always have to ask the question: “Is the level of risk tolerable or acceptable, and does it require further treatment?”

Risk assessment is an integral part of risk management that provides a structured process for organizations to identify how their objectives may be affected. It is used to analyze the risk in terms of consequences and their probabilities before the organization decides on further treatment, if required.

Risk assessment provides decision-makers and responsible parties with an improved understanding of the risks that could affect achievement of objectives, as well as of the adequacy and effectiveness of the controls already in place. The ISO 31010 standard provides a basis for deciding on the most appropriate approach to treat particular risks and for selecting between options.

ISO 31010 will assist organizations in implementing the risk management principles and guidelines provided by ISO 31000, itself complemented by ISO Guide 73:2009 on risk management vocabulary. ISO 31010 deals with:

  • Risk assessment concepts
  • Risk assessment process
  • Selection of risk assessment techniques

The standard reflects current good practice and answers the following questions:

  • What can happen and why?
  • What are the consequences?
  • What is the probability of their future occurrence?
  • Are there any factors that mitigate the consequences of the risk or that reduce the probability of the risk?

The application of a range of techniques is introduced, with specific references to other International Standards where the concept and application of techniques are described in greater detail. Risk assessment is not a stand-alone activity and should be fully integrated into the other components in the risk management process.

ISO 31010 has been developed for application by both the risk management novice and the seasoned risk professional. It forms part of an integrated risk management structure of standards, developed with a view to providing a ‘best practice’ approach.

ISO 31000:2009 and ISO 31010:2009 can be ordered at the ANSI Web Store.