Risk Management Process

According to ISO 31000:2018, the risk management “process” involves the systematic application of policies, procedures, and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording, and reporting risk.

The risk management process should be an integral part of management and decision-making and integrated into the structure, operations, and processes of the organization. It can be applied at strategic, operational, program, or project levels.

The dynamic and variable nature of human behavior and culture should be considered throughout the risk management process.

Communication and consultation
The purpose of communication and consultation is to assist relevant stakeholders in understanding risk, the basis on which decisions are made, and the reasons why particular actions are required.

Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making. Close coordination between the two should facilitate factual, timely, relevant, accurate, and understandable exchange of information, taking into account the confidentiality and integrity of information, as well as, the privacy rights of individuals.

Scope
The organization should define the scope of its risk management activities. The risk management process may be applied at strategic, operational, program, and project levels. It is important to be clear about the scope under consideration, the relevant objectives to be considered, and their alignment with organizational objectives.

Context
The external and internal context is the environment in which the organization seeks to define and achieve its objectives. The context of the risk management process should be established from the understanding of the external and internal environment in which the organization operates and should reflect the specific environment of the activity to which the risk management process is to be applied.

Criteria
The organization should specify the amount and type of risk that it may or may not take, relative to objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes. The risk criteria should be aligned with the risk management “framework” (see the earlier article) and customized to the specific purpose and scope of the activity under consideration.

The risk criteria should reflect the organization’s values, objectives, and resources and be consistent with the policies and statements about risk management. The criteria should be defined taking into consideration the organization’s obligations and the views of stakeholders.

Assessment
Risk assessment is the overall process of risk identification, analysis, and evaluation. An assessment should be conducted systematically, iteratively, and collaboratively, drawing on the knowledge and views of stakeholders.

Identification
The purpose of risk identification is to find, recognize, and describe risks that might help or prevent an organization achieving its objectives. Relevant, appropriate, and up-to-date information is important in identifying risks.

Analysis
The purpose of risk analysis is to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk. Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls, and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives.

Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods. The results provide insight for decisions, where choices are being made, and the options involve different types and levels of risk.

Evaluation
The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required. This can lead to a decision to:
1) do nothing further;
2) consider risk treatment options;
3) undertake further analysis to better understand the risk;
4) maintain existing controls;
5) reconsider objectives.

Treatment
Selecting the most appropriate risk treatment option involves balancing the potential benefits derived in relation to the achievement of the objectives against costs, effort, or disadvantages of implementation.

Options for treating risk may involve one or more of the following:
1) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
2) taking or increasing the risk in order to pursue an opportunity;
3) removing the risk source;
4) changing the likelihood;
5) changing the consequences;
6) sharing the risk (e.g., through contracts, buying insurance);
7) retaining the risk by informed decision.

Monitoring and review
Risk treatments, even if carefully designed and implemented, might not produce the expected outcomes and could produce unintended consequences. Monitoring and review need to be an integral part of the risk treatment implementation to give assurance that the different forms of treatment become and remain effective.

Recording and reporting
The risk management process and its outcomes should be documented and reported. Reporting is an integral part of the organization’s governance and should enhance the quality of dialogue with stakeholders and support top management and oversight bodies in meeting their responsibilities.

ISO 31000:2018
See ISO 31000:2018, “Risk Management – Guidelines”, for more details on establishing a risk management program. You can order the standard at this ISO web page for about $90.