Whittington & Associates Newsletter

Newsletter sign-upSign up for our monthly email newsletter to get the latest guidance on ISO 9001, AS9100, AS9110, AS9120, ISO 13485, IATF 16949, ISO 14001, ISO 27001, ISO 45001, ISO 20000, and related ISO standards.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.

Risk Management Principles

Feb 1, 2019 in Newsletter | Comments Off on Risk Management Principles

As mentioned in the earlier Risk Terminology article, the purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.

ISO 31000:2018, “Risk Management – Guidance”, describes eight principles that provide guidance on the characteristics of effective and efficient risk management, communicating its value, and explaining its intention and purpose.

These principles are the foundation for managing risk and should be considered when establishing your risk management framework and and processes (see the other risk management articles in this newsletter issue). These principles should enable an organization to manage the effects of uncertainty on its objectives.

1. Integrated
Risk management is an integral part of all organizational activities.

2. Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and comparable results.

3. Customized
The risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.

4. Inclusive
Appropriate and timely involvement of stakeholders enables their knowledge, views, and perceptions to be considered. This results in improved awareness and informed risk management.

5. Dynamic
Risks can emerge, change, or disappear as an organization’s external and internal context changes. Risk management anticipates, detects, acknowledges, and responds to those changes and events in an appropriate and timely manner.

6. Best available information
The inputs to risk management are based on historical and current information, as well as, on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear, and available to relevant stakeholders.

7. Human and cultural factors
Human behavior and culture significantly influence all aspects of risk management at each level and stage.

8. Continual improvement
Risk management is continually improved through learning and experience.

ISO 31000:2018
See ISO 31000:2018, “Risk Management – Guidelines”, for more details on establishing a risk management program. You can order the standard at this ISO web page for about $90.

Risk Management Terminology

Feb 1, 2019 in Newsletter | Comments Off on Risk Management Terminology

According to ISO 31000:2018, risk management is the coordination of the activities that direct and control the risks faced by an organization. The purpose of risk management is to create and protect value. It improves performance, encourages innovation, and supports the achievement of objectives.

Organizations of all types and sizes must deal with external and internal factors that make it uncertain whether they will achieve their objectives. Managing risk is an iterative process and helps organizations to set strategy, achieve objectives, and make informed decisions.

Managing risk is therefore an integral part of governance and leadership. It is fundamental to how the organization is managed and should be included in all activities.

ISO 31000:2018, “Risk Management – Guidelines” describes the principles, framework, and process for managing risk. These components might exist in full or in part within an organization. However, they may need to be adapted or improved so that managing risk is efficient, effective, and consistent.

Risk is defined as the effect of uncertainty on objectives. An effect is a deviation from the expected. The effect can be positive, negative, or both. It can address, create, or result in opportunities and threats.

Risk is usually expressed in terms of risk sources, potential events, their consequence, and their likelihood.

  • Risk Source is an element which alone, or in combination, has the potential to give rise to risk. Organizational factors can be a source of risk.

  • An Event is an occurrence or change of a set of circumstances. An event can be something expected (which does not happen), or something not expected (which does happen). An event can be a risk source.
  • Consequence is an outcome of an event affecting objectives. A consequence can be certain or uncertain and can have positive or negative, direct or indirect, effects on objectives. Any consequence can escalate through cascading and cumulative effects.
  • Likelihood is the chance of something happening, for example, a probability or a frequency over a given time period.

ISO 31000:2018
See ISO 31000:2018, “Risk Management – Guidelines”, for more details on establishing a risk management program. You can order the standard at this ISO web page for about $90.

Risk Management Framework

Feb 1, 2019 in Newsletter | Comments Off on Risk Management Framework

The purpose of the risk management “framework” described in ISO 31000:2018 is to help the organization integrate risk management into its significant activities and functions.

The effectiveness of risk management depends on its integration into the governance of the organization, including decision-making, which requires support from top management.

Framework development includes 1) integrating, 2) designing, 3) implementing, 4) evaluating, and 5) improving risk management across the organization.

1. Integration
Integrating risk management relies on an understanding of organizational structures and context. These structures differ depending on your purpose, goals, and complexity. Risk is managed in every part of the organization’s structure. Everyone in an organization has responsibility for managing risk.
Integrating risk management is a dynamic and iterative process. It should be customized to the organization’s needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives, and operations.

2. Design
When designing the framework for managing risk, the organization should examine and understand its external and internal context.

Top management should demonstrate and articulate their commitment to risk management through a policy, a statement, or other forms that clearly convey the organization’s objectives and commitment to risk management.

Top management should ensure that the responsibilities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization.

Communication and consultation should be timely and ensure that relevant information is collected, collated, synthesized, and shared, as appropriate, and that feedback is provided, and improvements are made.

3. Implementation
The organization should implement the risk management framework by developing an appropriate plan including time and resources.

Successful implementation of the framework requires the engagement and awareness of stakeholders. This enables organizations to explicitly address uncertainty in decision-making, while also ensuring that any new or subsequent uncertainty can be taken into account as it arises.

Properly designed and implemented, the risk management framework will ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and that changes in external and internal contexts will be adequately captured.

4. Evaluation
To evaluate the effectiveness of the risk management framework, the organization should periodically measure the risk management framework performance against its purpose, implementation plans, indicators, and expected behavior.

5. Improvement
The organization should continually monitor and adapt the risk management framework to address external and internal changes, and therefore improve its value.

The organization should continually improve the suitability, adequacy, and effectiveness of the risk management framework and the way the risk management process is integrated.

ISO 31000:2018
See ISO 31000:2018, “Risk Management – Guidelines”, for more details on establishing a risk management program. You can order the standard at this ISO web page for about $90.

Risk Management Process

Feb 1, 2019 in Newsletter | Comments Off on Risk Management Process

According to ISO 31000:2018, the risk management “process” involves the systematic application of policies, procedures, and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording, and reporting risk.

The risk management process should be an integral part of management and decision-making and integrated into the structure, operations, and processes of the organization. It can be applied at strategic, operational, program, or project levels.

The dynamic and variable nature of human behavior and culture should be considered throughout the risk management process.

Communication and consultation
The purpose of communication and consultation is to assist relevant stakeholders in understanding risk, the basis on which decisions are made, and the reasons why particular actions are required.

Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making. Close coordination between the two should facilitate factual, timely, relevant, accurate, and understandable exchange of information, taking into account the confidentiality and integrity of information, as well as, the privacy rights of individuals.

The organization should define the scope of its risk management activities. The risk management process may be applied at strategic, operational, program, and project levels. It is important to be clear about the scope under consideration, the relevant objectives to be considered, and their alignment with organizational objectives.

The external and internal context is the environment in which the organization seeks to define and achieve its objectives. The context of the risk management process should be established from the understanding of the external and internal environment in which the organization operates and should reflect the specific environment of the activity to which the risk management process is to be applied.

The organization should specify the amount and type of risk that it may or may not take, relative to objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes. The risk criteria should be aligned with the risk management “framework” (see the earlier article) and customized to the specific purpose and scope of the activity under consideration.

The risk criteria should reflect the organization’s values, objectives, and resources and be consistent with the policies and statements about risk management. The criteria should be defined taking into consideration the organization’s obligations and the views of stakeholders.

Risk assessment is the overall process of risk identification, analysis, and evaluation. An assessment should be conducted systematically, iteratively, and collaboratively, drawing on the knowledge and views of stakeholders.

The purpose of risk identification is to find, recognize, and describe risks that might help or prevent an organization achieving its objectives. Relevant, appropriate, and up-to-date information is important in identifying risks.

The purpose of risk analysis is to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk. Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls, and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives.

Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods. The results provide insight for decisions, where choices are being made, and the options involve different types and levels of risk.

The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required. This can lead to a decision to:
1) do nothing further;
2) consider risk treatment options;
3) undertake further analysis to better understand the risk;
4) maintain existing controls;
5) reconsider objectives.

Selecting the most appropriate risk treatment option involves balancing the potential benefits derived in relation to the achievement of the objectives against costs, effort, or disadvantages of implementation.

Options for treating risk may involve one or more of the following:
1) avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
2) taking or increasing the risk in order to pursue an opportunity;
3) removing the risk source;
4) changing the likelihood;
5) changing the consequences;
6) sharing the risk (e.g., through contracts, buying insurance);
7) retaining the risk by informed decision.

Monitoring and review
Risk treatments, even if carefully designed and implemented, might not produce the expected outcomes and could produce unintended consequences. Monitoring and review need to be an integral part of the risk treatment implementation to give assurance that the different forms of treatment become and remain effective.

Recording and reporting
The risk management process and its outcomes should be documented and reported. Reporting is an integral part of the organization’s governance and should enhance the quality of dialogue with stakeholders and support top management and oversight bodies in meeting their responsibilities.

ISO 31000:2018
See ISO 31000:2018, “Risk Management – Guidelines”, for more details on establishing a risk management program. You can order the standard at this ISO web page for about $90.

ISO/TS 27008:2019 Published

Feb 1, 2019 in Newsletter | Comments Off on ISO/TS 27008:2019 Published

ISO/TS 27008:2019, Edition 1, “Information technology – Security techniques – Guidelines for the assessment of information security controls”, is available and replaces ISO/TR 27008:2011.

The new technical specification supports the Information Security Risk Management process referenced in ISO 27001.

Information security controls should be

  • fit-for-purpose (appropriate and suitable mitigation of information risks),
  • effective (properly specified, designed, implemented, used, managed and maintained),
  • efficient (delivering net value to the organization).

ISO/TS 27008 explains how to assess an organization’s information security controls against those and other objectives in order either to confirm that they are indeed fit-for-purpose, effective, and efficient (providing assurance), and to identify the possible need for changes (improvement opportunities).

The ultimate aim is that the information security controls, as a whole, adequately mitigate information risks that the organization finds unacceptable and unavoidable, in a reasonably cost-effective and business-aligned manner.

ISO/TS 27001 offers the flexibility needed to customize the necessary reviews based on business missions and goals, organizational policies and requirements, known emerging threats and vulnerabilities, operational considerations, information system and platform dependencies, and the risk appetite of the organization.

Please refer to ISO 27007 for guidelines on information security management systems auditing and ISO 27006 for requirements for bodies providing audit and certification of information security management systems.

The 91-page ISO/TS 27008:2019 standard can be ordered at this ISO web page for $198.