How the ISO 31000 risk management process fits into the organization
By Global Trust Association
17 July, 2019 | 15:07hrs
Risk management is a key input to decision making. It should not be run independently of the organization's strategy and management; it should be integrated with the other management components, such as processes and operations. This means its scope reaches from the strategic level down to the operational level, and its application is highly iterative, even though the standard defines it as a set of processes that are usually presented as sequential.
In that regard, ISO 31000 defines a risk management process with six elements, which can be used as a reference framework to integrate with existing organizational processes or as a stand-alone process for managing the company's risks. As the standard says: “it involves the systematic application of policies, procedures and practices to communication and consultation activities, context establishment and assessment, treatment, monitoring, review, recording and reporting of risk.”
The process is composed as follows:
- Communication and consultation. Promotes risk awareness and understanding among the appropriate internal and external stakeholders at every step of the risk management process.
- Scope, context and criteria. Tailors the overall risk management process to the organization so that risk assessment and treatment are effective; the criteria define how much risk the organization is willing to take and how risk will be measured and compared.
- Risk assessment. Comprises risk identification, risk analysis and risk evaluation, carried out in a systematic, iterative and collaborative manner.
- Risk treatment. Selects and implements options to deal with the risk, again iteratively: formulate and select treatment options, plan and implement the treatment, evaluate its effectiveness, decide whether the residual risk is acceptable and, if it is not, perform additional treatment.
- Monitoring and review. Assures and improves the quality and effectiveness of the process design, its implementation and its outcomes.
- Recording and reporting. The activities, results and decisions of the risk management process should be documented and reported, among other reasons so that risk management activities can be improved over time.