When Recognition Matters WHITEPAPER ISO 31000 RISK MANAGEMENT PRINCIPLES AND GUIDELINES. www.pecb.com

Similar documents
This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

Risk Management Basics - ISO Standard. Louis Kunimatsu, CRISC IT Security & Strategy, Ford Motor Company

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

Disclosure to Promote the Right To Information

ISO 31000: ISO/IEC & ISO Guide 73: New Standards for the Management of Risk

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

ISO/IEC 27001:2013 Your implementation guide

Risk, Risk Assessments and Risk Management. Christopher Bowler CPA, CISA August 10, 2015

Enterprise Risk Management: Taking the First Steps

Risk Management Policy Adopted by:

Information Security Management Systems

Commonwealth Risk Management Policy

TG TRANSITIONAL GUIDELINES FOR ISO/IEC :2015, ISO 9001:2015 and ISO 14001:2015 CERTIFICATION BODIES

Risk Management Policy

APES 325 Risk Management for Firms

Understanding Enterprise Risk Management. Presented by Dorothy Gjerdrum Arthur J Gallagher

Confident in our Future, Risk Management Policy Statement and Strategy

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

Foreword Introduction - The Global Food Safety Initiative (GFSI) Scope Section Overview Normative References...

NEW SCHEME FOR THE INFORMATION SECURITY MANAGEMENT WITH ISO 27001:2013

ISO 9001:2015 Your implementation guide

Risk Management Policy

Need to protect your information? Take action with BSI s ISO/IEC

ISO 14001:2015 How your ISO audit will be different. Whitepaper

ISO 9001: 2008 Boosting quality to differentiate yourself from the competition. xxxx November 2008

Avondale College Limited Enterprise Risk Management Framework

ISO & ISO Legal Compliance Know Your Risk - Reduce your Risk"

Risk management systems of responsible entities

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

Risk Management Policy

IRAP Policy and Procedures up to date as of 16 September 2014.

Qualification details

Need to protect your business from potential disruption? Prepare for the unexpected with ISO

V1.0 - Eurojuris ISO 9001:2008 Certified

Title: Rio Tinto management system

POLICY. Number: Title: Enterprise Risk Management. Authorization

Integrated Risk Management Policy

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

FSSC Q. Certification module for food quality in compliance with ISO 9001:2008. Quality module REQUIREMENTS

Preparing yourself for ISO/IEC

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices

In this document you will find additional information on each plug in by clicking the appropriate box.

Fraud Risk Management

Enterprise Risk Management Framework Strengthening our commitment to risk management

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

ISO/IEC/IEEE The New International Software Testing Standards

National Institute of Justice

Solihull Clinical Commissioning Group

Training Catalogue

ISO 14001: White Paper on the Changes to the ISO Standard on Environmental Management Systems JULY 2015

ISO 9001:2015 Overview of the Revised International Standard

Log management and ISO 27001

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

Contact address: Global Food Safety Initiative Foundation c/o The Consumer Goods Forum 22/24 rue du Gouverneur Général Eboué Issy-les-Moulineaux

BSO Board Director of Human Resources & Corporate Services Business Continuity Policy. 28 February 2012

Chapter 2 ISO 9001:2008 QMS

Information technology Security techniques Information security management systems Overview and vocabulary

Risk Management Policy and Process Guide

IFAD Policy on Enterprise Risk Management

ISO 14001:2004 vs. ISO 14001:2015

Space project management

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report

Voluntary Certification Scheme for Traditional Health Practitioner

Business Continuity Policy. Version 1.0

IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems

Business Continuity Management

Corporate Governance and Enterprise Risk Management Derek Jackson, Senior Manager 5 September 2005

Overview of GFSI and Accredited Certification

PRINCE2:2009 Glossary of Terms (English)

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

ASTRAZENECA GLOBAL POLICY SAFETY, HEALTH AND ENVIRONMENT (SHE)

Project Management (PMI Based)

Corporate Risk Management Policy

The Lowitja Institute Risk Management Plan

Leveraging Effective Risk Management and Internal Control

IAF Mandatory Document

Bawden Contracting Services Ltd Job Profile. Contracts Manager. Purpose of the Job

ISO 14001:2015 Client Transition Checklist

RISK MANAGEMENT FRAMEWORK

Xavier Catholic College Risk Management - Policy & Procedure

ISO 9001:2015 Revision Frequently Asked Questions

BUSINESS CONTINUITY POLICY

ISO and SANAS guidelines for use of reference materials and PT scheme participation Shadrack Phophi

International Accreditation Forum, Inc.

WINS QMS Quality Management System Manual. WINS PROPRIETARY INFORMATION Rev.12.0

A Risk Management Standard

ISO Revisions Whitepaper

ISO 9001:2008 Quality Management System Requirements (Third Revision)

of bioenergy and actions

GENERIC STANDARDS CUSTOMER RELATIONSHIPS FURTHER EXCELLENCE CUSTOMISED SOLUTIONS INDUSTRY STANDARDS TRAINING SERVICES THE ROUTE TO

Achieve. Performance objectives

IAF Mandatory Document

Competency Unit: Exemplar Global SCY Security Management Systems Auditing

How to manage the transition successfully ISO 9001:2015 TOP MANAGEMENT - QUALITY MANAGERS TECHNICAL GUIDE. Move Forward with Confidence

BUILD YOUR CYBERSECURITY SKILLS WITH NRB

Transcription:

When Recognition Matters WHITEPAPER ISO 31000 RISK MANAGEMENT PRINCIPLES AND GUIDELINES www.pecb.com

CONTENT 3 4 4 5 7 7 7 7 8 Introduction An overview of ISO 31000:2009 Structure of ISO 31000:2009 Key clauses of ISO 31000:2009 Link between iso 31000 and other standards Link with ISO 27005 Risk Management The Business Benefits Implementation of Risk Management with PECB Risk Management Framework Training and certification of professionals PRINCIPAL AUTHORS Eric LACHAPELLE, PECB Besnik HUNDOZI, PECB 2 ISO 31000 // RISK MANAGEMENT PRINCIPLES AND GUIDELINES

INTRODUCTION ISO 31000 is an international standard issued in 2009 by ISO (International Organization for Standardization), and it is intended to serve as a guide for the design, implementation and maintenance of risk management. All types and sizes of organizations face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization s objectives is risk. Risk is involved in any activity of an organization. ISO 31000:2009 describes a systematic and logical process, during which organizations manage risk by identifying it, analyzing and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities. RISK Effect of uncertainty on objectives 1. Positive view Potential gain 2. Neutral view Probability of events RISK 3. Negative view Harmful event ISO 31000 // RISK MANAGEMENT PRINCIPLES AND GUIDELINES 3

AN OVERVIEW OF ISO 31000:2009 ISO 31000 provides principles and generic guidelines to assist organizations in establishing, implementing, operating, maintaining and continually improving their risk management framework. It is not specific to any industry or sector, so it can be used by any public, private or community enterprise, association, group or individual. This standard can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. This standard is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed. WHAT IS RISK MANAGEMENT? Risk management is defined as a set of coordinated activities to direct and control an organization with regard to risk. STRUCTURE OF ISO 31000 This figure shows the relationships between the risk management principles, framework and process. Risk assessment a) Creates and protects calue b) Integral part of organizational processes c) Part of decision makring d) Explicitly addresses uncertaingy e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Take human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative nad resoinsive to change k) Facilitates continual improvement and enhancement of the organaization Continual improvement of the framework (4.6) Mandate and commitment (4.2) Design of framework for managing risk (4.3) Monitoring and riview of the framework (4.5) Implementing risk managment (4.4) Communication and consultion (52) Establishing the context (5.3) Risk identification (5.4.2) Risk analysis (5.4.3) Risk evalution (5.4.4) Risk treatment (5.5) Monitoring and review (5.6) Principles (clause3) Framework (clause 4) Process (clause 5) 4 ISO 31000 // RISK MANAGEMENT PRINCIPLES AND GUIDELINES

KEY CLAUSES OF ISO 31000:2009 ISO 31000 is organized into the following main clauses: Clause 3: Principles Clause 4: Framework Clause 5: Process Each of these key activities is listed below. CLAUSE 3: PRINCIPLES OF RISK MANAGEMENT In order to have an effective risk management, an organization has to comply with these 11 principles. 1. Risk management creates and protects value; 2. Risk management is an integral part of all organizational processes; 3. Risk management is part of decision making; 4. Risk management explicitly addresses uncertainty; 5. Risk management is systematic, structured and timely; 6. Risk management is based on the best available information; 7. Risk management is tailored; 8. Risk management takes human and cultural factors into account; 9. Risk management is transparent and inclusive; 10. Risk management is dynamic, iterative and responsive to change; 11. Risk management facilitates continual improvement of the organization. ISO 31000 // RISK MANAGEMENT PRINCIPLES AND GUIDELINES 5

CLAUSE 4: FRAMEWORK ISO 31000 states that the success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements what will embed it throughout the organization at all levels. The framework: assists in managing risks effectively through the application of the risk management process; ensures that information about risk derived from the risk management process is adequately reported; and ensures that these information is used as a basis for decision making and accountability at all relevant organizational levels. This clause describes the necessary components of the framework for managing risk and the way in which they interrelate in an iterative manner. Mandate and commitment: Management of the organization needs to demonstrate a strong and sustained commitment to risk management by defining risk management policy, objectives, ensuring legal and regulatory compliance, ensuring necessary resources are allocated to risk management, communicating the benefits of risk management to all stakeholders. Design of framework for managing risk: Before the implementation, the organization must design a framework for managing risk. This includes: Understanding of the organization and its context Establishing risk management policy Ensuring accountability, authority and appropriate competence for risk management Integrating risk management into organizational processes Allocating appropriate resources Establishing internal and external communication and reporting mechanisms Implementing risk management: The organization must implement the framework for managing risk and risk management process. Monitoring and review of the framework: To ensure effectiveness of the risk management the organization should measure risk management performance and progress, review whether the risk management framework, policy and plan are still appropriate and review the effectiveness of the risk management framework. Continual improvement of the framework: Based on results of monitoring and review, decisions should be made on how the risk management framework, policy and plan can be improved. Risk assessment: Risk assessment is the overall process of risk identification, analysis and evaluation. Risk identification: Through applying risk identification tools and techniques, the organization should identify risk sources, areas of impacts, events and causes, and their potential consequences. Risk analysis: Risk analysis involves the development of understanding of the risk, consideration of the causes and risk sources, their positive and negative consequences, the likelihood that those consequences can occur, provides an input to risk evaluation and decision whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk evaluation: The purpose of this step is to assist in decision making about which risks need treatment and priority for treatment implementation. Risk treatment: Risk treatment options should be selected based on the outcome of the risk assessment, the expected cost for implementing and benefiting from these options. 6 ISO 31000 // RISK MANAGEMENT PRINCIPLES AND GUIDELINES

Monitoring and review: Monitoring and review can be periodic or ad hoc, and should be a planned part of the risk management process. Recording the risk management process: Risk management activities should be traceable. In the risk management process, records provide the foundation for improvement in methods and tool, as well as in the overall process. CLAUSE 5: PROCESS ISO 31000 states that the success of risk management will depend on the effectiveness of the management The risk management process should be: An integral part of management; Embedded in the culture and practices; Tailored to the business processes of the organization. Risk management process comprises the following activities: Communication and consultation: Communication and consultation with external and internal stakeholders should take place during all stages of the risk management process. Establishing the context: By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process. LINK BETWEEN ISO 31000 AND OTHER STANDARDS ISO 31000 can be easily linked with other Risk Management standards, like ISO Guide 73:2009 Risk management vocabulary, and ISO/IEC 31010:2009 Risk management Risk assessment techniques. ISO/IEC 31010 is a supporting standard for ISO 31000 and provides guidance on selection and application of systematic techniques for risk assessment. LINK WITH ISO 27005 Based on the ISO 31000 framework, the ISO 27005 standard explains in detail how to conduct a risk assessment and a risk treatment, within the context of information security. RISK MANAGEMENT THE BUSINESS BENEFITS As with all major undertakings within an organization, it is essential to gain the backing and sponsorship of executive management. By far the best way to achieve this, rather than through highlighting the negative aspects of not having risk management, is to illustrate the positive gains of having an effective risk management framework in place. Risk management allows an organization to ensure that it knows and understands the risks it faces. The adoption of an effective risk management process within an organization will have benefits in a number of areas, examples of which include: Increased likelihood of achieving objectives Encouraged proactive management Awareness of the need to identify and treat risk throughout the organization Improved identification of opportunities and threats Compliance with relevant legal and regulatory requirements and international norms Improved mandatory and voluntary reporting Improved governance Improved stakeholder confidence and trust Establishment of a reliable basis for decision making and planning Improved controls Effective allocation and use of resources for risk treatment ISO 31000 // RISK MANAGEMENT PRINCIPLES AND GUIDELINES 7

Risk Assessment 3. Risk Identification 4. Risk Analysis 5. Risk Evaluation 6. Risk Treatment 1. Risk Management Framework 2. Context Establishment 3.1. Identification of sources of risk, events and consequences 4.1. Assessment of consequences 4.2. Assessment of incident likelihood 4.3. Level or risk determination 5.1 Evaluation of levels of risk based on risk evalution criteria 6.1 Risk treatment options 6.2 Risk treatment plan 6.3 Evaluation of residual risk 7. Risk Communication and Consultation 8. Risk Monitoring and Review IMPLEMENTATION OF RISK MANAGEMENT WITH PECB RISK MANAGEMENT FRAMEWORK Making the decision to implement a risk management framework based on ISO 31000 is often a very simple one, as the benefits are well documented. By following a structured and effective methodology, an organization can be sure to cover all minimum practices required for the implementation of risk management programme. There is no single blueprint for implementing ISO 31000 that will work for every company, but there are some common steps that will allow you to balance the often conflicting requirements and prepare you for a successful certification audit. PECB has developed a framework for risk management. It is called PECB Risk Management Framework and is based on applicable best practices. TRAINING AND CERTIFICATION OF PROFESSIONALS PECB has created a recommended training roadmap and a number of personnel certification schemes for managers of an organization that wishes to demonstrate compliance to ISO 31000. Although ISO 31000 is not intended to be used as a basis for certification of organizations, some of them are practicing it as it provides evidence that they developed standardized processes based on best practices. Certification of individuals serves as a documented evidence of professional competencies and experience for/of those individuals that has previously attended the related courses and exam. 8 ISO 31000 // RISK MANAGEMENT PRINCIPLES AND GUIDELINES

It serves to demonstrate that the certified professional holds defined competencies based on best practices. It also allows organizations to make an informed selection of employees or services based on the competencies that are represented by the certification designation. Finally, it provides incentives to the professional to constantly improve his/her skills and knowledge and serves as a tool for employers to ensure that training and awareness have been effective. PECB training courses are offered globally through a network of authorized training providers and they are available in several languages. The table below gives a short description on PECB s official training courses for risk management based on ISO 31000. Training title Short description Who should attend? ISO 31000 Introduction ISO 31000 Risk Manager One day training Introduction to concepts of risk management Does not lead to certification Three day training Manage the implementation and management of risk management framework 2 hour exam Practitioners wanting to understand ISO 31000 and gain a deeper knowledge of the risk management processes as described in the international standard Staff involved in any stage of risk management program Risk managers Business Process Owners Business Finance Managers Business Risk Managers Regulatory Compliance Managers Project Management CHOOSING THE RIGHT CERTIFICATION: The certified ISO 31000 Risk Manager credential is a professional certification for professionals needing to demonstrate the competence to implement, maintain and manage a risk management program according to ISO 31000. Credential Exam Professional experience Risk assessment experience Provisional Risk Manager Certified ISO 31000 Risk Manager Exam None None Risk Manager Certified ISO 31000 Risk Manager Exam Two years One year of risk management related work experience Risk management activities totaling 200 hours ISO 31000 // RISK MANAGEMENT PRINCIPLES AND GUIDELINES 9

+1-844-426-7322 customer@pecb.com Customer Service www.pecb.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information