Managing uncertainty has become an essential part of ordinary organisational governance. Today there are a number of recognised international and national standards dealing with risk management. Sometimes risk planning produces poor outcomes.
1. Risk Management Standard ISO 31000:2009 – Principles and guidelines on risk management
This is the world standard on risk. Risk is defined as the “effect of uncertainty on objectives” – emphasising the effect rather than an event. For example, risk is not an earthquake but the chance that an earthquake might impact your business’s objectives. Risk is not necessarily negative (to be avoided or passed on to others). Risk may create strategic opportunities.
Risks may not just arise from sudden unexpected circumstances – some of the circumstances may be entrenched or slow-emerging – some may be internal or specific to your organisation, some may be widespread. However, in every case, risk must be related to the circumstances of your organisation.
The standard emphasises the need for risk to be managed in an integrated way. It consists of principles for managing risk, a framework for managing risk, and processes for managing risks.
The principles stress the need for risk management to:
1. create value
2. be an integral part of organisational processes
3. be part of decision making
4. explicitly address uncertainty
5. be systematic, structured and timely
6. be based on the best available information
7. be aligned to a specific organisation and its objectives
8. take human and cultural factors into account
9. be transparent and inclusive
10. be dynamic, iterative and responsive
11. facilitate continual improvement
The framework for managing risk emphasises the need for the framework to be mandated and committed to. If these conditions are met, the framework proceeds through a cycle of design, implementation, monitoring and continual improvement. The framework sets policy, demonstrates commitment, provides resources, allocates responsibility and monitors progress.
The processes for managing risk emphasise communication and consultation as essential means of ensuring high quality information. Risk assessment (risk identification, analysis and evaluation) occurs within a specific context and results in the treatment of the risk.
Core to this is the risk assessment methodology:
1. Identification: What could happen? How and where could it happen? Why could it happen? What is the impact or potential impact?
2. Analysis: Identify the causes, contributing factors and actual or potential consequences; identify existing or current controls; assess the likelihood and impact/consequence to determine the risk rating.
3. Evaluation: Is the risk acceptable or unacceptable? Does the risk need treatment or further action? Do the opportunities outweigh the threats?
Specific guidance is provided for Enterprise Risk Management and how risk should sit within an organisational framework. ISO 31000:2009 provides basic guidelines for establishing whole-of-enterprise risk management processes. Risk may be managed through a number of strategies, including risk avoidance, sharing, financing, retention, acceptance or mitigation. These management strategies may include clear risk management statements, formalising risk management processes, structuring framework processes and continuous improvement.
A preferential list is given for managing risk:
1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
2. Accepting or increasing the risk in order to pursue an opportunity
3. Removing the risk source
4. Changing the likelihood
5. Changing the consequences
6. Sharing the risk with another party or parties (including contracts and risk financing)
7. Retaining the risk by informed decision
Because of the different circumstances in which risk can arise, the standard does not mandate uniformity or certification. Released by the International Organisation for Standardisation (ISO) on 15 November 2009.
2. AS/NZS ISO 31000:2009 – Risk management – Principles and guidelines (20 November, 2009)
Direct adoption of Risk Management Standard ISO 31000:2009 by Standards Australia. Replaces AS/NZS 4360 (1995), Risk Management (similar in many respects; however, the older standard defined risks in terms of events rather than effects).
3. ISO Guide 73:2009 – Risk management – Vocabulary (15 November, 2009)
Provides definitions of generic terms related to risk management.
4. IEC/ISO 31010:2009 – Risk Management – Risk Assessment Techniques (1 December, 2009)
Guidance on the selection and application of systematic techniques for risk assessment. Refers to other international standards.
5. HB 327:2010 – Communicating and consulting about risk (23 February, 2010)
A companion handbook to AS/NZS ISO 31000:2009 emphasising the importance of continuous communication and consultation as part of risk management. It considers how the flow of knowledge is impacted by the mix of facts, uncertainties, perceptions, complexities, beliefs and values.
6. AS/NZS 5050:2010 Business continuity – Managing disruption-related risk (28 June, 2010)
This standard sets out detailed proposals for risk management plans designed to reduce events that could cause disruption. It emphasises mandate and commitment, monitoring and review, and the continual improvement of the framework. The approach increases resilience, aimed at stabilisation, resumption, recovery, opportunities and assumption of new risk.
It emphasises the need to undertake proactive risk treatment and preparation during periods of routine management, before a risk event is identified. These proactive controls can minimise the occurrence or severity of future disruptive events (eg, building evacuation drills, off-site computer backups). Once an event commences, non-routine management techniques need to be embraced, emphasising stability, continuance of critical business functions and recovery, during the transition back to routine management.
Adoption of an effective plan can demonstrate dependability to stakeholders, give a better understanding of the business and its opportunities, protect commercial interests, protect customers, allow further risk to be accepted and keep the organisation compliant. The standard contributed to a better understanding of non-routine management, including a better understanding of the potential for disruption and the need to remain focussed on business objectives.
7. HB 266:2010 – Guide for managing risk in not-for-profit organisations (12 August, 2010)
A companion handbook to AS/NZS ISO 31000:2009 dealing with risk in not-for-profit organisations.
8. HB 246:2010 – Guidelines for managing risk in sport and recreation organisations (18 August, 2010)
A companion handbook to AS/NZS ISO 31000:2009 dealing with risk in sport and recreation organisations.
Critique
ISO 31000:2009 and the related standards provide a sensible, basic and generic framework for risk management planning. They provide a basis for categorising some risk types and planning to deal with risks.
However, as witnessed by the need for a subsequent standard dealing with disruption-related risk (AS/NZS 5050:2010 Business continuity), this is still a developing area and there remains debate about how the standards will change over time.
The existing standards give insufficient emphasis to undertaking proactive action before risks emerge. Further, while useful tools have emerged as a result of ISO 31000:2009, the reports generated using it all too often end up collecting dust.
Peter Quinton
Palerang
October 2014