Risks ISO 31000 (1) Uncertainty (2) : Risk Management Is The Identification, Assessment, and Prioritization

Risk management involves identifying, assessing, and prioritizing risks, then applying resources to minimize their impact or probability. It aims to ensure uncertainty does not prevent an organization from achieving its goals. Risks can come from various sources, both negative events and positive opportunities. There are several standards for risk management but methods vary depending on the specific context. Key aspects involve identifying risk sources, strategies for addressing threats and opportunities, and ensuring resources are allocated appropriately.

Uploaded by shyamgopi

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events[1] or to maximize the realization of opportunities. Risk management's objective is to assure that uncertainty does not deflect the endeavor from the business goals.[2]
Risks can come from various sources including uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. Events fall into two types: negative events are classified as risks, while positive events are classified as opportunities. Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO.[3][4] Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.
Risk sources are identified and located in human factor variables, mental states and
decision making as well as infrastructural or technological assets and tangible
variables. The interaction between human factors and tangible aspects of risk
highlights the need to focus closely on human factors as one of the main drivers for
risk management, a "change driver" that comes first of all from the need to know how
humans perform in challenging environments and in the face of risks (Daniele Trevisani,
2007). As the author describes, it is an extremely hard task to be able to apply an
objective and systematic self-observation, and to make a clear and decisive step from
the level of the mere "sensation" that something is going wrong, to the clear
understanding of how, when and where to act. The truth of a problem or risk is often
obfuscated by wrong or incomplete analyses, fake targets, perceptual illusions,
unclear focusing, altered mental states, and lack of good communication and
confrontation of risk management solutions with reliable partners. This makes the
Human Factor aspect of Risk Management sometimes heavier than its tangible and
technological counterpart.[5]
Strategies to manage threats (uncertainties with negative consequences) typically
include avoiding the threat, reducing the negative effect or probability of the threat,
transferring all or part of the threat to another party, and even retaining some or all of
the potential or actual consequences of a particular threat, and the opposites for
opportunities (uncertain future states with benefits).
Certain aspects of many of the risk management standards have come under criticism
for having no measurable improvement on risk, whereas the confidence in estimates
and decisions seems to increase.[1] For example, it has been shown that one in six IT
projects experience cost overruns of 200% on average, and schedule overruns of 70%.
A widely used vocabulary for risk management is defined by ISO Guide 73:2009,
"Risk management. Vocabulary."[3]
In ideal risk management, a prioritization process is followed whereby the risks with
the greatest loss (or impact) and the greatest probability of occurring are handled first,
and risks with lower probability of occurrence and lower loss are handled in
descending order. In practice the process of assessing overall risk can be difficult, and
balancing resources used to mitigate between risks with a high probability of
occurrence but lower loss versus a risk with high loss but lower probability of
occurrence can often be mishandled.
Intangible risk management identifies a new type of a risk that has a 100% probability
of occurring but is ignored by the organization due to a lack of identification ability.
For example, when deficient knowledge is applied to a situation, a knowledge risk
materializes. Relationship risk appears when ineffective collaboration occurs.
Process-engagement risk may be an issue when ineffective operational procedures are
applied. These risks directly reduce the productivity of knowledge workers, decrease
cost-effectiveness, profitability, service, quality, reputation, brand value, and earnings
quality. Intangible risk management allows risk management to create immediate
value from the identification and reduction of risks that reduce productivity.
Risk management also faces difficulties in allocating resources. This is the idea
of opportunity cost. Resources spent on risk management could have been spent on
more profitable activities. Again, ideal risk management minimizes spending (or
manpower or other resources) and also minimizes the negative effects of risks.
According to the definition of risk, risk is the possibility that an event will
occur and adversely affect the achievement of an objective. Therefore, risk itself
involves uncertainty. Risk management frameworks such as COSO ERM can help managers
maintain good control over their risks. Each company may have different internal control
components, which leads to different outcomes. For example, the framework for ERM
components includes Internal Environment, Objective Setting, Event Identification,
Risk Assessment, Risk Response, Control Activities, Information and
Communication, and Monitoring.

Method[edit]
For the most part, these methods consist of the following elements, performed, more
or less, in the following order.
1. identify, characterize threats
2. assess the vulnerability of critical assets to specific threats
3. determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
4. identify ways to reduce those risks
5. prioritize risk reduction measures based on a strategy
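As an added example that is not part of the original document, the prioritization paragraph above and steps 3 to 5 of this method applied to a constructed risk register in Python: expected loss (probability times loss) ranks the risks, an appetite threshold keeps a rare high-loss risk from being buried behind a frequent low-loss risk of equal expected value, and a budgeted greedy strategy picks the reduction measures. All risk names, probabilities, losses, costs and the appetite figure are invented for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood in the period considered (0..1)
    loss: float         # consequence if the event occurs, in money units
    def expected_loss(self): return self.probability * self.loss

@dataclass(frozen=True)
class Measure:
    name: str
    risk: str           # name of the risk this measure treats
    cost: float
    p_after: float      # residual probability once the measure is applied
    loss_after: float   # residual loss once the measure is applied

def rank_risks(risks, appetite=float("inf")):
    """Step 3 of the method: order risks by expected loss (probability x loss).
    A risk whose single-event loss exceeds the appetite is moved to the front, so
    a rare catastrophe is not buried behind frequent small losses of equal EV."""
    key = lambda r: (r.loss <= appetite, -r.expected_loss(), -r.loss)
    return [r.name for r in sorted(risks, key=key)]

def select_measures(risks, measures, budget, appetite=float("inf")):
    """Step 5: fund measures for above-appetite risks first, then greedily by
    expected-loss reduction per unit cost, until the budget is spent."""
    by_name = {r.name: r for r in risks}
    reduction = lambda m: by_name[m.risk].expected_loss() - m.p_after * m.loss_after
    forced = lambda m: by_name[m.risk].loss > appetite
    chosen, spent = [], 0.0
    for m in sorted(measures, key=lambda m: (not forced(m), -reduction(m) / m.cost)):
        if reduction(m) > 0 and spent + m.cost <= budget:
            chosen.append(m.name)
            spent += m.cost
    return chosen, spent

# Constructed sample register: illustrative values, not from any real assessment.
RISKS = [
    Risk("phishing credential theft", 0.70, 50_000),
    Risk("datacentre fire", 0.01, 3_000_000),
    Risk("key supplier insolvency", 0.05, 400_000),
    Risk("laptop lost in transit", 0.90, 5_000),
]
MEASURES = [
    Measure("MFA rollout", "phishing credential theft", 20_000, 0.15, 50_000),
    Measure("suppression + offsite backup", "datacentre fire", 150_000, 0.01, 300_000),
    Measure("second supplier", "key supplier insolvency", 60_000, 0.05, 100_000),
    Measure("full-disk encryption", "laptop lost in transit", 2_000, 0.90, 500),
]
```

With a 200,000 budget the pure expected-value strategy funds three cheap measures and leaves the fire untreated with money to spare, while an appetite of 1,000,000 forces the fire measure first; comparing the two calls shows the balancing problem the text describes.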

Principles of risk management[edit]

The International Organization for Standardization (ISO) identifies the following
principles of risk management:[7]
Risk management should:
- create value: resources expended to mitigate risk should be less than the consequence of inaction
- be an integral part of organizational processes
- be part of the decision making process
- explicitly address uncertainty and assumptions
- be a systematic and structured process
- be based on the best available information
- be tailorable
- take human factors into account
- be transparent and inclusive
- be dynamic, iterative and responsive to change
- be capable of continual improvement and enhancement
- be continually or periodically re-assessed
