UCT RM Module 2 - Notes (Part 2)
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)
Table of contents
1. Introduction (page 3)
2. ISO 31000 (page 3)
2.1 A standardised risk framework (page 5)
2.1.1 External context (page 5)
2.1.2 Internal context (page 5)
2.1.3 Accountability (page 5)
2.1.4 Organisational integration (page 6)
2.1.5 Resources (page 6)
2.1.6 Internal reporting mechanisms (page 6)
2.1.7 External reporting mechanisms (page 7)
2.2 A standardised risk management process (page 7)
2.2.1 Communication and consultation (page 9)
2.2.2 Establishing the context (page 9)
2.2.3 Risk identification (page 11)
2.2.4 Risk analysis (page 11)
2.2.5 Risk evaluation (page 12)
2.2.6 Risk treatment (page 13)
2.2.7 Selecting the relevant risk treatment option (page 15)
2.2.8 Preparing and implementing risk treatment plans (page 15)
2.2.9 Monitoring and review (page 16)
3. Conclusion (page 18)
4. Bibliography (page 18)
Page 2 of 18
Learning outcome:
LO3: Use the ISO 31000 international standard for risk management.
1. Introduction
Risk management practices have systematically been formalised and adopted across various
industries in an attempt to standardise best practices in this field. As mentioned in Part 1,
there are several important documents that assisted in this process of formalisation and
adoption; documents that were drafted specifically to establish risk management as a
distinct and necessary part of business practices. Parts 2 and 3 will give you an overview of
these documents and explain how they impacted risk management practices internationally
and nationally. Further, attention is paid to the way in which risk management practices are
adopted and implemented by organisations in accordance with risk management best
practices.
2. ISO 31000
The International Organisation for Standardisation (ISO) is an international standard-setting
body, with delegates and representatives from various national standards organisations
across the world. It was formed in 1947 with the help of the (then newly formed) United
Nations in order to become a global standardisation institute. The function of this
organisation is to promote worldwide conformity to a common set of standards,
with a specific focus on industrial and commercial pursuits. This is to ensure that
international standards by which individual organisations can be measured exist for all
aspects of industry. ISO standards are continuously updated to reflect changes across
industries worldwide, meaning that standard business practices are constantly developing,
thus allowing organisations to adapt to a changing world.
Figure 1: The icon of the International Organisation for Standardisation. (Source: http://www.iso.org/iso/home.html)
In 2009, ISO 31000 was released as a set of standards related to risk management. The
purpose of ISO 31000 is to provide principles and generic guidelines on the practice of risk
management that can act as the international standard for business pursuits. This is done to
streamline the risk management process, since currently an enormous variety of risk
management standards, methodologies and procedures relating to various industries, fields,
and regions are in existence. ISO 31000 integrates all these practices, resulting in an
implementable international standard for the risk management process.
The focus of ISO 31000 is the incorporation of risk management strategies and procedures
across all aspects of a company in an integrated manner. In the introduction to this set of
standards, the aim is defined as follows: “This International Standard recommends that
organisations develop, implement and continuously improve a framework whose purpose is
to integrate the process for managing risk into the organisation’s overall governance,
strategy and planning, management, reporting process, policies, values and culture.”
Further, ISO 31000 was developed in such a way that any kind of organisation, regardless of
their industry, size or structure, can benefit from implementing the standards it sets forth.
ISO 31000 has a dual focus of setting standards for a risk management framework, and
setting standards for the actual risk management process. The following section draws on
ISO 31000 to give you a comprehensive understanding of the international standard risk
management framework and process. This is essentially a map for all of your risk
management practices, and you should familiarise yourself with this in order to bring your
business’s risk-related activities up to standard.
2.1 A standardised risk framework
The framework within which the risk management process is executed can determine its
efficacy and success. The framework is what allows the process to be embedded into all
aspects of an organisation.
To design a framework that will meet the needs of your organisation, you need to
understand the internal and external context within which your organisation functions, as
these can significantly affect the framework you develop.
• Key drivers and trends that impact on the objectives your organisation has set; and
• Policies and objectives, as well as the strategies you have in place to reach them;
2.1.3 Accountability
Another important aspect of a risk management framework is the accountability systems
that you have in place. An organisation should ensure that those who manage organisational
risks have the authority, the competency and the accountability to do so effectively. To do
this, your organisation should:
• Identify risk owners who are in an appropriate position to manage particular risks;
• Identify the risk management responsibilities of each person at every level of the
organisation; and
This gives your risk management practices a human face. Knowing who is accountable for
the various aspects of planning and implementation assists you in understanding your
process. If you know who is doing what, you can keep track of what is being done.
2.1.5 Resources
Resource allocation towards risk management processes is another aspect of the framework
that benefits from standardisation. If you don’t have strategically allocated resources, you
will not be in a position to respond to risks in a timeous and efficient manner. Resources you
should consider include:
• The material resources necessary for the implementation of your various risk
management processes;
• Information and knowledge management systems that help you streamline your
processes; and
information can be easily informed. An added benefit is that the chosen framework will
constantly be re-evaluated to determine whether it is still effective and meeting its
outcomes. Finally, you should have consultation processes in place, which will allow all
internal risk management process stakeholders to meet and discuss any matters arising from
their duties.
It is important to note that the risk management process should form an integral part of
your management duties (a previously mentioned idea that will also resurface in all of the
further foundational documents discussed). Risk management should not be regarded as a
separate business function, but should rather be integrated into every facet of your
managerial responsibilities. By default, this means that it should also be embedded in your
business’s culture and specifically tailored to the processes and needs of your business. The
ISO standards set out below should be developed in a manner that will make them relevant
and useful within the context of your business as a whole. This overview of the process
should act as a broader guide for you to tailor to the specific requirements of your business.
Figure 2: The ISO 31000 risk management process overview (Source: https://ppl.app.uq.edu.au/content/1.80.01-enterprise-risk-management)
Each step of the process is displayed in this overview. In the centre of the diagram, the area
outlined in blue indicates the actual process of assessing risks, which includes Risk
Identification, Risk Analysis and Risk Evaluation. To the left you will see that each step of the
assessment process relies on the Communication and Consultation process. This means that
before each of the steps in the process, there is an additional communication and
consultation process that needs to be followed in order to keep everyone informed of the
ongoing process.
To the right of the risk assessment steps is a Monitoring and Review process. Again, this
means that for each step in the process, there is a subsequent phase in which the steps are
reviewed and monitored to ensure that everything ran according to plan. The monitoring
and review process is also cyclical, in that it feeds back into the top of the process. In other
words, once your risk assessment process is complete, you feed the information you
gathered from that process back into the process, so that you can learn from mistakes, build
on previous progress and continue to develop your process as you go.
Finally, you will see that above and below the risk management process there are two
contextual steps: Establishing the Context and Risk Treatment. The former involves putting
the whole risk management process into perspective and defining where in your business
activities you will situate the risk management process. The latter refers to the actual
treatment of the risks once all the preceding steps have been completed.
Below you can find an explanation of the various steps in the process as set forth in ISO
31000. This overview was developed as the international standard, and should form a solid
foundation for your own risk management process.
Remember that, ultimately, people make risk management decisions. Their perspectives on
how to manage those risks will differ depending on the quality and quantity of information
they have access to. The best precautionary measure for any business is to ensure that
people are as informed as possible when it is time to make such decisions, and that they
have a breadth of relevant skills and experience. All communication should facilitate
truthful, relevant, coherent and accurate exchanges of information.
• Defining the goals and objectives of your risk management activities, as well as
allocating various responsibilities in your process;
• Defining the depth, breadth and scope of the risk management activities to be
performed;
• Defining your risk assessment methodologies, so that you have a logical system to
assist you in assessing risks;
• Defining the way in which you will measure and evaluate the performance and
effectiveness of your risk management activities so that you know when your risk
management practices are successful;
• Identifying the decisions that you will have to make regarding the risks and how
you will manage them; and
• Identifying the scope and context of any studies you will have to conduct and
information you will have to gather to perform your risk management duties.
If you effectively define and establish the context of your risk management practices within
your business, you will be better equipped to understand the process you have to follow in
order to manage your risks effectively.
• What the causes and consequences of these risks are, and how you will measure
their impact;
• How you will determine the level or severity of risk to attach to each
possibility;
• At what level a risk becomes acceptable to your business, or at what level you
will be able to tolerate it even if it negatively affects you; and
• Whether there are any risks that you should consider in combination, since they can
potentially affect you together or be negated by the same remedies; you must
then also determine how you will consider and address these combinations.
Sections 4.2.1 and 4.2.2 deal with the steps in the process that happen prior to the steps
that follow here. Next, we move into the actual risk assessment part of the process.
2.2.3 Risk identification
Risks that originate from within and outside your organisation should be included in this list,
even if the actual cause or source of the risk is not clear to you. When looking for risks to
identify, you should cast your gaze widely, considering a diverse range of potential
consequences even if their source or cause is not evident to you. The more comprehensive
the list of risks, the better you can prepare yourself with the risk management process. You
should also consider the fact that some consequences may have a knock-on or cascading
effect, where one thing that goes wrong can cause another and another and another, greatly
increasing the damage that can be caused. Any significant causes and consequences should
be considered and no potential risk, no matter how seemingly irrelevant, can be safely
ignored without due consideration.
There are various risk identification tools and techniques that you will be able to use during
this step of the process. You will have to determine which ones are most relevant in which
scenarios to help you identify the risk and its possible outcomes. Another thing to remember
is ensuring that the right people are consulted throughout this step, since they may have
knowledge that can help you to identify further risks or consequences that you may not
foresee. The tools and techniques used to identify risks are discussed in detail in Module 6,
which delves into the practical side of the risk identification process.
2.2.4 Risk analysis
1. The cause and source of the risk. In other words, where is this risk coming from and
what caused it in the first place?
2. The positive and negative consequences of this risk. That is, if this risk actually
happens, what impact, for better or worse, will that have on your business?
3. The probability that any of these consequences will occur. Meaning, what is the
probability that any of the potential consequences you identified end up actually
happening?
While doing the risk analysis you should also keep in mind that these factors are not stable
or stationary influences. The cause or consequence of a risk, or the probability that it
happens, can change or be influenced by other changing factors. This sensitivity to
preconditions can mean that what you think is a small risk with a small probability of
happening, can eventually turn into a significant risk with a high probability of happening.
Importantly, you should ensure that when you inform relevant stakeholders about these
risks, you also inform them of how they are sensitive to changes, as well as which
assumptions you make about them. Since you cannot predict the future with absolute
certainty, you will have to make some assumptions about the risk or its consequences, and it
is important that you explain the assumptive perspective from which you analyse each risk.
This will ensure that other stakeholders understand the context of your analysis and realise
where the margins for error lie.
The actual practice of this analysis entails several possible methods, which you can apply in
varying degrees of detail. Ultimately, though, your analysis will be qualitative,
semi-quantitative, quantitative or a combination of these three, depending on the circumstances
you find yourself in. Furthermore, to analyse the consequences and their probabilities, you
may model the outcomes of a set of events, or make extrapolations from experimental
studies or whatever other data you can gather.
The details of the risk analysis process will be explained in a lot more depth in Module 6,
where you learn exactly how to go about evaluating the risks that you have identified.
2.2.5 Risk evaluation
In practice, evaluating risks means comparing the level of risk found during your analysis
phase with the risk criteria that you established when you determined the context of risk
management within your business. When you know what level of threat a risk poses, and
you know what levels of risk you can and cannot accept, you can determine which of the
risks need to be responded to, and how urgently.
As in the above consideration, the decision you make about each risk here is also influenced
by legislation and regulations that apply to your field, and you should also consider the risk
that external parties will be exposed to as a result of the action you take.
If during this evaluation phase you find that you cannot reach a clear decision, you can also
decide that further analysis is necessary. You may conclude that the best course of action is
to keep the controls and measures in place as they are, and that no further action is
required to address an identified risk. This will all depend on your business’s attitude towards
and appetite for risk.
These three steps above form the Risk Assessment part of the risk management process.
Once the risk has been fully assessed (identified, analysed and evaluated), you can move
onto the next phase, which is risk treatment.
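As an added worked example (not part of the course notes), the following Python carries the analysis, combination-of-risks and evaluation steps above through on a small semi-quantitative risk register. The likelihood and consequence bands, the risk criteria and the sample risks are all constructed for illustration, and the one-band sensitivity probe is one assumed way of operationalising the warning that a decision can flip when preconditions change.

```python
# Added worked example, not part of the course notes: a small semi-quantitative
# risk register that carries the analysis -> evaluation steps through in code.
# Scales, criteria and the sample risks are all constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass, field, replace

# Ordinal bands, constructed here (ISO 31000 does not prescribe a scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    rid: str
    source: str                 # step 1: cause/source of the risk
    effect: str                 # step 2: consequence if it materialises
    likelihood: str             # step 3: probability band (key of LIKELIHOOD)
    impact: str                 # consequence band (key of CONSEQUENCE)
    assumptions: list[str] = field(default_factory=list)
    knock_on: list[str] = field(default_factory=list)  # ids of risks this one can trigger


@dataclass
class RiskCriteria:
    """Risk criteria fixed while establishing the context."""
    tolerable: int   # level at or below which existing controls are simply kept
    urgent: int      # level at or above which treatment must not wait


def level(risk: Risk) -> int:
    """Semi-quantitative level on its own: likelihood band x consequence band (1..25)."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.impact]


def cascade_level(risk: Risk, register: dict[str, Risk]) -> int:
    """Level with knock-on effects considered in combination: the worst consequence
    reachable along the chain of triggered risks, at this risk's own likelihood."""
    worst = CONSEQUENCE[risk.impact]
    seen, stack = set(), list(risk.knock_on)
    while stack:                      # walk the cascade; 'seen' guards against cycles
        rid = stack.pop()
        if rid in seen or rid not in register:
            continue
        seen.add(rid)
        worst = max(worst, CONSEQUENCE[register[rid].impact])
        stack.extend(register[rid].knock_on)
    return LIKELIHOOD[risk.likelihood] * worst


def one_band_worse(scale: dict[str, int], key: str) -> str:
    """Move one band up the scale (capped at the top) to probe sensitivity."""
    by_value = {v: k for k, v in scale.items()}
    return by_value[min(scale[key] + 1, max(scale.values()))]


def decide(lvl: int, criteria: RiskCriteria) -> str:
    """Risk evaluation: compare the analysed level with the risk criteria."""
    if lvl <= criteria.tolerable:
        return "accept (keep existing controls)"
    if lvl >= criteria.urgent:
        return "treat urgently"
    return "treat"


def evaluate(risk: Risk, register: dict[str, Risk], criteria: RiskCriteria) -> dict:
    """Evaluate one risk, flagging decisions that flip when the likelihood
    assumption moves by one band; an 'accept' that flips is not a clear decision."""
    base = cascade_level(risk, register)
    decision = decide(base, criteria)
    probe = replace(risk, likelihood=one_band_worse(LIKELIHOOD, risk.likelihood))
    sensitive = decide(cascade_level(probe, register), criteria) != decision
    if sensitive and decision.startswith("accept"):
        decision = "further analysis needed"
    return {"level": base, "decision": decision, "sensitive": sensitive,
            "assumptions": risk.assumptions}


def evaluate_register(register: dict[str, Risk], criteria: RiskCriteria) -> dict[str, dict]:
    return {rid: evaluate(r, register, criteria) for rid, r in register.items()}


# Constructed sample register and criteria (illustrative values only).
REGISTER = {r.rid: r for r in [
    Risk("R1", "manual certificate renewal", "customer portal outage", "possible", "minor",
         ["renewal is tracked in a spreadsheet"], knock_on=["R2"]),
    Risk("R2", "prolonged portal outage", "SLA penalties to key customers", "unlikely", "major"),
    Risk("R3", "phishing of staff", "credential theft and account takeover", "likely", "severe"),
    Risk("R4", "unpatched internal test server", "foothold on the internal network",
         "unlikely", "moderate", ["server is not reachable from the internet"]),
]}
CRITERIA = RiskCriteria(tolerable=6, urgent=15)
```

Note how R1 is acceptable on its own (level 6) but must be treated once its knock-on effect on R2 is considered, while R4 sits exactly on the tolerable boundary and is flagged for further analysis.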
2.2.6 Risk treatment
The risk treatment process is cyclical in nature, feeding back into itself, keeping the process
constantly repeating. The steps sound simple, but they all require further effort and
attention:
• You must assess the risk treatment option to determine if it will address the risk
sufficiently;
• You must make a decision about whether the levels of risk involved are acceptable
to your business;
• If it is not tolerable, you must alter your treatment option or develop a new one to
address the risk; and
• Assess the efficiency of the new treatment plan, and repeat the above steps until
the risk has been satisfactorily managed.
There is a limited number of treatments that you can implement to address a risk. But they
are neither mutually exclusive, nor are they all viable options for every type of risk. You can use
them to varying degrees as the situation requires to create the most suitable treatment
option. ISO 31000 explicitly says that businesses usually benefit from a combination of these
treatment options, so you are strongly advised to make use of all of them in your risk
management pursuits.
But you should also keep in mind that all of these options require trade-offs. To lesser or
greater degrees, they require resources to implement, and when used ineffectively can not
only waste said resources, but also expose you to the risk they did not help treat. So, it is up
to you to weigh up the benefits and shortcomings of each option, and to then put them,
alone or in conjunction, to their greatest use. The risk treatment options available to you
are:
1. Avoiding the risk entirely by deciding to not pursue it, or to stop performing the
activity that exposes you to the risk in the first place. This is most useful when the
risk is internal, or in your sphere of influence. When you can make the decision
about whether or not the event is a risk to your business, you will be able to avoid it.
An example of this would be deciding not to pursue a specific project or investment because
you determine that it exceeds the level of risk your business can accept, or that the return
is insufficient.
For example, you might choose to invest in a project that has a small probability of success, but
where success would significantly benefit your business. In this case you act in a risk-seeking
manner, determining that the potential benefits are worth the risk.
For example, stopping the production of a certain product if the production thereof is
known to be potentially hazardous, or is negatively affecting your business in some manner.
Another example is withdrawing from a specific investment if that investment is deemed
to be too risky for your business’s risk appetite.
For example, you might allocate more resources and personnel to a specific project if
your current estimates indicate that the probability of successfully completing that project is
too low. More resources and effort, if used correctly, could ensure that the project has
greater chances of success.
An example of this would be that instead of producing 100 units of a risky product, you only
produce 50, thereby limiting the potential negative consequences.
6. Sharing the risk with another party or parties, which includes contracts with external
parties and risk financing mechanisms.
For example, you might take out insurance for a specific risk, so that the negative
consequences are carried by an insurer instead of your business. Taking out fire
insurance means that your insurer will bear the financial burden of a fire on your premises.
Another example is if you outsource a specific function of your business to another
company, say the software development side, so that the task and its associated risks are
handled by an outside party.
For example, you might decide to pursue a project or an investment despite the potential risks
it exposes you to. You would only do this if the risks are negligible, you have contingency
plans in place, or you would be able to weather the effects of the risk without severely
disrupting your business activities.
An example of two options with different levels of acceptability for a stakeholder, say a
shareholder in this case, would be an organisation maximising its profits through exploiting
child labour in the manufacture of goods versus providing a lower return, but investing in a
socially responsible manner.
The treatment plan you devise should also clearly reflect the order of prioritisation that you
attribute to each risk treatment option. So, you should detail which option should be
implemented, to what degree it should be implemented, and with what level of urgency.
Finally, ISO 31000 explains that it is important to remember that a risk treatment option can
expose you to further risks. On the one hand, the failure or ineffectiveness of a risk
treatment option could result in a new, more significant risk arising. The previous risk you
faced could be exacerbated, or a completely different one could arise as a result of the
ineffective treatment. On the other hand, risk treatments can also give rise to secondary
risks, which you will then have to assess, treat, monitor and review. But since these risks are
linked, you should identify and maintain the way in which they are connected, and treat the
secondary risk with the same treatment option you use for the primary risk. They should not
be treated as separate risks, since the one causes the other, so the same plan must be used
to address both. If not, you could find yourself in a position where your risk treatment
options create more risks in need of treatment, prompting you to go through this whole
process anew for each subsequent risk.
implement. This will allow you to monitor and review your risk management efforts with
more accuracy, allowing you to look at the way you manage risks and to then make
adjustments when and where they are necessary. The information you record in the risk
treatment plan should include the following:
• The reason why you chose the treatment options in question, explaining what
benefits you expected to gain;
• Who is responsible and accountable for approving the plan, and who is responsible
for implementing the plan;
• What resources will be required to implement this option, also including whatever
resources will be required for a contingency plan;
• What system you will use to measure the performance of this option and what
constraints are there on your system;
• What requirements will there be for reporting and monitoring on the plan; and
• What the timeline of this option is, as well as the schedule that is being worked to.
These together form the content of the risk treatment plan that you will use to keep all
stakeholders informed. This treatment plan forms part of the greater integrated risk
management processes of your business, and should be shared and discussed with all
relevant stakeholders. They should also be informed of any residual risk that remains after
the completion of the risk treatment, and whatever risk remains should be monitored and
reviewed and, if necessary, treated.
2.2.9 Monitoring and review
Your organisation’s monitoring and review process should focus on every facet of your risk
management process, paying particular attention to the following:
• Ensuring that the controls in place are effective and efficient in the way they were
designed and implemented;
• Finding additional information that can be used to improve your process as you go;
• Analysing and learning from events that transpire, which includes near-misses,
changes in the situation, trends in the market, successes achieved and failures
experienced;
• Detecting changes in the external or internal context as you originally defined it,
including such eventualities as the changing of the risk criteria or the nature of the
risk itself which will subsequently require changes to your risk treatment plan; and
• Identifying any risks that emerge from the implementation of your risk treatment
option.
• The benefits to be gained from re-using information from these actions in the
performance of your managerial duties;
• The cost and effort involved in the creation and maintenance of your records;
• The method by which these records can be accessed, how easy it is to retrieve this
information and how you will store it;
• How long you will keep these records for consultation purposes before they
become obsolete; and
This is then the current international standard for the risk management process. This
detailed overview of the stipulations of ISO 31000 should give you a strong framework for
your risk management activities. Admittedly, this is an intricate process, especially since it is
ongoing. But if you develop your risk management process to ensure that it incorporates all
of the aforementioned steps and factors, you will match up to international standards.
Consequently, your business will become more robust, able to adapt and survive, even
thrive, because you have an effective risk management system in place to guide you through
times of uncertainty.
Note:
All of the steps of the process will be fleshed out in the modules to come. This is important,
because you will need to understand exactly what each of the steps entails in practice in
order to perform them effectively. So whereas this is the overview of the process, the
practical details are still to come.
3. Conclusion
The discussion on ISO 31000 provides insight into a clear model on which you can build your
own risk management system. If you think back on the framework and process as laid out in
ISO 31000 you will remember that your risk management system should include the
following steps:
• Establishing context
• Identifying risks
• Analysing risks
• Evaluating risks
• Treating risks
In Part 2 of the notes you found out how ISO 31000 established the international standard
risk management procedures and the specifics of the framework and process it formalised.
In Part 3 you will cover the important role of the highly regarded King reports, as well as the
purpose of the Committee of Sponsoring Organisations of the Treadway Commission
(COSO), in the adoption of effective risk management strategies globally.
4. Bibliography
COSO. 2015. The Committee of Sponsoring Organisations of the Treadway Commission. Available: http://www.coso.org/ [2015, 8 October].
The King III report. 2015. The King Committee on Corporate Governance. Available: https://www.saica.co.za/Technical/LegalandGovernance/King/tabid/2938/language/en-ZA/Default.aspx [2015, 8 October].