This is the third post in a five-part series from an article first published in the June 2016 issue of MultiLingual magazine and reproduced here with their permission.
The second part, already published, presented the Project Management Institute (PMI) approach; this part deals with the generic framework provided by the ISO 31000 standard.
The ISO 31000 approach
The standard ISO 31000:2009 ‘Risk management — Principles and guidelines’ was issued by the International Organization for Standardization (ISO) with the purpose of providing “the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.” It is, therefore, not specific to any industry or sector.
This standard defines risk as the effect of uncertainty on objectives, where an effect is a deviation from what is expected and may be negative, positive or both. Uncertainty is defined as a deficiency of information, understanding or knowledge of an event, its consequences or its likelihood.
Risk management includes the coordinated activities to direct and control an organization with regard to risk. It is based on a risk management framework, the purpose of which is to integrate the process for managing risk into the organization’s overall governance, strategy and planning, management, reporting processes, policies, values and culture.
The standard describes the relationship among three elements:
a set of principles that need to be satisfied to make risk management effective,
the risk management framework that embeds risk management in the organization, and
the risk management process displayed in figure 3 and defined below.
Communication and consultation with external and internal stakeholders should take place during all stages of risk management. They should address the risks, their causes and consequences, and the measures taken to treat them. Stakeholders make judgements based on their perceptions of risk.
Establishing the context enables the organization to articulate its objectives, risk management parameters and the scope and risk criteria for the remaining process. This is similar to the PMI’s plan risk management process.
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. Each one of these processes is described below:
Risk identification is very similar to the PMI’s Identify Risks process described in part two.
Risk analysis involves developing an understanding of the risk in order to provide an input to risk evaluation. It is similar to the PMI’s qualitative and quantitative analysis processes.
Risk evaluation aims to assist in making decisions based on the outcomes of risk analysis, defining which risks need treatment and the prioritization of treatment implementation.
Risk treatment involves selecting one or more options for modifying risks and implementing those options. It is similar to PMI’s plan risk responses process.
Monitoring and review is similar to PMI’s control risk process.