Monitoring and Review

Introduction

Risk is a dynamic concept, influenced by constantly changing external and internal environments, and project environments typically experience the highest rate of change. Organisations should therefore monitor and review the performance of their risk management process as well as the potential impact of environmental changes. They should also identify emerging risks and monitor changes to the likelihood and impact of risks already identified. Keeping track of the effectiveness and adequacy of existing controls, the associated risk treatment plans and the management processes for controlling their implementation is equally important.

Definition

ISO Guide 73:2009 defines monitoring as "continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected". The same reference defines review as "activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives".

Further definition and guidance on monitoring and review is provided in:
- AS ISO 31000:2018, Risk Management – Guidelines (6.6)
- IEC/ISO 31010:2009, Risk Management – Risk Assessment Techniques (5.6)

Guidance

HB 158—2010, Delivering Assurance Based on ISO 31000:2009 Risk Management Principles and Guidelines provides a guide to assessing the adequacy of the risk management framework and process. It also describes how to use the risk management process to:
- develop a risk-based assurance strategy and program
- plan an assurance engagement
- report on the assurance program
- design controls.

Sources: The content on this page was primarily sourced from the following:
- Material provided by Peter Flanagan, Capital Insight
- ISO Guide 73:2009
- AS ISO 31000:2018, Risk Management – Guidelines
- IEC/ISO 31010:2009, Risk Management – Risk Assessment Techniques
- AS HB 158—2010, Delivering Assurance Based on ISO 31000:2009 Risk Management Principles and Guidelines
Establishing the Context

Introduction

Establishing the context is necessary to customise the risk management process to an organisation's needs and to enable effective risk assessment and appropriate risk treatment. Establishing the context involves:
- defining the purpose and scope of risk management activities, including the relevant objectives
- defining the internal and external context of the organisation
- defining the risk criteria to be used to evaluate the significance of risks and to support decision-making processes.

Definition

ISO Guide 73:2009 defines establishing the context as "defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria (3.3.1.3) for the risk management policy (2.1.2)".

Further definition and guidance on establishing the context is provided in:
- AS ISO 31000:2018, Risk management – Guidelines (6.3)
- IEC/ISO 31010:2009, Risk management – Risk assessment techniques (4.3.3)

Setting the Context for Risk Assessment

For a specific risk assessment, establishing the context should include:
- confirming the purpose and scope, including identification of:
  - the relevant objectives
  - the decisions that need to be made
  - scope inclusions and exclusions
  - appropriate assumptions and the basis of those assumptions
  - relevant stakeholders and the extent of their influence on, and input to, the risk management process
  - appropriate risk assessment tools and techniques
  - required resources
  - required investigations or research
  - interdependencies with other projects, processes or activities
- establishing an understanding of the organisation's internal characteristics and their influence on the management of risk, including organisational values and culture, governance arrangements, policies and procedures, and decision-making processes
- identifying significant factors in the external environment that give rise to uncertainty, including the social, regulatory, cultural, physical, financial and political environment; external stakeholders; and key external organisational drivers
- agreeing the risk criteria to be applied, including consequence and likelihood definitions, the method for determining the level of risk, the criteria for deciding when a risk requires treatment, the effect of risk timeframes (urgency) and existing risk controls, and how combinations of risks will be taken into account.

Sources: The content on this page was primarily sourced from the following:
- Material provided by Peter Flanagan, Capital Insight
- ISO Guide 73:2009
- AS ISO 31000:2018, Risk management – Guidelines
- IEC/ISO 31010:2009, Risk management – Risk assessment techniques