Establishing the context is necessary to customise the risk management process to meet an organisation's needs and enable effective risk assessment and appropriate risk treatment.
Establishing the context involves:
- defining the purpose and scope of risk management activities, including relevant objectives
- defining the internal and external context of the organisation
- defining the risk criteria to be used to evaluate the significance of risks and to support decision-making processes.
ISO Guide 73:2009 defines establishing the context as “defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria (188.8.131.52) for the risk management policy (2.1.2)”.
Further definition and guidance on establishing the context is provided in:
- AS ISO 31000:2018, Risk management – Guidelines (6.3)
- IEC/ISO 31010:2009, Risk management – Risk assessment techniques (4.3.3)
Setting the Context for Risk Assessment
For a specific risk assessment, establishing the context should include:
confirming the purpose and scope, including identification of:
- the relevant objectives
- the decisions that need to be made
- scope inclusions and exclusions
- appropriate assumptions and the basis of those assumptions
- relevant stakeholders and the extent of their influence on, and input to, the risk management process
- appropriate risk assessment tools and techniques
- required resources
- required investigations or research
- interdependencies with other projects, processes or activities.
- establishing an understanding of an organisation’s internal characteristics and their influence on the management of risk, including organisational values and culture, governance arrangements, policies and procedures, and decision-making processes
- identifying significant factors in the external environment that give rise to uncertainty, including the social, regulatory, cultural, physical, financial and political environment; external stakeholders; and key external organisational drivers
- agreement on the risk criteria to be applied – including consequence and likelihood definitions, method for determining the level of risk, criteria for deciding when a risk requires treatment, the impact of risk timeframes (urgency) and existing risk controls, and how combinations of risks will be taken into account.
The content on this page was primarily sourced from the following:
- Material provided by Peter Flanagan, Capital Insight
- ISO Guide 73:2009
- AS ISO 31000:2018, Risk management – Guidelines
- IEC/ISO 31010:2009, Risk management – Risk assessment techniques