Risk is a dynamic concept that is influenced by constantly changing external and internal environments – with project environments typically experiencing the highest rate of change. Therefore, organisations should monitor and review the performance of their risk management process as well as the potential impact of environmental changes.
Organisations should also identify emerging risks and monitor changes to the likelihood and impact of identified risks. Keeping track of the effectiveness and adequacy of existing controls, associated risk treatment plans and the management processes for controlling their implementation is also important.
ISO Guide 73:2009 defines monitoring as “continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected”.
The same reference defines review as “activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives”.
Further definitions of, and guidance on, monitoring and review are provided in:
- AS ISO 31000:2018, Risk Management – Guidelines (6.6)
- IEC/ISO 31010:2009, Risk Management – Risk Assessment Techniques (5.6)
HB 158-2010, Delivering Assurance Based on ISO 31000:2009 Risk Management Principles and Guidelines, provides a guide to assessing the adequacy of the risk management framework and process.
It also describes how to use the risk management process to:
- develop a risk-based assurance strategy and program
- plan an assurance engagement
- report the assurance program
- design controls.
The content on this page was primarily sourced from the following: