
The ISO 31000 standard - Risk Engineering


… Co-operate with management on incident investigations

4. RM responsibilities for the risk manager:
- Develop the risk management policy and keep it up to date
- Document the internal risk policies and structures
- Co-ordinate the risk management (and internal control) activities
- Compile risk information and prepare reports for the Board


Transcription of The ISO 31000 standard - Risk Engineering

The ISO 31000 standard on risk management
Eric

"Govern well thy appetite, lest Sin
Surprise thee, and her black attendant Death."
John Milton, Paradise Lost

The ISO 31000 standard (2/30)
- An international standard that provides principles and guidelines for effective risk management
  - published in 2009, revised in 2018
- Generic approach: not specific to any industry or sector
  - can be applied to any type of risk (financial, technological, natural, project)
  - can be applied to any type of organization
- A brief standard (24 pages)
- Provides foundations for discussing risk management and undertaking a critical review of an organization's risk management process

The ISO 31000 standard: scope (3/30)
Includes:
- definitions and terms relevant to risk management
- a set of principles that inform effective risk management
- recommendations for establishing a risk management framework
- recommendations for establishing a risk management process
Does not include:
- detailed instructions/guidance on how to manage specific risks
- advice relevant to any specific domain
- any elements related to certification

Related standards (4/30)
- The International Organization for Standardization (ISO) is an international, membership-based NGO based in Geneva, represented in 165 member countries; it has published over 19 000 international standards
- ISO Guide 73:2009 on Risk management: Vocabulary. Provides definitions for commonly used terminology in risk management and risk assessment
- ISO 31004:2013 on Risk management: Guidance for the implementation of ISO 31000. How do I implement ISO 31000 in my organization?
- ISO 31010:2009 on Risk management: Risk assessment techniques. Guidance on selecting and applying systematic techniques for risk assessment

Background to development of ISO 31000 standard (5/30)
- The COSO framework on Enterprise Risk Management: mostly internal control/auditing; sees risk management primarily as a compliance activity
  - ISO 31000 sees risk management as a strategic process for making risk-adjusted decisions
- The Australian/New Zealand risk management standard, AS/NZS 4360
- Work started on ISO 31000 in 2005, using AS/NZS 4360 as a first draft
  - consensus-driven process with input from risk management professionals around the world
  - standard published in 2009, well received by critics
  - revised version published in 2018 (simplifications)

Some controversy in the standard's creation (6/30)
- The IEC Advisory Committee on Safety removed its support from the ISO working group, arguing that:
  - safety risks are a special case and should be excluded from a general-purpose risk management process
  - any risk to people is unacceptable
- Position of the ISO working group on risk:
  - most human activities lead to some safety risks
  - a uniform process for managing risks is useful
IEC: International Electrotechnical Commission
Source: Purdy (2010). ISO 31000:2009, Setting a new standard for risk management, Risk Analysis 30:6

New notions in the ISO 31000 standard (7/30)

What's new? (8/30)
- A new definition of risk
- The notion of risk appetite
- The risk management framework
- A management philosophy where risk management is an inseparable aspect of managing change and other forms of decision-making

The classical definition of risk (9/30)
Risk: a combination of the probability and scope of the consequences.

(ISO risk management vocabulary, 2002)
More precisely, after Kaplan and Garrick, we ask:
- What can go wrong?
- How likely is it to go wrong?
- If it does go wrong, what are the consequences?
Further reading: Kaplan & Garrick (1984), On the quantitative definition of risk, Risk Analysis 1:1

The classical definition of risk: example (10/30)

| Scenario               | Annual probability | Consequences                               |
|------------------------|--------------------|--------------------------------------------|
| Fire on tank           | 10⁻⁴               | 3 killed, 20 M loss                        |
| Fire on tank           | 10⁻⁴               | 1 injured, 20 M loss                       |
| Small leak on pipe D3  | 10⁻³               | 1 M equivalent of environmental damage     |
| Large leak on pipe D1  | 10⁻³               | 20 M equivalent of environmental damage    |

The risk on this installation is the set of all the lines in this table.

Classical definition and financial risks (11/30)
- Risk = set of triples ⟨scenario, probability, consequence⟩
- For financial risks (where consequences can all uncontroversially be expressed in monetary units), the set of triples can be converted into a single number, which is then the mathematical expectation of the total loss:
  Risk = Σ_i probability(scenario_i) × consequence_i
- This definition also works when some consequences are positive

Classical definition and safety risks (12/30)
- Place each scenario in your organization's risk matrix, according to its probability and level of consequences
- Check whether the sum of possible outcomes is acceptable
- Risk matrix (figure): frequency axis from "very infrequent", "infrequent", "fairly frequent", "frequent" to "very frequent"; consequence axis from "small", "medium", "large", "very large" to "catastrophic"; regions labelled "Acceptable" and "risks as low as reasonably practicable" (ALARP)
- For safety risks, all consequences are negative

A new definition of risk (13/30)
Risk: the effect of uncertainty on an organization's ability to meet its objectives
- Effect: an effect is a deviation from what was expected, which can be positive or negative. Safety risks are generally negative (losses, deaths, pollution).
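Before continuing with the ISO 31000 definition, here is a worked example of the classical definition from slides 10 to 12: the installation's scenario table as a set of ⟨scenario, probability, consequence⟩ triples, aggregated once as the expected total loss (financial view, including a constructed case with a positive outcome) and once by placing each scenario in a frequency/severity matrix (safety view). This is added example code, not part of the original slides or of ISO 31000; the numeric bin edges of the matrix, the ranking of human harm on the severity axis and the acceptable / ALARP / unacceptable regions are constructed assumptions, and the project scenarios are invented.

```python
"""Classical (Kaplan & Garrick) definition of risk as a set of triples
<scenario, probability, consequence>, aggregated two ways:
- financial view: one number, the expected total outcome (sum of p_i * c_i);
- safety view: each scenario placed in a frequency / severity risk matrix.
Added example; matrix thresholds and regions are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float    # p_i
    monetary_consequence: float  # c_i in M (millions); negative = loss, positive = gain
    harm: str = ""               # non-monetary consequence, e.g. "3 killed"


# Scenarios from the slide's example table (losses entered as negative values).
INSTALLATION = [
    Scenario("Fire on tank", 1e-4, -20.0, "3 killed"),
    Scenario("Fire on tank", 1e-4, -20.0, "1 injured"),
    Scenario("Small leak on pipe D3", 1e-3, -1.0),
    Scenario("Large leak on pipe D1", 1e-3, -20.0),
]

# Constructed scenarios with one positive outcome: the financial view still
# works when some consequences are gains (slide 11).
PROJECT = [
    Scenario("Product launch succeeds", 0.3, +10.0),
    Scenario("Product launch fails", 0.7, -4.0),
]


def expected_value(scenarios):
    """Financial view: Risk = sum_i p_i * c_i, the expectation of the total outcome."""
    return sum(s.annual_probability * s.monetary_consequence for s in scenarios)


# Axis labels are those of the slide's risk matrix; the bin edges are assumed.
FREQUENCY = ["very infrequent", "infrequent", "fairly frequent", "frequent", "very frequent"]
FREQ_EDGES = [1e-4, 1e-3, 1e-2, 1e-1]    # annual probability at which the next bin starts
SEVERITY = ["small", "medium", "large", "very large", "catastrophic"]
LOSS_EDGES = [1.0, 5.0, 20.0, 100.0]     # loss in M at which the next bin starts
HARM_RANK = {"killed": 4, "injured": 2}  # assumed rank of human harm on the severity axis


def frequency_index(p):
    """Index into FREQUENCY for an annual probability p."""
    return sum(1 for edge in FREQ_EDGES if p >= edge)


def severity_index(s):
    """Worst of monetary severity and human-harm severity (safety: all consequences negative)."""
    loss = max(0.0, -s.monetary_consequence)
    by_loss = sum(1 for edge in LOSS_EDGES if loss >= edge)
    by_harm = max((rank for word, rank in HARM_RANK.items() if word in s.harm), default=0)
    return max(by_loss, by_harm)


def region(fi, si):
    """Assumed matrix regions, read along the diagonal of the 5x5 grid."""
    score = fi + si
    if score >= 5:
        return "unacceptable"
    if score >= 3:
        return "ALARP"  # reduce risk as low as reasonably practicable
    return "acceptable"


def place_in_matrix(scenarios):
    """Safety view: (name, frequency label, severity label, region) per scenario."""
    rows = []
    for s in scenarios:
        fi, si = frequency_index(s.annual_probability), severity_index(s)
        rows.append((s.name, FREQUENCY[fi], SEVERITY[si], region(fi, si)))
    return rows


if __name__ == "__main__":
    print(f"Expected annual outcome on the installation: {expected_value(INSTALLATION):+.3f} M/year")
    print(f"Expected outcome of the project: {expected_value(PROJECT):+.2f} M")
    for row in place_in_matrix(INSTALLATION):
        print(" | ".join(row))
```

The financial aggregate collapses the whole table into one number and so hides the difference between a rare fatality and a frequent small spill; the matrix keeps each scenario separate, which is why the slides pair the expectation with the matrix for safety risks. Moving a bin edge changes which region a scenario lands in, so in practice the edges and regions are set by the organization's risk appetite rather than by the arithmetic.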

  Financial risks may be positive. This definition is relevant for safety, financial risks, strategic risks, project …
- Uncertainty: lack of information or knowledge concerning an event, its consequences or its likelihood
- Objectives: makes the role of objectives explicit; an activity is only undertaken to reach some goal. Objectives can be financial, health and safety, environmental goals. They can apply at a strategic level, or per project, per product, per … This definition leads to more transparency in discussions with stakeholders because objectives (possibly competing) are made …

A new definition of risk (14/30)
(Figure: a timeline from "start" at time 0 to "objective" at time 1)
- The organization establishes its objectives: at time 1 it wants to be at the objective position.
- It establishes an action plan to move from its current position to the objective position.
- The presence of uncertainty means that unexpected perturbations can cause deviations from the plan defined at time 0. If unchecked, these would mean that the organization does not achieve its objective of reaching that position.
- This is risk, the effect of uncertainty on the possibility of reaching your objectives.
- The risk management activity consists of trying to anticipate and looking out for deviations from the plan, and implementing corrective actions so that the organization's objectives are reached despite the …
Figure adapted from slides by Prof. G. Motet (INSA Toulouse)

Risk appetite (15/30)

Concept of risk appetite (16/30)
- Risk appetite: the amount and type of risk that an organization is prepared to pursue, retain or take in pursuit of its objectives
- Represents a balance between the potential benefits of innovation (and risk) and the threats that change inevitably brings
- Helps to guide people within the organization on the level of risk permitted and encourages consistency of approach across an organization
- Generally expressed (for a company) by a broad statement of approach, which is written by the board

Expressing an organization's risk appetite: example (17/30)
"The Organization operates within a low overall risk range. The Organization's lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives."
