Wednesday, December 15, 2010

Risk management

At the end of 2009, the International Organization for Standardization (ISO) issued a new set of principles and guidelines that should benefit all organizations confronting the always problematic challenges of managing risk:
Title/Link                                                          Date of Issue
ISO 31000:2009 Risk management - Principles and guidelines          Nov 13, 2009
ISO Guide 73:2009 Risk management - Vocabulary                      Nov 13, 2009
ISO/IEC 31010:2009 Risk management - Risk assessment techniques     Dec 1, 2009
ISO 31000 provides principles and generic guidelines on risk management and is not intended for certification purposes. ISO/IEC 31010:2009 describes more than thirty tools for risk assessment and explains how each is applied. ISO Guide 73:2009 contains risk management terminology and definitions. These three standards can be applied to any type of risk, whatever its nature, by organizations of any type or by individuals.
Risk, as defined by ISO Guide 73:2009, is the impact of uncertainty on objectives. It is important to emphasize that the impact of uncertainty can be positive as well as negative: "not pursuing an opportunity" is also a risk.
John Shortreed **, PhD, who served on the ISO technical committees for Guide 73 (Risk Management - Vocabulary, 2002) and its revision (2009) as well as for ISO 31000 (2009), listed the following seven innovations introduced by the ISO 31000 series:
1. Formal principles for risk management and ERM (Enterprise Risk Management) that can be used to measure the risk maturity of an organization.
2. Consideration of any risk or uncertainty that affects the objectives of the organization, whether its consequences are positive or negative.
3. The organization's ability to tailor risk management to its own internal structure and governance processes.
4. A principle-based rather than a performance-based approach.
5. A requirement that the organization formalize and continuously improve a framework for ERM that integrates the management of risk into all of its processes.
6. An updated risk management process, used to support any decision, consisting of the five steps of context, risk assessment, risk treatment, communication, and consultation, followed by formal monitoring and review.
7. Accountability for any and all risks through the designation of a "risk owner" whose annual performance depends in part on how well the risk is managed.