Risk

The document outlines the principles and processes of risk management as per ISO 9000:2015 and ISO 31000:2018, emphasizing the importance of a systematic approach to identify, analyze, and manage risks and opportunities. It details the steps involved in risk assessment, including communication with stakeholders, defining scope and context, risk identification, analysis, and evaluation, as well as treatment options. Additionally, it provides a framework for rating risks based on probability and consequences, guiding organizations in their risk management practices.

Risk – Effect of uncertainty (ISO 9000:2015)

An effect is a deviation from the expected – positive or negative.

Although determining and addressing risks and opportunities is a requirement, undertaking formal risk management is not a requirement. Organizations are free to choose a particular approach or methodology to address risks and opportunities.

While no specific risk management approach or methodology is prescribed, the organization may want to consider using ISO 31000:2018 – Risk management – Guidelines.

The organization needs to have some form of systematic approach or methodology in place to determine risks and opportunities.

Risk management is the process for identifying, analyzing and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level, considering the associated costs and benefits of any actions taken.

The risk management process should be:
 an integral part of management,
 embedded in the culture and practices, and
 tailored to the business processes of the organization.
Risk Management Process – ISO 31000:2018

Principle:
☼ Address unacceptable risks,
☼ Monitor acceptable risks.
1. Communication and consultation – Discuss risks and get feedback from your stakeholders

Communication and consultation is a dialogue between an organization and its stakeholders. It assists the relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required.

Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making.

Organizations should:
 discuss risk at every step of the risk management process,
 involve internal and external stakeholders at every step,
 use communication and consultation to support their risk management process.
2. Scope, context and criteria – Define the scope, context and criteria you intend to use

2.1 Define the overall scope of your organization's risk management process.

The scope is the boundary of the system; it limits what the organization will need to address when implementing the risk management plan.

As the risk management process may be applied at different levels (e.g. strategic, operational, program, project, or other activities), it is important to be clear about the scope under consideration, the relevant objectives to be considered and their alignment with organizational objectives.
2.2 Establishing the context

2.2.1 Establishing the external context

The external context is the external environment in which the organization seeks to achieve its objectives. It can include, but is not limited to:
 the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
 relationships with, and perceptions and values of, external stakeholders.

2.2.2 Establishing the internal context

The internal context is the internal environment in which the organization seeks to achieve its objectives. It can include, but is not limited to:
 governance, organizational structure, roles and accountabilities;
 policies, objectives, and the strategies that are in place to achieve them;
 capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
 the relationships with, and perceptions and values of, internal stakeholders;
 the organization's culture;
 information systems, information flows and decision-making processes (both formal and informal);
 standards, guidelines and models adopted by the organization; and
 the form and extent of contractual relationships.
2.3 Defining risk criteria – Specify the criteria the organization plans to use to evaluate its risks

Risk criteria are the terms of reference against which the significance of a risk is evaluated; they are used to judge the significance or importance of the organization's risks.

The organization should specify the amount and type of risk that it may or may not take, relative to its objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes.

Risk criteria are based on organizational objectives and on the external and internal context. They can be derived from standards, laws, policies, product or service specifications, accepted industry standards, legal requirements and other requirements.
3. Risk assessment

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.

3.1 Risk identification

There are a variety of techniques and methodologies that can be used to identify risks and opportunities. The common ones are:
 structured discussions using facilitated workshops,
 interviews,
 surveys and questionnaires.

3.2 Risk analysis

Risk analysis is a process to comprehend the nature of risk and to determine the level of risk.
 Risk analysis provides the basis for risk evaluation and for decisions about risk treatment.
 Risk analysis includes risk estimation.

Risk analysis can be undertaken with varying degrees of detail, depending on the risk, the purpose of the analysis, and the information, data and resources available.

3.3 Risk evaluation

Risk evaluation is a process of comparing the results of risk analysis with the risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. Based on this comparison, the need for treatment can be considered.
Risk Register Form – columns:
 Risks for business and its processes
 Rating – Risk Probability (1 to 5)
 Rating – Risk Consequence (1 to 5)
 Risk Volume: P x C (1 to 25)
 Risk Index: Low (01-08), Med (09-15), High (16-25)
 Risk Assessment
 Action Type
Risk Criteria – Rating of Risk Probability

Rating | Probability    | Criteria (likelihood of risk occurrence)
1      | Rare           | Unlikely to occur, but possible
2      | Unlikely       | Unlikely, but can be reasonably expected to occur
3      | Possible       | Will occur several times
4      | Likely         | Will occur frequently
5      | Almost Certain | Continually experienced
Risk Criteria – Rating of Risk Consequences

Criteria – impact of the risk on each of four areas: Business, Legal & Compliance, Health and Safety, Reputation.

Rating | Consequence   | Business | Legal & Compliance | Health and Safety | Reputation
1      | Insignificant | Negligible business impact. | Nothing reportable to regulator. | No injuries to employees or third parties. | Isolated staff dissatisfaction.
2      | Minor         | Slight business impact. | Reportable incident to regulator with no follow-up. | Minor injuries to employees or third parties. | Some morale problems and turnover increase.
3      | Moderate      | Limited business impact. | Report of breach to regulator with immediate correction. | Out-patient medical treatment for employees or third parties. | Short-term negative media coverage; widespread staff morale problems and high turnover.
4      | Major         | Serious business impact / significant loss of market share. | Report to regulator requiring major corrective action. | Severe irreversible disability to one or more persons. | Negative media coverage; loss of shareholder; high turnover of experienced staff.
5      | Catastrophic  | Disastrous business impact / dramatic loss of market share / potential closure of business. | Significant litigation, prosecution or fines; custodial sentence for company executive. | Fatalities to employees or third parties. | Long-term negative media coverage; total loss of shareholder support; CEO departs and Board is restructured.
Risk Matrix (cell value = Impact x Probability)

Impact \ Probability | 1 Very Low | 2 Low | 3 Moderate | 4 High | 5 Very High
5 Very High          | 5          | 10    | 15         | 20     | 25
4 High               | 4          | 8     | 12         | 16     | 20
3 Moderate           | 3          | 6     | 9          | 12     | 15
2 Low                | 2          | 4     | 6          | 8      | 10
1 Very Low           | 1          | 2     | 3          | 4      | 5
Risk Index

The risk index expresses the risk exposure that the company is willing to bear in pursuit of its strategic objectives. The company's processes may adopt the risk index levels defined in the table below:

Risk Index level        | Risk Index | Description
MINOR – Low risk        | 1-8        | These risks can be managed by routine procedures.
MODERATE – Medium risk  | 9-15       | Management responsibility must be specified.
CRITICAL – High risk    | 16-25      | Senior management attention needed. Immediate action is required.
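The register form, the 5 x 5 matrix and the index bands above can be wired together into a small scoring routine. The Python below is an added example, not part of the original deck. It assumes two things the page does not state: that a risk rated against several impact areas takes the highest of those ratings as its consequence rating, and that 8 (the top of the low band) is the acceptance threshold separating risks to treat from risks to monitor. The register entries are constructed sample data.

```python
"""Risk register scoring with the page's 5 x 5 scheme (added example, not part
of the original deck).

Index = Probability (1..5) x Consequence (1..5), banded as on the page:
1-8 low, 9-15 medium, 16-25 high.

Assumption, not stated on the page: a risk rated against several impact areas
(business, legal and compliance, health and safety, reputation) takes the
highest of those ratings as its consequence rating.  The register entries at
the bottom are constructed sample data.
"""
from dataclasses import dataclass

IMPACT_AREAS = ("business", "legal_compliance", "health_safety", "reputation")

# (low, high, level, response) taken from the page's risk index table.
BANDS = (
    (1, 8, "Low", "manage by routine procedures"),
    (9, 15, "Medium", "management responsibility must be specified"),
    (16, 25, "High", "senior management attention; immediate action required"),
)


def check_rating(value, what):
    """Ratings are whole numbers 1..5; anything else is a data-entry error."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{what} must be an integer from 1 to 5, got {value!r}")
    return value


def band(index):
    """Map an index 1..25 to its (level, response) band."""
    for low, high, level, response in BANDS:
        if low <= index <= high:
            return level, response
    raise ValueError(f"risk index {index} is outside 1..25")


@dataclass
class Risk:
    name: str
    probability: int
    consequence: dict  # impact area -> rating 1..5

    def consequence_rating(self):
        """Highest rating across the impact areas (assumption, see module doc)."""
        unknown = set(self.consequence) - set(IMPACT_AREAS)
        if unknown or not self.consequence:
            raise ValueError(f"{self.name}: bad impact areas {sorted(unknown)}")
        return max(check_rating(v, f"{self.name}/{k}")
                   for k, v in self.consequence.items())

    def index(self):
        """Risk volume P x C as in the register form."""
        return (check_rating(self.probability, f"{self.name}/probability")
                * self.consequence_rating())


def score_register(risks, acceptable_up_to=8):
    """Return register rows sorted worst-first.  'treat' marks risks above the
    acceptance threshold (the page: address unacceptable, monitor acceptable).
    The threshold of 8, the top of the low band, is an assumed policy choice."""
    rows = []
    for r in risks:
        idx = r.index()
        level, response = band(idx)
        rows.append({
            "risk": r.name,
            "P": r.probability,
            "C": r.consequence_rating(),
            "index": idx,
            "level": level,
            "response": response,
            "treat": idx > acceptable_up_to,
        })
    rows.sort(key=lambda row: row["index"], reverse=True)  # stable: ties keep input order
    return rows


# Constructed sample register (not from the page).
SAMPLE_REGISTER = [
    Risk("Ransomware on production systems", 4,
         {"business": 5, "legal_compliance": 4, "health_safety": 2, "reputation": 4}),
    Risk("Customer data exposed via unpatched web server", 3,
         {"business": 3, "legal_compliance": 4, "health_safety": 1, "reputation": 4}),
    Risk("Key supplier insolvency", 2,
         {"business": 4, "legal_compliance": 1, "health_safety": 1, "reputation": 2}),
    Risk("Slips and trips in the warehouse", 4,
         {"business": 1, "legal_compliance": 2, "health_safety": 2, "reputation": 1}),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        flag = "TREAT" if row["treat"] else "monitor"
        print(f'{row["index"]:>2} {row["level"]:<6} {flag:<7} {row["risk"]} ({row["response"]})')
```

Taking the maximum across impact areas means a risk with negligible business impact but a fatality outcome still lands in the top rows; if your register instead keeps one consequence column per area, score each area separately and report the worst. Note also that the register's "Risk Volume" (1 to 25) and the matrix's cell values are the same number; the band thresholds are what turn it into the index level.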
Risk Treatment

Risk treatment options:
☺ Remove the risk from the activity,
☺ Transfer the risk to another part of the organization or to a third party,
☺ Cease or change the activity,
☺ Control or mitigate,
☺ Financing / insurance,
☺ Acceptance.
Action Type

Type | Option         | Description
1    | Avoid risk     | Withdraw from the activity (quit the product or service involving high risk).
2    | Eliminate risk | Eliminate the risk source; for example, by using documented procedures to assist persons in the organization with less experience.
3    | Change risk    | Change the probability or the consequence (e.g. selecting reliable suppliers).
4    | Share risk     | Outsource the risk or insure against it (contract agreement for risk sharing with stakeholders, or transfer it to the customer, supplier or insurance company).
5    | Retain risk    | Accept the risk by informed management decision (last option).