Page 29 - Insurance Times November 2022
Clause 5: Process

ISO 31000 states that the success of risk management will depend on the effectiveness of the management

The risk management process should be:

1. An integral part of management;
2. Embedded in the culture and practices;
3. Tailored to the business processes of the organization.

The risk management process comprises the following activities:

Communication and consultation: Communication and consultation with external and internal stakeholders should take place during all stages of the risk management process.

Establishing the context: By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.

Risk analysis: Risk analysis involves developing an understanding of the risk: consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. It provides an input to risk evaluation, to the decision whether risks need to be treated, and to the choice of the most appropriate risk treatment strategies and methods.

Risk evaluation: The purpose of this step is to assist in decision making about which risks need treatment and the priority for implementing that treatment.

Risk treatment: Risk treatment options should be selected based on the outcome of the risk assessment, the expected cost of implementing these options and the expected benefit from them.

Monitoring and review: Monitoring and review can be periodic or ad hoc, and should be a planned part of the risk management process.

Recording the risk management process: Risk management activities should be traceable. In the risk management process, records provide the foundation for improvement in methods and tools, as well as in the overall process.

Link between ISO 31000 and other standards

ISO 31000 can be easily linked with other risk management standards, such as ISO Guide 73:2009 - Risk management - Vocabulary, and ISO/IEC 31010:2009 - Risk management - Risk assessment techniques. ISO/IEC 31010 is a supporting standard for ISO 31000 and provides guidance on the selection and application of systematic techniques for risk assessment.

Link with ISO 27005

Based on the ISO 31000 framework, the ISO 27005 standard explains in detail how to conduct a risk assessment and a risk treatment within the context of information security.

Risk management - the business benefits

As with all major undertakings within an organization, it is essential to gain the backing and sponsorship of executive management. By far the best way to achieve this, rather than by highlighting the negative aspects of not having risk management, is to illustrate the positive gains of having an effective risk management framework in place.

Risk management allows an organization to ensure that it knows and understands the risks it faces. The adoption of an effective risk management process within an organization will have benefits in a number of areas, examples of which include:

- Increased likelihood of achieving objectives
- Encouraged proactive management
- Awareness of the need to identify and treat risk throughout the organization
- Improved identification of opportunities and threats
- Compliance with relevant legal and regulatory requirements and international norms
- Improved mandatory and voluntary reporting
- Improved governance
- Improved stakeholder confidence and trust
- Establishment of a reliable basis for decision making and planning
- Improved controls
- Effective allocation and use of resources for risk treatment.