Risk Management Cycle: Process and Framework Explained

Risk Management - Generic Terms and Definitions

• The risk owner is defined as a “person or entity with the accountability and authority to manage risk.” This definition will help the risk manager reinforce to management that risk ownership must be with management and not with the risk manager.
  
• Risk appetite is an area that many organizations struggle with and while risk appetite, is not defined in ISO 31000 (it is in ISO Guide 73:2009), the Standard defines risk attitude as the organization’s “approach to assess and eventually pursue, retain, take or turn away from risk.”
  
• Risk management policy is also defined as a “statement of the overall intentions and direction of an organization related to risk management.”
  
• The risk management plan should specify the “approach, the management components, and resources to be applied to the management of risk.” ISO has released ISO Risk management Guide 73:2009 - Vocabulary to provide further guidance concerning generic terms and definitions relating to risk management to support consistency. It contains some of the definitions now deleted from ISO 31000.

Risk Management Framework

The relationships between the various components of managing risks, including the risk management framework, are better highlighted and illustrated in ISO 31000, as shown in the figure below.

Mandate and Commitment

Risk management is not off-project activity; it is an ongoing activity requiring an ongoing commitment. It must be mandated from the Board (or equivalent), implemented by senior management, and supported by all levels of management and risk owners to be sustainable.

Design of Framework for Risk Management

Like all good projects, processes, and strategies, risk management processes must be well designed to support effective implementation. Defining the context of the risk management framework, formulating a Risk management policy, embedding processes into practice, assigning resources, and determining responsibility are all key elements of designing an effective framework to manage risk. Well designed periodic reporting to stakeholders and effective communication mechanisms will support effective implementation.

Implementing Risk Management

Once the framework has been designed, implementation is about putting the theory into practice and bringing the risk management framework to life. Specifically, this is about ensuring the risk management process is understood by risk owners (through excellent communication and training), and risk management activities take place (through risk assessments, risk workshops, internal controls, etc.), and decisions and business processes factor in risk thinking.

Monitoring and Review

Involves confirmation that the various risk management elements and activities are working effectively in line with expectations. Any gaps identified will need to be documented and re-mediated.

Continual Improvement

This is about continuing to “tweak” and enhance key elements of the risk management framework to either improve current processes and/or progress towards a more mature risk management framework. A highly committed organization will improve both its processes and maturity over time.

 
Integrated Risk Management Principles, Framework, and Processes 

Risk Management Process – Explained

ISO 31000 recognizes the importance of feedback by way of two mechanisms. These are monitoring and review of performance and communication and consultation. Monitoring and review ensure that the organization monitors risk performance and learns from experience. Communication and consultation are presented in ISO 31000 as part of the risk management process, but it may also be considered to be part of the supporting framework. Reporting and disclosure are only very briefly mentioned in ISO 31000, and they are not included in the process shown in the diagram below. Also, the monitoring and review feedback activities set out in ISO 31000 do not explicitly mention the tasks of monitoring risk performance and reviewing the risk management framework.

After considering numerous options and variants, ISO 31000:2009 largely adopted the same broad process as AS/NZS 4360:2004 for managing risk, as shown in the above diagram. While the process essentially steps like, in practice, there is considerable iteration between the steps and between the continuously applied elements of communication and consultation and monitoring and review. Drawing a picture of this is difficult, and for this reason, the diagram used in the standard was deliberately not shown as a flow chart. Its purpose is to show the relationship between the clauses of the standard that describe the process. The standard gives a set of general options to be considered when risk is treated.

The order of the list reflects preference. Importantly, the options deal with both risks that have a downside and/or upside consequences. The general options are:

1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
2. Taking or increasing the risk to pursue an opportunity
3. Removing the risk source
4. Changing the likelihood
5. Changing the consequences
6. Sharing the risk with another party or parties (including contracts and risk financing)
7. Retaining the risk by informed decision.

Source – ISO 31000 standard

PMP® and PMI® are registered trademarks of the Project Management Institute, Inc.