ISO 31000 Risk Management internal auditor training

Opportunity cost represents a unique challenge for risk managers. It can be difficult to determine when to put resources toward risk management and when to use those resources elsewhere. Ideal risk management minimizes spending (of money, manpower or other resources) while also minimizing the negative effects of risks.

Risk is defined as the possibility that an event will occur that adversely affects the achievement of an objective. Uncertainty, therefore, is a key aspect of risk. Frameworks like the Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management framework (COSO ERM) can assist managers in mitigating risk factors. Each company may have different internal control components, which leads to different outcomes. For example, the ERM framework's components include Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring.

Risks vs. opportunities

Opportunities first appear in academic research and management books in the 1990s. The first draft of the PMBoK (Project Management Body of Knowledge), from 1987, does not mention opportunities at all.

The modern project management school does recognize the importance of opportunities. Opportunities have been included in project management literature since the 1990s, e.g. in the PMBoK, and became a significant part of project risk management in the 2000s, when articles titled "opportunity management" also began to appear in library searches. Opportunity management thus became an important part of risk management.

Modern risk management theory deals with any type of external events, positive and negative. Positive risks are called opportunities. Similarly to risks, opportunities have specific mitigation strategies: exploit, share, enhance, ignore.

In practice, risks are considered "usually negative". Risk-related research and practice focus significantly more on threats than on opportunities. This can lead to negative phenomena such as target fixation.

Method

For the most part, risk management methods consist of the following elements, performed, more or less, in the following order:

  1. Identify the threats
  2. Assess the vulnerability of critical assets to specific threats
  3. Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
  4. Identify ways to reduce those risks
  5. Prioritize risk reduction measures
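
A worked version of these five steps as a small risk register, added here as an example and not part of the original training material. Everything in it is an assumption made for illustration: the asset names, likelihoods, impacts and costs are constructed figures, and the scoring rule (expected loss = likelihood × consequence, measures ranked by loss avoided per unit of cost and dropped when they cost more than they save) is one common quantitative convention, not one the page prescribes.

```python
"""Risk register scoring and treatment prioritisation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, scored as in steps 1-3 of the method."""
    asset: str
    threat: str
    likelihood: float   # annual probability that the threat materialises, 0..1
    impact: float       # consequence if it does, in currency units (assumed)

    def exposure(self) -> float:
        """Expected annual loss: likelihood x consequence (step 3)."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    """A candidate way to reduce a risk (step 4), with its residual risk."""
    risk: Risk
    name: str
    cost: float                 # annual cost of the measure
    residual_likelihood: float  # likelihood once the measure is in place
    residual_impact: float      # impact once the measure is in place

    def reduction(self) -> float:
        """Expected loss avoided per year by applying the measure."""
        residual = self.residual_likelihood * self.residual_impact
        return self.risk.exposure() - residual

    def worth_doing(self) -> bool:
        """A measure that costs more than the loss it avoids is a net loss:
        those resources are better spent elsewhere (the opportunity cost)."""
        return self.reduction() > self.cost


def prioritize(treatments, budget: float):
    """Step 5: rank measures by loss avoided per unit of cost and pick them
    greedily within the budget. Greedy selection is simple and explainable
    but not guaranteed optimal (an exact answer is a knapsack problem)."""
    ranked = sorted(
        (t for t in treatments if t.worth_doing()),
        key=lambda t: t.reduction() / t.cost,
        reverse=True,
    )
    chosen, remaining = [], budget
    for t in ranked:
        if t.cost <= remaining:
            chosen.append(t)
            remaining -= t.cost
    return chosen


# Constructed sample register; the figures are illustrative, not from the page.
DB = Risk("customer database", "credential stuffing", likelihood=0.4, impact=500_000)
BUILD = Risk("build server", "ransomware", likelihood=0.1, impact=800_000)
WEB = Risk("public website", "defacement", likelihood=0.5, impact=20_000)

TREATMENTS = [
    Treatment(DB, "MFA on customer portal", cost=40_000,
              residual_likelihood=0.05, residual_impact=500_000),
    Treatment(BUILD, "offline backups", cost=15_000,
              residual_likelihood=0.1, residual_impact=100_000),
    Treatment(WEB, "web application firewall", cost=30_000,
              residual_likelihood=0.1, residual_impact=20_000),
]


def plan(budget: float):
    """Names of the measures selected for the given budget, in priority order."""
    return [t.name for t in prioritize(TREATMENTS, budget)]


if __name__ == "__main__":
    for r in (DB, BUILD, WEB):
        print(f"{r.asset:18} {r.threat:20} exposure={r.exposure():>10,.0f}")
    for t in TREATMENTS:
        print(f"{t.name:26} reduction={t.reduction():>9,.0f} "
              f"cost={t.cost:>7,.0f} worth_doing={t.worth_doing()}")
    print("plan with a 60,000 budget:", plan(60_000))
```

With the constructed figures, the web application firewall avoids 8,000 of expected loss but costs 30,000, so it is filtered out regardless of budget; with 60,000 available the backups (70,000 avoided for 15,000) rank ahead of MFA (175,000 avoided for 40,000) because the ranking is per unit of cost, and both fit. Replacing the greedy loop with an exact knapsack solver, or adding a "share" or "enhance" treatment type for positive risks, are natural extensions of the same structure.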

The Risk Management knowledge area, as defined by the Project Management Body of Knowledge (PMBoK), consists of the following processes:

  1. Plan Risk Management – defining how to conduct risk management activities.
  2. Identify Risks – identifying individual project risks as well as sources.
  3. Perform Qualitative Risk Analysis – prioritizing individual project risks by assessing probability and impact.
  4. Perform Quantitative Risk Analysis – numerical analysis of the effects.
  5. Plan Risk Responses – developing options, selecting strategies and actions.
  6. Implement Risk Responses – implementing agreed-upon risk response plans. In the 4th Ed. of PMBoK, this process was included as an activity in the Monitor and Control process, but was later separated as a distinct process in PMBoK 6th Ed.
  7. Monitor Risks – monitoring the implementation. This process was known as Monitor and Control in the previous PMBoK 4th Ed., when it also included the "Implement Risk Responses" process.