ISO 31000 Risk management internal auditor training

Courtesy: ISO 31000 Risk management internal auditor training

Principles

The International Organization for Standardization (ISO) identifies the following principles of risk management:

Risk management should:

• Create value – resources expended to mitigate risk should be less than the consequence of inaction
• Be an integral part of organizational processes
• Be part of decision-making process
• Explicitly address uncertainty and assumptions
• Be a systematic and structured process
• Be based on the best available information
• Be tailorable
• Take human factors into account
• Be transparent and inclusive
• Be dynamic, iterative and responsive to change
• Be capable of continual improvement and enhancement
• Be continually or periodically re-assessed

Mild versus wild risk

Benoit Mandelbrot distinguished between “mild” and “wild” risk and argued that risk assessment and management must be fundamentally different for the two types of risk. Mild risk follows normal or near-normal probability distributions, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable. Wild risk follows fat-tailed distributions, e.g., Pareto or power-law distributions, is subject to regression to the tail (infinite mean or variance, rendering the law of large numbers invalid or ineffective), and is therefore difficult or impossible to predict. A common error in risk assessment and management is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild, which must be avoided if risk assessment and management are to be valid and reliable, according to Mandelbrot.

Process

According to the standard ISO 31000 – “Risk management – Principles and guidelines on implementation,” the process of risk management consists of several steps as follows:

Establishing the context

This involves:

1. observing the context
   • the social scope of risk management
   • the identity and objectives of stakeholders
   • the basis upon which risks will be evaluated, constraints.
2. defining a framework for the activity and an agenda for identification
3. developing an analysis of risks involved in the process
4. mitigation or solution of risks using available technological, human and organizational resources

Identification

After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems or benefits. Hence, risk identification can start with the source of problems and those of competitors (benefit), or with the problem’s consequences.

• Source analysis – Risk sources may be internal or external to the system that is the target of risk management (use mitigation instead of management since by its own definition risk deals with factors of decision-making that cannot be managed).

Some examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.

• Problem analysis – Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of confidential information or the threat of human errors, accidents and casualties. The threats may exist with various entities, most important with shareholders, customers and legislative bodies such as the government.

When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; confidential information may be stolen by employees even within a closed network; lightning striking an aircraft during takeoff may make all people on board immediate casualties.