Risk Management – Article 7
An Overview of Risk Management Process
Keshav Ram Singhal
ISO 31000:2009 provides a definition of the risk management process together with guidelines for it. The definition in the standard follows ISO Guide 73:2009, which provides the basic vocabulary for developing a common understanding of risk management concepts and terms. The risk management process is defined as the systematic application of management policies, procedures and practices to various activities. These activities relate to:
- Communicating, consulting and establishing the context of the organization, and
- Identifying, analyzing, evaluating, treating, monitoring and reviewing risk.
Clause 5 of ISO 31000:2009 provides guidelines on the risk management process; its sub-clauses are as follows:
5.1 – General
5.2 – Communication and consultation
5.3 – Establishing the context
5.3.1 – General
5.3.2 – Establishing the external context
5.3.3 – Establishing the internal context
5.3.4 – Establishing the context of the risk management process
5.3.5 – Defining risk criteria
5.4 – Risk assessment
5.4.1 – General
5.4.2 – Risk identification
5.4.3 – Risk analysis
5.4.4 – Risk evaluation
5.5 – Risk treatment
5.5.1 – General
5.5.2 – Selection of risk treatment options
5.5.3 – Preparing and implementing risk treatment plans
5.6 – Monitoring and review
5.7 – Recording the risk management process
Risk management process – General
The risk management process of an organization should be an integral part of the organization's management. It should be firmly embedded in the culture and practices of the organization and tailored to its business processes.
The ISO 31000:2009 standard provides a risk management process diagram (figure 3 in the standard) that shows the inter-relation between the various activities of the risk management process. As per the diagram, communication and consultation is interrelated with establishing the context, the risk assessment activities (risk identification, risk analysis and risk evaluation) and risk treatment. Monitoring and review of the risk management process is likewise interrelated with establishing the context, the risk assessment activities (risk identification, risk analysis and risk evaluation) and risk treatment.
The risk management process comprises the activities described in the various sub-clauses of clause 5 of ISO 31000:2009. We will discuss these activities in forthcoming articles.