Risk Management – Article 12
Risk Management Process – Establishing the Context of the Risk Management Process
Keshav Ram Singhal
Sub-clause 5.3.4 of the ISO 31000:2009 standard provides guidelines on establishing the context of the risk management process.
We need to understand the context of the organization's risk management process, which varies according to the needs of the organization. Establishing the context of the risk management process of an organization can involve the following:
- Defining goals and objectives of risk management activities
- Defining responsibilities for and within the risk management activities
- Defining the scope (with depth and breadth including specific inclusions and exclusions) of the risk management activities to be carried out
- Defining the risk criteria (the terms of reference against which risks are evaluated) of the risk management policy
- Defining the activity, process, function, project, product, service or asset in terms of time and location
- Defining relationships between (i) a particular project and other projects, (ii) a process and other processes, or (iii) an activity and other activities of the organization
- Defining risk assessment methodologies
- Defining the process for evaluating performance and effectiveness in the management of risk
- Identifying and specifying decisions to be made
- Identifying, scoping or framing studies needed, their extent and objectives, and the resources required for such studies
The organization should give attention to the above factors (among others) to ensure that the risk management approach adopted in the organization is appropriate to the:
- Risks affecting the achievement of objectives
The organization should establish the (i) objectives, (ii) strategies, (iii) scope, and (iv) parameters of the activities or those parts of the organization where the risk management process is being applied.
The organization should undertake risk management while considering the need to justify the resources used in the risk management process. The organization should specify the resources required, the responsibility and authority, and the records to be maintained.
Next write-up: Risk Management Process – Defining Risk Criteria