The document discusses ISO 31000 risk management standard and how it can help organizations. It provides an overview of the standard's contents including its principles, framework, and process. It describes what risk management is and how to position it in an organization. Examples are given of where risk management should be considered, such as for organizations, projects, information security, and more. The conclusion stresses that risk management is important and organizations should consider what types of risk assessments are relevant to their objectives.
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
1. ISO 31000 – Risk Management and how it can help an organization
Steve Tremblay, Senior ITSM Consultant/Trainer
B.Sc., PMP, ITIL Master, DPSM, CGEIP, COBIT, Kepner-Tregoe,
ISO/IEC 20000 Consultant Manager, ISO/IEC 27001, ISO/IEC 27002 & RESILIA
September 21, 2015
3. Agenda
Brief overview of the Standard content
What is Risk Management?
How to position Risk Management in an organization?
Examples of where Risk Management should be considered:
Organizations and Risk Management
Portfolio/Program/Project and Risk Management
Information Security Management and Risk Management
Conclusion
6. How can we deal with Risks?
The Classic Four: Avoid, Reduce, Transfer or Retain
Five: The Aggressive: Exploit
Six: The Don’t want to know about it: Ignore
[Figure: probability/impact matrix. Vertical axis: Probability (Very Low, Low, Medium, High, Very High). Horizontal axis: Impact (No – Minor – Medium – Serious – Extreme). The four regions of the matrix are labelled Avoid, Reduce, Transfer and Retain.]
Source: (DeLoach, 2003)
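An added example, not from the PECB deck: a small risk register scored on the slide's probability and impact scales, mapped to the Classic Four responses by matrix region, and evaluated against a tolerance. The region mapping (high probability and high impact → Avoid, high probability only → Reduce, high impact only → Transfer, otherwise Retain) is the conventional reading of the DeLoach matrix and is an assumption here; the register entries and the tolerance value are constructed.

```python
"""Risk register scored with a probability/impact matrix and evaluated
against a tolerance, following the assessment steps identify -> analyse
-> evaluate -> treat. Added example; the quadrant mapping is an assumption."""
from dataclasses import dataclass

# Ordinal scales taken from the matrix axes on the slide.
PROBABILITY = ["Very Low", "Low", "Medium", "High", "Very High"]
IMPACT = ["No", "Minor", "Medium", "Serious", "Extreme"]


@dataclass
class Risk:
    name: str
    probability: str
    impact: str


def score(risk: Risk) -> int:
    """Analyse: ordinal probability (1..5) times ordinal impact (1..5)."""
    return (PROBABILITY.index(risk.probability) + 1) * (IMPACT.index(risk.impact) + 1)


def treatment(risk: Risk) -> str:
    """Map the risk to one of the Classic Four by matrix region (assumed
    conventional reading of the DeLoach matrix; 'high' means the top two
    steps of a scale)."""
    high_p = PROBABILITY.index(risk.probability) >= 3
    high_i = IMPACT.index(risk.impact) >= 3
    if high_p and high_i:
        return "Avoid"
    if high_p:
        return "Reduce"
    if high_i:
        return "Transfer"
    return "Retain"


def evaluate(register, tolerance: int):
    """Evaluate: rank by score and keep the risks above the tolerance
    (the organisation's risk appetite), each with its suggested response."""
    ranked = sorted(register, key=score, reverse=True)
    return [(r.name, score(r), treatment(r)) for r in ranked if score(r) > tolerance]


# Constructed sample register (hypothetical entries, not from the deck).
REGISTER = [
    Risk("Unpatched internet-facing server", "High", "Serious"),
    Risk("Laptop theft", "High", "Medium"),
    Risk("Data-centre flood", "Very Low", "Extreme"),
    Risk("Printer outage", "High", "Minor"),
]

if __name__ == "__main__":
    for row in evaluate(REGISTER, tolerance=8):
        print(row)
```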
7. Overview of the ISO 31000 – Risk Management Standard content
Principles and Guidelines
8. ISO 31000 – Risk Management – Principles and guidelines
Clause 1 – Scope (of the standard)
Clause 2 – Terms and definitions (related to risk management)
Clause 3 – Principles
Clause 4 – Framework
Clause 5 – Process
Annex A – Attributes of enhanced risk management
9. ISO 31000 – Clause 3 (The Principles)
For risk management to be effective, an organization should at all levels comply with the following principles. Risk management:
Creates and protects value
Is an integral part of all organizational processes
Is part of decision making
Explicitly addresses uncertainty
Is systematic, structured and timely
Is based on the best available information
Is tailored
Takes human and cultural factors into account
Is transparent and inclusive
Is dynamic, iterative and responsive to change
Facilitates continual improvement of the organization
10. ISO 31000 – Clause 4 (The Framework)
Components of the framework (figure):
Mandate and commitment
Design of framework for managing risk
Implementing risk management
Monitoring and review of the framework
Continual improvement of the framework
12. Risk Management
Coordinated activities to direct and control an organization with regard to risk (as defined in ISO 31000)
“Risk is defined as the probability of an event and its consequences.”
“Risk management is the practice of using processes, methods and tools for managing these risks.”
13. ISO/IEC 31000 – Clause 5 (The Process)
Establishing the context
Risk assessment: risk identification, risk analysis, risk evaluation
Risk treatment
Communication and consultation, and monitoring and review, run alongside every step of the process (figure).
27. Organizations and Risk Management
Risk Management is the process of identifying, analyzing and responding to risk factors throughout the organization, at the strategic, tactical and operational levels.
Risk assessment can therefore be conducted at various levels of the organization. The objectives and events under consideration determine the scope of the risk assessment to be undertaken.
Risk assessment is intended to provide management with a view of events that could impact the achievement of objectives. It is best integrated into existing management processes and should be conducted using a top-down approach that is complemented by a bottom-up assessment process.
28. Portfolio/Program/Project and Risk Management
Risk Management is the process of identifying, analyzing and responding to risk factors of portfolios throughout the life of programs/projects and in the best interests of its objectives.
Proper risk management implies control of possible future events and is proactive rather than reactive.
Proper risk management will reduce not only the likelihood of an event occurring, but also the magnitude of its impact.
Evaluation of the risk factors associated with the delivery or implementation of a program/project considers stakeholders, dependencies, timelines, cost, and other key considerations. This is typically performed by project management teams.
29. Information Security Management and Risk Management
Risk Management is the process of identifying, analyzing and responding to risk factors throughout the information systems to focus coordinated activities to direct and control an organization with regard to risk.
When planning for the Information Security Management System (ISMS), the organization shall consider the issues related to its context and the requirements of its stakeholders and determine the risks and opportunities that need to be addressed.
The next steps are to identify, analyze, evaluate then to identify/implement the right treatment strategies.
30. PLAN – DO – CHECK - ACT
[Figure: the ISMS process under management responsibility. Interested parties supply information security requirements & expectations as input; the cycle runs PLAN (Establish ISMS) → DO (Implement & operate the ISMS) → CHECK (Monitor & review ISMS) → ACT (Maintain & improve); the output to interested parties is managed information security.]
31. Suggested sources for more details:
ISO 31000: Principles and Guidelines on Implementation
ISO 31010: Risk Management – Risk Assessment Techniques
ISO 73: Risk Management – Vocabulary
Conclusion
If you don't actively attack risks, they will actively attack you!!
32. Dealing effectively with Risks
Every organization should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends upon priorities and objectives.
Risk must be managed at the enterprise level in an integrated way.
Risk Management should be integrated into the business process in a way that provides timely and relevant information to management.
For risk assessment to be a continuous process, it must be owned by the business and be embedded within the business cycle, starting with strategic planning, carrying through to business process and execution, and ending in evaluation.
Risk treatments must be identified and implemented as required.
Risk can then be managed as part of day-to-day decision making, in a manner consistent with the organization’s risk appetite and tolerance.
34. PECB offering on ISO 31000
Risk Management plays a vital role in an organization’s performance. Companies increasingly focus on identifying risks and managing them before they affect their business.
PECB offers an inclusive range of ISO 31000 Risk Management training courses, which can be found below:
36. Our company
Excelsa Technologies Consulting Inc. is a trusted independent advisor, helping organizations maximize efficiencies and increase value to their IT services.
We specialize in the delivery of Information Technology Service Management (ITSM) and Information Security Management (ISM) consulting and training services, using best practices such as the Information Technology Infrastructure Library (ITIL®), TIPA®, TOGAF®, COBIT®, and standards such as ISO/IEC 20000, 27001, 38500, 31000 and others.
At Excelsa Technologies Consulting Inc., our team includes a network of the most accredited consultants and trainers in the IT industry.