
Now that we’ve looked at different areas to consider when assessing your ISO 31000 risk management framework, let’s focus on how to carry out a risk assessment in the eighth installment of our ISO 31000 blog series.

Once the context of the organisation and the scope of the risk management strategy are defined, the risk criteria can be identified and developed (Clause 6.3). Risk criteria are the terms of reference against which the significance of each risk is evaluated, and they set how risks are recognised, measured and recorded. From this information, we can determine how to carry out an ISO 31000 risk assessment.

The next step of the ISO 31000 framework is Clause 6.4, risk assessment. This is the overall process of identifying risks, analysing them, and evaluating them against the risk criteria. The whole process is designed to be systematic, iterative, and collaborative so that a comprehensive and integrated risk management strategy is developed. At all stages of risk assessment, it is vital to communicate with and involve key internal and external stakeholders where required, to draw on broad experience and knowledge and develop a strong strategy.

Clause 6.4.2: Risk Identification

The first step in ISO 31000 risk assessment is the identification stage. You are required to find, understand, and describe risks. Remember that a risk is considered as something that could hinder, prevent, or even help an organisation to achieve its strategic objectives.

During the risk identification stage, it is vital to use the latest information available. Factual, timely, and accurate data will enable you to develop the most relevant strategy. Factors to consider when identifying a potential risk to your organisation may include:

  • Tangible and intangible sources
  • Causes / events
  • Threats and opportunities (even positive risks need to be assessed)
  • Existing capabilities for handling risk, and any vulnerabilities
  • Contextual changes, such as alteration to an external factor
  • Resources available, the nature and value of such
  • The likelihood of a risk event occurring
  • The consequences and severity of a risk should it occur
  • Knowledge gaps (the known unknowns)
  • Time resources and allocation of risk management team
  • The bias, experiences, and assumptions of stakeholders involved in risk assessment

When identifying a risk, it’s important to note that there may be more than one outcome to a risk occurrence – and that this may impact upon further identified risks.

Clause 6.4.3: Risk Analysis

The risk analysis phase provides the input for decisions about risk treatment and helps the organisation to further define its risk appetite. The risk type, level, and likelihood are all taken into consideration alongside detailed factors such as available resources, the effectiveness of existing controls, and internal/external influences.

There may be multiple outcomes possible from one risk incident, and this may impact on further risks. The domino effect of a risk should also be considered within the context of the organisation’s objectives.

The techniques used to analyse risk are plenty and varied, and it is up to the organisation to define the ones used. Some of this is covered in Clause 6.3, as the context of the risk strategy includes the definition of risk criteria and measuring capabilities. You may choose to use a qualitative, semi-quantitative, or quantitative approach, or a combination of all three, in order to determine how to analyse risks.

Remember that the perception of risk is subjective. While communication with key stakeholders at all stages of risk management strategy development and implementation is vital, the approach must mitigate bias in some way. One person may perceive a risk as highly likely and severe, while another may consider it moderately likely and less severe. It is up to your organisation to define how the level of risk is measured, and this definition will shape how you measure and analyse risks.


Clause 6.4.4 Risk Evaluation

The final stage in the risk assessment process is risk evaluation. The purpose of evaluation is to support decisions about risk treatment and to prioritise risk mitigation on a consistent basis.

Risk evaluation compares the results of the risk analysis with the risk criteria established in Clause 6.3 to determine:

  • Whether the risk criteria, as defined, are fit for purpose
  • Which risks are the highest priority
  • How to approach the next steps (risk treatment)
  • Success of risk analysis process (are there any knowledge gaps remaining?)

The outcome of a risk evaluation could result in one of several actions: do nothing further, consider risk treatment options, undertake further analysis to understand the risk better, maintain your existing controls, or reconsider the objectives of the risk strategy in alignment with the organisation’s objectives.

Regular evaluation allows you to develop a comprehensive and mature risk management strategy, as changes to risk factors, impact, consequence, and objectives can be addressed in a reasonable time frame.

Now that you know how to carry out a risk assessment, find out how one of our customers improved their CA/PA risk assessment process with our software. 

Written by

Alexander Pavlović

Alex produces targeted content to help Ideagen’s readers and customers navigate the complex world of quality, governance, risk and compliance.

Alex has worked with brands such as BT, Sodexo and Unilever and is passionate about helping businesses build a cohesive, collaborative culture of quality.