When creating, developing, and implementing a risk framework such as ISO 31000, it is essential to establish the context of the risk strategy in terms of internal and external factors, risk type, measurement plans, and appropriate processes.
Clause 6.3.1 in ISO 31000 begins as a general introduction to establishing the context – something already covered in more depth in Clause 5.3. The context of the organisation must be established first, so that the context of the risk strategy can be established with confidence within it.
The context of the risk management strategy is to be defined in line with the context of the organisation’s activities and objectives as established in the context of the organisation. It must also be considered that a risk management strategy is not standalone from other activities of the organisation – it should be an integral part to each area of the business for effective risk management.
The context should consider:
- Time, location, specific inclusions/exclusions
- Business objectives and activities
- Resources, including accountability and responsibilities
- Records, including where they are kept and a standard reporting process
Clause 6.3.4: Defining Risk Criteria
The risk criteria will define the risk management process. Identifying and defining the risk criteria enables an organisation to deliver a concise, efficient, and standard process for recognising and mitigating risk.
Considerations when defining risk criteria may include:
- The nature and type of uncertainties affecting the outcomes of risks and objectives
- Legal, regulatory, contractual, and voluntary commitments of the organisation
- The likelihood of a risk and the impact of its consequence
- Timeframes of risk cause and risk treatment
- Complex and multiple risks – chain of risk impacts
- How to determine the severity of a risk
All risks should be defined within the context of the organisation, in relation to the objectives and activities of the business, to be most effective. The above list is not exhaustive, and you may find other factors or considerations to take into account when defining how to identify risk criteria for your risk management strategy. This is where the ISO 31000 framework is particularly useful, as its flexibility allows organisations to define their own approach to, and scope of, risk according to the business objectives and goals.
Next in the series: Clause 6.4 Risk Assessment Process