ISO-31000-CLA Questions and Answers

Understanding the potential causes of risk events will primarily help an organisation to reduce the frequency of loss. This is because identifying and analysing the sources and drivers of risks can enable an organisation to implement preventive or mitigating measures.

Transparency and inclusiveness are key ISO 31000:2018 attributes. Transparency means that risk management activities are visible, understandable, and verifiable by relevant stakeholders. Inclusiveness means that appropriate stakeholders are involved in risk management decisions and actions.

Level of risk is described in terms of consequence and likelihood. Consequence means the outcome or impact of a risk event on objectives. Likelihood means how probable it is that a risk event will occur.

 According to ISO31000 (2018), clause 4., one of the principles of effective risk management is “taking human and cultural factors into account”. This means that risk management should consider how people’s behaviors, perceptions, values and attitudes influence or are influenced by risk .

According to ISO31000 (2018), clause 1., it is “not intended for certification purposes”. It provides guidance on how organizations can manage their risks effectively using a systematic approach based on principles, framework and process 3.

Risk management is core to governance and compliance4. Risk management helps to ensure that organizational objectives are achieved in a lawful, ethical, and transparent manner.

Control is not a set of systematic, deliberate, and actionable steps to manage risk, but rather a measure or action that modifies risk1. Process is a set of systematic, deliberate, and actionable steps to manage risk2. Process involves establishing context, identifying risks, analyzing risks, evaluating risks, and treating risks.

The accuracy and reliability of the risk assessment should be identified as clearly as possible1. This helps to communicate the level of confidence in the risk assessment results and to inform decision-making.

 ISO uses the concept of uncertainty as the driver and rationale for risk management. Uncertainty refers to the state of having incomplete knowledge or understanding about something that can affect an organization’s objectives.

According to 2, FIRM scorecard is “a tool for measuring risk performance”. It uses four dimensions: financial impact, internal processes, reputation and market position (FIRM). Loss of income and financial gain are examples of financial impact risks that can be quantified using monetary values or ratios. Reputational damage is an example of reputation risk that is more difficult to quantify using objective measures.