ABSTRACT

The effectiveness of the risk management approach will depend on the foundation set by identifying the context of the organization, as well as on a well-defined, comprehensive approach as outlined in ISO 31000:2009. As with ANSI/ASIS SPC.1-2009, it is imperative to thoroughly understand the target organization from as many aspects as possible. For instance, there are internal considerations that must be determined, such as the organization’s personnel and culture, the organizational structure, the organizational policies and procedures, all known stakeholders, and the environment within which the organization operates. There are also external considerations, such as the physical, social, political, economic, and cultural environment in which the organization operates. Supply chain considerations, including its dependencies and interdependencies, should also be addressed, such as the ability of vendors to provide the resources necessary for the organization to achieve its goals (products) and to move these products in accordance with the demands of organizational plans. This understanding is used to develop the risk management policy, which must show a clear purpose and alignment between the policies and objectives of the organization, along with the criteria used to define and evaluate risk. The risk criteria and the risk policy should be aligned with one another in accordance with the values and objectives of the organization. The risk criteria provide the basis for evaluating the significance of risk. The risk criteria establish how the organization will assess, avoid, accept, or exploit risk (which depends on the organization’s risk appetite). They provide the basis for evaluating the types of risk events, the likelihood

absolutely critical to understanding risk (ISO 31000:2009(E), p. 17). Simply listing the risks facing an organization is not sufficient to understand the actual risks. The risk criteria should be based on achieving the organization’s objectives, not merely on listing events. When developing the risk criteria used to evaluate the risks, there is a need for a robust understanding from multiple stakeholders concerning the acceptable level of risk, as well as agreed-upon definitions of the methods for assessing the likelihood, frequency, and consequences of the risk (ISO 31000:2009(E), p. 17). You cannot assess something if you don’t understand what you are looking at or why it’s important. Risk criteria should be developed before the risk assessment; however, they should also be revisited throughout the risk assessment and management processes to ensure they remain relevant and continue to reflect the values and objectives of the organization and its stakeholders.