ABSTRACT

This chapter focuses on the crucial ISO 31000 process step of “Risk Assessment”. The chapter begins with a number of specific, practical recommendations for conducting risk identification, including guidance on what level of granularity to aim for, and some examples of useful risk categorisations. An example is then developed to illustrate the quantitative risk analysis process: Monte-Carlo modelling is explained and then used to construct profit and loss distributions for operational, financial and value-adding risks. These distributions are then aggregated to form an overall profit and loss distribution for the organisation. Reputational risks, as a separate category of risk, are also discussed. The chapter concludes by summarising the information that needs to be recorded and reported for this process step.
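The Monte-Carlo step summarised above can be made concrete in a few dozen lines. The following is an added example, not code or figures from the chapter: each risk category gets its own generating model (a Poisson frequency with lognormal severity for operational losses, a symmetric normal distribution for financial exposure, and a success/failure mixture for a value-adding project), the categories are summed trial by trial to give the organisation-wide profit and loss distribution, and the result is reported as mean, value-at-risk and expected shortfall. All parameter values (event rates, severity scale, probabilities, the 20,000-trial count and the assumption that the three categories are independent) are illustrative assumptions chosen here, not the chapter's.

```python
"""Monte-Carlo aggregation of profit-and-loss (P&L) distributions.

Added example; the risk parameters are assumptions chosen for illustration,
not figures from the chapter. Positive values are profit, negative values are
loss, and the three risk categories are treated as independent (a modelling
assumption the analyst must justify before relying on the aggregate).
"""
import math
import random
from statistics import mean


def poisson(lam, rng):
    """Draw a Poisson(lam) count using Knuth's multiplication method."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def operational_pnl(rng, freq=2.0, sev_mu=10.8, sev_sigma=1.0):
    """Frequency/severity model: Poisson event count, lognormal loss per event.

    Assumed parameters: about 2 incidents per year, median loss exp(10.8) ~ 49k.
    Returns the year's net P&L, which is <= 0 for a pure-loss category.
    """
    n_events = poisson(freq, rng)
    return -sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n_events))


def financial_pnl(rng, sigma=120_000.0):
    """Market-type exposure: symmetric normal P&L with zero expected value (assumed)."""
    return rng.gauss(0.0, sigma)


def value_adding_pnl(rng, p_success=0.6):
    """Upside risk: a project that pays off with probability p_success, else costs money.

    Assumed figures: success ~ N(300k, 50k) profit, failure ~ N(200k, 40k) loss.
    """
    if rng.random() < p_success:
        return rng.gauss(300_000.0, 50_000.0)
    return -rng.gauss(200_000.0, 40_000.0)


def simulate(trials=20_000, seed=1):
    """Run the Monte-Carlo model; return per-category P&L samples keyed by category."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    samples = {"operational": [], "financial": [], "value_adding": []}
    for _ in range(trials):
        samples["operational"].append(operational_pnl(rng))
        samples["financial"].append(financial_pnl(rng))
        samples["value_adding"].append(value_adding_pnl(rng))
    return samples


def aggregate(samples):
    """Sum the categories trial by trial to get the organisation-wide P&L distribution.

    Summing per trial (rather than adding up the categories' quantiles) is what
    preserves diversification between categories; the independence assumption
    is embedded in the fact that each trial draws every category afresh.
    """
    return [sum(vals) for vals in zip(*samples.values())]


def summarise(pnl, confidence=0.95):
    """Mean, value-at-risk and expected shortfall (tail mean beyond VaR) of a P&L sample."""
    ordered = sorted(pnl)
    cut = int(round((1.0 - confidence) * len(ordered)))
    var = ordered[cut]             # e.g. the 5th percentile of P&L for confidence=0.95
    es = mean(ordered[: cut + 1])  # average of the worst (1 - confidence) share of outcomes
    return {"mean": mean(pnl), "var": var, "expected_shortfall": es}


def analytic_mean(freq=2.0, sev_mu=10.8, sev_sigma=1.0, p_success=0.6):
    """Closed-form expected aggregate P&L, used to sanity-check the simulation.

    Lognormal mean is exp(mu + sigma^2 / 2); financial P&L has zero mean by assumption.
    """
    expected_op_loss = freq * math.exp(sev_mu + 0.5 * sev_sigma ** 2)
    expected_va = p_success * 300_000.0 - (1.0 - p_success) * 200_000.0
    return -expected_op_loss + 0.0 + expected_va


if __name__ == "__main__":
    samples = simulate()
    total = aggregate(samples)
    for name, vals in samples.items():
        print(name, summarise(vals))
    print("aggregate", summarise(total))
    print("analytic mean of aggregate", round(analytic_mean()))
```

The per-category summaries show where the tail risk actually sits (the lognormal severity gives operational risk a much longer left tail than its mean suggests), and comparing the simulated aggregate mean with `analytic_mean()` is the minimal check that the sampling code matches the model you think you wrote. Correlated categories, a common real-world refinement, would require drawing them from a joint distribution rather than independently as here.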