2 2018mac20 Risk Management and Assessment Programme
RISK MANAGEMENT
AND ASSESSMENT
PRESENTED BY :
Puan Zainorni Bte Mohd Janis
SIRIM STS Sdn Bhd
COURSE OBJECTIVE
ISO 9001:2015 vs ISO 31000:2018
Session 1
Introduction to
ISO 9001:2015
BACKGROUND OF ISO 9001
(Figure: timeline showing Inspection Based, ISO 9000:1987 and ISO 9000:1994, with the transitions labelled Major Change and Minor Change)
What’s new?
Leadership
ISO 9001:2015 INTERACTION
Session 2
DEFINITION OF RISK
(ISO 9000:2015, Quality Management Systems – Fundamentals and Vocabulary)
RISK: effect of uncertainty
NOTE 1: An effect is a deviation from the expected — positive or negative.
NOTE 2: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 3: Risk is often characterized by reference to potential events and consequences or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and associated likelihood of occurrence.
NOTE 5: The word “risk” is sometimes used when there is the possibility of only negative consequences.
Risk
Risk = Likelihood x Consequence
Likelihood: chance of something happening
Consequence: outcome of an event affecting objectives
(Clause 3.6 & 3.7, ISO 31000:2018 Risk Management - Guidelines)
WHY THE NEED TO MANAGE RISK?
• Organizations face internal and external factors that make it uncertain whether they will achieve their objectives.
• The effect of these uncertainties on achieving objectives is known as “risk”.
• The process of managing these risks is known as “risk management”.
(Figure: risk management cycle: Establish Context, Plan, Operate, Evaluate, Improvement)
WHAT IS “RISK-BASED THINKING”?
(Figure: ISO 9001:2015 process model showing Customer Requirements, Leadership (clause 5), Planning (clause 6), Performance Evaluation (clause 9) and Results of QMS)
RISK-BASED IN ISO 9001:2015 CLAUSES -1
Clause 4.1: The organization shall determine external & internal issues… that affect its ability to achieve the intended result(s) of the QMS.
Clause 4.2: Due to their effect or potential effect on the organization’s ability to meet requirements, the organization shall determine the interested parties and their requirements.
Clause 9.2: Internal audit – the audit programme shall consider changes affecting the organization.
Clause 9.3.2: Management review input – the effectiveness of actions taken to address risks & opportunities.
WHY DO WE NEED RISK ASSESSMENT?
A COHERENT SET OF STANDARDS
Session 3
Risk Management Based On
ISO 31000:2018
ISO 31000:2018
SCOPE:
This standard provides guidelines on managing risk faced by organizations. These guidelines can be customized to any organization and its context. This document provides a common approach to managing any type of risk and is not industry or sector specific. It can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.
ISO 31000:2018
INTRODUCTION:
Managing risk is based on the principles, framework and process outlined in this document. These components might already exist in full or in part within the organization; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent.
ISO 31000:2018
ISO 31000:2018 - Principles
ISO 31000:2018 - Framework
ISO 31000:2018 - Process
Session 4
Scope, Context, Criteria
SCOPE, CONTEXT AND CRITERIA
Scope
The organization should define the scope of its risk management activities. It is important to be clear about the scope under consideration, the relevant objectives to be considered and their alignment with organizational objectives.
RELATION BETWEEN STRATEGY,
OBJECTIVES AND RISK MANAGEMENT
(Figure: SWOT Analysis, Objectives, Strategies, Identify Risks)
SWOT ANALYSIS
SCOPE, CONTEXT AND CRITERIA
Criteria
The criteria should be defined in order to evaluate the significance of risk and to support decision-making processes.
They should be aligned with the risk management framework and customized to the specific purpose and scope of the activity under consideration.
They should reflect the organization’s values, objectives and resources and be consistent with policies and statements about risk management.
The criteria should be defined taking into consideration the organization’s obligations and the views of the stakeholders.
The criteria should be established at the beginning of the risk assessment process; they are dynamic and should be continually reviewed and amended, if necessary.
Session 5
Risk Assessment
ISO 31000:2018 - Process
RISK ASSESSMENT
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders.
It should use the best available information, supplemented by further enquiry as necessary.
RISK IDENTIFICATION
Identify risks through the brainstorming method.
Consider the risks that are beyond organizational control (external factors).
Understand the organization's objectives that need to be achieved.
Take into account the knowledge and experience of those involved in risk management.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.
Summary
(Figure: 4.1 External Issues and Internal Issues; 4.2 Interested Parties and their requirements)
RISK ANALYSIS
Involves input to evaluate the risks and decide whether each risk can be treated with a certain method.
Takes into account the source of the risk and its effect, either positive or negative.
The method used depends on the existing information and data.
Organizations need to develop an appropriate risk assessment methodology.
RISK ANALYSIS METHODOLOGY
1) Use qualitative or quantitative methods
2) Develop the likelihood scale (e.g. 1 = low, 5 = high)
3) Develop the risk consequence scale (e.g. 1 = low, 5 = high)
4) Develop the risk assessment format (template)
5) Train and test personnel to ensure proper understanding of the risk assessment methodology
Financial Risk Impact Rating Table (e.g.)
Impact ratings: Insignificant (Rating 1), Minor (Rating 2), Moderate (Rating 3), Major (Rating 4), Catastrophic (Rating 5)
Working Capital:
  Rating 1: Business as usual, able to manage working capital
  Rating 2: Unable to sustain working capital requirements for ≤ 1 Quarter
  Rating 3: Unable to sustain working capital requirements for 1 – 2 Quarters
  Rating 4: Unable to sustain working capital requirements for 3 – 4 Quarters
  Rating 5: Unable to sustain working capital requirements for > 1 year
* Net Profit:
  Rating 1: Net Profit erosion amounting to < 3% NPBT
  Rating 2: Net Profit erosion amounting to 3% – 5% NPBT
  Rating 3: Net Profit erosion amounting to 6% – 8% NPBT
  Rating 4: Net Profit erosion amounting to 9% – 17% NPBT
  Rating 5: Net Profit erosion amounting to > 17% NPBT
** Assets/Shareholder Equity:
  Rating 1: Asset damage amounting to < 1% Total Assets
  Rating 2: Asset damage amounting to 1% – 4% Total Assets
  Rating 3: Asset damage amounting to 4% – 7% Total Assets
  Rating 4: Asset damage amounting to 7% – 10% Total Assets
  Rating 5: Asset damage amounting to > 10% Total Assets
RISK EVALUATION
• The next step is to assess whether the risk is acceptable or not.
• An acceptable risk is not necessarily a low risk, but it needs to be in line with the treatment.
• The risk assessment must take into account the following:
1. The importance of the activities in which the risk is managed
2. The level of control over these risks
3. The potential and actual losses of the risk to be faced
4. The advantages and opportunities of such risks
Risk Rating
Risk Level / Risk Scale / Risk Rating:
(level not recovered from scan) / 20, 25 / Risk is not tolerable. … rating to an acceptable level. Immediate and drastic action/s may be required to safeguard the company.
(level not recovered from scan) / (scale not recovered from scan) / Risk is not tolerable.
Low / 1, 2, 3, 4, 6 / Risk is tolerable. Risk is monitored against any escalation and managed.
Risk Level matrix (Likelihood x Impact)
Likelihood (rows, top to bottom): Almost Certain, Likely, Possible, Unlikely, Remote
Impact (columns, left to right): Insignificant, Minor, Moderate, Major, Severe
Risk Level (cell shading in the original figure): Very High, High, Medium, Low
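The scoring steps from the Risk Analysis Methodology, the Financial Risk Impact Rating Table, Risk Evaluation and the Risk Rating bands, carried through as one worked Python example. This is an added illustration and not course material from the slides or from SIRIM STS. It assumes the likelihood labels map to 1 to 5 in the order shown on the matrix, that the worst of the three financial perspectives becomes the consequence rating, that a value falling on or between two table bands is assigned as commented in the code, and that the register entries are constructed sample data; the score bands between Low (1, 2, 3, 4, 6) and the 20/25 band are not given on the slides, so the code reports those scores as having no defined band.

```python
"""Worked risk-scoring example for the course's 5 x 5 matrix (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Likelihood scale from the risk matrix slide.  The numeric values 1..5 in
# this order are an assumption; the slide shows only the labels.
LIKELIHOOD = {"Remote": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}

# Consequence ratings and labels from the Financial Risk Impact Rating Table.
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Tolerability bands taken from the risk rating slide.  Any other score has no
# band on the slide and is reported as undefined rather than guessed.
LOW_SCORES = {1, 2, 3, 4, 6}
NOT_TOLERABLE_SCORES = {20, 25}


def rate_net_profit(erosion_pct_npbt: float) -> int:
    """Net Profit row: erosion as % of NPBT -> rating 1..5.
    Slide bands: <3, 3-5, 6-8, 9-17, >17.  Values between two bands
    (e.g. 5.5) are assigned to the higher band; that is an assumption."""
    if erosion_pct_npbt < 3:
        return 1
    if erosion_pct_npbt <= 5:
        return 2
    if erosion_pct_npbt <= 8:
        return 3
    if erosion_pct_npbt <= 17:
        return 4
    return 5


def rate_asset_damage(damage_pct_total_assets: float) -> int:
    """Assets/Shareholder Equity row: damage as % of Total Assets -> rating.
    Slide bands: <1, 1-4, 4-7, 7-10, >10.  A value on a shared boundary
    (e.g. exactly 4) goes to the lower band; that is an assumption."""
    if damage_pct_total_assets < 1:
        return 1
    if damage_pct_total_assets <= 4:
        return 2
    if damage_pct_total_assets <= 7:
        return 3
    if damage_pct_total_assets <= 10:
        return 4
    return 5


def rate_working_capital(quarters_unsustainable: float) -> int:
    """Working Capital row: quarters for which working-capital requirements
    cannot be sustained -> rating.  Slide bands: business as usual (0),
    <=1 quarter, 1-2 quarters, 3-4 quarters, >1 year."""
    if quarters_unsustainable <= 0:
        return 1
    if quarters_unsustainable <= 1:
        return 2
    if quarters_unsustainable <= 2:
        return 3
    if quarters_unsustainable <= 4:
        return 4
    return 5


@dataclass
class Scenario:
    """One risk-register entry (constructed sample data, not from the course)."""
    name: str
    likelihood: str                 # a key of LIKELIHOOD
    net_profit_erosion_pct: float   # % of NPBT
    asset_damage_pct: float         # % of Total Assets
    quarters_unsustainable: float


def consequence_rating(s: Scenario) -> int:
    """Worst of the three financial perspectives (taking the maximum is an
    assumption about how the table is applied, not a rule on the slide)."""
    return max(rate_net_profit(s.net_profit_erosion_pct),
               rate_asset_damage(s.asset_damage_pct),
               rate_working_capital(s.quarters_unsustainable))


def risk_score(likelihood: str, consequence: int) -> int:
    """Risk = Likelihood x Consequence, as defined in the course."""
    return LIKELIHOOD[likelihood] * consequence


def tolerability(score: int) -> str:
    """Map a score to the tolerability bands the risk rating slide gives."""
    if score in LOW_SCORES:
        return "Low: tolerable, monitor against escalation"
    if score in NOT_TOLERABLE_SCORES:
        return "Not tolerable: immediate and drastic action may be required"
    return "Band not defined on the slide: evaluate against the organization's risk criteria"


def assess(register: list[Scenario]) -> list[dict]:
    """Score every scenario and return rows sorted from highest to lowest risk."""
    rows = []
    for s in register:
        c = consequence_rating(s)
        score = risk_score(s.likelihood, c)
        rows.append({"name": s.name, "likelihood": s.likelihood,
                     "consequence": CONSEQUENCE[c], "score": score,
                     "rating": tolerability(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Scenario("Key supplier insolvency", "Possible", 4.0, 0.5, 1),
    Scenario("Data-centre fire", "Remote", 20.0, 12.0, 5),
    Scenario("Minor process deviation", "Likely", 1.0, 0.2, 0),
    Scenario("Loss of main customer", "Almost Certain", 18.0, 0.0, 2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['name']:<26} L={row['likelihood']:<14} C={row['consequence']:<13} "
              f"score={row['score']:>2}  {row['rating']}")
```

Running the block scores the sample register as 25, 6, 5 and 4. The score of 5 (Remote x Catastrophic) is worth noticing: it is not in the slide's Low set even though it is numerically below 6, which is exactly the kind of gap a written rating table exposes and a plain product threshold would hide.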
Session 6
Risk Treatment
ISO 31000:2018 - Process
RISK TREATMENT
• The purpose of risk treatment is to select and implement options for addressing risk.
RISK TREATMENT
• The purpose of risk treatment plans is to specify how the chosen treatment options will be implemented, so that the arrangements are understood by those involved and progress against the plan can be monitored.
Session 7
COMMUNICATION AND CONSULTATION
The purpose is to assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required.
Communication seeks to promote awareness and understanding of risk.
Consultation involves obtaining feedback and information to support decision-making.
MONITORING & REVIEW
Rating / Description:
Very Good: Management is aware and manages risks well. Mitigations are strong and sufficiently robust to manage risks adequately. Compliance is in place.
Good: No major issues with controls & compliances. Mitigations are adequate and sufficiently robust.
Satisfactory: Mitigations and compliances are generally in place. Minimum mitigation issues.
Unsatisfactory: Mitigations are inadequate and not sufficiently robust to manage risks. A large number of mitigation lapses and/or non-compliance issues.
Poor: Absence of mitigations. Non-compliance to policies and procedures. General lack of compliance culture.
Session 8
DEVELOPMENT OF RISK MANAGEMENT
CULTURE
Zainorni Mohd Janis
03- 5544 6231
email :
[email protected]