IGTA Journal - Autumn 2017
The ISO 31000 standard defines risk as the effect of uncertainty on achieving objectives. This definition once again changes the issues surrounding risk by requiring that the business objectives whose attainment might be impaired by the occurrence of uncertain circumstances be specified. This multitude of objectives means that decision-makers need to choose between alternatives. At the operational level, risk managers will suggest methods for preventing the effects of uncertainty from interfering with the conduct of the activities carried out to achieve the objectives. This new definition does not call into question the problems of dealing with dangers or assessing potentially harmful events. The standard also formally sets out the role of decision-makers.

The generic risk management process put forward by ISO 31000 restates the traditional activities of assessing risk (identification, analysis and evaluation) and treating it. The standard adds three further actions to them: (1) establishing the context, which makes it mandatory, before these actions start, to lay down the fundamental parameters that characterise the environment in which risk management is to take place and the values of those parameters, for example by means of a risk matrix; (2) communication and consultation, and its link to all the other risk management process tasks and to discussions with other internal and external stakeholders; (3) monitoring and review, intended for example for re-evaluating the conduct of risk management activities.

The organizational framework is intended to manage these conflicts and, more widely, to incorporate risk management actions into the procedures of the organisation or company. In fact, risk management should not be treated as a stand-alone activity, but instead as part of other activities, including operational activities. It should therefore be of use to these operational activities and, in particular, it should contribute to the decisions that they require.
Provision should be made for continuous improvement of this management process. For that purpose, it is useful to have evaluation resources to help with improvement. This organizational framework is built up using the traditional "PDCA" (i.e. Plan, Do, Check and Act) cycle. Risk management performance indicators need to be defined. The risk management process rests on the 11 basic principles laid down in the standard, as stated above. In the final analysis, a risk management process such as this should, for example, create value. It should also incorporate human and cultural factors. In addition, it should deal explicitly with uncertainty. It should aim to inform and train all stakeholders. It involves defining everyone's roles and responsibilities, risk appetite, etc.

A standard such as ISO 31000 needs to be revised every 5 years (as happened recently). The revision process is slow and involves garnering opinions from various stakeholders. This complicates it and slows it down, while at the same time giving it even greater value. In a document such as this, the difficulty lies in laying down guidelines and making it useful as a roadmap for everyone, while avoiding it becoming an all-encompassing manual, heavy-going and, in the final analysis, unsuitable because it would be too specific.