ISO-31000-CLA ISO 31000 - Certified Lead Risk Manager Questions and Answers

The Chief Risk Officer chairs the ERM/RM steering committee. The ERM/RM steering committee oversees the organization’s risk management activities and provides guidance and support to senior management.

According to page 9-10 of source 2, risk management professionals organize internal and external information about the organization into categories such as stakeholders, strategic objectives, policies and procedures, risk appetite and tolerance, and risk culture. This categorization process facilitates the analysis and reporting of the risk information at a later stage, making it easier to understand and use.

Recording and reporting documents information that are relevant to the organization’s risk management framework, process, and system 2 . These activities help to provide evidence, feedback, learning, and improvement for risk management.

A review of the goals and objectives of the risk strategy is part of defining the success measures for the organization’s risk strategy 1 . This helps to ensure that the risk strategy aligns with the organization’s purpose, vision, mission and values.

According to ISO/IEC Guide73 (2009), clause B., residual risk is “the level of remaining after controls have been applied”.  It is sometimes called ‘retained risk’ because it represents the amount of risk that an organization decides to accept or retain after implementing its mitigation strategies  3 .

Monte Carlo simulation is a risk analysis technique that uses random variables to model uncertainty and generate possible outcomes 2 . This helps to assess the probability and impact of different scenarios.

Records and reports provide a continuing account of the risk management system 2 . They help to monitor and review the performance and effectiveness of risk management.

the last step of the risk assessment process, which starts with risk identification, moves to risk assessment, and finally risk evaluation, is Risk evaluation.

Risk evaluation involves comparing the estimated level of risk against the risk criteria established during the risk assessment phase, to determine the significance of the risk and whether it is acceptable or not. This decision is made in consultation with stakeholders, who may provide additional context and information to inform the decision.

The American Society for Quality (ASQ) describes risk evaluation as "the process of comparing an estimated risk against given risk criteria to determine the acceptability of the risk." [1]

Similarly, ISO/IEC 27001:2013 (Information technology — Security techniques — Information security management systems — Requirements) defines risk evaluation as "the process of comparing the estimated risk against given risk criteria in order to determine the significance of the risk." [2]

References: [1] ASQ Glossary - Risk evaluation,  https://asq.org/quality-resources/risk-evaluation  [2] ISO/IEC 27001:2013, Clause 6.1.3(c),  https://www.iso.org/standard/54534.html

according to page 15 of source 3, the development of a risk management strategy takes into account the organization's resources and internal support. These resources include factors such as human, capital, and technological resources; organizational structure, culture, and governance; communication and consultation mechanisms; and support from senior management and leadership. These inputs have an impact on the feasibility and effectiveness of the risk management strategy.

Full accountability for risk controls and treatment and decision making involves risk are two of the enhanced risk management attributes according to ISO 31000:2009 1 . These attributes indicate that risk management is integrated into governance and decision-making processes.

Communication with stakeholders, customers, and interested parties is an essential element for maintaining the relevance of enhanced risk management within the structure of a changing context 3 . Communication helps to establish trust, transparency, accountability, and feedback mechanisms for risk management.

Integrated and customized are two of the nine risk management principles in ISO 31000:2018 1 . Integrated means that risk management is an integral part of all organizational activities. Customized means that risk management is aligned with the organization’s external and internal context and risk profile.

According to , page 13-14, probability multiplied by impact equals risk magnitude which is “a measure that reflects both likelihood and consequences”. It can be used as an indicator for prioritizing risks.

Risk management is a strategic management process 2 . Risk management helps organizations to align their objectives, strategies, and actions with their external and internal environment.

According to , page 9, defining the context involves “understanding what influences people’s perception and tolerance of risks”. Discussing how girls are viewed by community members can help identify potential sources of resistance, conflict or violence that may affect the project’s objectives and outcomes.

 According to ISO31000 (2018), clause 4., one of the principles of effective risk management is “taking human and cultural factors into account”. This means that risk management should consider how people’s behaviors, perceptions, values and attitudes influence or are influenced by risk .

Treatment plan provides a roadmap on how the treatment options will be deployed 3 . Treatment plan helps to define the objectives, scope, responsibilities, resources, timeframe, and monitoring mechanisms for implementing risk treatment actions.

Risk management is systematic, structured, and timely 4 . Systematic means that risk management follows a logical and consistent approach. Structured means that risk management has clear steps, roles, and responsibilities. Timely means that risk management provides information in time for decision making.

 ISO uses the concept of uncertainty as the driver and rationale for risk management. Uncertainty refers to the state of having incomplete knowledge or understanding about something that can affect an organization’s objectives.

Monitoring and review is a critical part of risk assurance 5 . This step involves checking whether the risk management framework, policy, and plan are implemented, whether they remain suitable, and whether they need improvement.

  Risk management is a process with inputs, activities, and outcomes 1 . The inputs are the organization’s context and risk criteria. The activities are risk identification, analysis, evaluation, and treatment. The outcomes are improved decision making, performance, and resilience.

Systematic means doing something according to a plan or method. Systematic implies orderliness, consistency, and rigor in applying risk management.

  People processes and hard processes are two types of integrated processes 3 . People processes involve human factors such as culture, values, ethics, and behavior that influence risk management. Hard processes involve technical aspects such as methods, tools, techniques, and systems that support risk management.

Treatment plan becomes a living document of defining the direction of the risk treatment and being able to monitor progress against the plan 3 . Treatment plan helps to ensure that risk treatment actions are aligned with the changing context, objectives, and stakeholder expectations.

KPIs (Key Performance Indicators) and KRIs (Key Risk Indicators) are measured extensively throughout the organization and into the supply chain 1 . These indicators help to monitor and evaluate the performance and effectiveness of risk management.

According to , page 23, after validating the training curricula, a risk management professional schedules and conducts training sessions based on the target audience’s needs and availability.

Risk management is tailored 4 . Tailored means that risk management takes into account the specific needs, objectives, and characteristics of each organization and its context.