ISO 31010 and Risk Appreciation

Risk appreciation according ISO 31010

By Víctor Parrado López – Management Systems Consultant

Nowadays, most organizations are complex: they contain many departments, teams that work in a dispersed way, and so on. In addition, the human factor adds further complexity to an already complex picture: different cultures, very different profiles, etc. This can obscure the need to manage every possible event that could hinder the operation of our organization. Managing those events is the “step of maturity” that positions organizations in the market and that has a bearing on their competitiveness.

But how can I properly identify the risks in my organization? What should I take into account when carrying out this work? How can I weigh the risks in an organization? Should I estimate them, or should I measure them accurately? This article does not intend to be a categorical answer to these questions, but rather to shed some light on them and to propose some factors and guidelines, drawn from our experience in this field, that help to resolve them in a practical way.

Issues proposed by ISO 31010

In order to alleviate some of these problems, ISO 31010 proposes a series of issues to be taken into account in the risk appreciation process. Mainly, it refers to a set of guidelines that will determine, to a large extent, the criteria for identifying each risk.
These guidelines establish the context and objectives of the organization, so that the criteria can be adapted to the organization’s own characteristics. Another essential part is to establish the scope and the types of risk that are considered tolerable; in addition, the available resources and the communication between internal and external parties will be decisive. Finally, the methods and techniques used for risk appreciation, which comprises risk identification, risk analysis and risk evaluation, will be a determining factor for success.

It is logical to think that the organization’s level of maturity will determine, to a large extent, the risk appreciation techniques it will use. That is why, among the many techniques proposed by ISO 31010, we must use the one that suits our purposes and possibilities, each having its own advantages and disadvantages.

For an organization with no previous experience in risk appreciation, it may be appropriate to use a technique that provides a first-level approximation of its risks, allowing them to be managed. Examples of this philosophy are techniques such as brainstorming or interviews with those responsible for the different areas: easy and quick to implement, but relying primarily on the human factor, so participants need extensive experience in their area for a satisfactory result.

On the contrary, in an organization with a remarkable level of maturity it may be convenient to perform the appreciation in a much more detailed way, appreciably reducing uncertainty by using statistical methods; an example is the Monte Carlo simulation technique. To apply this technique, a model or algorithm is built whose inputs are random numbers drawn from appropriate probability distributions, and whose output is a set of simulated runs of the system that allow the frequency of a given response to be modeled. We can use this technique to determine, more accurately than with the previous techniques, the probability that a risk will materialize, or that the exploitation of a vulnerability leads to a given consequence. Despite the substantial advantages it may have, an exact definition of the model requires, in addition to the modeler’s experience, time, especially for large models.
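As an added illustration (not part of the original article), a minimal Monte Carlo loss model in Python: event frequency and per-event impact are the random inputs, drawn here from Poisson and lognormal distributions (my assumption; ISO 31010 prescribes no particular distribution), and the output is a simulated distribution of annual loss from which the probability of exceeding a tolerance threshold is read. The scenario figures are constructed, and a closed-form expected loss is included as a sanity check on the simulation.

```python
import math
import random


def poisson(rng, lam):
    """One Poisson(lam) draw via Knuth's multiplication method (adequate for small lam)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_annual_losses(freq_per_year, impact_median, impact_sigma, n_iter=20000, seed=1):
    """Each iteration is one simulated year: the number of events is Poisson(freq_per_year),
    and each event's loss is lognormal with the given median and dispersion (both assumed
    distributions; the article names none). Returns the list of simulated annual losses."""
    rng = random.Random(seed)           # fixed seed so a run is reproducible and auditable
    mu = math.log(impact_median)        # lognormal median = exp(mu)
    losses = []
    for _ in range(n_iter):
        events = poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, impact_sigma) for _ in range(events)))
    return losses

def summarize(losses, tolerance):
    """Reduce the simulated distribution to the figures a risk owner asks for."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "mean_annual_loss": sum(ordered) / n,
        "p95_annual_loss": ordered[math.ceil(0.95 * n) - 1],   # nearest-rank percentile
        "prob_exceeding_tolerance": sum(1 for x in ordered if x > tolerance) / n,
    }

def analytic_expected_annual_loss(freq_per_year, impact_median, impact_sigma):
    """Closed form for the same model (frequency * mean impact), a check on the simulation."""
    return freq_per_year * impact_median * math.exp(impact_sigma ** 2 / 2)

if __name__ == "__main__":
    # Constructed scenario: an event expected about twice a year, typical loss 50 000
    # with moderate spread, and an annual loss tolerance of 250 000.
    losses = simulate_annual_losses(2.0, 50_000, 0.5)
    result = summarize(losses, tolerance=250_000)
    print(f"simulated mean annual loss : {result['mean_annual_loss']:,.0f}")
    print(f"analytic mean annual loss  : {analytic_expected_annual_loss(2.0, 50_000, 0.5):,.0f}")
    print(f"95th percentile annual loss: {result['p95_annual_loss']:,.0f}")
    print(f"P(annual loss > tolerance) : {result['prob_exceeding_tolerance']:.3f}")
```

The gap between the simulated and analytic means narrows as `n_iter` grows, which is a quick way to judge whether enough iterations were run before reporting the tail figures.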

However, in a large organization it may be imprudent to perform risk management manually, as the complexity would certainly prevent it. Furthermore, where a company uses different methodologies (because different departments have different purposes), it becomes very difficult to analyse the risks and the corresponding treatment plan(s), and to obtain the indicators for continuous improvement proposed by the standard.

For this reason, at GlobalSuite Solutions we propose a solution to this problem using the GlobalSUITE® tool, which facilitates the tasks mentioned above. With GlobalSUITE Risk Management it is possible to manage risk appreciation by applying different methodologies, thus meeting the needs of different departments. Moreover, different risk treatment plans can be managed depending on the different analyses, taking advantage of the resources invested by each department and thus centralizing the effort.

Moreover, GlobalSUITE Risk Management is a tool that forms part of an integral management system, GlobalSUITE®. In this way, when other standards are adopted, all efforts are centralized, the process is incremental and its maintenance is optimal. In addition, through the GlobalSUITE Balanced ScoreCard module, senior management obtains a global view of the state of its management system, together with all the items that comprise it, aligned with its objectives and enabling early detection of deviations.


