Risk assessment according to ISO 31010
How can an organization conveniently identify its risks? What should be taken into account when carrying out this work? How should risks be weighed: is it enough to estimate them, or must they be measured accurately? These questions arise daily in companies because of the continuous drive for competitiveness that lets an organization take the “step of maturity” that positions it in the market.
This article does not claim to be the definitive answer to these questions, but it reviews the associated standard and proposes some factors and guidelines that will help answer them.
Issues proposed by ISO 31010
In 2019 the second edition of ISO/IEC 31010 Risk Management – Risk Assessment Techniques was approved. Its most notable change is the extended set of techniques described for risk assessment in organizations and the guidance on applying them. The techniques are presented in the annexes to the standard: “Annex A” classifies the risk assessment techniques and “Annex B” describes them. Throughout the standard, reference is also made to other documents that describe these techniques in greater detail. Another change in the current edition is the greater level of detail given to the planning, implementation, verification and validation processes.
This standard is not certifiable; it is a methodological tool that proposes a number of issues to consider in the risk assessment process.
The techniques described can be used in many environments. The standard is an introductory document to them: for each technique it compares the possible applications, benefits and limitations, and refers to other sources for further information.
To apply these techniques we must first reflect on the company’s risks, starting from the uncertainty with negative effects that we can detect in the business: any potential impact on the company is a risk that must be identified for later evaluation. These risks are potential events, and an event can have multiple causes and multiple consequences. Risk assessment techniques aim to help understand that uncertainty and the risk associated with it.
Risk identification should take into account all the factors that affect the company: organizational, social and environmental. It is also essential to establish the scope and the types and levels of risk that are considered tolerable; the resources available and the communication between internal and external parties are decisive here.
Finally, the methods and techniques used for risk assessment, comprising risk identification, risk analysis and risk evaluation, will be a determining factor in its success. How risk is assessed depends on the complexity and novelty of the situation and on the level of relevant knowledge and understanding. Among the many techniques proposed by ISO 31010, we must use the one that suits our purposes and resources; each has its advantages and disadvantages.
For a first risk assessment, or for an organization with no prior experience in assessing its risks, it may be advisable to use a technique that provides a first approximation of the risks, enough to begin managing them. Examples of this approach include brainstorming and interviews with those responsible for the different areas. Both are easy and quick to implement and depend mainly on the human factor: they only require participants with extensive experience in the area, and their results are only as good, and as reproducible, as that experience.
However, an organization with a notable level of maturity may want to perform the assessment much more thoroughly, to determine more accurately the likelihood of a risk materializing. An example is Monte Carlo simulation: a model or algorithm whose inputs are random samples drawn from appropriate probability distributions and whose output is a set of simulated outcomes, from which the frequency (the distribution) of a response can be estimated. With it we can determine, more accurately than with the previous techniques, the probability that a risk will materialize or that exploiting a vulnerability leads to a given consequence. Despite its substantial advantages, its requirements must be taken into account: the modeller’s experience in risk management, the quality of the input distributions (the output is never better than the estimates fed in) and the run time, especially for large models.
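As an added example (not part of the original article nor of any GSS product), the following Python script runs this kind of simulation for a single constructed scenario: events arrive at an assumed mean frequency per year (Poisson), each event’s loss is drawn from a triangular distribution bounded by an expert’s low / most likely / high estimate, and the result is the distribution of annual loss, from which the expected loss, the 95th-percentile loss and the probability of exceeding a tolerance threshold are read. The scenario figures (a ransomware event roughly every two years costing between 10k and 300k) are illustrative assumptions, as are the function names.

```python
"""Monte Carlo estimate of annual loss exposure for one risk scenario.

Assumed (hypothetical) model: events arrive as a Poisson process with a
known mean frequency per year; each event's loss follows a triangular
distribution bounded by an expert's low / most-likely / high estimate.
Only the standard library is used.
"""
import math
import random


def sample_poisson(rng, mean):
    """Number of events in one year for a Poisson mean (Knuth's algorithm).

    random has no Poisson generator, so it is written out: multiply uniform
    draws until the product drops below exp(-mean); the count is the sample.
    """
    limit = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(frequency_per_year, loss_low, loss_mode, loss_high,
                           iterations=20000, seed=1):
    """Return one simulated total loss per year, over `iterations` years."""
    if not loss_low <= loss_mode <= loss_high:
        raise ValueError("expected loss_low <= loss_mode <= loss_high")
    rng = random.Random(seed)  # fixed seed makes the run reproducible
    annual = []
    for _ in range(iterations):
        events = sample_poisson(rng, frequency_per_year)
        # random.triangular takes (low, high, mode); sum the losses of the year
        annual.append(sum(rng.triangular(loss_low, loss_high, loss_mode)
                          for _ in range(events)))
    return annual


def summarize(annual_losses, tolerance):
    """Mean loss, 95th-percentile loss and probability of exceeding tolerance."""
    ordered = sorted(annual_losses)
    n = len(ordered)
    p95 = ordered[min(n - 1, int(0.95 * n))]
    exceed = sum(1 for x in ordered if x > tolerance) / n
    return {"mean": sum(ordered) / n, "p95": p95, "p_exceed": exceed}


if __name__ == "__main__":
    # Constructed scenario (assumption): ransomware on a file server about
    # once every two years, direct cost 10k..300k with a most likely 50k.
    losses = simulate_annual_losses(0.5, 10_000, 50_000, 300_000)
    # Tolerance (assumption): the organization accepts up to 150k in a year.
    print(summarize(losses, tolerance=150_000))
```

The point of the paragraph above shows up in the output: the expected (mean) annual loss is one number, whereas the simulation also gives the tail (p95) and the probability of exceeding the tolerance, which is what the tolerable level of risk has to be compared against. With NumPy available one would replace the hand-written sampler with numpy.random.Generator.poisson and vectorize the loop; the structure of the model is the same.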
Possible setbacks should also be taken into account: in a large organization it may be unwise to carry out risk management manually, since the complexity would most likely prevent it. Furthermore, where a company uses different methodologies (because different departments have different purposes), it becomes very difficult to analyse the risks, manage the corresponding treatment plans and obtain the indicators for continuous improvement that the standard proposes.
At GSS we propose a solution to this problem through the GlobalSuite® tool, which facilitates the tasks described above. With GlobalSuite® Risk Management, the risk assessment can be carried out with different methodologies, satisfying the needs of the different departments. Different risk treatment plans can be managed according to the different analyses, taking advantage of the resources invested by each department and centralizing the effort. In addition, through the GlobalSuite Balanced ScoreCard module, senior management obtains a global view of the state of its management system and of all the elements that make it up, aligned with the system’s objectives and enabling the early detection of deviations.