Safety and Risk Management - Control Hazards - Literature review Example

Implementation of AS/NZS ISO 31000:2009 Risk Management Institution: Instructor: Course: Table of Contents Table of Contents 2 2.1 AS/NZS ISO 31000:2009 Basics 4 3.1 Components of AS/NZS ISO 31000:2009 Risk Management 5 Mandate and obligation 5 AS/NZS ISO 31000 Design Framework for Managing Risk 5 Monitoring 6 Continual Improvement 6 4.1 AS/NZS 31000:2009Risk Management process 7 Communication and consultation 7 Establishing in context 8 Risk Assessment 9 Risk Identification 9 Risk Analysis 10 Risk Evaluation 10 Risk Treatment 11 Monitoring and Review 12 5.1 Strategies for Enhancing Risk Management 12 6.1 ISO 31000 Designs a Framework for Managing Risk 13 7.1 ISO 31000 capture risk and opportunity data 14 8.1 Cons of AS/NZS ISO 31000:2009 16 9.1 Conclusion 16 References 18 1.1. Introduction Risk management is a process of prioritizing different kinds of risks. It entails identification, analysis, and appeasement of uncertainty in investment decision-making (Carr, 2008, p. 12). Basically, risk management transpires when an investor examines and assays to quantify the possibility of losses in a firm and then takes the necessary precaution. Tarantino and Cernauskas (2011) indicated that, incompetent risk management results to meticulos consequences for both the company and employees. According to David and Wu (2008), risk management involves two step process, that is, determining the risk and handling the risk competently. In its part a hazard is ia a potential source of harm or damage. Which has an adverse effect on someone or some object in the workplace under certain conditions. According to Tarantino & Cernauskas (2011, hazards originate from a wide range of sources. This include, practice, process and substances, which are capable of causing harm or contrary health effect to the employees under specific conditions. For example, the presence of faulty electrical circuit in the working place can expose workers to harm. In its part risk is the probability of a person to be harmed when exposed to hazard (Clarke, 2003). To manage risk a thorough assessment of the risk must be conducted, to identify hazards, evaluate the risk, and determine the best appropriate means to control the hazard. Companies for the past years have adopted generic modeling systems such as BS 31100 (British) and NIST 800-30 (USA) for risk management, to apply a set of principles, processes, framework, and actions that prevents injuries and accident in the workplaces. However, AS/NZS ISO 31000:2009 apart from sounding like a dry title has superseded international standards by providing a new definition of risk and a best platform for risk management in global organizations. 2.1 AS/NZS ISO 31000:2009 Basics AS/NZS ISO 31000:2009 is a new generic standard of risk management published by International Organization for Standardization in 2009. According to Purdy (2010), AS/NZS ISO 31000 can help an organization of any size to strive towards prosperity through efficient risk management.AS/NZS ISO 31000:2009 is a revised AS/NZS 4360, which previously had an outstanding success in the global context. AS/NZS 4360, developed in New Zealand and Australia in 1995, has been a conspicuous success to managers across the globe (Purdy, 2010, pp. 881-886). However, since the introduction of AZ/NZS ISO 31000, AZ/NZS 4630 legacy has slowly disappeared. Even though researchers argue that, ISO 31000 is same as AS/NZS 4360 because the guidelines and principles virtually resembles. Watters (2010) proved them wrong, in his research Watters (2010) indicated that, ISO 31000 meets the true international risk management standard as compared to BS 31100 and NIST 800-30. Watters (2010) believes that, ISO 31000 can be categorised in the same group as ISO 9000 a standard for quality management.according to (Woods, 2012), ISO 31000 is an international flavour that can seduce global organizations, that are searching a coherent risk managmentapproach in the global platform. ISO 31000 introduces new eleven principles of risk management making it the best standard for fire management compared to the likes of BS 31100 and NIST 800-30 (Woods, 2012, p. 38). AS/NZS ISO 31000 contains key components that are essential in risk management. 3.1 Components of AS/NZS ISO 31000:2009 Risk Management Key components in the AS/NZS ISO 31000:2009 provides an efficient and proactive risk management framework. AS/NZS ISO 31000 includes the following components Mandate and obligation According to Cch (2009), risk management is a continous activity that requires full obligation. In addition, it must be ruled by command from the board of management (Cch, 2009, p. 87). If implemented it can sustain employees and senior management and prevent them from any kind of risk. ISO 31000 ensures on-going effectiveness of risk management and sustainable commitment of the organization. Mandate and obligation defines and approves the risk management policy in the organization (Purdy, 2010). In addition, ISO 31000 contains risk management indicators that straighten with the performance exhibitors of the business. Purdy (2010) believes that, the mandate of ISO 310000 is to ensure regulatory and legal compliance. In this respect, vital resources are ration to risk management. Unlike other standards, ISO 31000 communicates the benefit of Risk management to the stakeholders. Consequently, ISO 31000 ensures that, the structure for managing risk remains intact (Cch, 2009, p. 89). AS/ NZS ISO 31000 designs an effective framework for managing risk in global organizations. AS/NZS ISO 31000 Design Framework for Managing Risk Isaca (2009) asserts that, ISO 31000 outlines a framework for efficient implementation. The standard defines the overall risk management framework, formulates a risk management policy, implants procedures into practice, allots resources, and decides the responsibility of all key elements. Additionally, ISO 31000 outlines an effective framework to handle risk (Isaca, 2009, p. 8). Woods (2012) posited that, ISO31000 provide a base for efficient implementation. Whereby, it contains a well designed cyclic reporting to both the stakeholders and staff members. According to Isaca (2009), ISO 31000 provide key drivers that have an impact on the goals and objectives of the business. Isaca (2009) further notes that, ISO 31000 ensures accountability and sustainability to manage risk. In addition, IS00O 31000 sets up performance calculation and ensures suitable levels of acknowledgment. AS/ NZS ISO 31000 provides a platform for risk monitoring and reviewing. Monitoring ISO 31000 ensures that all risk management elements and actions are efficiently working to meet the required organization expectations. According to Isaca (2011), ISO 31000 ensures organizations can manage to measure risk management against indicators. Dali & rLajtha (2012) noted that ISO 31000 enables organizations to periodically progress against the risk management plan. Dali & rLajtha (2012) further indicates that, a well-implemented ISO 31000 offers an organization a risk management plan, which can easily be followed. Since its introduction ISO 31000 has continue improving the level of risk management in organizations. Continual Improvement ISO 31000 has continued enhancing risk management key elements thus improving risk management framework in the organization (Dali & rLajtha, 2012, pp. 1-8). In his Isaca (2012), found that, through monitoring and examination, ISO 31000 improves the risk management framework, plan, and policy. Implementation of ISO 3100 can lead to improvement of organizations culture, operation and risk management. Compared to other standards such as BS 31100 and NIST 800-30, AS/NZS ISO 31000 provides the best risk management process (Watters, 2010). 4.1 AS/NZS 31000:2009Risk Management process Risk management process is an indispensable part of management, implanted in the practices and culture, and fixed to the processes of the organization. According to Watters (2010), ISO 31000-risk management process is made up of five stages namely communication and consultation, establishing context, risk assessment, Risk treatment and finally Monitoring and Review. Communication and consultation Risk management process involves binding both internal and external stakeholders. According to Isaca (2012), stakeholders plays a crucial role in the establishment of expectations, shaping the context of risk management and being certain their needs is best served. Isaca (2012) posited that, communication links the risk manager, risk owner, and stakeholders in the risk management process. It is worth noting that, effective Communication and consultation is vital in ensuring responsible implementation of risk management process. Nevertheless, ISO 31000 enables the stake holders understand the foundation on decisions and actions agreed. In addition, ISO 31000 ensures that stakeholder’s interests are well considered and comprehended (Purdy, 2010). In this respect, ISO ensures sufficient identification and the appropriate establishment of context. Communication and consultation is essential especially to the stakeholders. In this regard, stakeholders make judgments based on intuition of risk. ISO (2009) posited that these intuitions change due to differences in concepts, needs, and values of stakeholders. Isaca (2011) believes that, stakeholders opinions have a meaningful impact on the decisions made. In addition, stakeholders’ intuitions should be recognized, noted, and considered in the decision-making process. Through communication and consultation, ISO 31000 facilitates relevant, trustworthy, precise, and essential exchanges of information, considering classified and personal morality aspects (ISO, 2009). Establishing in context This involves setting up boundaries, taking into account both internal and external factors. According to Isaca (2011), ISO 31000 enables the risk manager to establish a background of risk management process, which includes risk management policy, procedures, and methodology to apply. In the external context, ISO 31000 ensures external stakeholders concerns and goals are taken into account when developing the risk standard (Isaca, 2011). The external context includes political, social, cultural, and economic factors. According to woods (2010), factors are key drivers that have an impact on the goals and objectives of the organization, and should take into account the intuitions and importance of the stakeholders. In internal context, Isaca (2011) asserts that, risk management process should go concurrently with the organization, structure, culture, and strategy. Watters (2010) notes that, ISO 31000 enables risk management to take place in line with organization goals and objectives thus improving organization credibility and commitment. Internal context includes organization structure, governance, and accountabilities. Nevertheless, ISO 31000 defines the objective and goals of risk management activities, the depth, and scope of the risk management to be carried, which includes exclusions and inclusions. In addition, ISO offers the risk methodology to be implemented and defines the way efficiency and performance should be evaluated in risk management (Tarantino & Cernauskas, 2011). Risk Assessment This comprises the procedures for analyzing, appraising, and analyzing risks. Ideally, it utilizes various risk identification methodologies, which include expert facilitation and brainstorming. However, ISO 31000 provides guidelines on how to select and apply methodical techniques for risk assessment. Isaca (2011) posited that, organization should identify the existing management controls in order to determine the degree of residual risk. Isaca (2011) further notes that, it is essential to evaluate the level of the risk, since its essential in decisions pertaining to advance risk treatment. According to ISO (2009), risk assessments involves three stages namely, risk identification, risk analysis and risk evaluation. Risk Identification In risk identification, organizations should be in a position to identify the sources of risk, its effect, and the possible outcomes. According to waters (2010), risk identification generates an inclusive list of risks established on events that enhance, create, or prevent achievement of organization objectives. ISO 31000 enables the risk manager to; easily identify risks connected without tracking an opportunity. In addition, identification can contain risk regardless of their sources being under control. Isaca (2009) recommends that, ISO 31000 provide organizations with the best risk identification tool that well suits its objectives and abilities and to the risk expected. ISO 31000 provides pertinent and up-to-date important information crucial to risk identification. Consequently, it provides substantial information required for the process (Purdy, 2010). Risk Analysis Risk analysis in its part involves developing infer of risk. According S, et al. (2010), risk analysis entails furnishes an input in the evaluation of risk and decisions on if the risk needs to be treated. Risk analysis entails taking into account the sources and causes of risk, their consequences, and the chances of the consequences to take place (S, et al., 2010, pp. 9-447). According to Isaca (2010), risk is analyzed to determine the outcomes, and their probabilities. A single event can have numerous consequences, which in turn can affect the organization multiple objectives. S, et al. (2010) believes that, through modeling of an event outcome and extrapolation of the available data, consequences, and their probability can be easily determine. Risk Evaluation According to S, et al. (2010) risk evaluation is applied to assist in decision-making, based on the results of risk analysis. Risk evaluation includes comparison of risk levels found in the analysis stage, about which risk criteria was established. Based on this, it become easier to point out the similar and different risks, thus the necessity for treatment is considered. According to S, et al. (2010), decisions made should consider the broader context of the risk and contain thoughtful endurance of the risk support, rather than benefiting from the risk. In some instances, risk evaluation can force an organization to take further analysis. Risk Treatment At this level, risk remains unbearable and risk treatment is vital. S, et al. (2010), believes that the best way risk owners can treat their risks is by avoiding risk. S, et al. (2010), recommends that, risk level should always remain within its appetite. This is managed by selecting more than one option to modify risk and fully implement those options. ISO 31000 offer guidelines that enables risk managers and risk owners, asses the best risk treatment, and decide whether the remaining risks are bearable. In addition, ISO 31000 gives the procedure of developing a new treatment for non-endurable risk. ISO 31000, outline options of risk treatment this include, eliminating the risk source, replacing the likelihood and the consequences. In addition, reducing the risk in order to chase for an opportunity and sharing the risk with other parties. Isaca (2011) asserts that, in order to select an appropriate risk treatment option the implementation efforts and the cost must balance against the benefits drawn. In this regard, legal, natural environment protection and social responsibility must be taken into considerations. In risk treatment option, the intuitions, and worthiness of the stakeholders is taken into account, by providing efficient means of communicating to them. ISOM 31000 outlines the order on how risk treatments should be implemented (ISO, 2009). It is worth noting that risk treatment can launch more risks, because of failure in risk treatment measures. Therefore monitoring is essential during risk treatment since it acts as a spy watch to ensure the measure remains productive. ISO (2009) warns that, during the risk treatment secondary risks can generate, creating the need for assessment. However, ISO (2009), provide guidelines which maintain that, the secondary risks and original risk are the same; hence they should be combined into the same treatment plan. According to Purdy (2010), stakeholders should be involved in decisions during the treatment plans. In addition, the organization management process should be merged with the treatment plans. Then, after risk treatment, both stakeholders and decision makers should be conversant with the nature of the residual risk. Monitoring and Review Maintaining the relevancy of risk management framework is critical, because of the varying needs of the organization and the outside effects. Purdy (2010) argues that monitoring and reviewing should be part of risk management plan, since it involves regular surveillances. ISO (2009) clearly indicates that, management, risk owners, and board are responsible for monitoring and reviewing. The responsibilities offered to them includes, ensuring effective control of operation and design, researching for further information to enhance risk assessment learning lessons from past events. In addition, risk managers should identify emerging risk and detect any changes both in internal and external context. 5.1 Strategies for Enhancing Risk Management ISO (2009) acknowledges the need for continuous improvement of risk management. The standard lists five characteristics that improves risk management framework to help organizations manage to gauge their own performance. The first attribute is the continual improvement, whereby organizations are expected to set up performance measurement and goals. Secondly, accountability for risks: here risk owners are expected to employ a well-trained and competent risk manager who can manage to control risk from happening. Thirdly, applying risk management in all decision making: this means that all business operation should run with risk management being point of view. Fourthly, continual communication: a well-established organization should have risk management reporting centre whereby, risks are reported. Finally, incorporation of risk to organization governance composition: here organization should consider risk at both procedural and policy levels. Isaca believes that, ISO 310000 motivates organizations to success and contrasts their present risk management exercise to the processes and principles set in the ISIO 31000 document. It localizes areas that need improvements and offers strategies for the improvement (S, et al., 2010, pp. 8-447) 6.1 ISO 31000 Designs a Framework for Managing Risk Risk management framework should define how risk should be managed at any levels in the organization. ISO (2009) provides an effective framework that is critical to the prosperity of the business. It provides an ample platform for organization desiring to restore their framework, or organization defining risk management for the first time. In addition, ISO 31000 provides guidelines, which describes the characteristics of a prospering framework. The standard contains recommendations concerning the framework. Below is an example from Strategic Group of Enterprise Risk solution (STG), who adopted ISO 310000 nine months after its publication. A survey conducted by Cch (2009) found that, 59 percent of board directors believe the burden of risk has increased. However, 41 percent believed that the introduction of ISO 310000 has improved their confidence in addressing risk management. STG is among the confident companies that believe IOSO 31000 came in rescue for risk management. Tom Teixeira the companies vice president notes that, ISO 310000 principles, framework, and process of risk management is feasible to any type of organization be it private or public. Tom insists that, ISO 31000 does not mandate, instead it stresses for an efficient inclusion of structure and culture within the organization in the management of risk.’ Standards are very crucial’ asserts tom, they make immense and explicit contribution to numerous facet of enterprises life. According to Woods (2012), standards provide common solutions to common problems. It is worth noting that ISO 31000 is a voluntary standard, which has no power to regulate or legislate. However, the STG VP insists that, organizations should adopt this standard especially, when bringing up their business. Because of its international standardization, ISO 31000 can grant an organization a business advantage (Cch, 2009). ISO 31000 is solid on “what” because it summarizes the components required for a healthy risk management process. STG identified three crucial elements that can lead to successful implementation of risk management process. This includes, the risk culture of business, management principle, policy framework, recording and sharing system. All these elements are drafted in the ISO 31000 document. According to Isaca (2011), most risk owners often neglect establishing and guiding the vital risk culture change in their organizations. Because, many believes cultural change is a sideshow. However, ISO (2009) insists that, risk culture enhances the process and performance of risk management 7.1 ISO 31000 capture risk and opportunity data ISO (2009) defines risk as an ‘effect of uncertainty on objectives’. Meaning risk can be either an opportunity or a threat. An organization with competent ERM (enterprise risk management) can entrap both risks, whereby opportunity would lead to the positive impact, and threat will drive to the negative impact. To manage this risk owner should include Active Risk Manager (ARM) in the risk management team (ISO, 2009). As defined in the ISO 31000 ARM should have the ability to record both qualitative and quantitative data in order to determine whether the risk is a threat or an opportunity. Spreadsheets were used as risk recording systems in the tradition era. This made file accessibility almost impossible, since the captured data were locked within multiple. Employees could only see the data capturing process but could not the benefit that came out of data collection and sharing (Clarke, 2003). However, ARM unlocks the knowledge and data captured and helps inlay risk and opportunity bringing culture into the organization. ISO 31000 designed ARM to capture risk and opportunity information from the stakeholders. The ARM contains a collaborative workshop solution (CWS) which facilitate the risk information collection by the risk management team CWS as defined by ISO 31000-download organization risk policies and structure that can be run offline (ISO, 2009). Tom the STG vice president asserts that, ISO 31000 has strived STG board of directors and the senior management staff understand the importance of engaging risk culture and process in the business operation. Tom argues that, implementing ISO 31000 has benefited the organizations in many ways, such as, improved decision-making based on evidence. In addition, the corporate governance and lucidity has adversely improved (Cch, 2009). Moreover, ISO 31000 has improved STG bids and tenders, by helping it win more tenders and improved its ability to complete its projects on time and within the calculated budget. In addition, ISO 31000 has reduced ‘unknown risks whereby it mitigates risk steps and fall back plans, this has reduced surprises giving board directors a reason to sleep well (Cch, 2009) 8.1 Cons of AS/NZS ISO 31000:2009 However, the above written has portrayed only one side of the coin. AS/NZS ISO 31000:2009 regardless of its countless pros it has its cons. ISO 31000 does not provide a methodology to execute a framed risk modeling exercise. As compared to BS 31100 (British) and NIST 800-30 (USA), ISO 31000 does not contain structured guidelines to itemize web security risks. In addition, ISO 31000 works best for systematic risks rather than technical risks.ISO emphasizes less on “why” a solid risk management is essential and “how” to implement the system to make risk management a reality (Tarantino & Cernauskas, 2011, p. 87) 9.1 Conclusion ISO 31000 is much far different from other ISO standards, because its mandate not only apply to the risk practitioners but also to the board of directors and the top management within the organization.ISO provides a unique solution for organizations intending to establish a dependable basis for planning and decision making. This improves the confidence and trust of the stakeholders thus increasing the likelihood of achieving the organization objectives. In addition, ISO 31000 reduces the potential negative consequences that can result from poor management of risk. It is worth noting that, ISO 31000 ultimate goal is improving the sustainability of organizations in Australia and abroad. Adopting and implementing ISO, 31000 can help Australian organizations compare their services with other organizations that are internationally recognized. This will provide them with principles and guidelines for effective risk management. In this regard, ISO 31000 can help risk owners manage risks carefully and become aware of the opportunities and susceptibility that arises from the present and potential risk. Finally, ISO 31000 can help Australian organizations implement and successively improve the risk management framework, which is an integral component in the management systems. References Carr, D., 2008. Obama's social networking was the real revolution. The New York Times , p. 2. Cch, 2009. Australian Master Environment Guide. Sydney: CCH Australia Limited. Clarke, S., 2003. Managing the Risks of Workplace Stress: Health and Safety Hazards. London: Taylor & Francis. Dali, A. & rLajtha, C., 2012. tHE GOLD STANDARD": THE EDP AUDIT, CONTROL AND SECURITY NEWSLETTER. ISO 31000 RISK MANAGEMENT, 45(5), pp. 1-8. David, L. O. & Wu, D. D., 2008. Enterprise Risk Management. 1st ed. Texas: World Scientific. Isaca, 2009. The Risk IT Framework. Risk IT, p. 106. Isaca, 2011. Cism Review Manual 2011. 9 ed. s.l.:ISACA. ISO, 2009. Risk managment. ISO Guide 73:2009, p. 29. Purdy, G., 2010. ISO 31000:2009--Setting a New Standard for Risk Management. Risk Analysis, 30(6), pp. 881-886. S, D., Miller & Rivera, J. D., 2010. Community Disaster Recovery and Resiliency: Exploring Global Opportunities and Challenges. London: Taylor & Francis. Tarantino, D. A. & Cernauskas, D., 2011. Essentials of Risk Management in Finance. 53 ed. Colarado: John Wiley & Sons. Watters, J., 2010. The Business Continuity Management Desk Reference. Sydney: Jamie Watters. Woods, M., 2012. An Integrated Case Study Approach. Risk Management in Organizations, p. 192. Read More