TUHH

Qries

What is ISO 31010?

ISO 31010 is complementary to ISO 31000 and is intended to assist users in the selection and application of risk assessment techniques. In particular, ISO 31010 is intended to be used to develop a deeper understanding of risks, to compare risks and the ways of avoiding or overcoming them, or to support emerging risk management activities. The risk management techniques described in ISO 31010 are generally applicable, but originate from the technology environment. The steps for risk assessment according to ISO 31010 are: first, planning the assessment activities; data collection, analysis and model development; the actual assessment of the risk; monitoring and reviewing the results; and recording the activities for future projects. Each step consists of several sub-steps. The standard also includes detailed descriptions of methods that can be used in each step. These include brainstorming, the Delphi method, checklists, FMEA, FMECA, SWIFT, bow-tie analysis, business impact analysis, event tree analysis, fault tree analysis, Pareto charts, decision tree analysis, and others. [36]

The ISO 31010 Process

The ISO 31010 process follows a six-step guideline.

1. Plan the Assessment
The first step of ISO 31010 is to plan the risk assessment by defining the scope and depth of the risk assessment, as well as determining all involved stakeholders and the possible consequences of a risk event occurring. Understanding the internal and external circumstances leading to risk events or their consequences, and engaging with all stakeholders to include their perspectives in the assessment, are crucial. To better understand a risk and its implications, the objectives of the system or process at risk should be defined and documented, and the impact that human, organizational and social factors could have on the risk and the consequences of its occurrence should be considered. Lastly, during the planning phase, the criteria for the decision on the risk should be reviewed.

2. Manage Information and Develop Models
For a proper risk assessment, all relevant information for this assessment needs to be obtained, stored and made available. Information can be obtained via literature reviews, observations, expert opinion, measurements, experiments, interviews, or surveys. Besides collecting the information, its quality should also be assessed. This is then followed by the analysis of the obtained information, as well as the application or development of models on and from this information.

3. Apply Risk Assessment Techniques
The gathered information and the insights generated are then used to identify and develop an understanding of the risks present, as well as to determine their sources, causes and drivers. In order to understand what current measures are doing to manage the present risk, the effectiveness of existing risk controls needs to be investigated, and the likelihood and consequences of a risk occurrence need to be understood. Lastly, interactions between different risks need to be understood, as well as the measures of risk. Measures of risk are methods that allow for better comparison and estimation of risks; they are usually formed by combining the consequences of a risk with their likelihood.

4. Review the Analysis
After the risks are assessed and analysed, this process and its results need to be reviewed. Firstly, the results are re-checked against the previous steps (especially the planning phase) or against previous experience, and then subjected to an uncertainty and sensitivity analysis. Once this is complete, the review can be conducted on the basis of the obtained information and these previous steps.

5. Apply Results to Support Decisions
The results of the review can then be used to derive the measures to be taken for better risk management. Here, the responsible personnel need to choose between accepting or treating a risk, weighing the two options on the basis of the advantages and disadvantages of each.

6. Record and Report Risk Assessment Process and Outcomes
Once the management process on the basis of the analysis is carried out, the process and recommendations should be documented and communicated properly.
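As an added illustration of steps 3 to 5 (measures of risk from consequence and likelihood, effectiveness of existing controls, review with a sensitivity analysis, and the accept-or-treat decision against the criteria fixed in step 1), the following small risk register is example code written for this page; it is not part of ISO 31010 and not from the original article. The 5x5 ordinal scales, the assumption that existing controls reduce likelihood but not consequence, the acceptance threshold and the sample risks are all constructed for the example.

```python
"""Minimal risk register in the spirit of ISO 31010 (example code, not the standard's own method).

Assumptions made for this example (the standard prescribes none of them):
  * likelihood and consequence are rated on 5-level ordinal scales,
  * the measure of risk is likelihood level x consequence level,
  * existing controls lower the likelihood level only, by their effectiveness,
  * the decision criterion is a single acceptance threshold on the residual score.
"""
import math
from dataclasses import dataclass, replace

# Constructed ordinal scales, listed in increasing order.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
_L_NAMES = list(LIKELIHOOD)   # index -> name, used when perturbing a rating
_C_NAMES = list(CONSEQUENCE)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    consequence: str
    control_effectiveness: float = 0.0  # assumed scale: 0.0 = no working control, 1.0 = fully effective


def inherent_score(risk: Risk) -> int:
    """Measure of risk before crediting any existing control."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def residual_likelihood_level(risk: Risk) -> int:
    """Likelihood level after existing controls; rounded up so controls are not over-credited."""
    raw = LIKELIHOOD[risk.likelihood] * (1.0 - risk.control_effectiveness)
    return max(1, math.ceil(raw))


def residual_score(risk: Risk) -> int:
    """Measure of risk that the decision in step 5 is based on."""
    return residual_likelihood_level(risk) * CONSEQUENCE[risk.consequence]


def decide(risk: Risk, acceptance_threshold: int) -> str:
    """Step 5: accept a risk within the agreed criterion, otherwise mark it for treatment."""
    return "accept" if residual_score(risk) <= acceptance_threshold else "treat"


def rank(risks) -> list:
    """Order risks by residual score so the largest contributors are treated first (Pareto-style)."""
    return sorted(risks, key=residual_score, reverse=True)


def decision_is_robust(risk: Risk, acceptance_threshold: int) -> bool:
    """Step 4 sensitivity check: does the accept/treat decision survive a one-level
    error in the likelihood or consequence rating (or both)?"""
    base = decide(risk, acceptance_threshold)
    li = LIKELIHOOD[risk.likelihood] - 1
    ci = CONSEQUENCE[risk.consequence] - 1
    for dl in (-1, 0, 1):
        for dc in (-1, 0, 1):
            nl, nc = li + dl, ci + dc
            if 0 <= nl < len(_L_NAMES) and 0 <= nc < len(_C_NAMES):
                variant = replace(risk, likelihood=_L_NAMES[nl], consequence=_C_NAMES[nc])
                if decide(variant, acceptance_threshold) != base:
                    return False
    return True


def assess(risks, acceptance_threshold: int) -> list:
    """Produce the records that step 6 would document, highest residual risk first."""
    return [
        {
            "name": r.name,
            "inherent": inherent_score(r),
            "residual": residual_score(r),
            "decision": decide(r, acceptance_threshold),
            "robust": decision_is_robust(r, acceptance_threshold),
        }
        for r in rank(risks)
    ]


# Constructed sample register and a constructed acceptance criterion from the planning phase.
ACCEPTANCE_THRESHOLD = 6
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing service", "likely", "major", 0.5),
    Risk("Loss of backup media", "unlikely", "severe", 0.0),
    Risk("Phishing leading to credential theft", "almost certain", "minor", 0.75),
    Risk("Printer outage", "rare", "negligible", 0.0),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS, ACCEPTANCE_THRESHOLD):
        print(row)
```

The `robust` column is the point of the review step: a risk whose decision flips when one rating is off by a single level (here the unpatched service, which drops to "accept" if its consequence is only "moderate") deserves a second look at the data quality from step 2 before the decision is recorded.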

Sources for the Process of ISO 31010: [45]