ISO-31000-CLA Exam Dumps - GAQM: ISO Questions and Answers

Risk management is a process with inputs, activities, and outcomes1. The inputs are the organization’s context and risk criteria. The activities are risk identification, analysis, evaluation, and treatment. The outcomes are improved decision making, performance, and resilience.

According to 2, domain 1, ERM “is a coordinated set of activities and methods that is used by organizations to manage risks across the enterprise”. It takes an integrated or holistic approach that considers all types of risks and their interrelationships across the organization’s functions and levels.

Risk management is systematic, structured, and timely4. Systematic means that risk management follows a logical and consistent approach. Structured means that risk management has clear steps, roles, and responsibilities. Timely means that risk management provides information in time for decision making.

The ISO 31000:2018 process can be used to identify stakeholder risk requirements, needs, and expectations4. This is part of establishing the context for risk management, which involves defining the scope, objectives, criteria, roles and responsibilities for risk management.

A pure risk only leads to the possibility of a loss, whereas a speculative risk may lead to a gain12. For example, entering into a contract to purchase a new factory is a speculative risk, as it could result in either profit or loss depending on market conditions.

According to 1, OCEG GRC model is “a framework for integrating governance, risk management, compliance and ethics/culture into a single capability”. It defines risk management as “the capability that enables an organization to understand how uncertainty affects its ability to achieve objectives” 2.

According to , page 13-14, probability multiplied by impact equals risk magnitude which is “a measure that reflects both likelihood and consequences”. It can be used as an indicator for prioritizing risks.

A fire occurring in a new manufacturing process line is an example of a pure risk, which is a situation that can only end in a loss12. For example, the fire could damage property, injure workers or disrupt operations.

 ISO uses the concept of uncertainty as the driver and rationale for risk management. Uncertainty refers to the state of having incomplete knowledge or understanding about something that can affect an organization’s objectives.

the last step of the risk assessment process, which starts with risk identification, moves to risk assessment, and finally risk evaluation, is Risk evaluation.

Risk evaluation involves comparing the estimated level of risk against the risk criteria established during the risk assessment phase, to determine the significance of the risk and whether it is acceptable or not. This decision is made in consultation with stakeholders, who may provide additional context and information to inform the decision.

The American Society for Quality (ASQ) describes risk evaluation as "the process of comparing an estimated risk against given risk criteria to determine the acceptability of the risk." [1]

Similarly, ISO/IEC 27001:2013 (Information technology — Security techniques — Information security management systems — Requirements) defines risk evaluation as "the process of comparing the estimated risk against given risk criteria in order to determine the significance of the risk." [2]

References: [1] ASQ Glossary - Risk evaluation, https://asq.org/quality-resources/risk-evaluation  [2] ISO/IEC 27001:2013, Clause 6.1.3(c), https://www.iso.org/standard/54534.html