Two in One---risk management
本帖最后由 小编H 于 2011-2-12 14:35 编辑
Risk strategy not only manages threats, but also validates ISO standards programs
by Eugene "Gene" A. Razzetti
The terms risk analysis, risk assessment and risk management—often used interchangeably—involve a variety of different concepts and metrics. There is no one single approach to risk management. Approaches and strategies can be as simple or complex as the processes they were designed to assess.
But keeping the approach simple is almost always better, and incorporating a spreadsheet to automatically compute and display the assessments can only strengthen the approach.
Think of risk management as disciplined subjectivity: You subjectively assess threats, criticalities and vulnerabilities by using your knowledge and experience. Then, you can assign them a consistent, replicable set of numerical values or criteria.
Performing risk management on a spreadsheet customized for your organization can provide a fast, descriptive tool to:
Standardize, assess, prioritize and display readiness for specific business or mission scenarios.
Predict the impact of personnel and material changes before time or funds are spent.
Create uniform reports to higher authorities.
Predict readiness by assessing risks.
Functions (sums, multiplications and averages) can be programmed into the spreadsheet, and graphs can be created automatically as values are introduced or changed.
Risk management and ISO standards
Each of the following International Organization for Standardization (ISO) standards requires organizations to identify and assess threats, along with their associated risks.
ISO 14001:2006—Environmental management systems: Clause 4.3.1 environmental aspects: "The organization shall establish, implement, and maintain a procedure:
To identify the environmental aspects of its activities, products and services within the defined scope of the environmental management system that it can control and those that it can influence, taking into account planned or new developments, or new or modified activities, products or services.
To determine those aspects that have or can have a significant impact on the environment—for example, significant environmental aspects."1
ISO 9001:2008—Quality management systems: Clause 5.1 management commitment: "Top management shall provide evidence of its commitment to the development of the quality management system and continually improving its effectiveness by:
Communicating to the organization the importance of meeting customer as well as statutory and regulatory requirements.
Establishing a quality policy.
Ensuring quality objectives are established.
Conducting management reviews.
Ensuring the availability of resources."2
ISO 28001:2007—Security management systems for the supply chain: Clause 4.3.1 security risk assessment: "The organization shall establish and maintain procedures for the ongoing identification and assessment of security threats and security management-related threats and risks, and the identification and implementation of necessary management control measures. Security threats and risk identification, assessment and control methods should, at a minimum, be appropriate to the measure and scale of the operations. This assessment should consider the likelihood of an event and all of its consequences which shall include …"3
ISO standards require the CEO or a manager aspiring to achieve certification to identify and quantify—in a comprehensive, consistent, replicable and auditable manner—the risks of performing the organization’s mission. Put another way, standards require risk assessment, which is the foundation of risk management.
Risk assessment to risk management
It is the job of management not only to assess risk, but also to identify quantifiable courses of action (COA) to eliminate or mitigate that risk. Organizations can and should expand their basic risk assessment strategies and model the impact of potential COAs—big improvement, little or no improvement, or worse than before. In going this extra mile, risk assessment becomes risk management.
This risk management strategy identifies and assigns numerical values to:
Threats—hazards or adverse events—to the organization.
Criticality of those threats to operations.
Vulnerability of the organization’s operations or missions to those threats according to the formula:
Risk = criticality x vulnerability x threat.
Then—unlike more basic risk assessment models—the strategy goes on to predict the impact of external or environmental factors, as well as the change if a selected COA is implemented.
The steps of the process follow. Steps one through three compute the basic risk assessment. Step four applies environmental factors to make the assessment more accurate and specific. Step five completes the process by taking the assessment and assessing the change brought about by notionally implementing a course of corrective action.
Step one—create risk assessment criteria. For assessments to be consistent, for reports to be uniform among reporting departments and for the management tool being created to help in the decision-making process, you need standard numerical values or criteria to assess threats, criticalities and vulnerabilities to the organization’s missions or processes.
Table 1 contains a sample set of numerical values from one to 10 and defines each in terms of threat, criticality and vulnerability. We will use these numbers to complete the risk assessment process.
!(http://www.asq.org/img/qp/100932-table1.gif)
Risk strategy not only manages threats, but also validates ISO standards programs
by Eugene "Gene" A. Razzetti
The terms risk analysis, risk assessment and risk management—often used interchangeably—involve a variety of different concepts and metrics. There is no one single approach to risk management. Approaches and strategies can be as simple or complex as the processes they were designed to assess.
But keeping the approach simple is almost always better, and incorporating a spreadsheet to automatically compute and display the assessments can only strengthen the approach.
Think of risk management as disciplined subjectivity: You subjectively assess threats, criticalities and vulnerabilities by using your knowledge and experience. Then, you can assign them a consistent, replicable set of numerical values or criteria.
Performing risk management on a spreadsheet customized for your organization can provide a fast, descriptive tool to:
Standardize, assess, prioritize and display readiness for specific business or mission scenarios.
Predict the impact of personnel and material changes before time or funds are spent.
Create uniform reports to higher authorities.
Predict readiness by assessing risks.
Functions (sums, multiplications and averages) can be programmed into the spreadsheet, and graphs can be created automatically as values are introduced or changed.
Risk management and ISO standards
Each of the following International Organization for Standardization (ISO) standards requires organizations to identify and assess threats, along with their associated risks.
ISO 14001:2006—Environmental management systems: Clause 4.3.1 environmental aspects: "The organization shall establish, implement, and maintain a procedure:
To identify the environmental aspects of its activities, products and services within the defined scope of the environmental management system that it can control and those that it can influence, taking into account planned or new developments, or new or modified activities, products or services.
To determine those aspects that have or can have a significant impact on the environment—for example, significant environmental aspects."1
ISO 9001:2008—Quality management systems: Clause 5.1 management commitment: "Top management shall provide evidence of its commitment to the development of the quality management system and continually improving its effectiveness by:
Communicating to the organization the importance of meeting customer as well as statutory and regulatory requirements.
Establishing a quality policy.
Ensuring quality objectives are established.
Conducting management reviews.
Ensuring the availability of resources."2
ISO 28001:2007—Security management systems for the supply chain: Clause 4.3.1 security risk assessment: "The organization shall establish and maintain procedures for the ongoing identification and assessment of security threats and security management-related threats and risks, and the identification and implementation of necessary management control measures. Security threats and risk identification, assessment and control methods should, at a minimum, be appropriate to the measure and scale of the operations. This assessment should consider the likelihood of an event and all of its consequences which shall include …"3
ISO standards require the CEO or a manager aspiring to achieve certification to identify and quantify—in a comprehensive, consistent, replicable and auditable manner—the risks of performing the organization’s mission. Put another way, standards require risk assessment, which is the foundation of risk management.
Risk assessment to risk management
It is the job of management not only to assess risk, but also to identify quantifiable courses of action (COA) to eliminate or mitigate that risk. Organizations can and should expand their basic risk assessment strategies and model the impact of potential COAs—big improvement, little or no improvement, or worse than before. In going this extra mile, risk assessment becomes risk management.
This risk management strategy identifies and assigns numerical values to:
Threats—hazards or adverse events—to the organization.
Criticality of those threats to operations.
Vulnerability of the organization’s operations or missions to those threats according to the formula:
Risk = criticality x vulnerability x threat.
Then—unlike more basic risk assessment models—the strategy goes on to predict the impact of external or environmental factors, as well as the change if a selected COA is implemented.
The steps of the process follow. Steps one through three compute the basic risk assessment. Step four applies environmental factors to make the assessment more accurate and specific. Step five completes the process by taking the assessment and assessing the change brought about by notionally implementing a course of corrective action.
Step one—create risk assessment criteria. For assessments to be consistent, for reports to be uniform among reporting departments and for the management tool being created to help in the decision-making process, you need standard numerical values or criteria to assess threats, criticalities and vulnerabilities to the organization’s missions or processes.
Table 1 contains a sample set of numerical values from one to 10 and defines each in terms of threat, criticality and vulnerability. We will use these numbers to complete the risk assessment process.
!(http://www.asq.org/img/qp/100932-table1.gif)
没有找到相关结果
已邀请:
RSS Feed
9 个回复
天堂之吻 (威望:4) (四川 成都) 机械制造 员工 - 无
赞同来自:
!(http://www.asq.org/img/qp/100932-table2.gif)
The spreadsheets contain normally expected organizational processes and eight notional threats to those processes. Having identified the threats and using their knowledge and experience, risk managers assign numbers from the criteria table. The spreadsheet automatically computes the total and average threat. The average threat is used in all the subsequent calculations.
This is the simplest way I have found to compute the total and average threat. You may have another way, but you must be consistent in whatever method you develop.
Some people use the highest threat figure in the row instead of the average threat figure. That’s OK, as long as they do that consistently throughout the risk assessment process. Users may want to modify any or all of these matrixes and calculations to suit their own preferences. Some modifications may prove misleading or self-defeating, such as using a "0." You will uncover them soon enough. The most important thing is to be consistent throughout the assessment processes.
Step three—compute basic risk. As users complete the threat spreadsheet, they identify and assess the threats to the organization. The next spreadsheet automatically copies the computed average threat for each organizational task and allows users to compute unadjusted (basic) risk according to the familiar formula:
Risk = criticality x vulnerability x threat.
To determine basic risk, users assign numerical values from the same criteria table for:
The criticality of the threat incident or adverse event—if it happened—to the specific organizational task.
The vulnerability of the organization to the threat incident or adverse event.
Table 3 computes basic risk assessment. Unfortunately, this is often the final step in risk assessment, but it is only the beginning of risk management.
!(http://www.asq.org/img/qp/100932-table3.gif)