Risk Management Consultancy
The management of risk is critical for any organisation to achieve its business objectives, both in ensuring the necessary level of resilience and in taking advantage of potential opportunities. URM’s consultants have acquired considerable experience in helping organisations implement best practice risk management processes and systems. This experience is multi-faceted and includes assessing risk:
- Across the entire organisation, i.e. enterprise level
- Within specific risk categories, e.g. information security or business continuity risk
- Within changing environments, e.g. a third-party risk management programme.
So how do we define risk? ISO 31000, the International Standard for Risk Management, defines risk as the ‘effect of uncertainty on objectives’. To provide further context, we can draw on ISO 27000, the Information Security Management Systems Overview and Vocabulary Standard, which states: ‘Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.’ This extends the definition by tying risk to a threat, a vulnerability and an asset, and so implies that in order for a risk to exist, it must relate to something of value.
Referring to ISO 31000 again, the definition of risk management is the ‘coordinated activities to direct and control an organisation with regard to risk’. In practice, risk management encompasses the activities which allow us to identify, analyse and evaluate risks and to manage them proactively, in order to minimise any possible damage and maximise any opportunities. The last point is important: whilst risk generally has a negative connotation, there can be positive outcomes.
Best Practice Approach
URM recommends that organisations follow documented best practice when implementing risk management frameworks, with the current best practice defined within ISO 31000. The Standard encourages an iterative process to be established that ensures risks are identified, analysed, evaluated and treated in a consistent and repeatable way. ISO 31000 is a guidance standard rather than a requirements standard, so you cannot certify against it; however, it is recommended and referred to by the risk-based management system standards, e.g. ISO 27001 and ISO 22301.
URM can help you define your risk management methodology so that different risk disciplines are aligned. Risk can then be reported on consistently throughout your organisation, ensuring that different risk categories such as operational, financial and information security risk are assessed and viewed in the same way.