Risk may be defined as the possibility of occurrence of an event which allows the Vulnerability, in the particular Context of any Organization, to be exploited by a Threat(Internal or External), resulting in an undesirable effect for the Organization. Risk could also, alternatively have a positive opportunity / consequence. Risk-based thinking is essential for achieving an effective quality management system. Riskbased thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise. The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk. The organization is responsible for the application of riskbased thinking and the actions it takes to address risk.

Defining risk criteria

The organization should specify the amount and type of risk that it may or may not take, relative to objectives. To set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible), how consequences (both positive and negative) and likelihood will be defined and measured time-related factors, consistency in the use of measurements, how the level of risk is to be determined, how combinations and sequences of multiple risks will be taken into account, and the organization’s capacity.

Risk identification

The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization achieving its objectives. Relevant, appropriate and up-to-date information is important in identifying risks.

The organization can use a range of techniques for identifying uncertainties that may affect one or more objectives considering factors such as; tangible / intangible sources of risk, causes and events, threats and opportunities, vulnerabilities and capabilities, changes in the external / internal context, indicators of emerging risks, the nature and value of assets and resources, risk consequences and their impact on objectives, limitations of knowledge and reliability of information, time-related factors and biases, assumptions and beliefs of those involved.

The organization should identify risks, whether their sources are under its direct / indirect / beyond control. Outcomes, may result in a variety of tangible or intangible consequences.

Risk analysis

The purpose of risk analysis is to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk. Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives.

Risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of information, and the resources available. Analysis techniques can be qualitative, quantitative or a combination of these, depending on the circumstances and intended use.

Risk analysis should consider factors such as:the likelihood of events and consequences, the nature and magnitude of consequences, complexity and connectivity, time-related factors and volatility, the effectiveness of existing controls and sensitivity and confidence levels.

The risk analysis may be influenced by divergence of opinions, biases, perceptions of risk and judgements. Additional influences are the quality of the information used, the assumptions and exclusions made, any limitations of the techniques and how they are executed. These influences should be considered, documented and communicated to decision makers.Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods.

Risk evaluation

The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required. This can lead to a decision to: do nothing further / consider risk treatment options / undertake further analysis to better understand the risk and maintain existing controls / reconsider objectives.

The outcome of risk evaluation should be recorded, communicated and then validated at appropriate levels of the organization.

Communication and consultation

Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making. Communication and consultation with appropriate external and internal stakeholders should take place within and throughout all steps of the risk management process.

Communication and consultation aims to: bring different areas of expertise together for each step of the risk management process, ensure that different views are appropriately considered when defining risk criteria and when evaluating risks and provide sufficient information to facilitate risk oversight and decision-making.

Risk treatment

The purpose of risk treatment is to select and implement options for addressing risk, iteratively: formulating and selecting risk treatment options, planning and implementing risk treatment, assessing the effectiveness of that treatment, deciding whether the remaining risk is acceptable and if not acceptable, taking further treatment.

Selection of risk treatment options

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. Options for treating risk may involve one or more of the following: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk, taking or increasing the risk in order to pursue an opportunity, removing the risk source, changing the likelihood, changing the consequences and sharing the risk (e.g. through contracts, buying insurance), retaining the risk by informed decision.

Risk treatments, even if carefully designed and implemented might not produce the expected outcomes and could produce unintended consequences. Monitoring and review need to be an integral part of the risk treatment implementation to give assurance that the different forms of treatment become and remain effective.Risk treatment can also introduce new risks that need to be managed.