
Risk management 8/6/2018

Risk management
Presented by
Pho Duc Tru

Risk management 2018 v3 1

Introduction

Risk treatment


The purpose of risk management is the creation and
protection of value. It improves performance, encourages
innovation and supports the achievement of objectives.
ISO 31000:2018


Bad risk management or no risk
management is the source or
the root cause of each and
every business failure


Meaning of risk management


• Organizations of all types and sizes face external and internal factors
and influences that make it uncertain whether they will achieve their
objectives.
• Managing risk is iterative and assists organizations in setting
strategy, achieving objectives and making informed decisions.
• Managing risk is part of governance and leadership, and is
fundamental to how the organization is managed at all levels. It
contributes to the improvement of management systems.
• Managing risk is part of all activities associated with an organization
and includes interaction with stakeholders.
• Managing risk considers the external and internal context of the
organization, including human behaviour and cultural factors.


Definitions (ISO 31000:2018)
Risk:
Effect of uncertainty on objectives
• An effect is a deviation from the expected. It can be positive,
negative or both, and can address, create or result in opportunities
and threats.
• Uncertainty is simply something we are uncertain about, there is
doubt, we are unsure
• Objectives can have different aspects and categories, and can be
applied at different levels
• Risk is usually expressed in terms of risk sources, potential events,
their consequences and their likelihood
Risk management
Coordinated activities to direct and control an organization with regard
to risk

Definitions (ISO 31000:2018)


Risk source
element which alone or in combination has the potential to give rise to
risk
Event
occurrence or change of a particular set of circumstances
• An event can have one or more occurrences, and can have several
causes and several consequences
• An event can also be something that is expected which does not
happen, or something that is not expected which does happen.
• An event can be a risk source.


Definitions (ISO 31000:2018)
Likelihood
chance of something happening (whether defined, measured or
determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically (such as a
probability or a frequency over a given time period))
Control
measure that maintains and/or modifies risk
• Controls include, but are not limited to, any process, policy, device,
practice, or other conditions and/or actions which maintain and/or
modify risk.
• Controls may not always exert the intended or assumed modifying
effect


Definitions (ISO 31000:2018)
Consequence
outcome of an event affecting objectives
• Consequences can be expressed qualitatively or quantitatively.
• Any consequence can escalate through cascading and cumulative
effects


Risk management in QMS planning

Outline risk assessment activity sequence


Converting issues and interests into actions


Risk-based thinking

There are several requirements on the subject of risk scattered throughout
ISO 9001:2015:
• When planning for the QMS, the risks and opportunities that arise from
an assessment of the context of the organization and the determination
of stakeholder requirements are to be determined and addressed to
give assurance that the QMS can achieve its intended results (6.1.1).
• When determining the processes needed for the QMS the organization
shall address the risks and opportunities as determined in 6.1 (4.4.1f).
• Top management is to promote the use of risk-based thinking (5.1.1d).
• Top management is to ensure that risks and opportunities that can
affect conformity of products and services and the ability to enhance
customer satisfaction are determined and addressed (5.1.2b).


Risk-based thinking
• Plan actions to address these risks and opportunities, including how to
integrate and implement the actions into its QMS processes, and
evaluate the effectiveness of these actions (6.1.2).
• Actions taken to address risks and opportunities are to be
proportionate to the potential impact on the conformity of products and
services (6.1.2).
• The results of analysing data and information arising from monitoring
and measurement are to be used to evaluate the effectiveness of
actions taken to address risks and opportunities (9.1.3).
• Management reviews are to be planned and carried out, taking into
consideration the effectiveness of actions taken to address risks and
opportunities (9.3.2e).
• When a nonconformity occurs, risks and opportunities determined
during planning are to be updated if necessary (10.2.1)


Elements of risk management



Principles of RM
a) Integrated
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management
contributes to consistent and comparable results.
c) Customized
The risk management framework and process are customized and
proportionate to the organization’s external and internal context
d) Inclusive
Appropriate and timely involvement of stakeholders enables their
knowledge, views and perceptions to be considered.


Principles of RM
e) Dynamic
Risks can emerge, change or disappear as an organization’s external
and internal context changes. Risk management responds to those
changes and events in an appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current
information, as well as on future expectations. Risk management
explicitly takes into account such information and expectations.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk
management at each level and stage.
h) Continual improvement
Risk management is continually improved through learning and
experience.


Risk management framework


Purpose
• The risk management framework assists the organization
in integrating risk management into significant activities
and functions.
• The effectiveness of risk management will depend on its
integration into the governance of the organization,
including decision-making.
• This requires support from stakeholders, particularly top
management.


Content of a framework

The organization
should evaluate its
existing risk
management
practices and
processes, evaluate
any gaps and address
those gaps within the
framework.


Leadership and commitment


Top management and oversight bodies, where applicable, should ensure
that risk management is integrated into all organizational activities and
should demonstrate leadership and commitment by:
— customizing and implementing all components of the framework;
— issuing a statement or policy that establishes a risk management
approach, plan or course of action;
— ensuring that the necessary resources are allocated to managing risk;
— assigning authority, responsibility and accountability at appropriate
levels within the organization.


Integration
• Risk is managed in every part of the organization’s
structure. Everyone in an organization has responsibility
for managing risk.
• Governance guides the course of the organization, its
external and internal relationships, and the rules,
processes and practices needed to achieve its purpose
• Risk management should be a part of, and not separate
from, the organizational purpose, governance,
leadership and commitment, strategy, objectives and
operations.


Design
Understanding the organization and its context
When designing the framework for managing risk, the organization
should examine and understand its external and internal context.
Articulating risk management commitment
Top management demonstrate and articulate their continual commitment
to risk management through a policy, a statement or other forms that
convey an organization’s objectives and commitment to risk management
Assigning organizational roles, authorities,
responsibilities and accountabilities
Top management and oversight bodies, where applicable, should ensure
that the authorities, responsibilities and accountabilities for relevant roles
with respect to risk management are assigned and communicated at all
levels of the organization.


Design
Allocating resources
Top management and oversight bodies, where applicable, should ensure
allocation of appropriate resources for risk management
Establishing communication and consultation
The organization should establish an approved approach to
communication and consultation in order to support the framework and
facilitate the effective application of risk management
Communication and consultation should be timely and ensure that
relevant information is collected, collated, synthesised and shared, as
appropriate, and that feedback is provided and improvements are made.


Implementation
The organization should implement the risk management framework
by:
— developing an appropriate plan including time and resources;
— identifying where, when and how different types of decisions are
made across the organization, and by whom;
— modifying the applicable decision-making processes where
necessary;
— ensuring that the organization’s arrangements for managing risk are
clearly understood and practised.


Evaluation
— periodically measure risk management framework
performance against its purpose, implementation
plans, indicators and expected behaviour;
— determine whether it remains suitable to support
achieving the objectives of the organization.


Improvement
• continually monitor and adapt the risk management
framework to address external and internal changes. In doing
so, the organization can improve its value
• continually improve the suitability, adequacy and
effectiveness of the risk management framework and the
way the risk management process is integrated


Risk Management Process


General
The risk management process involves the systematic application of
policies, procedures and practices to the activities of
• communicating and consulting,
• establishing the context
• assessing,
• treating,
• monitoring, reviewing,
• recording and reporting risk


General
The risk management process should be
• an integral part of management and decision-making and
integrated into the structure, operations and processes of the
organization. It can be applied at strategic, operational,
programme or project levels.
• There can be many applications of the risk management process
within an organization, customized to achieve objectives and to
suit the external and internal context in which they are applied.
• The dynamic and variable nature of human behaviour and culture
should be considered throughout the risk management process.


Key questions
Key questions we need to answer to identify and address
the risks and opportunities
1 What are we trying to do? - the objective, the goal
2 What might affect what we are trying to do? - the uncertainties that
might help or hinder.
3 Which of these are most important? - the risk assessment.
4 What can we do about it? - risk treatment.
5 Have we taken the action we planned to take? - implementation.
6 Did the action work - risk monitoring.
7 What's changed since the last time we took action? - risk review.


Risk and opportunity management process


Communication and consultation


Communication seeks to promote awareness and
understanding of risk, whereas consultation involves
obtaining feedback and information to support
decision-making.
Close coordination between the two should facilitate
factual, timely, relevant, accurate and understandable
exchange of information, taking into account the
confidentiality and integrity of information as well as
the privacy rights of individuals


Scope, context and criteria


• Defining the scope
The organization should define the scope of its risk management
activities. Risk management process may be applied at different
levels
• Defining external and internal context
• Defining risk criteria
The organization should specify the amount and type of risk that it
may or may not take, relative to objectives. It should also define
criteria to evaluate the significance of risk and to support decision
making processes.


Risk assessment


General
• Risk/opportunity assessment is the overall process of risk
‒ identification,
‒ analysis and
‒ evaluation
• Risk/opportunity assessment should be conducted
systematically, iteratively and collaboratively, drawing on
the knowledge and views of stakeholders.


Overview
Risk assessment is an overall process of
– identification,
– analysis and
– evaluation of risk.


Risk and opportunity identification


The purpose of risk identification is to find, recognize and
describe risks that might help or prevent an organization
achieving its objectives.
Relevant, appropriate and up-to-date information is important in
identifying risks


Risk and opportunity identification


The following factors, and the relationship between these
factors, should be considered:
— tangible and intangible sources of risk;
— causes and events;
— changes in the external and internal context;
— threats and opportunities;
— vulnerabilities and capabilities;
— limitations of knowledge and reliability of information;
— time-related factors;
— consequences and their impact on objectives;
— biases, assumptions and beliefs of those involved.


Risk and opportunity identification


DISTINGUISHING RISKS AND OPPORTUNITIES FROM CAUSES
AND EFFECTS
• We sometimes make statements that we present as describing risks
when they are describing issues, problems, facts, causes or effects.
• Causes are existing conditions
We therefore express:
• the existing condition in terms of what is, what has/has not happened,
what does/does not occur. These are facts;
• the uncertain event in terms of what may, might or possibly happen;
• the effect in terms of what could or would follow.
As a result of <an existing condition>, <an uncertain event> might occur
which would lead to <an effect on the objective>.


Types of uncertainty
Stochastic uncertainty - this is the uncertainty of events, that is,
whether an event will or will not happen, or when the event will occur.
Aleatoric uncertainty - this is the uncertainty of variables, that is,
whether results will be the same or different from those observed
previously. We don't know which result of a range of possible results
we will get, (how much something will cost, how long the job will take),
Epistemic uncertainty - this is uncertainty of knowledge, for example,
whether the knowledge we have is complete or incomplete and
therefore ambiguous, whether we know what the customer wants
Ontological uncertainty - this is uncertainty of the unknown, that is,
whether everything that affects the results is inside or outside our frame
of reference, things we haven't thought of, what are commonly referred
to as blind spots or unknowns


Types of risk
Strategic risk
Strategic risks result directly from operating within a specific industry
at a specific time and include:
• Market risk - the risks present in the market and inherent to the
industry or arising out of competition, for example, shifts in
consumer preferences or emerging technologies that make the
product line obsolete.
• Reputational risk - Loss of your company's reputation from
product or service failures, lawsuits or negative publicity. According
to Matt McGee (a search engine optimization consultant), "One
negative blog post or review can spread online in a flash and
change the direction of a company."


Types of risk
Strategic risk
• IT risk - loss of business continuity due to certain inherent risks
associated with the technologies.
• Environmental risk - Organizations that operate in or depend on
suppliers from regions of the world prone to natural environmental
disasters are exposed to risk of an unpredictable kind.
• Human capital risk - Organizations that depend on a particular
source or type of labour may be exposed to risk of supply
shortages or poaching from competitors.
• Health and safety risks - Organizations that operate in dangerous
environments or provide services may expose members of the
public to hazards.


Types of risk
Financial risk
Financial risks are associated with how the organization handles its
financial assets, including:
• Debt and credit, interest rates and foreign exchange rates.
• The customer's ability to pay.
• The organization's ability to raise the necessary capital to fund
improvements.


Types of risk
Operational risks
Operational risks are present in every enterprise and result from
internal process failures such as:
• Product/service risk - You can't translate your concept into a
working and compelling product/ service.
• Technology risk - You can't build a good enough or, if necessary,
breakthrough technology.
• Business development risk - You can't get deals with other
companies that you depend on to build or distribute your
product/service.


Types of risk
Operational risks
• Timing risk - You are too early or too late to the market or there
are unforeseen, external events, such as transportation breaks
down, or a supplier fails to deliver a product or service when
required.
• Margin risk - You build something people want but that you can't
defend, and therefore competitors will squeeze your margins.
• Mistakes in execution - The formal plans and procedures are not
implemented as intended.
• System failures - A common cause of failure reduces the ability of
the system to consistently provide a conforming product or service.


Types of risk
Compliance risk
Risks associated with compliance are those subject to regulatory and
statutory requirements, including legal infringements and rule
breaches.

Risk and opportunity identification


Risk register
a) The intended results of the QMS (or a process if being undertaken
at that level)
b) The relevant issues/source (as deduced from the PESTLE and
SWOT analysis)
c) Objectives (intended result)
d) Whether the issue poses a risk or an opportunity
e) The category of risk or opportunity for reporting purposes (e.g.
strategic, operational, finance, compliance)
f) Description of the uncertainty
g) Consequence/impact
h) Existing controls


Risk/opportunity analysis
General
• Risk analysis involves developing an understanding of the risk.
• Risk analysis provides an input to risk evaluation and to
decisions on whether risks need to be treated, and on the most
appropriate risk treatment strategies and methods.
• Risk analysis involves consideration of the causes and sources
of risk, their positive and negative consequences, and the
likelihood that those consequences can occur.
• Factors that affect consequences and likelihood should be
identified. Risk is analyzed by determining consequences and
their likelihood, and other attributes of the risk.
• An event can have multiple consequences and can affect
multiple objectives. Existing controls and their effectiveness and
efficiency should also be taken into account


Risk/opportunity analysis
General
• Consequences can be expressed in terms of tangible and
intangible impacts. In some cases, more than one numerical
value or descriptor is required to specify consequences and
their likelihood for different times, places, groups or situations


Risk and opportunity analysis


Some analysis techniques

• Hazard Analysis studies (HAZAN)
• Hazard and Operability studies (HAZOP)
• Fault Tree Analysis (FTA)
• Event Tree Analysis (ETA)
• Root cause analysis (RCA)
• Failure Modes Effects and Criticality Analysis (FMECA)
• Failure Modes and Effects Analysis (FMEA)
• Matrix model 5X5 (4x4)
ISO 31010


Risk and opportunity evaluation


The purpose of risk evaluation is to assist in making
decisions, based on the outcomes of risk analysis, about
which risks need treatment and the priority for treatment
implementation.
Risk evaluation involves comparing the level of risk found
during the analysis process with risk criteria established
when the context was considered. Based on this
comparison, the need for treatment can be considered.


Risk and opportunity evaluation


In some circumstances, the risk evaluation can lead to a
decision to undertake further analysis.
The risk evaluation can also lead to a decision not to treat
the risk in any way other than maintaining existing controls.
This decision will be influenced by the organization's risk
attitude and the risk criteria that have been established.


RISK APPETITE
The amount and type of risk that an organization is
prepared to pursue, retain or take to meet their strategic
objectives
• An organization with an aggressive appetite for risk might set
aggressive goals, whereas an organization that is risk averse, with
a low appetite for risk, might set conservative goals. It follows
therefore that an organization should establish its risk appetite
before setting its goals, and this will inevitably shape its strategy
• There needs to be a consensus across all functions and at all levels
on the organization's risk appetite otherwise decision-making will
continually run into problems


RISK TOLERANCE
The acceptable level of variation relative to achievement of
a specific objective
Risk tolerance is a practical concept for dealing with tactical issues
where not all inputs to a process are the same and necessitate equal
treatment and is best measured in the same units as those used to
measure the related objective


RISK APPETITE & RISK TOLERANCE


RISK TOLERANCE


Actions to address risks and opportunities


General

Planning actions to address risks and opportunities means
figuring out what to do about the risks and opportunities
that have been identified and quantified


General
Risk and opportunities treatment involves an iterative
process of:
— formulating and selecting treatment options;
— planning and implementing treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— if not acceptable, taking further treatment.


Selection of treatment options

Selecting the most appropriate
treatment option(s) involves
balancing the potential benefits
derived in relation to the achievement
of the objectives against costs, effort
or disadvantages of implementation.
Treatment options are not
necessarily mutually exclusive or
appropriate in all circumstances


Selection of risk treatment options

Options for treating risk may involve the following:


— avoiding the risk by deciding not to start or continue with the activity
that gives rise to the risk;
— taking or increasing the risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood;
— changing the consequences;
— sharing the risk (e.g. through contracts, buying insurance);
— retaining the risk by informed decision.


Selection of risk treatment options


Justification for treatment is broader than solely economic
considerations and should take into account all of the
organization’s obligations, voluntary commitments and
stakeholder views.
The selection of treatment options should be made in accordance
with the organization’s objectives, criteria and available
resources.
When selecting treatment options, the organization should
consider the values, perceptions and potential involvement of
stakeholders and the most appropriate ways to communicate and
consult with them.


Actions to address opportunities


The adoption of new practices, launching new products, opening new
markets, addressing new clients, building partnerships, using new
technology and other desirable and viable possibilities to address the
organization's or its customers' needs may all incur risk.
There is a difference between:
a) deciding a course of action to achieve an objective and looking for
things that could go wrong, reducing the risk and sticking with the
course of action at reduced risk and; (addressing risks)
b) having an objective and looking for innovative ways of achieving it
that had hitherto not been thought of and might not happen but if
they did they would assist achieve the objective.(addressing
opportunities)


Actions to address opportunities


There's a risk the opportunity will not happen, and therefore actions
could be taken that will make it more likely that the opportunity will
happen. It therefore has the reverse effect to actions to address risk.
The actions needed to make things happen should be planned and
these plans implemented. As they are not routines, they should be
regarded as projects

Preparing and implementing treatment plans


• The purpose of risk treatment plans is to specify how the chosen
treatment options will be implemented, so that arrangements are
understood by those involved, and progress against the plan can be
monitored.
• The treatment plan should clearly identify the order in which risk
treatment should be implemented.
• Treatment plans should be integrated into the management plans
and processes of the organization, in consultation with appropriate
stakeholders


Integrating actions into QMS processes


• Actions will be taken by the QMS processes rather than by a
separate initiative that is taken independently of those processes.
• Start by identifying the processes where such actions would take
place, then analysing the process to locate the stage where the
conditions need to change to reduce the risk or exploit the
opportunity
• In some cases, a branch of the process network may need to be
redesigned, in others all it may need is a change to a checklist. In
this way, on executing a process, the actions intended to address
risks or opportunities will be implemented.
• We also need to update the process risk register so that there is a
record of provisions built into the process to mitigate risk or exploit
the opportunity


Evaluate the effectiveness of actions


• To what extent did the actions taken mitigate the identified risk or
facilitate the identified opportunity?
• Need to answer some basic questions:
a) If the action taken was to avoid a risk, over what timescale will
we monitor the situation to detect if the risk has been avoided
and?
b) If the action taken was to take a risk to pursue an opportunity,
how will we know if the anticipated adverse effects materialized
and if they did what impact they had?
c) If the action taken was to eliminate the source of risk, how will
we know if we've eliminated it?
d) If the action taken was to reduce the likelihood of a risk, how
will we know if we have done this?


Evaluate the effectiveness of actions


• Need to answer some basic questions:
e) If the action taken was to increase the likelihood of an opportunity,
how will we know if we have done this?
f) If the action taken was to change the magnitude of the
consequences how will we know if we have done this?
g) If the action taken was to share the risk, how will we know if that
was a wise decision?
h) If the action taken was to accept the risk, when will we know if that
was a wise decision?


Monitoring and review


The purpose of monitoring and review is to assure and improve the
quality and effectiveness of process design, implementation and
outcomes.
Ongoing monitoring and periodic review of the risk management
process and its outcomes should be a planned part of the risk
management process, with responsibilities clearly defined.
Monitoring and review should take place in all stages of the process.
Monitoring and review includes planning, gathering and analysing
information, recording results and providing feedback.
The results of monitoring and review should be incorporated
throughout the organization’s performance management,
measurement and reporting activities


Summary
1 When we take action to address risks and opportunities, we are not
reacting to circumstances that have already happened but trying to
deal with circumstances that have yet to happen so that we are
adequately prepared for the favourable or unfavourable
consequences.
2 Pursuing a strategy of only looking for undesirable outcomes is a
pessimistic approach to quality management, whereas looking for
both risks and opportunities is a balanced approach to quality
management.
3 There are risks the sources of which are external to the QMS
(extrinsic risks), and these are addressed in clause 6.1 before a
QMS is established. Then there are risks the sources of which are
internal to the QMS (intrinsic risks), and these are addressed in
clause 5.1.2b) during and after a QMS is established.
4 If risks are not properly analysed they cannot be properly managed.


Summary
5 When it comes to measuring risk, we need a form of calibration;
otherwise, it's just guesswork that anyone can do.
6 Converting a qualitative method of risk analysis into a points-based
scoring method does not make it a quantitative method, neither
does adding or multiplying scores that have been made on the
basis of opinion.
7 Whether a risk is to be avoided, eliminated, reduced, taken, shared
or accepted depends on an organization's risk appetite, and this
should be established before its goals are set as this will inevitably
shape its strategy.
8 Taking a risk to pursue an opportunity is different to accepting a risk
in that there may be no choice but to accept certain risks if a
particular objective is to be achieved, whereas when taking a risk,
you are deliberately playing the odds to seize an opportunity.


Summary
9 There's a risk an opportunity will not happen and therefore actions
could be taken that will make it more likely to happen.
10 A properly orchestrated plan that changes the way people work
will be far more successful than managerial exhortation to do
better, seize every opportunity or simply work harder.
11 If the methods used to evaluate the effectiveness of actions to
mitigate risk do not actually measure the risks in a mathematically
and scientifically sound manner, management doesn't even have
the basis for determining whether a method works.
