Risk management
Presented by
Pho Duc Tru
Introduction
Risk treatment
Risk management 8/6/2018
Definitions (ISO 31000:2018)
Risk:
Effect of uncertainty on objectives
• An effect is a deviation from the expected. It can be positive,
negative or both, and can address, create or result in opportunities
and threats.
• Uncertainty is simply something we are uncertain about: there is
doubt, we are unsure.
• Objectives can have different aspects and categories, and can be
applied at different levels.
• Risk is usually expressed in terms of risk sources, potential events,
their consequences and their likelihood.
Risk management
Coordinated activities to direct and control an organization with regard
to risk
Definitions (ISO 31000:2018)
Likelihood
chance of something happening (whether defined, measured or
determined objectively or subjectively, qualitatively or quantitatively,
and described using general terms or mathematically, such as a
probability or a frequency over a given time period)
Control
measure that maintains and/or modifies risk
• Controls include, but are not limited to, any process, policy, device,
practice, or other conditions and/or actions which maintain and/or
modify risk.
• Controls may not always exert the intended or assumed modifying
effect.
Definitions (ISO 31000:2018)
Consequence
outcome of an event affecting objectives
• Consequences can be expressed qualitatively or quantitatively.
• Any consequence can escalate through cascading and cumulative
effects.
Risk management in QMS planning
Outline risk assessment activity sequence
Risk-based thinking
• Plan actions to address these risks and opportunities, including how to
integrate and implement the actions into its QMS processes, and
evaluate the effectiveness of these actions (6.1.2).
• Actions taken to address risks and opportunities are to be
proportionate to the potential impact on the conformity of products and
services (6.1.2).
• The results of analysing data and information arising from monitoring
and measurement are to be used to evaluate the effectiveness of
actions taken to address risks and opportunities (9.1.3).
• Management reviews are to be planned and carried out, taking into
consideration the effectiveness of actions taken to address risks and
opportunities (9.3.2e).
• When a nonconformity occurs, risks and opportunities determined
during planning are to be updated if necessary (10.2.1).
Principles of RM
a) Integrated
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management
contributes to consistent and comparable results.
c) Customized
The risk management framework and process are customized and
proportionate to the organization’s external and internal context.
d) Inclusive
Appropriate and timely involvement of stakeholders enables their
knowledge, views and perceptions to be considered.
Principles of RM
e) Dynamic
Risks can emerge, change or disappear as an organization’s external
and internal context changes. Risk management responds to those
changes and events in an appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current
information, as well as on future expectations. Risk management
explicitly takes into account such information and expectations.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk
management at each level and stage.
h) Continual improvement
Risk management is continually improved through learning and
experience.
Risk management framework
Purpose
• The risk management framework assists the organization
in integrating risk management into significant activities
and functions.
• The effectiveness of risk management will depend on its
integration into the governance of the organization,
including decision-making.
• This requires support from stakeholders, particularly top
management.
Content of a framework
The organization should evaluate its existing risk management
practices and processes, evaluate any gaps and address those gaps
within the framework.
Integration
• Risk is managed in every part of the organization’s
structure. Everyone in an organization has responsibility
for managing risk.
• Governance guides the course of the organization, its
external and internal relationships, and the rules,
processes and practices needed to achieve its purpose.
• Risk management should be a part of, and not separate
from, the organizational purpose, governance,
leadership and commitment, strategy, objectives and
operations.
Design
Understanding the organization and its context
When designing the framework for managing risk, the organization
should examine and understand its external and internal context.
Articulating risk management commitment
Top management demonstrates and articulates its continual commitment
to risk management through a policy, a statement or other forms that
convey the organization’s objectives and commitment to risk management.
Assigning organizational roles, authorities,
responsibilities and accountabilities
Top management and oversight bodies, where applicable, should ensure
that the authorities, responsibilities and accountabilities for relevant roles
with respect to risk management are assigned and communicated at all
levels of the organization.
Design
Allocating resources
Top management and oversight bodies, where applicable, should ensure
allocation of appropriate resources for risk management.
Establishing communication and consultation
The organization should establish an approved approach to
communication and consultation in order to support the framework and
facilitate the effective application of risk management.
Communication and consultation should be timely and ensure that
relevant information is collected, collated, synthesised and shared, as
appropriate, and that feedback is provided and improvements are made.
Implementation
The organization should implement the risk management framework
by:
— developing an appropriate plan including time and resources;
— identifying where, when and how different types of decisions are
made across the organization, and by whom;
— modifying the applicable decision-making processes where
necessary;
— ensuring that the organization’s arrangements for managing risk are
clearly understood and practised.
Evaluation
— periodically measure risk management framework
performance against its purpose, implementation
plans, indicators and expected behaviour;
— determine whether it remains suitable to support
achieving the objectives of the organization.
Improvement
• continually monitor and adapt the risk management
framework to address external and internal changes. In doing
so, the organization can improve its value.
• continually improve the suitability, adequacy and
effectiveness of the risk management framework and the
way the risk management process is integrated.
General
The risk management process involves the systematic application of
policies, procedures and practices to the activities of
• communicating and consulting,
• establishing the context,
• assessing,
• treating,
• monitoring and reviewing,
• recording and reporting risk.
General
The risk management process should be
• an integral part of management and decision-making and
integrated into the structure, operations and processes of the
organization. It can be applied at strategic, operational,
programme or project levels.
• There can be many applications of the risk management process
within an organization, customized to achieve objectives and to
suit the external and internal context in which they are applied.
• The dynamic and variable nature of human behaviour and culture
should be considered throughout the risk management process.
Key questions
Key questions we need to answer to identify and address
the risks and opportunities
1 What are we trying to do? - the objective, the goal
2 What might affect what we are trying to do? - the uncertainties that
might help or hinder.
3 Which of these are most important? - the risk assessment.
4 What can we do about it? - risk treatment.
5 Have we taken the action we planned to take? - implementation.
6 Did the action work? - risk monitoring.
7 What's changed since the last time we took action? - risk review.
Risk and opportunity management process
Risk assessment
General
• Risk/opportunity assessment is the overall process of risk
‒ identification,
‒ analysis and
‒ evaluation.
Types of uncertainty
Stochastic uncertainty - this is the uncertainty of events, that is,
whether an event will or will not happen, or when the event will occur.
Aleatoric uncertainty - this is the uncertainty of variables, that is,
whether results will be the same as or different from those observed
previously. We don't know which result of a range of possible results
we will get (how much something will cost, how long the job will take).
Epistemic uncertainty - this is uncertainty of knowledge, for example,
whether the knowledge we have is complete or incomplete and
therefore ambiguous, or whether we know what the customer wants.
Ontological uncertainty - this is uncertainty of the unknown, that is,
whether everything that affects the results is inside or outside our frame
of reference: things we haven't thought of, commonly referred to as
blind spots or unknowns.
Types of risk
Strategic risk
Strategic risks result directly from operating within a specific industry
at a specific time and include:
• Market risk - the risks present in the market and inherent to the
industry or arising out of competition, for example, shifts in
consumer preferences or emerging technologies that make the
product line obsolete.
• Reputational risk - Loss of your company's reputation from
product or service failures, lawsuits or negative publicity. According
to Matt McGee (a search engine optimization consultant), "One
negative blog post or review can spread online in a flash and
change the direction of a company."
Types of risk
Strategic risk
• IT risk - loss of business continuity due to certain inherent risks
associated with the technologies.
• Environmental risk - Organizations that operate in or depend on
suppliers from regions of the world prone to natural environmental
disasters are exposed to risk of an unpredictable kind.
• Human capital risk - Organizations that depend on a particular
source or type of labour may be exposed to risk of supply
shortages or poaching from competitors.
• Health and safety risks - Organizations that operate in dangerous
environments or provide services may expose members of the
public to hazards.
Types of risk
Financial risk
Financial risks are associated with how the organization handles its
financial assets, including:
• Debt and credit, interest rates and foreign exchange rates.
• The customer's ability to pay.
• The organization's ability to raise the necessary capital to fund
improvements.
Types of risk
Operational risks
Operational risks are present in every enterprise and result from
internal process failures such as:
• Product/service risk - You can't translate your concept into a
working and compelling product/ service.
• Technology risk - You can't build a good enough or, if necessary,
breakthrough technology.
• Business development risk - You can't get deals with other
companies that you depend on to build or distribute your
product/service.
Types of risk
Operational risks
• Timing risk - You are too early or too late to the market, or there
are unforeseen external events, such as a transportation breakdown
or a supplier failing to deliver a product or service when
required.
• Margin risk - You build something people want but that you can't
defend, and therefore competitors will squeeze your margins.
• Mistakes in execution - The formal plans and procedures are not
implemented as intended.
• System failures - A common cause of failure reduces the ability of
the system to consistently provide a conforming product or service.
Types of risk
Compliance risk
Risks associated with compliance are those subject to regulatory and
statutory requirements, including legal infringements and rule
breaches.
Risk/opportunity analysis
General
• Risk analysis involves developing an understanding of the risk.
• Risk analysis provides an input to risk evaluation and to
decisions on whether risks need to be treated, and on the most
appropriate risk treatment strategies and methods.
• Risk analysis involves consideration of the causes and sources
of risk, their positive and negative consequences, and the
likelihood that those consequences can occur.
• Factors that affect consequences and likelihood should be
identified. Risk is analyzed by determining consequences and
their likelihood, and other attributes of the risk.
• An event can have multiple consequences and can affect
multiple objectives. Existing controls and their effectiveness and
efficiency should also be taken into account.
Risk/opportunity analysis
General
• Consequences can be expressed in terms of tangible and
intangible impacts. In some cases, more than one numerical
value or descriptor is required to specify consequences and
their likelihood for different times, places, groups or situations.
RISK APPETITE
The amount and type of risk that an organization is
prepared to pursue, retain or take to meet its strategic
objectives.
• An organization with an aggressive appetite for risk might set
aggressive goals, whereas an organization that is risk averse, with
a low appetite for risk, might set conservative goals. It follows
therefore that an organization should establish its risk appetite
before setting its goals, and this will inevitably shape its strategy.
• There needs to be a consensus across all functions and at all levels
on the organization's risk appetite; otherwise decision-making will
continually run into problems.
RISK TOLERANCE
The acceptable level of variation relative to achievement of
a specific objective.
Risk tolerance is a practical concept for dealing with tactical issues,
where not all inputs to a process are the same and necessitate equal
treatment. It is best measured in the same units as those used to
measure the related objective.
General
Risk and opportunities treatment involves an iterative
process of:
— formulating and selecting treatment options;
— planning and implementing treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— if not acceptable, taking further treatment.
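The iterative loop above, worked through in Python as an added example that is not part of the slides: the risk is analysed as likelihood times consequence, the consequence is kept in the same units as the objective it affects (days of schedule slip) so the residual can be compared with a tolerance in those units, and treatment options are applied until the remaining risk is acceptable or no option modifies it. The supplier risk, the options, their assumed effects and the "largest reduction per unit cost" selection rule are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk analysed as likelihood x consequence. The consequence is kept
    in the objective's own units (here: days of schedule slip) so residual
    risk can be compared directly with a tolerance stated in those units."""
    name: str
    likelihood: float   # probability the event occurs in the planning period
    consequence: float  # impact on the objective if it occurs (days)

    def expected_impact(self) -> float:
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Treatment:
    """A treatment option. The factors are its assumed modifying effect on
    likelihood and consequence; 1.0 means the control exerts no effect."""
    name: str
    likelihood_factor: float
    consequence_factor: float
    cost: float         # implementation cost, arbitrary money units


def apply(risk: Risk, t: Treatment) -> Risk:
    """The risk as it would look after implementing one treatment."""
    return Risk(risk.name, risk.likelihood * t.likelihood_factor,
                risk.consequence * t.consequence_factor)


def treat(risk: Risk, options, tolerance: float):
    """Select an option, implement it, assess the residual, decide whether
    it is acceptable, and repeat. Returns (residual, applied names, ok)."""
    current, applied, remaining = risk, [], list(options)
    while current.expected_impact() > tolerance and remaining:
        # Constructed selection rule: largest reduction per unit cost.
        def value(t: Treatment) -> float:
            return (current.expected_impact()
                    - apply(current, t).expected_impact()) / t.cost
        best = max(remaining, key=value)
        if value(best) <= 0:
            break   # no remaining option actually modifies the risk
        current = apply(current, best)
        applied.append(best.name)
        remaining.remove(best)
    return current, applied, current.expected_impact() <= tolerance


# Constructed sample: a sole supplier may deliver late (40% chance of a
# 30-day slip); the options' effects and costs are assumed, not measured.
SUPPLIER_RISK = Risk("late delivery from sole supplier", 0.4, 30.0)
OPTIONS = [
    Treatment("qualify a second supplier", 0.5, 1.0, 20.0),
    Treatment("hold buffer stock", 1.0, 0.25, 5.0),
    Treatment("expedited shipping contract", 1.0, 0.6, 8.0),
    Treatment("send a reminder memo", 1.0, 1.0, 1.0),  # exerts no effect
]
```

With a tolerance of 2 expected days, buffer stock is applied first (12 days down to 3), then the shipping contract (down to 1.8), after which the residual is accepted; with a tolerance of 0.5 days every effective option is exhausted and the residual of 0.9 days is still reported as not acceptable.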
Summary
1 When we take action to address risks and opportunities, we are not
reacting to circumstances that have already happened but trying to
deal with circumstances that have yet to happen so that we are
adequately prepared for the favourable or unfavourable
consequences.
2 Pursuing a strategy of only looking for undesirable outcomes is a
pessimistic approach to quality management, whereas looking for
both risks and opportunities is a balanced approach to quality
management.
3 There are risks the sources of which are external to the QMS
(extrinsic risks), and these are addressed in clause 6.1 before a
QMS is established. Then there are risks the sources of which are
internal to the QMS (intrinsic risks), and these are addressed in
clause 5.1.2b) during and after a QMS is established.
4 If risks are not properly analysed they cannot be properly managed.
Summary
5 When it comes to measuring risk, we need a form of calibration;
otherwise, it's just guesswork that anyone can do.
6 Converting a qualitative method of risk analysis into a points-based
scoring method does not make it a quantitative method, neither
does adding or multiplying scores that have been made on the
basis of opinion.
7 Whether a risk is to be avoided, eliminated, reduced, taken, shared
or accepted depends on an organization's risk appetite, and this
should be established before its goals are set as this will inevitably
shape its strategy.
8 Taking a risk to pursue an opportunity is different from accepting a risk,
in that there may be no choice but to accept certain risks if a
particular objective is to be achieved, whereas when taking a risk
you are deliberately playing the odds to seize an opportunity.
Summary
9 There's a risk an opportunity will not happen and therefore actions
could be taken that will make it more likely to happen.
10 A properly orchestrated plan that changes the way people work
will be far more successful than managerial exhortation to do
better, seize every opportunity or simply work harder.
11 If the methods used to evaluate the effectiveness of actions to
mitigate risk do not actually measure the risks in a mathematically
and scientifically sound manner, management doesn't even have
the basis for determining whether a method works.
Thank You!