Fundamentals of Risk Management
Approaches to risk management
prepare for, mitigate, respond to, and recover from a disruptive incident. This allows integration with ISO 31000. It is also compatible with existing ISO management system standards (such as ISO 9001, ISO 14001, ISO 27001 and ISO 28000). The overall approach is that a resilient organization needs to ‘prevent, protect and prepare’ in relation to resources and assets and at the same time be able to ‘respond, recover and review’ when a crisis occurs.

When seeking to make an organization more resilient, it is essential to have a definition of the desired state of resilience that is being sought. ISO 22300:2012 ‘Societal Security – Terminology’ defines resilience as the ‘adaptive capacity of an organization in a complex and changing environment’. This is a useful definition, but resilience is often associated with crisis management, and this definition does not explicitly address the behaviour of an organization during a crisis. Perhaps a better definition would be the ‘capacity of an organization to consistently achieve a desired state following a change in circumstances’. This definition is more inclusive of the management of a crisis, as well as the ability to successfully respond to less dramatic or disruptive events. The emergence of resilience is an opportunity for risk management and business continuity specialists to work together to ensure a more co-ordinated approach to enterprise risk management, business continuity and crisis management.

There are three behaviours that should be achieved by an organization if it is to achieve increased resilience:

● awareness of changes in the external, internal and risk management environments, so that constant attention to resilience is ensured;
● ‘prevent, protect and prepare’ in relation to all types of resources, including assets, networks, relationships and intellectual property;
● ‘respond, recover and review’ in relation to disruptive events, including the ability to respond rapidly, review lessons learnt and adapt.

Finally, it is worth noting that another trend in the structure of risk management and resilience standards appears to be emerging. Several standards are moving towards the ‘plan–do–check–act’ (PDCA) structure. This approach is entirely consistent with the plan, implement, measure, learn (PIML) approach to implementing a risk management initiative that is set out in Appendix C. The ASIS standard explicitly follows the PDCA format. PIML is preferred to PDCA because it is a more comprehensive and analytical approach. In fact, both the framework and the risk management process described in ISO 31000 are aligned with the PIML approach, once the ‘mandate and commitment’ for the framework and the ‘establish the context’ for the process stages (respectively) have been completed.

As the increasing importance of resilience is recognized, advice on achieving resilience is becoming more widespread. For example, the box below summarizes advice provided to organizations by the Cabinet Office of the UK government.