Risk is one of the most fundamental concepts that each organization will face. While there are many definitions of risk, ISO 31000 defines risk as the effect of uncertainty on objectives. The standard states that all types and sizes of organizations are influenced by internal and external factors that affect their goals. This effect is defined as risk; it can be something damaging to the organization or an opportunity for further development.
According to ISO 31000, risk comprises its source, the potential harm it can cause, and the likelihood and consequences of specific events. In a cybersecurity setting, a source would be outdated software that has vulnerabilities. A hacker exploiting that outdated software would be considered an event. If the software is important, the likelihood would be high, as attackers would seek financial gain by exploiting such a vulnerability. The consequences could be huge financial losses and reputational damage to the organization, especially if consumer personal data is leaked.
Robert S. Kaplan and Anette Mikes categorize risk into three different categories: preventable risk, strategy risk, and external risk:
Preventable risk originates from within the organization, whether it is due to employee behavior, internal processes, or systems. Some examples include employee fraud, illegal and unethical activities, and corruption, among others. The best way to handle this type of risk is through ongoing monitoring, thorough selection processes when recruiting new employees, and effective performance management. An example of a preventable risk would be an employee stealing products from the organization and selling them online.
Strategy risk is the risk that is deliberately taken on by the organization in order to create value. This type of risk is not inherently bad; it is rather necessary to create a competitive advantage in today’s market. The key to taking strategic risks is thorough market research and finding the right balance between risk and reward. The amount of strategy risk that an organization undertakes highly depends on its risk appetite or tolerance. An example of a strategy risk is an organization expanding to a new country when it is uncertain about the demand for its service in that market.
External risk originates from outside the organization. This type of risk cannot be entirely prevented, but it can be mitigated through resilience planning, redundant backup processes, insurance, and flexibility. External risks can include natural disasters, political crises, economic crises, and sudden regulatory changes, among others.
Organizations need a standardized framework to manage the diverse array of risks they face. This is where ISO 31000 comes into play, as it provides principles and guidelines that organizations can follow for effective risk management, enabling them to create value and protect themselves. While it does not prescribe exact ways to manage risk, it offers a framework that can be adopted by all organizations, regardless of their type or size.
According to ISO 31000, risk management should be:
The standard provides a framework and a risk management process that all organizations can follow to create value and remain protected.
Here at PECB, we put utmost importance on risk management as it is the cornerstone of every successful business. Through our globally recognized training courses and certifications, we equip individuals with the skillset needed to ingrain successful risk management processes in any organization.
Author:
Albion Beqaj is a Content Editing Specialist in the PECB Marketing Department. He is responsible for evaluating the written material, ensuring its accuracy and suitability for the target audience, and ensuring that the material meets PECB standards. If you have any questions, feel free to contact us at support@pecb.com.