Risk Management and Assessment covering ISO 31000 for Organizational Resilience Programs
Risk Management and Assessment to ISO 31000

Handling risk analysis and risk management in the organizational resilience process

An organizational resilience management system must be based on an effective risk assessment process. This involves identifying the possible hazards and threats that could cause disruptive events, interrupting part or all of the operational process. These hazards and threats are not restricted to natural disasters or extreme weather conditions; they should include any event that could disrupt the smooth running of the organization, prevent the production and delivery of goods or services, or result in serious non-compliance situations. The Organizational Resilience Software supports this risk assessment process and simplifies what could otherwise be a complex and arduous task.


Risk analysis and assessment processes are based on ISO 31000 concepts

ISO 31000 is the recognized standard of choice for setting up and maintaining an effective risk framework. These concepts are fully incorporated into the Organizational Resilience Standard [ASIS SPC.1-2009] and likewise in the organizational resilience software. Four of the five organizational resilience software products include a comprehensive risk management infrastructure based on ISO 31000.


How much risk is acceptable

As described so succinctly by Dr. Marc Siegel in his paper “Societal Security Management System Standards”, all organizations face a certain amount of uncertainty and risk. In order to assure sustainability of operations and maintain resilience, competitiveness and performance, organizations must have a system to manage their risks. The challenge is to determine how much risk and uncertainty is acceptable and how to cost-effectively manage that risk and uncertainty while meeting the organization’s strategic and operational objectives. Given the finite resources of organizations, it is imperative that they have business-friendly tools to address the array of threats, hazards and risks they may face. Standards will play an ever-increasing role in the management of the operational risks organizations face.


Avoiding segregating or siloing risk

An integrated approach can help avoid segregating or siloing risks and provides an overall risk profile allowing the organization to better understand the relationships between risks and identify solutions to problems. It leverages the perspectives, knowledge and capabilities of divisions and individuals within an organization. Because of the relatively low probability and yet potentially high consequence nature of many natural, intentional, or unintentional threats and hazards that an organization may face, an integrated approach allows an organization to establish priorities that address its individual needs for managing operational risks within an economically sound context.


Acceptance of risk is a necessary part of business

Risk analysis is recognized as the cornerstone of any resilience, continuity or recovery process. Without the risk analysis process being carried out in a structured manner, any resilience, continuity or recovery planning will effectively be carried out in a vacuum with poor prioritization and decision making. Acceptance of risk is a necessary part of business but needs to be properly understood and managed if you are going to make it work for you rather than against you.


Acceptance or reduction of risk part of the management process

Risk management has been generally defined as the identification, assessment and prioritization of risks. However, there is a growing realization that it should also include the formal acceptance of those risks and/or an approved program of risk treatments to reduce residual risks.


Risk management framework conforming to ISO 31000

The Organizational Resilience Software delivers a risk assessment process covering the risk management policy, the risk management framework, integration, communication, establishing the risk management context, risk identification, risk assessment, risk analysis, risk evaluation, risk treatment, and ongoing review and accountability.


How does the organizational resilience software deliver risk management?

The Organizational Resilience Software delivers an extremely comprehensive risk management process. Module 1.1 includes the risk management framework and structure, including policy and risk appetite. Module 3.4 delivers a comprehensive range of potential hazards and threats; the User can analyze each hazard and add further hazards if desired. It supports the identification of potential disruptive incidents and the setting of probability and possible consequences. It is a really easy process to work through and, when coupled with the integral business impact process, it also enables the establishment of recovery times and cascades those requirements to all assets, resources and operational processes.


Impact analysis

The Organizational Resilience Software delivers risk analysis and impact assessment in a unique way where these functions are closely linked so that predicted consequences can be viewed and cascaded across the organization. The software uses a clever mapping technique combined with calculated recovery times and criticality values that are based on parameters controlled by the User.
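The two steps described above (probability and consequence scoring against a risk appetite, then cascading recovery times from processes down to the assets and resources they depend on) can be illustrated with a small worked example. This is added example code, not part of the Organizational Resilience Software or of ISO 31000; the 1-to-5 scales, the risk appetite threshold and the sample hazards, processes and assets are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed scoring scales: likelihood and consequence each rated 1 (lowest) to 5 (highest).
# A risk appetite of 8 is an assumed threshold from the (hypothetical) risk management policy.
RISK_APPETITE = 8

@dataclass
class Hazard:
    name: str
    likelihood: int
    consequence: int
    # Approved treatments, each expressed as (likelihood reduction, consequence reduction)
    treatments: list = field(default_factory=list)

def inherent_score(h: Hazard) -> int:
    """Risk analysis: score before any treatment is applied."""
    return h.likelihood * h.consequence

def residual_score(h: Hazard) -> int:
    """Risk analysis after treatment: neither factor can drop below 1."""
    lik = max(1, h.likelihood - sum(t[0] for t in h.treatments))
    con = max(1, h.consequence - sum(t[1] for t in h.treatments))
    return lik * con

def evaluate(h: Hazard) -> str:
    """Risk evaluation: residual risk within appetite is acceptable; anything above
    it needs a further treatment program or formal acceptance by management."""
    return "acceptable" if residual_score(h) <= RISK_APPETITE else "treat or formally accept"

def cascade_recovery_times(process_rto: dict, depends_on: dict) -> dict:
    """Impact analysis cascade: every asset or resource inherits the tightest (smallest)
    recovery time of anything that depends on it, propagated transitively.
    process_rto maps a process to its recovery time in hours; depends_on maps any node
    to the nodes it relies on. Iterates until no recovery time can be tightened further."""
    rto = dict(process_rto)
    changed = True
    while changed:
        changed = False
        for node, deps in depends_on.items():
            if node not in rto:
                continue  # nothing depends on this node yet, so it has no requirement
            for dep in deps:
                if rto[node] < rto.get(dep, float("inf")):
                    rto[dep] = rto[node]
                    changed = True
    return rto

# Constructed sample data: two processes with business-impact recovery times and the
# assets they rely on, including a shared database behind two different applications.
SAMPLE_PROCESS_RTO = {"Order fulfilment": 4, "Invoicing": 24}
SAMPLE_DEPENDS_ON = {
    "Order fulfilment": ["ERP", "Warehouse system"],
    "Invoicing": ["Finance app"],
    "ERP": ["Database server", "Network"],
    "Finance app": ["Database server"],
    "Warehouse system": ["Network"],
}
```

Running `cascade_recovery_times(SAMPLE_PROCESS_RTO, SAMPLE_DEPENDS_ON)` shows the database server inheriting the 4-hour requirement from order fulfilment even though invoicing alone would have tolerated 24 hours.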