- The IRM methodology we employ is in line with ISO 31000:2009 Clauses 2.3 and 2.8, which require a risk management process (Figure 4.1), as well as Clause 5 (5.4.2, requiring risk identification, where we use tornado analysis and scenario analysis; 5.4.3, requiring quantitative risk analysis, where we apply Monte Carlo risk simulations; 5.4.4, where existing Excel-based evaluation models are used and overlaid with IRM methodologies such as simulations; etc.).
- ISO 31000:2009 Clause 5.4.4 addresses risk tolerance levels and the comparison of various risk levels; in our IRM methodology this is done through portfolio optimization and efficient frontier analysis (Figure 4.2).
- Figure 4.3 shows the quantified consequences and likelihoods (probabilities and confidence levels) of potential events, obtained using simulations, as required in ISO 31000:2009 Clauses 2.1 and 5.4.3.
- ISO 31000:2009 Clause 5.4.3 requires viewing the analysis from the perspectives of various stakeholders, multiple consequences, and multiple objectives to develop a combined level of risk. These perspectives are achieved through a multicriteria optimization and efficient frontier analysis (Figure 4.4) in the IRM process.
- ISO 31000:2009 Clause 3F requires that historical data and experience, as well as stakeholder feedback and observation coupled with expert judgment, be used to forecast future risk events. The IRM process employs a family of 16 forecasting methods (Figure 4.5 shows an example of the ARIMA model), coupled with high-fidelity risk simulations, to determine the best goodness-of-fit when historical data exist. When only subject matter expert estimates and stakeholder assumptions are available, we apply the Delphi method and custom distributions to run risk simulations on the forecasts.
- ISO 31000:2009 Clauses 3C, 5.4.3, 5.5, and 5.5.2 require risk evaluations of risk treatments, options to execute when different types of risks are involved, and the selection and implementation of various strategic risk treatment options that are not solely reliant on economics. The IRM’s strategic real options methodology allows users to model multiple path-independent and path-dependent implementation strategies, or alternate courses of action, generated to mitigate downside risks and take advantage of upside potential (Figure 4.6).
- Figure 4.7 illustrates how ISO 31000:2009 Clauses 3D, 3E, and 5.4.3 are satisfied in the IRM process through probability distribution fitting of uncertain variables and the modeling of their interdependencies (correlations).
- Risk controls are required in ISO 31000:2009 Clauses 2.26, 4.43, and 5.4.3 (Figure 4.8). The control charts and Risk Effectiveness calculations in PEAT ERM help decision makers identify whether a particular risk mitigation strategy and response, once enacted, has sufficiently and statistically significantly affected the outcomes of future risk states.
- Scenarios, cascading, and cumulative effects (consequences) are also the focus of ISO 31000:2009 Clause 5.4.2. The IRM method uses tornado analysis, scenario analysis, dynamic sensitivity analysis, and risk simulations (Figure 4.9) to identify which inputs have the highest impact on the organization’s risks and to model their effects on the organization’s total risk.
- ISO 31000:2009 Clause 5.2 requires proper communication of risk exposures and consequences, and an understanding of the basis and reasons for each risk. The PEAT ERM Risk Dashboards provide details and insights for a better understanding of the issues governing each risk in an organization (Figure 4.10).
Figure 4.1: ISO 31000:2009—IRM
Figure 4.2: ISO 31000:2009—Risk Tolerance
Figure 4.3: ISO 31000:2009—Consequences and Likelihood
Figure 4.4: ISO 31000:2009—Multiple Stakeholder Objectives and Consequences
Figure 4.5: ISO 31000:2009—Historical Data and Future Forward Forecast
Figure 4.6: ISO 31000:2009—Multiple Options, Strategies, and Alternatives
Figure 4.7: ISO 31000:2009—Structured Approach, Probability Fitting, and Correlations
Figure 4.8: ISO 31000:2009—Risk Control Efficiency and Effectiveness
Figure 4.9: ISO 31000:2009—Consequences, Cascades, and Scenarios
Figure 4.10: ISO 31000:2009—Communication and Consultation