Reference no: EM133360200
A company leader might think, "Now is the time to apply risk management principles based on ISO 31000:2018 within the company." The background and purpose of this thought can vary: demands from shareholders, incidents of wrong decisions in the past, mirroring other companies, requirements from regulators, or even unqualified reasons such as "in order to win a prestigious award". Whatever the background, the most important questions are, "Are we ready? What should be prepared?" Most companies may feel that forming a unit or division (or whatever it is called in the company), recruiting a leader and a team, and appointing a consultant to help are sufficient. However, in practice, the average company limps along in developing and implementing risk management principles. Even if the framework is formed, as referred to in ISO 31000:2018, it is still difficult for companies to implement it. When this strenuous effort goes on for a long time, companies often lose energy and momentum. Costs and sacrifices that are not small have been made, but the implementation of risk management does not deliver benefits or achieve the main goal, which is to create and protect company value. It tends to become a routine full of burdensome paperwork, risk assessments that merely meet the requirements, mitigation whose effectiveness is never evaluated, an a priori attitude toward risk-based thinking, a feeling of indifference, and so on. At least that is the result of the author's personal experience and observations over the last dozen years in the implementation of risk management, as a practitioner/employee, consultant, trainer and assessor.
Question 1. What should companies do to be ready to implement risk management and get optimal benefits?
Question 2. The explanation in ISO 31000:2018 says that risk management should be integrated with business processes. But which business processes and why?