The ISO21500 risk subject area contains four processes.
|ISO21500 process groups|
|4.3.28 Identify risks|4.3.29 Assess risks|
|4.3.30 Treat risks|4.3.31 Control risks|
In the diagram below, these processes are presented as a flow diagram using the inputs and outputs defined in ISO21500. There are three planning processes and one controlling process.
Unusually, ISO21500 does not have approved changes as an input to the initial process (identify risks). Since the risks associated with approved changes must be included in the risk register, approved changes have been added to the diagram above in brackets.
The corresponding elements from the Praxis risk management procedure are shown below.
The Praxis version of this process shows the feedback loops from each step back to the identify step as the management team should regularly review the list of identified risks.
The identify step in the Praxis procedure and the ISO21500 identify risks process are direct equivalents.
The purpose of this process is to identify risks, both threats (risks that could have a negative impact on the objectives) and opportunities (risks that could have a positive effect on the objectives).
ISO21500 lists the risk register as an input to assess risks and treat risks. However, the outputs of these processes do not explicitly show that they update the risk register. The ‘updated risk register’ has been added to the diagram to show that assess risks and treat risks modify the risk register, which is then an input to the later processes.
All risks will be recorded in a risk register that must be regularly reviewed and updated throughout the project or programme. To be consistent with other subject area processes, identify risks should have approved changes as an input, since these will be one of the things that will trigger a review of the risks in the register. In fact, changes should not be approved until any associated risks have been identified and assessed.
The assess step in the Praxis procedure and the ISO21500 assess risks process are direct equivalents.
This process will use qualitative assessment techniques to estimate the probability and impact of each risk event. It may also use quantitative assessment techniques to deal with overall levels of uncertainty in time and cost estimates.
The output of this process is a set of prioritised risks. High priority risks will be the focus for the treat risks process and the calculation of any contingency reserves and management reserves required by the project or programme.
The plan responses step in the Praxis procedure and the ISO21500 treat risks process are direct equivalents.
Having identified and prioritised risks, the next step is to decide how to respond to them. Both threats and opportunities have four possible responses that address them in different ways. At this stage much will depend upon the risk appetite and risk attitude of the host organisation.
Once the mechanisms for responding to risks have been decided, the risk register will be updated to reflect this.
The implement responses step in the Praxis procedure and the ISO21500 control risks process are direct equivalents.
The final process in this sequence is to implement the responses so that disruption to the project or programme is minimised. This is not only concerned with minimising the impact of threats but also with maximising the benefit obtained from opportunities.
As a result of this process, corrective action may be taken and change requests issued.