Implementing Risk Management System


IMPLEMENTING RISK MANAGEMENT SYSTEM
(Based on ISO 31000:2018 Risk Management – Guidelines)

Management System Promoters, Ghaziabad – 201 013 (India)


Mail ID: [email protected]
Phone: +91 8920431042, 9818185537
Managing Risk
The Challenge!
► We live in an ever-changing world where we are forced to deal with uncertainty every day.

Why?
Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.

IMPLEMENTING RISK MANAGEMENT SYSTEM 2


Managing Risk

What predicts success?
► How an organization tackles that uncertainty can be a key predictor of its success.

Source : ISO 31000

Why Risk Management?

Preparing for and responding to negative events, from the predictable to the unforeseen, from the mundane to the catastrophic, has become a fact of life for businesses and governments around the world.

Tackling these risks requires an integrated and holistic framework with the capability to identify, evaluate and adequately define responses to the circumstances.

This holistic approach gives organizations a better framework for mitigating risk while advancing their goals and opportunities in the face of business threats.

Source : ISO 31000


Why ISO 31000?

► Risk is a necessary part of doing business, and in a world where enormous amounts of data are being processed at increasingly rapid rates, identifying and mitigating risks is a challenge for any company.
► Many contracts and insurance agreements require solid evidence of good risk management practice.
► ISO 31000 provides direction on how companies can integrate risk-based decision making into an organization's governance, planning, management, reporting, policies, values and culture.

Source : ISO 31000


ISO 31000:2018 Risk management
► This document provides guidelines on managing the risk faced by organizations.
► The application of these guidelines can be customized to any organization and its context.
► It provides a common approach to managing any type of risk and is not industry or sector specific.
► It can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.
Source : ISO 31000


Implementing Risk Management
► is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.
► is part of governance and leadership, and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.
► is part of all activities associated with an organization and includes interaction with stakeholders.
► considers the external and internal context of the organization, including human behaviour and cultural factors.
► is based on the principles, framework and process.
► These components might already exist in full or in part within the organization; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent.
Source : ISO 31000

Principles, framework and process


Step 1 Define Risk Management Principles

► The purpose of risk management is the creation and protection of value.
► It improves performance, encourages innovation and supports the achievement of objectives.

Source : ISO 31000


ISO 31000
Principles for risk management
(The eleven principles on this and the next two slides are those of ISO 31000:2009; the 2018 edition states "creates and protects value" as the purpose of risk management and consolidates the remaining principles into eight. The substance carries over.)

► Risk management creates and protects value
Contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

► Risk management is an integral part of all organizational processes
Part of the responsibilities of management and of all organizational processes, including strategic planning and project and change management processes.

► Risk management is part of decision making
Helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

► Risk management explicitly addresses uncertainty
Takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

Source : ISO 31000


Principles for risk management, continued ...
► Risk management is systematic, structured and timely
A systematic, timely and structured approach contributes to efficiency and to consistent, comparable and reliable results.

► Risk management is based on the best available information
The inputs to the process are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement.

► Risk management is tailored
It is aligned with the organization's external and internal context and risk profile.

► Risk management takes human and cultural factors into account
Recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.

Source : ISO 31000


Principles for risk management, continued ...
► Risk management is transparent and inclusive
Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization ensures that risk management remains relevant and up to date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

► Risk management is dynamic, iterative and responsive to change
Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.

► Risk management facilitates continual improvement of the organization
Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.

Source : ISO 31000


Step 2 Develop Risk Management Framework
• The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions.
• The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making.
• This requires support from stakeholders, particularly top management.
• Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across the organization.

(Figure: Components of Framework.)
Source : ISO 31000


Step 3 Establish Risk Management process

The risk management process involves the systematic application of policies, procedures and practices to the activities of:
• communicating and consulting,
• establishing the context, and
• assessing, treating, monitoring, reviewing, recording and reporting risk.

Source : ISO 31000


Establish Risk Management process

• The risk management process should be an integral part of management and decision-making and integrated into the structure, operations and processes of the organization.
• It can be applied at strategic, operational, programme or project levels.

Source : ISO 31000


Step 4 Communication and consultation

Communication and consultation aims to:
• bring different areas of expertise together for each step of the risk management process;
• ensure that different views are appropriately considered when defining risk criteria and when evaluating risks;
• provide sufficient information to facilitate risk oversight and decision-making;
• build a sense of inclusiveness and ownership among those affected by risk.
Source : ISO 31000


Step 5 Establishing the context (scope, context and criteria)

• The purpose of establishing the scope, the context and the criteria is to customize the risk management process, enabling effective risk assessment and appropriate risk treatment.
• This involves defining the scope of the process, understanding the external and internal context, and defining the risk criteria against which the significance of risk will be evaluated.

Source : ISO 31000


Step 6 Perform Risk assessment

• Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
• Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders.
• It should use the best available information, supplemented by further enquiry as necessary.

Source : ISO 31000


Step 7 Risk Treatment

• The purpose of risk treatment is to select and implement options for addressing risk.
• Risk treatment involves an iterative process of:
  • formulating and selecting risk treatment options;
  • planning and implementing risk treatment;
  • assessing the effectiveness of that treatment;
  • deciding whether the remaining risk is acceptable;
  • if not acceptable, taking further treatment.
Source : ISO 31000


Step 8 Monitor and review Risk Management Process

• The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes.
• Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibilities clearly defined.

Source : ISO 31000


Step 9 Recording and reporting outcomes

• The risk management process and its outcomes should be documented and reported through appropriate mechanisms.
• Recording and reporting aims to:
  • communicate risk management activities and outcomes across the organization;
  • provide information for decision-making;
  • improve risk management activities;
  • assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.

Source : ISO 31000


Occupational Health & Environmental Safety

Risk Assessment
Contents

• Why do I need a risk assessment?
• What is a risk?
• What is a risk assessment?
• Hazards.
• Risks.
• Control measures.
• Case Study.
Why do I need a risk assessment?

Employer's Duties

• Employers who have identified hazards on site must carry out a risk assessment.
• If a hazard is present, they must:
  • identify what it is;
  • assess its risk/health effects;
  • try to eliminate/prevent the risk;
  • or reduce the risk;
  • as a last resort, if it is not possible or prohibitively costly to eliminate or reduce the hazard, PPE may be the only viable solution.
• The employer is responsible for the selection and maintenance of PPE and for training in its use.
What is a risk?

Risks and hazards are often confused:

• A hazard is the potential of a substance or process to cause harm to people,
  e.g. sulphuric acid will cause burns to skin.
• A risk is the probability of a hazard actually causing harm.
What is a risk?

For example:

Hazard of asbestos = causes mesothelioma and lung cancer.

Risk of inhaling asbestos fibres = minimal if the asbestos board is in good condition. However, the risk is greater if the asbestos board is in poor condition or is being broken.
What is a Risk Assessment?

A risk assessment is an information gathering exercise about hazards, risks and controls.

It requires information on:
• Substances.
• Work processes (location & duration).
• Assessments of the levels of exposure.
• Evaluations of control measures.
Occupational Health & Environmental Safety

Hazards

• A hazard is any substance or process which may cause harm.
• In order to conduct a risk assessment it is necessary to consider any hazards that may be present in your workplace.
• For example:
  – Do you use any hazardous substances, e.g. paints, solvents, acids?
  – Is it a noisy environment?
  – Do you work at heights?
  – Does your process generate any particles or gases?
Some hazards affecting the body (diagram): peak noise exceeding 135 dB; continuous noise exceeding 80 dB; metal or plastic shards; chemical splashes; dusts, mists and particulates; chemicals; metal fumes; gases and vapours; radiation (UV, visible, infra-red).
Where can I find information on hazards?

Where to look for information on substances:
• Material Safety Data Sheets (MSDS)
• Container labels
• Trade journals
• Risk phrases
• HSE (Health and Safety Executive) guidance
Where can I find information on hazards?

Material Safety Data Sheets

Include details on:
• Name & address of supplier
• Chemical composition/ingredients
• Physical data
• Exposure controls & PPE
• Fire fighting information
• First aid advice

(Under REACH and CLP the document is now simply the safety data sheet, SDS, with a fixed 16-section layout; the content above still applies.)
Where can I find information on hazards?

Container labels & trade journals

• Container labels will often list the "ingredients" in a product.
• Industry trade journals may provide useful information on various common hazards.
Where can I find information on hazards?

Risk Phrases
These are standardised statements of the hazards of a chemical, as detailed in the CHIP (Chemicals (Hazard Information and Packaging for Supply)) Regulations. Since the CLP Regulation (EC 1272/2008) fully replaced CHIP in 2015 they have been superseded by GHS hazard statements (H-statements), so older labels and data sheets carry R-phrases and newer ones carry H-statements.

Examples:
• R1 - explosive when dry
• R26 - very toxic by inhalation
• R35 - causes severe burns
• R42 - may cause sensitisation by inhalation
• R43 - may cause sensitisation by skin contact
• R49 - may cause cancer by inhalation
Work Processes

Remember: substances are not the only hazard!

• When conducting a risk assessment, it is important to consider not just what you are using but how you are using it.
• Work processes may also have an associated hazard; for example, what does the process generate?
Occupational Health & Environmental Safety

Risks

• A risk is the probability of a hazard actually causing harm.
• The level of risk can be different for different workers, for example expectant mothers, people with disabilities or new workers.
• For respiratory and hearing hazards, the risk is usually assessed by comparing the level of exposure experienced by an individual with the occupational exposure limits.
Assessment of level of exposure
• The level of exposure to a hazard is critical when conducting a risk assessment.
• This will determine whether the hazard presents a significant risk.
• Monitoring methods include passive badge samplers, noise meters and personal pump monitoring.
• These can indicate a personal dose, which is the best assessment of the potential risk to an individual.
• Other assessment methods also exist, e.g. HSG53, the HSE guide to selecting RPE (respiratory protective equipment).
Assessment of level of exposure

An example of some results collected during monitoring (figure): amount plotted against time over the shift, with the 8 hour average drawn as a horizontal line.
Assessment of level of exposure

• Once the level of exposure has been determined, the next step is to compare this value to the limit value.
• For example:
  – For respiratory hazards this is the workplace exposure limit (WEL) detailed in EH40*.
  – For noise this is the action values detailed in the European Union Physical Agents (Noise) Directive 2003/10/EC (implemented in the UK by the Control of Noise at Work Regulations 2005).
• This will help you to evaluate whether any control measures are necessary.

*EH40 is a document written by the HSE that is updated regularly; use of an up-to-date version is essential.
Workplace Exposure Limits

• WELs are occupational exposure limits set under COSHH (the Control of Substances Hazardous to Health Regulations).
• They are concentrations of hazardous substances in the air, averaged over a specified period of time.
• Two time periods are used: short term (15 minutes) and long term (8 hours).
• Employers have a legal duty under COSHH to control exposure to chemicals hazardous to health.
Noise Legislation
The European Union Physical Agents (Noise) Directive 2003/10/EC details the thresholds that exposure to occupational noise must not exceed. Daily continuous exposure is A-weighted; peak sound pressure is C-weighted.

Value                        Continuous   Peak        Hearing protection (HPE)
Lower exposure action value  80 dB(A)     135 dB(C)   Must be made available on request; use not enforced
Upper exposure action value  85 dB(A)     137 dB(C)   Must be provided; use strictly enforced
Exposure limit value         87 dB(A)     140 dB(C)   Must never be exceeded; assessed at the ear, taking the attenuation of the hearing protection worn into account
Occupational Health & Environmental Safety

Control Measures

There is a hierarchy of control that should be followed, in this order:

Elimination/substitution

Engineering controls

Personal protective equipment

The best use of PPE is in combination with other control measures, during inspection or whilst other control measures are being put in place.
Elimination/Substitution

• Is it possible to alter your work process in order to eliminate or reduce the risk from a hazard?
• Could you substitute a less hazardous chemical for the hazardous substance you use now?
• Elimination/substitution should be your first consideration when aiming to reduce risk, but it may not always be a viable option.
Engineering Controls

• If you are not able to eliminate the hazard, you should next consider whether engineering controls could be put in place to reduce the risk from the hazard.
• For instance, could better ventilation reduce exposure to a hazardous particle? Or could non-slip matting be fitted to reduce the risk of falls?
• In some cases, however, the hazard may still present a significant risk after engineering controls have been put in place. In this case PPE can be considered.
Personal Protective Equipment

• The best use of PPE* is in combination with other control measures, during inspection or whilst other control measures are being put in place.

* It should, however, be noted that over-attenuation when using hearing protection (HPE) can be dangerous and is not advisable: a wearer isolated from the sound around them cannot hear warnings, alarms or approaching vehicles.
Personal Protective Equipment
If your risk assessment considers PPE to be necessary, 3M can offer
a wide range of solutions.
Occupational Health & Environmental Safety

Case Study

Hazard
• An employer identifies a hazard: substance x, a residual dust, is generated by the manufacturing process.
• The risk phrase for substance x is R23, toxic by inhalation (H331 "Toxic if inhaled" in CLP terms).
Case Study

Risk

• The WEL for substance x is 10 mg/m³ as an 8-hour TWA (time-weighted average).
• The measured 8-hour TWA exposure of his employee to substance x is 120 mg/m³ (the slide shows the monitoring trace of amount against time with the 8-hour average marked).
• The exposure to substance x therefore needs to be reduced by at least a factor of 12 (120 ÷ 10).
Case Study

Control Measures

• He cannot eliminate substance x or substitute another material for it, as it is a critical ingredient of his process.
• He has incorporated on-line extraction and ventilation.
• The employer decides to evaluate PPE as an additional control measure.
• He decides to use an FFP3 respirator, as this has an APF (assigned protection factor) of 20 when fitted correctly, i.e. it would reduce exposure by a factor of 20: 120 mg/m³ ÷ 20 = 6 mg/m³, below the WEL of 10 mg/m³. The APF is only achieved with a face-fit-tested wearer and a respirator that is worn for the whole exposure period.
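The arithmetic the case study walks through (8-hour TWA against the WEL, the factor by which exposure must fall, and choosing RPE whose APF covers that factor), together with the noise comparison against the action values from the table above, as an added example in Python. This is not code from the slides, 3M or HSE: the monitoring figures are constructed, the APF table is an assumption taken from UK guidance (HSG53), and the noise part uses the Directive's standard energy-averaging formula for daily exposure, which the slides do not spell out. It also adds the short-term (15-minute) WEL check the slides mention but do not work through.

```python
"""Exposure assessment arithmetic behind the case study (added example).

All monitoring figures are constructed; APF values are the UK assigned
protection factors from HSG53 and are an assumption of this example.
"""
import math
from typing import List, Optional, Tuple

Sample = Tuple[float, int]          # (concentration mg/m3, duration minutes)
NoisePeriod = Tuple[float, float]   # (level dB(A), duration hours)

REFERENCE_SHIFT_MIN = 8 * 60        # long-term WEL reference period (8 h TWA)
SHORT_TERM_WINDOW_MIN = 15          # short-term WEL reference period

# Assumed UK APFs (HSG53). FFP3 = 20 is the figure the case study uses.
RPE_OPTIONS = [
    ("FFP1 disposable", 4),
    ("FFP2 disposable", 10),
    ("FFP3 disposable", 20),
    ("Full face mask, P3 filter", 40),
    ("Powered hood TH3", 40),
]

# Directive 2003/10/EC values in dB(A), from the noise table in the slides.
NOISE_LOWER_ACTION, NOISE_UPPER_ACTION, NOISE_LIMIT = 80.0, 85.0, 87.0


def twa_8h(samples: List[Sample]) -> float:
    """8-hour time-weighted average. Shift time not covered by a sample is
    treated as zero exposure, so the sampled time may not exceed 8 h."""
    if any(c < 0 or m <= 0 for c, m in samples):
        raise ValueError("concentrations must be >= 0 and durations > 0")
    total_min = sum(m for _, m in samples)
    if total_min > REFERENCE_SHIFT_MIN:
        raise ValueError(f"{total_min} min sampled exceeds the 8 h reference period")
    return sum(c * m for c, m in samples) / REFERENCE_SHIFT_MIN


def worst_15min(samples: List[Sample]) -> float:
    """Highest 15-minute average in the shift, for the short-term WEL.
    Expands consecutive samples to a per-minute series and slides a window."""
    series: List[float] = []
    for c, m in samples:
        series.extend([c] * m)
    if len(series) <= SHORT_TERM_WINDOW_MIN:
        return sum(series) / SHORT_TERM_WINDOW_MIN   # rest of the window is zero
    window = sum(series[:SHORT_TERM_WINDOW_MIN])
    worst = window
    for i in range(SHORT_TERM_WINDOW_MIN, len(series)):
        window += series[i] - series[i - SHORT_TERM_WINDOW_MIN]
        worst = max(worst, window)
    return worst / SHORT_TERM_WINDOW_MIN


def required_protection_factor(exposure: float, limit: float) -> float:
    """Factor by which exposure must fall to meet the limit; <= 1 is compliant.
    Case study: 120 / 10 = 12."""
    if limit <= 0:
        raise ValueError("limit must be positive")
    return exposure / limit


def select_rpe(factor: float) -> Optional[Tuple[str, int]]:
    """Lowest-APF option that still meets the factor (over-specifying RPE adds
    burden on the wearer without benefit); None if nothing listed is adequate."""
    if factor <= 1:
        return ("no RPE required", 1)
    adequate = [opt for opt in RPE_OPTIONS if opt[1] >= factor]
    return min(adequate, key=lambda opt: opt[1]) if adequate else None


def daily_noise_exposure(periods: List[NoisePeriod]) -> float:
    """L_EX,8h in dB(A): energy-average the period levels over an 8 h day
    (the Directive's formula). Levels combine on a log scale, not linearly."""
    if not periods:
        raise ValueError("at least one noise period is required")
    energy = sum(h * 10 ** (level / 10) for level, h in periods)
    return 10 * math.log10(energy / 8)


def noise_band(lex_8h: float, hpe_attenuation_db: float = 0.0) -> str:
    """Action values apply to the unprotected exposure; the exposure limit
    value applies at the ear, i.e. after subtracting HPE attenuation."""
    if lex_8h - hpe_attenuation_db >= NOISE_LIMIT:
        return "exposure limit value exceeded"
    if lex_8h >= NOISE_UPPER_ACTION:
        return "upper action value: HPE must be provided and worn"
    if lex_8h >= NOISE_LOWER_ACTION:
        return "lower action value: HPE available on request"
    return "below lower action value"


if __name__ == "__main__":
    case = [(120.0, 480)]   # constructed: the case-study shift, 120 mg/m3 throughout
    twa = twa_8h(case)
    factor = required_protection_factor(twa, 10.0)
    print(f"8 h TWA {twa:.0f} mg/m3 vs WEL 10 -> reduce by x{factor:.0f} -> {select_rpe(factor)}")
```

Running the file reproduces the case study: TWA 120 mg/m³, factor 12, and FFP3 (APF 20) is the lowest adequate option. The 15-minute check matters because a shift whose average is under the long-term WEL can still breach the short-term limit during one dusty task, and the noise function shows why two sources of noise do not add arithmetically and why the 87 dB(A) limit is judged after hearing protection while the action values are not.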
Summary

• Employers who have identified hazards on site must carry out a risk assessment.
• A risk is the probability of a hazard actually causing harm.
• A risk assessment should:
  • identify hazards
  • consider the risks
  • control the risks
• PPE is the last resort.
• The best use of PPE is in combination with other control measures, during inspection or whilst other control measures are being put in place.
ISO 31000 Relationship with other management systems

► Leadership (corporate governance) of an organisation is performed by top management and the senior personnel of the different departments.
► To direct management and employees towards common objectives and behaviours, a policy of the organisation is deployed, communicated and implemented.
► Management systems arrange the organisation's different control mechanisms.
► Management information systems measure the activities in the organisation and present the results with quantitative and financial indicators.
► All activities of the organisation must comply with statutory and regulatory requirements.

Source : ISO 31000


ISO 31000
Connection with Other Management instruments

(Diagram) Top Management ("Corporate Governance") sets the organisation's policy. Beneath it sit the management system, the risk management system and an integrated information system (with internal controlling). All of them rest on customer, statutory, regulatory and standardised requirements.

Source : ONR 49000
Risk Management and other related standards

ISO 31000 : RISK MANAGEMENT GUIDELINES
Harmonizes risk management processes in existing and future standards dealing with specific risks and/or sectors, and does not replace those standards.

ISO 27001 : INFORMATION SECURITY MANAGEMENT SYSTEM
Preservation of confidentiality, integrity and availability of information. The point of overlap with ISO 22301 is Annex A.14.1, Information security aspects of business continuity management (that is the numbering of ISO/IEC 27001:2005; the same control area is A.17.1 in the 2013 edition).

ISO 22301 : BUSINESS CONTINUITY MANAGEMENT
Strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level.

The QMS, EMS, OHSMS and Asset Management standards, to name a few in the ISO series, also require risk management.
Sudhanshu Jain
8920431042
9818185537
[email protected]

THANK YOU FOR YOUR PATIENT LISTENING AND PARTICIPATION.
WE WISH YOU RAPID "SUCCESS".