
São Paulo/SP – September 26, 2022. Risk management aims to create and protect value, improving performance, encouraging innovation and supporting the achievement of objectives.

By Lucas Santos

Risk is the effect of uncertainty on certain objectives and can be represented by a deviation from the expected, bringing positive or negative consequences. Organizations of all sizes and in all segments have risks at a strategic, tactical and operational level.

Risk management is important for the organization to know and control the risks related to the business in a standardized way and in compliance with best practices.

According to the ABNT NBR ISO 31000:2018 standard, Risk Management aims to create and protect value, improving performance, encouraging innovation and supporting the achievement of objectives.

Risk Management Principles

The ISO 31000 standard determines that an organization's risk management structure must meet the following principles:

  • Integrated: it must be performed in order to integrate all the organization's activities, enabling the identification and treatment of all risks to which the organization may be exposed;
  • Structured and comprehensive: it must be structured to cover all the organization's activities, contributing to consistent and comparable results;
  • Customized: the risk management process must be customized for each organization, considering its internal and external context related to its objectives;
  • Inclusive: stakeholder involvement results in more effective risk management, as it considers different points of view and perceptions of the activities addressed;
  • Dynamic: it must enable the anticipation, detection, recognition and response to risks that may arise through changes in the organization's external and internal contexts;
  • Best information available: the information used for risk management must be collected and/or generated through reliable sources, considering historical and current data and future projections. It is important that this information is timely, clear and available to interested parties in order to achieve the risk management objective;
  • Human and cultural factors: the human behavior and cultural characteristics of the organization significantly influence the risks related to the business;
  • Continuous improvement: it must be continually improved, through learning and experiences to ensure it fits the context of the organization.

Risk Management Structure

Risk management must be structured so as to enable its integration into the organization's significant activities. Such structuring depends on the involvement and awareness of the parties involved to facilitate decision-making for effective risk management.

The involvement of leadership and commitment of the parties involved is a fundamental part of risk management in the organization. It is the responsibility of Senior Management and supervisory bodies (appointed by Senior Management) to ensure the integration of risk management into the organization's activities and the decision-making necessary to manage business risks.

The ABNT NBR ISO 31000 standard proposes the following phases for the risk management structure:

  • Integration: risk management is everyone's responsibility in the organization. It is important that risk management is considered part of the organization's purpose and governance, and not a separate activity;
  • Design: understanding the organization's context is critical to the risk management framework. During the design phase, the external and internal contexts are understood in order to meet the customization principle of risk management. In addition to understanding the context, this phase includes the articulation of commitment to risk management (through the creation of policies, for example), the assignment of roles, authorities and responsibilities for the process, the allocation of the necessary resources and the establishment of communications related to risk management;
  • Implementation: successful implementation depends on stakeholder involvement and awareness. Once risk management has been properly implemented, its integration into the organization's activities and decision-making is ensured, as is its dynamic ability to adapt to changes in the business;
  • Evaluation: the results of risk management must be evaluated in order to measure their quality, effectiveness and suitability for the organization;
  • Improvement: based on the analysis of the results collected in the evaluation stage, risk management may be adapted to ensure it remains applicable to the organization's context.

Risk management process

After the proper implementation of the risk management framework, the organization will be able to execute the risk management process. This process can be applied at a strategic, operational, program or project level.

It is important that communication channels are defined and clear to all interested parties, during all stages of the process, in order to standardize information sharing flows.

The ISO 31000 standard defines the following steps for the process:

  • Scope, context and criteria: the scope of the management process must be defined and clearly communicated among stakeholders, for example whether risk management will be carried out at an operational level, or which type of risk will be assessed. In addition, the context of the process (internal processes, or processes that may involve external parties, for example) and the risk criteria must be defined;
  • Risk assessment: in this step, risks are identified and information related to them is collected, such as risk sources, causes and related vulnerabilities. After identification, the risks are analyzed to determine, among other factors, the probability and impact of their materialization in the organization's environment. The last activity of this stage is risk evaluation, where the decision to be taken in response to the identified risks is defined;
  • Risk treatment: as a response to the risk, one of the treatment options defined during the scope, context and criteria stage is chosen;
  • Monitoring and critical analysis: like the framework itself, the risk management process is monitored to assess its effectiveness and suitability for the organization's scenario (through continuous process improvement);
  • Recording and reporting: it is important that the results and information from the risk management process are formally recorded and communicated among the interested parties.

Final considerations

Effective risk management is essential for organizations, regardless of their segment and size. The integration of management into the organization's activities minimizes exposure to internal and external factors that could have a negative impact.

A well-defined structure for risk management gives the organization more effective control of its environment, both in current scenarios, taking into account changes in the organization's internal and external context, and in projecting and preparing the organization for emerging risks.

— Lucas Santos is GRC, Privacy and Information Security Senior Consultant at [SAFEWAY]

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services the Cybersecurity Health Check, whose objective is to carry out a diagnosis of the Cybersecurity, Information Security and Data Privacy implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, risks associated with the information security and privacy of internal processes and activities are identified, and existing and new controls are evaluated according to the size of your organization, in order to increase the level of maturity and compliance in accordance with good information security practices. If you would like more information, contact one of our experts!