RCS - Risk Management


Robert attended the Risk Management in Banking programme at INSEAD and practises the ISO 31000 standard for risk management, building on his competency as an ISO auditor.

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Risk management is performed in a structured, pre-defined sequence of steps:

1. identify and characterise threats

2. assess the vulnerability of critical assets to those specific threats

3. determine the risk (i.e. the expected likelihood and consequences of specific types of attack on specific assets)

4. identify ways to reduce those risks

5. prioritise the risk-reduction measures according to a chosen strategy


The International Organization for Standardization (ISO) identifies the following principles of risk management.

Risk management should:

- be an integral part of organisational processes

- be part of the decision-making process

- explicitly address uncertainty and assumptions

- be a systematic and structured process

- be based on the best available information

- be tailored to the organisation's context

- take human factors into account

- be transparent and inclusive

- be dynamic, iterative and responsive to change

- be capable of continual improvement and enhancement

- be continually or periodically re-assessed


Robert applies all of these principles in his work as a risk manager. In the end, treating any identified risk comes down to one of only four possible options:

- Avoidance (eliminate the risk, withdraw from or do not become involved in the activity)

- Reduction (optimise or mitigate the likelihood and/or impact)

- Sharing (transfer, outsource or insure)

- Retention (accept the risk and budget for it)
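As an added illustration, which is not taken from the original page and is not Robert's own tooling, the Python script below carries steps 3 to 5 of the sequence above through a small, constructed risk register and applies the four treatment options just listed. Each risk is scored as expected annual loss (likelihood times impact), every candidate treatment is compared on its total expected cost (residual loss plus the cost of the treatment itself, with retention always on the table so that a control is only chosen if it pays for itself), and the chosen measures are then ranked under one of two assumed prioritisation strategies: largest expected loss avoided, or most loss avoided per currency unit spent. All figures, asset names and treatment costs are invented for the example.

```python
"""Worked risk-register example (added illustration, constructed figures).

Step 3: risk = likelihood x consequence, expressed as expected annual loss.
Step 4: compare the four treatment options on total expected cost.
Step 5: rank the chosen measures under an explicitly stated strategy.
"""
from dataclasses import dataclass

# The four possible outcomes of treating a risk.
OUTCOMES = ("avoid", "reduce", "share", "retain")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: float   # expected events per year (assumption: an annualised rate)
    impact: float       # loss per event, in currency units

    @property
    def expected_loss(self) -> float:
        # Step 3: expected annual loss = likelihood x consequence
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    option: str              # one of OUTCOMES
    annual_cost: float       # control cost, insurance premium, or cost of withdrawing
    residual_factor: float   # fraction of the expected loss that remains, 0.0 .. 1.0

    def __post_init__(self) -> None:
        if self.option not in OUTCOMES:
            raise ValueError(f"unknown treatment option: {self.option}")
        if not 0.0 <= self.residual_factor <= 1.0:
            raise ValueError("residual_factor must lie between 0 and 1")


# Retention is always available: accept the loss as it is and budget for it.
RETAIN = Treatment("retain", annual_cost=0.0, residual_factor=1.0)


def total_expected_cost(risk: Risk, treatment: Treatment) -> float:
    """Annual cost of living with the risk under a treatment:
    the residual expected loss plus what the treatment itself costs."""
    return risk.expected_loss * treatment.residual_factor + treatment.annual_cost


def best_treatment(risk: Risk, candidates) -> Treatment:
    """Step 4: choose the option with the lowest total expected cost.
    Because RETAIN is always a candidate, a control is only selected
    when it costs less than the loss it avoids."""
    return min([RETAIN, *candidates], key=lambda t: total_expected_cost(risk, t))


def prioritise(register, strategy: str = "net_benefit"):
    """Step 5: rank each risk's chosen treatment according to a strategy.
    'net_benefit' maximises expected loss avoided per year;
    'benefit_per_cost' maximises loss avoided per unit spent (fixed budget)."""
    rows = []
    for risk, candidates in register:
        chosen = best_treatment(risk, candidates)
        benefit = risk.expected_loss - total_expected_cost(risk, chosen)
        if strategy == "net_benefit":
            score = benefit
        elif strategy == "benefit_per_cost":
            score = benefit / chosen.annual_cost if chosen.annual_cost else 0.0
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        rows.append((risk.asset, risk.threat, chosen.option,
                     round(benefit, 2), round(score, 3)))
    return sorted(rows, key=lambda r: r[4], reverse=True)


# Constructed register (the output of steps 1 and 2). Illustrative figures only.
REGISTER = [
    (Risk("customer database", "ransomware", likelihood=0.2, impact=500_000), [
        Treatment("reduce", annual_cost=30_000, residual_factor=0.2),   # offline backups + EDR
        Treatment("share", annual_cost=25_000, residual_factor=0.3),    # cyber insurance
        Treatment("avoid", annual_cost=150_000, residual_factor=0.0),   # stop holding the data
    ]),
    (Risk("public website", "volumetric DDoS", likelihood=2.0, impact=5_000), [
        Treatment("reduce", annual_cost=12_000, residual_factor=0.1),   # upstream scrubbing
        Treatment("share", annual_cost=3_000, residual_factor=0.5),     # hosting provider's SLA
    ]),
    (Risk("legacy FTP server", "credential theft", likelihood=0.5, impact=40_000), [
        Treatment("reduce", annual_cost=6_000, residual_factor=0.3),    # MFA in front of it
        Treatment("avoid", annual_cost=4_000, residual_factor=0.0),     # decommission, move to SFTP
    ]),
]

if __name__ == "__main__":
    for strategy in ("net_benefit", "benefit_per_cost"):
        print(f"--- strategy: {strategy}")
        for asset, threat, option, benefit, score in prioritise(REGISTER, strategy):
            print(f"{asset:18} {threat:18} -> {option:7} avoids {benefit:>10,.0f} score {score}")
```

Running it shows that the same register yields a different ordering under the two strategies: by loss avoided the ransomware control comes first, while per unit of budget decommissioning the FTP server wins. That is exactly why step 5 has to name the strategy it is using, and why retention must remain an explicit, budgeted option rather than a silent default.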


Where enterprise meets excellence ..