An Analysis of Risk Management Processes and Comparison with ISO31000:2018

Abstract

The risk management literature documented a variety of risk management processes. The ISO 31000:2018 grouped risk identification, risk analysis and risk evaluation under risk assessment. The step after risk assessment is risk treatment. The final step is risk monitoring and review. The Institute of Risk - Risk Management Standard grouped risk identification, description, and estimation under risk assessment. COSO defined risk identification as event identification. Event identification identifies both risks and opportunities. This study explores and analyses risk management processes. This study seeks to understand steps in risk management processes, and whether all the steps follow the steps as outline by ISO 31000:2018 risk management process. The study finds variety of risk management process developed by previous studies. A risk management process can be as simple as four-step process or as comprehensive as twenty-three-step process. Regardless the number of steps, ultimately there are four common steps in the risk management processes. The steps are risk identification, risk analysis, risk treatment, and monitoring and review. The finding of this study enhances knowledge on risk management processes. Each risk management process is unique to a particular business or area of application. However, despite the uniqueness, the study finds that the risk management processes use the sequence of the risk management process as outlined by ISO 31000: 2018 as their basis. The differences being the terms and descriptions of the steps in the process.