How Can ISO Management System Standards Contribute To Mitigate Business Risks? - UNECE


How can ISO Management System Standards contribute to mitigate business risks?
Valentin Nikonov, PhD (Economics), PMP IPMA, Director General, Growth Trajectory Consulting Company
Irena Kogan, Partner, Growth Trajectory Consulting Company

Issues of practical implementation
‘Nobel prize lectures’ vs. ‘buy low, sell high’, and ‘generic risk management process’
Everybody manages risks – no need to convince
How to make risk management efficient and effective?
– Risks are timely identified and no risks are missed
– Risks are properly evaluated
– Risk management strategies are implemented effectively
– Etc.

Too many risks to manage: standards come from different spheres

Necessary conditions to build a RM System
1. Process management framework – Risks are managed by business processes
2. Operational risk management system – Risks ‘reside’ in the business processes
ISO Management System Standards are very helpful – the risk management system is already there

Business process and operational risk management system

Three-layer Risk Management System

Case study
Operational risk management on the basis of ISO 9001:2008
Integrating Information Security Risk management processes (based on ISO 27001:2005)

Business Process Management (ISO 9001)

Operational Risk Management System (ISO 9001)
Operational risk management process (ISO/IEC 9001:2008): Risk identification – Risk assessment – Risk management strategy
Sources feeding risk identification (diagram labels):
– Observations from employees (8.5.2, 8.5.3 ISO 9001:2008)
– Internal Audits (8.2.2 ISO 9001:2008)
– Customer feedback (8.2.1 ISO 9001:2008)
– Information security risks (ISO/IEC 27001)!

Adding processes for specific risks
Information Security (ISO 27001:2005)

ISO 27001:2005 Information Security Management System

Management of informational assets
Name | Confidentiality | Integrity | Availability | Criticality | Owner | Users
Clients database | High | High | High | High | The head of Sales division | Sales division

Management of informational risks
Risk | Measure, proposed by an asset owner | Cost | Responsible | Deadline | Control in ISO/IEC 27001:2005
Unauthorized personnel in secure areas | Implementation of a biometric access control system | X | Security department | X | A.9.1

Annex A control areas:
– Security policy
– Organization of information security
– Asset management
– Human resources security
– Physical and environmental security
– Communications and operations management
– Access control
– Information systems acquisition, development and maintenance
– Information security incident management
– Business continuity management
– Compliance

‘New lines’ in the process table – raising business efficiency
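The two tables on this slide (an asset register with C/I/A ratings and a risk-treatment table whose rows point at Annex A controls) are the data structure the whole case study rests on. The following is an added example, not code from the slides or from Growth Trajectory Consulting: it models both tables, derives criticality as the highest of the three C/I/A ratings (an assumed convention; the slide does not say how criticality is set), and runs the consistency checks the "no risks are missed / risks are properly evaluated" requirement from slide 2 implies: every risk names a known asset, a responsible party, a deadline and a valid Annex A reference, and every high-criticality asset has at least one risk entry. The Annex A domain numbers (A.5 to A.15) are those of ISO/IEC 27001:2005; the sample rows are constructed from the slide, with the slide's "X" deadline left empty so the check reports it.

```python
"""Added example: ISO 27001:2005-style asset and risk registers with
consistency checks. Not code from the original slides. Assumptions:
criticality = highest of C/I/A (not defined on the slide); Annex A
domain numbering follows ISO/IEC 27001:2005; sample rows are constructed."""
from dataclasses import dataclass
from typing import List, Optional

RATINGS = {"Low": 1, "Medium": 2, "High": 3}

# ISO/IEC 27001:2005 Annex A control domains (the eleven areas listed on the slide).
ANNEX_A_DOMAINS = {
    "A.5": "Security policy",
    "A.6": "Organization of information security",
    "A.7": "Asset management",
    "A.8": "Human resources security",
    "A.9": "Physical and environmental security",
    "A.10": "Communications and operations management",
    "A.11": "Access control",
    "A.12": "Information systems acquisition, development and maintenance",
    "A.13": "Information security incident management",
    "A.14": "Business continuity management",
    "A.15": "Compliance",
}


@dataclass
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    owner: str
    users: str

    def criticality(self) -> str:
        # Assumed convention: criticality is the highest of the three ratings.
        return max((self.confidentiality, self.integrity, self.availability),
                   key=lambda r: RATINGS[r])


@dataclass
class Risk:
    asset: str
    description: str
    measure: str             # countermeasure proposed by the asset owner
    responsible: str
    deadline: Optional[str]  # None models the slide's "X" placeholder
    control: str             # Annex A reference such as "A.9.1"


def control_domain(ref: str) -> Optional[str]:
    """Map a control reference like 'A.9.1' to its domain 'A.9', or None if unknown."""
    parts = ref.split(".")
    if len(parts) < 2 or parts[0] != "A":
        return None
    domain = f"A.{parts[1]}"
    return domain if domain in ANNEX_A_DOMAINS else None


def check_registers(assets: List[Asset], risks: List[Risk]) -> List[str]:
    """Return findings; an empty list means the two tables are consistent."""
    findings = []
    names = {a.name for a in assets}
    covered = set()
    for r in risks:
        if r.asset not in names:
            findings.append(f"risk '{r.description}' refers to unknown asset '{r.asset}'")
        covered.add(r.asset)
        if control_domain(r.control) is None:
            findings.append(f"risk '{r.description}': control '{r.control}' is not an Annex A reference")
        if not r.responsible:
            findings.append(f"risk '{r.description}' has no responsible party")
        if not r.deadline:
            findings.append(f"risk '{r.description}' has no deadline")
    # "No risks are missed": every high-criticality asset needs at least one risk row.
    for a in assets:
        if a.criticality() == "High" and a.name not in covered:
            findings.append(f"high-criticality asset '{a.name}' has no risk entry")
    return findings


# Constructed sample rows following the slide's two tables.
ASSETS = [Asset("Clients database", "High", "High", "High",
                "The head of Sales division", "Sales division")]
RISKS = [Risk("Clients database", "Unauthorized personnel in secure areas",
              "Implementation of a biometric access control system",
              "Security department", None, "A.9.1")]

if __name__ == "__main__":
    for line in check_registers(ASSETS, RISKS) or ["registers consistent"]:
        print(line)
```

Run as a script it reports the one gap in the constructed rows (the missing deadline); the "new lines in the process table" the slide refers to are exactly the rows such a check would force an owner to complete before the risk is considered managed.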

Conclusion
– ISO MS Standards application forms a ground for implementation of a three-layer enterprise-wide risk management system, which provides effective and consistent management of risks;
– Though different organizations manage different risks, the structure of a Risk Management System is the same for organizations of all types;
– Further development of risk management tools and methods on the basis of existing ISO standards would be beneficial for risk management promotion and application at all levels.

