Modelling Risk Management Process According to ISO Standard
Total Page:16
File Type:pdf, Size:1020Kb
International Journal of Recent Technology and Engineering (IJRTE) ISSN: 2277-3878, Volume-8 Issue-2, July 2019 Modelling Risk Management Process According to ISO Standard Ikram Akkiyat, Nissrine Souissi section we present an overview of the different approaches Abstract: Risk management is defined as an essential step in that describe the activities of several risk management the improvement process proposed under the standard ISO 9001: processes. A comparative analysis of these approaches is 2015. The guidelines to the process of risk management have been presented in the third section. The fourth section concerns the proposed since 2009 by the International Standardization building of our risk management process meta-model. We Organization (ISO). But before, organization and institutions have their own way to manage risk. An analysis of risk finish this paper by a conclusion and perspectives. management processes in the literature has been realized in order to identify the standard process. Unified Modeling language II. OVERVIEW OF RISK MANAGEMENT (UML) was used to present this meta model. The purpose of this APPROACHES paper is to propose a risk management process model based on ISO 31000: 2018 and following the recommendations of ISO In this section, we present the main approaches addressing 9001: 2015 by integrating risk management modeling in process the risk management, such as: the standards ISO 9001: 2015, modeling. ISO 21500: 2012, ISO 27001: 2013, ISO 20000-1: 2011 and ISO 31000: 2018 risk management standard. In addition to Index Terms: Process Modelling; Model; UML; Risk these standards, we are presenting demarches proposed by Management Process; ISO Standards; ISO 31000:2018; ISO PMBOK 6th Edition, NIST (National Institute of Standards 9001:2015; and technology - USA) and HSE (Health and Safety Executive - UK). The ISO 31000 standard provides I. INTRODUCTION principles and guidelines on risk management. This standard The term ―risk in an organization represents the effect of has become a generic and recognized reference for risk uncertainty on objectives [1], and its management is an management. The standard ISO 31000: 2018 can be used for essential step in order to optimize and improve the processes any field, it is not specific to an industry or a sector [2] composing the whole system. Risk management is part of the [3].The international community involved in its review process of the strategic management in an organization, recognizes its importance and its positioning with regard to taking into account the importance of the contributions and its guidelines and its unifying purpose. It seems to be the influence of the environment. Risk management is complementary to the different standards applicable to any defined as the set of coordinated activities to direct and sector, such as ISO 9001, and can easily allow the control an organization with regard to risk [1]. Before that implementation of a risk management system. ISO (International Standardization Organization) offered a Other ISO standards, which at the base are not dedicated to standard of management of risk in 2009, agencies had used risk management, had integrated in their latest editions, a different methods to manage risks within their entities. In risk-based approach. 2015, the risk management has been recommended by the The concept of risk in the ISO 9001 standard has been ISO9001: 2015 as being an important step in the implicit in previous editions, and it is explicit in the 2015 improvement process of an organization. It relies on the edition [4]. We emphasize here that ISO 9001: 2015 provides definition, assessment and implementation of corrective requirements for quality management systems, and is aligned actions in order to avoid or correct the consequences of the with the changes that organizations face, focusing more on risk. In this paper, we propose a meta-model of risk performance, reflection based on risk and activation of the management process, based on the standard ISO 31000: cycle Plan-Do-Check-Act at all levels of the organization [4]. 2018, which will facilitate the implementation of the risk In the same way as the ISO 9001:2015, ISO 21500:2012 management process in any type of business process and in provides a process for risk management in the framework of any field and in any domain of organizations. We suggest in the project lifecycle [5]. This international standard provides this sense to follow the recommendations of ISO 9001: 2015 a high-level description of the concepts and processes and integrate risk modelling in business process modelling. considered as good practices in project management. This This work is organized into five sections; in the second standard is included as Part II of the PMBOK. It is admitted that the PMBOK Guide [6] had a great influence on the Revised Manuscript Received on July 30, 2019. development of the ISO 21500. In this context, as in PMBOK, Ikram Akkiyat, SIWEB Team, Ecole Mohammadia Des Ingénieurs, risk management is present during the process of planning, Mohammad V University of Rabat, Rabat, Morocco; implementation, and control of the project lifecycle. Nissrine Souissi, Computer Science Department Rabat School of Mines, Rabat, Morocco & SIWEB Team, Mohammadia School of Engineering, Mohammed V University, Rabat, Morocco Published By: Retrieval Number: B3751078219/19©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijrte.B3751.078219 5830 & Sciences Publication Modelling Risk Management Process According to ISO Standard The process of assessment and treatment of risks related to III. COMPARATIVE ANALYSIS information security in ISO/IEC 27001 aligns also with the In this section, we present a comparative analysis of principles and guidelines in the ISO 31000. ISO / IEC 27001 the approaches presented in the previous section, and we is the most well-known of the standards of the family ISO discuss the results of this analysis. 27000, which aims to assist organizations in the field of information security. ISO/IEC 27001 provides the A. Analysis requirements for an information security management system, A comparative analysis of standards covering the and includes people, processes and information systems by management of risks has been presented in [2], where it was applying a risk management process [7]. question to compare the activities of the risk management ISO/IEC 20000-1 which is a service management system process in the standards ISO 9001, ISO 21500, ISO/IEC standard, cites ISO 31000 as the generic reference to risk management [2]. The requirements that provide ISO 27001 and ISO/IEC 20000-1, and show that an approach of 20000-1:2011[8]include design, transition, delivery and risk management based on the process approach may improvement of services to meet the agreed requirements. constitute a basis for the improvement, coordination and The National Institute of Standards and Technology (NIST) interoperability of the activities of risk management in IT, in [9]proposes a method of risk management through the order to achieve several aspects, such as: project proposal of several activities similar to those proposed in the management, quality management and the security of framework of ISO 31000:2018 [9]. It’s about framing risk, information systems. We present in what follows an enriched assessing, proposing solutions and finally risk monitoring. version which compares all approaches cited in the previous The Health and Safety Executive [11] proposes a risk section, with the process of management of the risks defined assessment process consisting of five activities: Identification in ISO 31000:2018. of probabilities, assessment of risks and proposal of solutions The standard ISO 31000:2018 contains 10 chapter, and precautions, saving important data and finally reviewing th the assessment and repeating the process if necessary. we are here focusing on the 6 chapter which is ―Process‖, since this new release in organized as a High Level Standard (HLS). Table 1 shows the comparative analysis: Table I: Comparison of different risk management processes Risk Management processes ISO ISO ISO ISO ISO/IEC PMBOK NIST HSE - UK 31000:2009 9001:2015 21500:2013 20000-1:2011 27001:2013 6th Edition 4.2 4.2 6.2 Understanding 4.3.40 Understanding Communicatio the needs and Manage the needs and n and expectations of communicatio expectations of consultation interested ns interested parties parties 4.1 5.3 1. Plan Risk Understanding 1. Frame the Scope, Context Managemen the organization risk Processes’activities and criteria t and its context 6.3.2 Defining 3.11 Project the scope constraints 4.1 Understanding the organization and its context 6.3.3 External and Internal A.8 Control of Context externally 3.5.2 Factors provided outside the processes, organizational products and boundary services 6.3.4 Defining risk criteria Published By: Retrieval Number: B3751078219/19©BEIESP Blue Eyes Intelligence Engineering DOI: 10.35940/ijrte.B3751.078219 5831 & Sciences Publication International Journal of Recent Technology and Engineering (IJRTE) ISSN: 2277-3878, Volume-8 Issue-2, July 2019 6.1.2 Information security risk 6.3.1 Service assessment continuity and 6.2 Information 5.4 availability security 2. Assess the Risk requirements objectives and risk assessment 6.6.1 plans to achieve Information them security policy 8.2 Information security risk assessment (operation) 6.1 6.6.3 Actions to 6.1.2 6.4.2 Information 1. Identify address risks 4.3.28 Information 2. Identify Risk security the and Identify risks security risk Risks identification changes and hazards opportunities assessment (c) incidents (6.1.1) 3. Perform Qualitative 6.1.2 Risk 2. Decide 9.1.3 6.4.3 4.3.29 Information Analysis who might Analysis and Risk analysis Assess risks security risk 4. Perform be harmed evaluation assessment (d) Quantitative and how Risk Analysis 3. Evaluate 6.1.2 9.1.3 the risks 6.4.4 4.3.29 Information Analysis and and decide Risk evaluation Assess risks security risk evaluation on assessment (e) precaution s 6.1.3 6.1 Information Actions to security risk 6.5.