1.3 Explain a risk management model

Risk assessment model:

The ISO 31000 model provides a framework for risk management in all types of organizations. The basic risk management process, as defined by this model, is shown in the following chart:





The first step is risk identification; this is approached carefully and as extensively as possible, so as to identify as many risks as possible.

In this model, risk identification is done through three methods: free interviews, structured interviews and brainstorming. Risks are identified during sessions conducted with trained external personnel and the organization’s employees, and are then entered into the description model.

As risks are identified, the model describes each of them along a few basic dimensions of risk description included in the risk catalog. Further dimensions are added during later stages.




Each identified risk is placed in one of the following groups:

  • physical failure threats and risks,
  • operational threats and risks,
  • natural environmental events,
  • factors outside of the organization’s control,
  • stakeholder threats and risks,
  • design and installation of security equipment,
  • information and data management and communications, or
  • threats to continuity of operations.


Describing a risk by its group is the first dimension of risk definition in the risk catalog. Since some risks are more complex than others and cannot be defined by a single group, such risks also receive a secondary group placement.

Uncertainty, which is a key element of the definition, can arise from the variability of natural systems, and may also arise from:

  • unavailable information,
  • unavailable and inaccessible information,
  • information with unknown accuracy,
  • information subject to different interpretations, or
  • information that has a wide range of possibilities and can change over time.


Risk analysis:

