what criteria should an organization use to determine an "acceptable level" of risk?


5. Risk Management Principles and Process

5.1 General

This Standard provides an approach to managing the risk in an organization's supply chain. The process, based on ISO 31000, covers elements of defining contexts, risk assessment, and risk treatment (Figure 1). ISO 31000 is a key building block of this approach; while adapting it to the organization's needs and purposes, the Standard recognizes the need to avoid replicating standards documents but rather to optimize current best practices that help promote and sustain organizational resiliency.

SCRM-Figure1.jpg

Figure 1: Risk Management Process (based on ISO 31000)

As described in ISO 31000:2009, the foundation of any risk management program is based on:

  • Establishing the context;

  • Risk assessment involving:

    • Risk identification – recognizing what risks exist;
    • Risk analysis – considered in terms of likelihood and consequence, after considering current controls; and
    • Risk evaluation – deciding how to prioritize the risks.

  • Risk treatment – using the results of the risk assessment to determine how to treat the risks;

  • Communication and consultation with internal and external stakeholders throughout the risk management process; and

  • Ongoing monitoring and review conducted throughout the risk management process.

Risk management is an integral part of an overall business management strategy which specifically assesses and addresses the effect of uncertainty on the organization's objectives.

Therefore, in managing risk it is important to understand the significance, influence, types, and sources of uncertainty. Factors to consider include (but are not limited to):

  • Completeness of information;
  • Availability and reliability of information sources;
  • Reliability and effect of risk treatments and controls;
  • Assumptions made in assessing and treating risk;
  • Degree of certainty of likelihood and consequence predictions;
  • Volatility of internal and external context;
  • Context of time and perceptions of time;
  • Results of sensitivity studies; and
  • Effectiveness of risk monitoring and change management.

Risk management is an ongoing activity that involves continual monitoring and assessment of the risk landscape. The internal and external context of an organization and its supply chain are dynamic. Therefore the risk assessment process should be able to evaluate a wide variety of risks over time, as well as monitor, review, and adapt to the dynamic context of its operations.

5.2 Risk Communication and Consultation

The organization should establish and maintain a formal and documented communication and consultation process with its internal and external stakeholders in all steps of the risk management process to ensure that:

  • Objectives, needs, and interests of the internal and external stakeholders are understood (including persons, organizations, communities, and upstream and downstream supply chain partners);

  • Risks are adequately identified and communicated within the organization and throughout the supply chain;

  • Dependencies and linkages with subcontractors and within the supply chain are understood;

  • The risk assessment process interfaces with other management disciplines; and

  • Risk assessment is being conducted within the appropriate internal and external context and parameters relevant to the organization and its contractors and supply chain.

5.3 Establishing the Context

5.3.1 General
The process begins with identifying the internal and external context and environment that may influence supply chain risk.

To conduct the risk assessment and manage risks, the organization needs to first understand the internal and external environment in which it operates. This includes identifying all relevant stakeholders that can affect risk or be impacted by risk. Defining the context provides the basis for defining the scope and stakeholders involved in the risk management process.

In establishing the context, the organization should identify its objectives and value drivers. What are the value generators and drivers for the organization, as well as its implicit and explicit goals and values? Understanding the activities that are instrumental in the organization providing its goods and services will provide a basis for prioritizing and evaluating risk. The organization needs to assess and evaluate what is key to the organization achieving its objectives and creating value.

Risks exist at all levels and entities within an organization. Process risks exist at production sites. Supplier risks exist at direct or indirect supplier sites. Distribution risks exist at suppliers and in upstream and downstream transportation and logistics systems. Legislative, compliance, intellectual property, sovereign, and regulatory risks exist at the country or regional level for multinational enterprises. Finally, operational risks exist at the agency, department, division, branch, unit, or corporate level.

Organizations should identify, own, prioritize, and manage risks at the point at which they occur. Organizations should also aggregate and report risks across the organization and vertically through business reporting structures. Organizations should give risks that exist within multiple entities common, coordinated treatments. When managing risks it is important to be aware of cumulative effects from one event setting off a chain of events, and the impact of one risk treatment method on other areas of risk.

Ownership of an identified risk is not always clearly defined. Defining risk ownership is necessary to treat the risk and assure that it does not adversely affect the organizations in the supply chain. Such risks may arise when franchises make, for local consumption, a final product whose performance will affect the reputation of the whole franchise. For example, risks may arise when a supplier uses lead paint on toys ultimately assembled for firms with strong brand-name recognition. Governance controls and guidance to manage such risks may include corporate leadership setting policies, standards, procedures, and contractual and auditing requirements for suppliers to follow. When organizations cannot impose on franchises and supply chain partners how to operate their facilities, they should provide guidance and evaluate the impacts of risks due to nonconformance.

The presence of differing risks at multiple levels of an organization underscores the importance of defining the context within which a risk-management program is implemented. This includes suppliers, production and services, logistics (e.g., transportation, warehousing, and distribution), customers, and other elements that can affect the supply chain. These elements will vary by industry, as will the efforts an organization can make to address them. For instance, a factory may have more control over assembly risks, while a business unit may be tasked with controlling supply-chain risks posed by legislative and regulatory issues as well as managing some procurement risks.

Defining the scope is a fundamental decision in developing an SCRM plan. The scope defines what activities of the organization and its supply chain will be included in the SCRM program. Organizations may initially focus on a Tier 1 entity, or even prioritize among Tier 1 supply chain entities. A Tier 1 entity is the principal client, contractor, or supplier that provides goods or services directly to or from the organization. In most cases, the scope should include suppliers and customers based on their role in the value chain. In determining how much of the supply chain to include beyond the first tier, managers may wish to characterize inputs by the number of suppliers and number of customers. For example, if many possible suppliers exist for a common commodity, it may be unnecessary to go beyond the first tier when considering supply chain risks. For materials with few or sole sources, it will probably be necessary to consider risks at the second tier. Between these two extremes, organizations need to assess how critical a particular component is or how easily a supplier can be replaced and, if necessary, consider supply risks in the second tier for priority components or suppliers. A critical node is where the supply chain map funnels to a point at which one or two deeper sub-tier suppliers provide the sources for all suppliers above. An instance of this occurred with the Xirallic paint pigment supplier (Tier 3) that was the only source of glitter-effect auto pigment in the world, affecting many auto manufacturers.

Understanding the activities that are instrumental in the organization providing its goods and services will provide a basis for prioritizing and evaluating risk. Distribution risks exist at suppliers and in upstream and downstream transportation and logistics systems. Legislative, compliance, intellectual property, sovereign, and regulatory risks exist at the country or regional level for multinational enterprises. Finally, strategic risks exist at the agency, department, division, branch, unit, or corporate level. When managing risks it is important for the organizations concerned to be aware of cumulative effects from one event setting off a chain of events, as well as the impact of one risk treatment method on other areas of risk.

By repeating this process for increasing numbers of tiers of suppliers and customers, organizations can identify the portions of the supply chain that pose the greatest risks to operations. Specific knowledge of an organization and its supply chain, context of operation, and risks is necessary to guide decisions; to this end, the initial risk assessment should look at all tiers without pre-prioritization of individual risks. The level of each risk should be validated.

5.3.2 Internal Context
Understanding the internal environment enables the risk management program to be in sync with the organization's management style, processes, organizational structure, culture, and business strategy. Every organization is unique and each risk management application is a tailor-made process. Examples of factors that should be considered in understanding the internal environment include (but are not limited to):

  • Governance, accountabilities, decision making processes, and organizational structure;
  • Resources and capabilities (human and physical);
  • Cultural characteristics (including differences in education and social interactions and communications);
  • Business model (including evaluation and performance criteria);
  • Policies;
  • Strategic initiatives;
  • Processes and activities;
  • Information systems, information security, and information flow;
  • Internal stakeholders;
  • Organizational culture; and
  • Communication and consultation protocols.

5.3.3 External Context
Understanding the external context, including its supply chain dependencies and interdependencies, should provide the basis for understanding the sources of uncertainty outside of the organization that may influence the achievement of objectives. The external context includes factors that the organization can and cannot directly control or influence, but which are essential for understanding the risk environment (see Figure 2). Examples of factors that should be considered in understanding the external environment include (but are not limited to):

  • Supply chain dependencies and interdependencies (including critical infrastructure);
  • Legal, regulatory and contractual obligations;
  • Economic, social, political and cultural factors;
  • Government and public relationships;
  • Crime statistics;
  • Meteorological and geological factors;
  • Financial and competitive environment;
  • Communication, transportation and logistics factors;
  • Community resources, capacities, and capabilities;
  • Market, brand and reputational factors;
  • Perceptions of risk and values by external stakeholders;
  • Transparency and integrity of external governance institutions;
  • External stakeholders (including the media, interest groups, and first responders); and
  • Communication and consultation protocols and capabilities.

SCRM-Figure2.jpg

5.3.4 Mapping the Supply Chain
The ongoing process of supply chain mapping is an essential decision making tool to ensure an organization identifies risks and how best to prioritize and manage them. Supply chain mapping should emphasize the importance of critical paths and value creation. To achieve desired objectives and outcomes, supply chain value mapping identifies priority processes for the organization. Understanding the value propositions of different tiers of the supply chain will help the organization focus its risk management approach. Supply chain mapping should reflect the overall strategy of the organization in creating value and achieving its objectives. Therefore, the supply chain map should clearly identify supply chain partners, their contributions and value added, the various flow types, and the way the business is organized.

A supply chain map should document, by node, aspects affecting operations such as:

  • Supply chain partners with the highest spending levels or that affect major value flows;
  • Dependencies and interdependencies (including utilities and other critical infrastructure);
  • Single source suppliers;
  • Upstream and downstream partners who support business functions;
  • Logistics, storage, and transportation;
  • Labor suppliers;
  • Contractual and compliance requirements;
  • Image and visibility;
  • Access to highly sensitive internal information; and
  • Partners in high risk businesses and/or locations.

Mapping supply chain processes provides a better understanding of the potential risks that exist as well as of the organizations involved. Figure 3 presents a notional map. Upstream, it starts with raw materials, services, parts, assemblies, and packaging going directly to the organization or via its suppliers. Distribution systems, including trucks, trains, ships, aircraft, and the internet, move items and information from suppliers to their customers' inventory. These same distribution systems may move goods and services to end-user customers. Several factors are common to all these elements and can be the source of risks throughout the supply chain. These include infrastructure such as buildings, equipment and network security, dependencies and interdependencies (e.g., electricity, water, telecommunications, internet, etc.); process functions such as production planning or sales and operational planning; and all persons working on behalf of the organization. Not all of these nodes will have risks for all operations, but all should be considered.

The supply chain mapping process should identify the parties involved and the associated risks in the value chain, including, but not limited to, the following processes:

  • Planning;
  • Procurement;
  • Production;
  • Packing;
  • Storage;
  • Loading/unloading;
  • Transportation;
  • Product and service delivery;
  • Document preparation; and
  • Reverse logistics.

SCRM-Figure3.jpg

Figure 3: Notional Supply-Chain Process Flows

Information flows should also be documented with clear communication channels. Information can flow upstream, downstream, and sideways. In particular, information flows on downstream conditions can help upstream processes provide the correct quantity and quality of materials needed. Sideways flow of information should be accompanied by responsibility to ensure the correctness of the flow of materials. Any abnormalities can be raised to minimize and manage the risks.

Various analytical tools exist for identifying and prioritizing risks in the supply chain. The process of developing a supply chain or value stream map enables a better understanding of the product, material and information flows, value stream metrics, and the interaction of processes. For example, Pareto analysis can help firms identify the proportion of goods and suppliers on which they are most dependent in terms of cost, value creation, production, and failure, and hence the goods and services that can pose the most risk to the supply chain. Pareto analysis is designed for users to identify which small set of practices, functions, suppliers, staff, etc. have the greatest impact. More sophisticated portfolio analysis can help firms identify goods by both their value and the risk of supply continuity and lead firms to focus their SCRM first on strategic or critical goods of high value and high supply continuity risk. These may include scarce or high-value items, major assemblies, or unique parts which may have natural scarcity, few suppliers, and difficult specifications.

Accurate supply chain mapping will improve decision making processes and drive preventive actions that can avoid and mitigate undesirable and potentially disruptive events. This will allow an organization to be more preemptive in managing its supply chain and subsequently gain a competitive advantage.
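The Pareto and portfolio screening described above, worked through on a small supplier list. This is an added illustration, not part of the Standard: the supplier records are constructed, the 80% spend cut-off, the 1..5 continuity-risk scale, and the quadrant names other than "strategic" are assumptions. It shows why spend-based Pareto analysis alone misses a low-spend sole-source supplier, and how the portfolio view puts it back on the treatment list.

```python
"""Pareto and portfolio screening of suppliers (added illustration, not from the Standard)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Supplier:
    name: str
    annual_spend: float   # proxy for dependence in terms of cost
    sole_source: bool     # no qualified alternative supplier
    continuity_risk: int  # 1 (stable) .. 5 (fragile), assumed scale from risk identification


# Constructed sample data with hypothetical supplier names.
SUPPLIERS: List[Supplier] = [
    Supplier("PigmentCo", 180_000, True, 5),     # low spend, but the only source
    Supplier("SteelWorks", 950_000, False, 2),
    Supplier("ChipFab", 640_000, True, 4),
    Supplier("BoxCorp", 40_000, False, 1),
    Supplier("Freightline", 310_000, False, 3),
    Supplier("FastenerHub", 25_000, False, 1),
]


def pareto_set(suppliers: List[Supplier], share: float = 0.8) -> List[str]:
    """Smallest set of suppliers, taken in descending spend order, covering `share` of total spend."""
    total = sum(s.annual_spend for s in suppliers)
    chosen, running = [], 0.0
    for s in sorted(suppliers, key=lambda s: s.annual_spend, reverse=True):
        chosen.append(s.name)
        running += s.annual_spend
        if running / total >= share:
            break
    return chosen


def portfolio(suppliers: List[Supplier], share: float = 0.8,
              risk_threshold: int = 4) -> Dict[str, str]:
    """Classify each supplier by value (in the Pareto set) and supply continuity risk.

    "strategic" (high value, high continuity risk) is the class the Standard says to treat first;
    the other three labels are assumed names for the remaining quadrants.
    """
    high_value = set(pareto_set(suppliers, share))
    classes = {}
    for s in suppliers:
        hv = s.name in high_value
        hr = s.sole_source or s.continuity_risk >= risk_threshold
        if hv and hr:
            classes[s.name] = "strategic"
        elif hr:
            classes[s.name] = "bottleneck"   # cheap but hard to replace
        elif hv:
            classes[s.name] = "leverage"     # expensive but substitutable
        else:
            classes[s.name] = "routine"
    return classes


def treatment_order(suppliers: List[Supplier]) -> List[str]:
    """Suppliers in the order their risks should be worked, by class then by spend."""
    rank = {"strategic": 0, "bottleneck": 1, "leverage": 2, "routine": 3}
    classes = portfolio(suppliers)
    ordered = sorted(suppliers, key=lambda s: (rank[classes[s.name]], -s.annual_spend))
    return [s.name for s in ordered]


if __name__ == "__main__":
    print("Pareto (80% of spend):", pareto_set(SUPPLIERS))
    print("Portfolio classes:", portfolio(SUPPLIERS))
    print("Work risks in this order:", treatment_order(SUPPLIERS))
```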

5.4 Risk Assessment Process

5.4.1 General
Risk assessment is a dynamic process that should take a holistic, end-to-end approach. Using its supply chain map, the organization should also identify risks associated with its Tier 1 supply chain partners, expanding this analysis to additional tiers as necessary to develop a complete picture of the risk profile. Given the dynamic nature of risk, on-going monitoring of the risk criteria, profile, and assessment process is necessary for effective risk management. Also, the tangible and intangible costs of risk and risk treatment should be considered when conducting a risk assessment.

The risk assessment process should distinguish between risks that should be included in the risk management program and those that require treatment. Risks that could potentially prevent the organization from achieving its objectives should be considered. The organization should consider not just risks that are internal to the organization, but also those associated with its supply chain, dependencies and interdependencies. The organization should assess risks that could potentially cause undesirable and/or disruptive events.

5.4.2 Risk Criteria
Setting the risk criteria should be done prior to conducting the risk assessment. The risk criteria establish the organization's approach to and parameters for assessing, accepting, pursuing, retaining, or treating risk. The risk criteria provide the basis for establishing the scope. The definition of the risk criteria will determine how risk is analyzed and evaluated. To prioritize and address risks, organizations need to define risk criteria for determining the method they will use to determine the acceptable level of risk to their operations and supply chain. Risk criteria provide a basis for evaluating the significance of risk within the bounds of the amount of risk the organization is willing to accept.

The risk criteria are set to understand the impact of uncertainty on the organization achieving its objectives. They set the benchmarks for how the organization will measure and evaluate consequences and likelihood. Will the level of risk be described qualitatively or quantitatively? How will the scales be expressed? Risk criteria should also be considered for the perceived and actual level of risk that will be tolerated by supply chain partners. Setting the risk criteria is a dynamic and iterative process and should be revisited and revised to reflect the changing landscape of risk.

By understanding the organization and its context, the organization can set the scope for its SCRM process, document its methodology, and justify its assumptions. Setting the scope is also a dynamic process and should be revisited based on the analyses conducted during the SCRM process.

5.4.3 Risk Appetite
Clearly defining the organization's risk appetite internally and within its supply chain is a keystone of good governance and effective risk management, yet it is one of the more difficult tasks of top management. Risk appetite is the amount and type of risk that an organization is willing to pursue, take, or tolerate. Understanding risk appetite is an indicator of the maturity of the risk management program. Clearly defining the risk appetite sets the boundaries that enable an organization to increase its opportunities by optimizing risk taking and accepting calculated levels of risk within an appropriate level of authority.

When establishing risk appetite, top management should consider strategic, tactical, and operational aspects. An understanding of the culture of the organization is necessary for evaluating both pursuing and tolerating risk. The thoroughness, integrity, and reliability of information should be evaluated when establishing risk appetite. When establishing risk appetite, it is important to understand both the real and perceived risks of internal and external stakeholders in the organization and its supply chain, as well as interested parties perceiving themselves as impacted by the activities of the organization and its supply chain.

5.4.3 Risk Identification
Risk identification should consider the questions of what can happen, when, where, how, and why, as well as possible outcomes. Risk analysis will expand and further define these aspects. The outcome of risk identification is a prioritized list of risks associated with the organization achieving its objectives. Risk identification should be a well-structured process since a risk not identified cannot be analyzed. Risk identification comprises:

  • Criticality analysis – Asset and activity valuation and potential impacts of undesirable and disruptive events ("what", "where," and outcomes);

  • Threat and/or hazard analysis – Anything that has the potential to disrupt the achievement of objectives and the activities and processes that support them ("who/what", "why," and "when"); and

  • Vulnerability analysis – Susceptibility to an event successfully materializing that has the potential to disrupt the achievement of objectives and the activities and processes that support them ("how").

The risk identification process should not only consider negative consequences of a risk event but also the opportunities it may create. Many methods exist for conducting risk identification (e.g., previous risk assessments, exercises and modeling, surveys, historical information analysis, business impact analysis, logic trees/diagrams, brainstorming sessions, checklists, and "worst-case" scenario workshops). Regardless of the method or methods used, risk identification should be comprehensive, documented, and repeatable. It should consider (but not be limited to):

  • Reliability and degree of uncertainty of information;

  • Biases that may influence results (including the effect of assumptions);

  • Root causes and triggers of risk;

  • Broad consultations with internal and external stakeholders;

  • Supply chain relationships, dependencies and interdependencies;

  • Priority business functions and activities and the impact of their loss (including time dependencies);

  • The value of assets to the organization, its supply chain partners, competitors, and adversaries;

  • Single, multiple and compounded weaknesses including overlapping and multiple effects of risks;

  • Likelihood of a risk event occurring as well as causing an undesirable and/or disruptive result; and

  • The interactions between threat, criticality, and vulnerability analysis.

It may be helpful to categorize the risks by type. It is important to remember that risk assessments are dynamic and risk management should include continuous identification and analysis of all risks related to the organization's business.

Table 1 presents examples of risks an organization may wish to consider in its risk identification process. Annex C presents a longer but not exhaustive listing. Note that risks can overlap categories.

Table 1: Examples of Sources of Risk to an Organization and its Supply Chain

SCRM-Table1.jpg

Examples of points to consider in identifying risk include (but are not limited to):

  • Number and location of suppliers. For example, are there suppliers in countries with social unrest, terrorist or drug activity, or high levels of corruption and other crime?

  • Number and origin of shipments. For instance, have increased quantities or values of shipments posed additional risks?

  • Contractual terms defining responsibility for shipping. For example, companies may specify security controls and procedures for their suppliers. (Annex D provides sample contractual terms and conditions for supply-chain security.)

  • Compliance requirements, recall, and reverse logistics. For example, companies may have specific requirements for the handling and packaging of products as well as the return of damaged, expired, and recalled products.

  • Brand and reputation protection. For example, some companies require measures for brand protection related to social responsibility and legal obligations, including environmental, health, and safety issues.

  • Modes of data transfer. For example, information protection and encryption may be required for data files and transmissions.

  • Modes of transport and routes for shipments. For instance, companies may ask their suppliers to follow certified security procedures for ocean-container or truck-trailer shipments.

  • Risks related to logistics providers or partners involved in the supply chain who handle shipments (e.g., packaging companies, warehousing, trucking companies, freight forwarders, and air or ocean carriers). For example, firms may require that logistics providers meet all certification standards of an official supply-chain security program.

Risk identification is a function of local conditions and may vary from facility to facility within the same organization as well as between elements within a supply chain. It is essential to identify the risks associated with the locations of functions and choke points in the supply chain. For example, the administrative headquarters of a supplier may not be the same as the production location. Therefore, the risks may be very different, so the assumption should not be made that identifying the risks at the administrative headquarters will be representative of the risks throughout the supply chain.

The organization should periodically review the status of its risks in a catalogue of risks (e.g., a risk register), incorporating new risks as they develop and revising risk rankings. The catalogue of risks serves as the central repository for all risks identified by the organization and includes (but is not limited to) information on risk criteria, likelihood, consequences, treatments, predictable outcomes, and risk owners. Risk management activities should be documented, tracked, traceable, and non-repudiable.

5.4.4 Risk Analysis
Risk analysis is a process to understand the nature and level of risk in order to determine its significance. The organization takes the information generated during the risk identification process and evaluates it within the context of its operations and the risk criteria. The risk analysis process should estimate the likelihood and consequence of risks facing an organization and accordingly prioritize them for ultimate treatment. To begin, organizations may choose to rank risk events with varying degrees of detail, depending on the risk and on the information, data, and resources available.

As seen in Figure 4, the output from risk identification provides the input to risk analysis.

SCRM-Figure4.jpg

Figure 4: Determining the Level of Risk

Likelihood and consequence can be expressed qualitatively or quantitatively (or by a combination of methods). The decision on which approach works best for an organization is based on the:

  • Availability and reliability of information;

  • Scales and level of detail of the risk identification process;

  • Methods for determining threats and impacts to tangible and intangible assets, as well as tangible and intangible impacts (intangible assets and impacts may not lend themselves to numeric evaluations);

  • Other risk analysis processes and methodologies used by the organization; and

  • Most effective method for communicating the level of risk to decision-makers.

Regardless of the method used to determine the level of risk, care should be taken to assure a consistent approach and to consider the level of confidence, particularly for aggregated data. Units and scales for measuring risk determined during the definition of risk criteria should be used consistently throughout the analysis. The risk analysis method used should meet the needs of the risk evaluation and treatment decision making process.

One method of risk analysis which uses a cause and effect analysis is the bow-tie method (for more information on this and other methods, see ISO 31010:2009). The bow-tie method provides a simple, qualitative approach to help fully understand the characteristics of a risk event. An event can have multiple causes and multiple consequences (the two dimensions of risk) and existing treatments. Risk treatments can be reviewed to understand their effectiveness and efficiency. It enables the evaluation of risk treatment methods to better understand inherent risk (i.e., risk in the absence of any treatment) and residual risk (i.e., the level of risk remaining after treatment). The bow-tie risk analysis method clearly ties treatment actions to each dimension of the risk event. The bow-tie method is a good way of visualizing risk and communicating the effectiveness of the treatment methods in place to manage risks. Figure 5 shows an example of the bow-tie method.

SCRM-Figure5.jpg

Figure 5: Bow-Tie Method for Linking Treatment to Cause and Effect

The bow-tie method can be used to help simplify risk analysis and provide a subjective estimate of the level of risk by allowing the conceptualization of the interaction of causes, treatments, and consequences of a risk. The steps involved in conducting a risk analysis using the bow-tie method are as follows:

  • Based on the risk identification, describe a risk event that may provide an opportunity or result in an undesirable or disruptive event;

  • Determine the foreseeable possible causes of the risk event (left side);

  • Identify the potential consequences of the risk event (right side);

  • Evaluate what preventive and protective measures are in place to modify the likelihood;

  • Evaluate what mitigation, response, and recovery measures are in place to reduce the consequences;

  • Evaluate the effects of multiple layers of protection, as well as cascading and multiple impacts; and

  • Determine the level of risk.
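The bow-tie steps above, carried through for one constructed risk event and then evaluated against a risk criterion as section 5.4.5 describes. This is an added illustration, not part of the Standard: the 5x5 qualitative scale (level = likelihood x consequence), the acceptable level of 6, the rule that each control in place removes a fixed number of scale steps, and the sample event and controls are all assumptions. The model deliberately distinguishes inherent risk (no treatments) from residual risk (treatments actually in place), and shows the what-if of implementing a planned treatment.

```python
"""Bow-tie risk analysis on an assumed 5x5 scale (added illustration, not from the Standard)."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List

ACCEPTABLE_LEVEL = 6  # assumed risk criterion, set before the assessment (section 5.4.2)


@dataclass
class Control:
    name: str
    steps: int            # scale steps removed when the control is in place (assumption)
    in_place: bool = True


@dataclass
class Cause:              # left side of the bow-tie
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain), with no controls
    preventive: List[Control] = field(default_factory=list)


@dataclass
class Consequence:        # right side of the bow-tie
    name: str
    severity: int         # 1 (negligible) .. 5 (catastrophic), with no controls
    mitigating: List[Control] = field(default_factory=list)


@dataclass
class BowTie:
    event: str
    causes: List[Cause]
    consequences: List[Consequence]


def _treated(raw: int, controls: List[Control]) -> int:
    """Scale value after only the controls that are actually in place, clamped to 1..5."""
    return max(1, min(5, raw - sum(c.steps for c in controls if c.in_place)))


def _all_controls(bt: BowTie) -> List[Control]:
    return [c for x in bt.causes for c in x.preventive] + \
           [c for x in bt.consequences for c in x.mitigating]


def inherent_level(bt: BowTie) -> int:
    """Risk in the absence of any treatment: worst cause times worst consequence."""
    return max(c.likelihood for c in bt.causes) * max(k.severity for k in bt.consequences)


def residual_level(bt: BowTie) -> int:
    """Risk remaining after the treatments currently in place, same worst-case combination."""
    likelihood = max(_treated(c.likelihood, c.preventive) for c in bt.causes)
    severity = max(_treated(k.severity, k.mitigating) for k in bt.consequences)
    return likelihood * severity


def evaluate(bt: BowTie, acceptable: int = ACCEPTABLE_LEVEL) -> Dict[str, object]:
    """Risk evaluation: compare residual level with the acceptable level from the risk criteria."""
    residual = residual_level(bt)
    return {
        "event": bt.event,
        "inherent": inherent_level(bt),
        "residual": residual,
        "needs_treatment": residual > acceptable,
        "planned_controls": [c.name for c in _all_controls(bt) if not c.in_place],
    }


def with_control_in_place(bt: BowTie, control_name: str) -> BowTie:
    """What-if copy of the bow-tie with a planned treatment implemented; `bt` is left unchanged."""
    new = copy.deepcopy(bt)
    for c in _all_controls(new):
        if c.name == control_name:
            c.in_place = True
    return new


def sample_bowtie() -> BowTie:
    """Constructed event in the spirit of the sole-source pigment supplier case in 5.3.1."""
    return BowTie(
        event="Sole-source sub-tier pigment supplier stops shipping",
        causes=[
            Cause("Natural disaster at the supplier's only plant", 3,
                  [Control("Qualify a second source", steps=2, in_place=False)]),
            Cause("Supplier insolvency", 2,
                  [Control("Quarterly financial monitoring of critical suppliers", steps=1)]),
        ],
        consequences=[
            Consequence("Assembly line stoppage", 5,
                        [Control("Six weeks of safety stock", steps=2)]),
            Consequence("Contractual penalties from customers", 3,
                        [Control("Force majeure clause in customer contracts", steps=1)]),
        ],
    )


if __name__ == "__main__":
    bt = sample_bowtie()
    print(evaluate(bt))  # residual 9 > 6: additional or alternative treatment needed
    print(evaluate(with_control_in_place(bt, "Qualify a second source")))  # residual 3
```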

5.4.5 Risk Evaluation
Risk evaluation uses the risk criteria and the outputs from the risk identification and risk analysis steps to determine which risks are acceptable with existing risk treatments and which require additional risk treatment. The level of risk determined during risk analysis will indicate the priorities for risk treatment. Evaluating the level of risk before and after treatment, combined with value driver analysis, provides the basis for determining whether the residual risk levels fall within the acceptable level of risk set by the risk criteria. Risk treatment prioritization should also be predicated on an understanding of the risk tolerance. If the level of residual risk is found to be greater than the acceptable level of risk set by the risk criteria, then the organization should consider alternative or additional risk treatments to reduce the level of residual risk. Initial treatment decisions will be driven by tolerance, not merely by addressing residual risk. Risk evaluation considers the costs and benefits of different treatment options. Care should be taken during the risk evaluation stage to make certain that treating one risk does not create another risk.

Risk evaluation considerations include:

  • Objectives of projects and opportunities;
  • Tangible and intangible impacts;
  • Legal, regulatory, and contractual requirements;
  • Tolerability of risks to others;
  • Whether a risk needs treatment;
  • Deciding whether a risk can be tolerated;
  • Whether an activity should be undertaken; and
  • Priorities for treatment.

Acceptable risk levels will be unique to each organization and supply chain. They may vary by project, commodity, product, or service, as well as over time. The organization may have varying levels of risk tolerance for different divisions, subsidiaries, and partners. It may not be practical to eliminate all risk due to costs. It may be desirable to accept risk to gain an opportunity. To achieve a level of risk that is as low as reasonably practical, a typical target of risk evaluation is to determine the most cost-effective treatments.

Examples of reasons an organization may tolerate risk (by informed decision) include:

  • The level of the risk is so low that specific treatment is not appropriate within the constraints of available resources;

  • The risk is such that there is no treatment available. For example, the risk causes may not be within the control of the organization;

  • The cost of treatment, including insurance costs, is so plainly excessive compared to the benefit that toleration is the only option. This applies particularly to lower ranked risks;

  • The opportunities presented outweigh the threats to such a degree that the risk is justified; and

  • Organizations may also decide to accept a risk by informed decision-making or to maximize a business opportunity.

Regardless of the method used to evaluate risk treatment(s) to achieve a level of risk as low as reasonably possible, it is important to understand that this is an iterative process in which the risk manager can pick multiple layers of risk treatment measures, including:

  • Eliminating the risk exposure;
  • Isolating the risk source or potential targets;
  • Technical modifications and substitutions;
  • Administrative and procedural controls;
  • Protective, preventive, and mitigation measures; and
  • Accepting or exploiting risk by informed decision.

During the risk evaluation process, the proposed risk treatment processes should be evaluated to consider the cost-benefit of the measure to reduce risk and whether the risk treatment changes or introduces new risk to the organization and its supply chain. Figure 6 illustrates how the output from the risk identification and analysis steps can be represented by a funnel approach in which intolerable risk must be treated at any reasonable cost. Treatment measures are applied to bring the risk to a level that is as low as reasonably possible, the point where further treatments are disproportionate to the cost/benefit. Risks reach a tolerable level where the risk is within the level of tolerance of the risk criteria. Contingency measures might be considered for risks that remain after treatment.


Figure 6: Risk Evaluation Funnel

One way an organization may wish to assess its risk tolerance is through a risk "frontier" graph, plotting the likelihood of events against their effect (Figure 7). Organizations may find some risks to be of such low likelihood or to have such limited consequence that they do not warrant any further treatment or consideration. For those of greater likelihood or consequence, the organization may wish to reduce the risk through resource management, an extra level of supplies or "safety stock," the development of a risk distribution strategy (e.g., use of multiple sourcing), or other mechanisms of risk avoidance or elimination. Such mechanisms may seek to reduce the likelihood, duration, or consequence of a risk event. Organizations may also decide to accept a risk by informed decision-making to maximize a business opportunity.


Figure 7: Conceptual Risk "Frontier"

Another means of representing the relationship between likelihood and consequences is to use a "heat" map showing risk events on a matrix defining likelihood and consequence levels. This technique allows managers to easily see the relative likelihood and effect of differing risks. To use this method effectively, it is critical to have well-defined and consistently used criteria for the different likelihood and effect levels. Various scales are used by different organizations; the gradations, scaling, and terms used should be based on what is best understood by the users and the decision makers. Figure 8 shows a "heat" map illustrating the concept.


Figure 8: "Heat" Map

The "heat" map shows how firms may wish to prioritize risks by likelihood and upshot.

An instance of an alternative scale would be:

  • For result categories: Low, Moderate, Serious, Astringent, Major, and Extremely Serious; and
  • For likelihood categories: Very Unlikely, Unlikely, Possible, Probable, and Regular.
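As an added illustration that is not part of the ASIS standard or of this page, the Python below scores a constructed risk register on a heat map built from the alternative scale above (each list taken as ordered from lowest to highest), then applies the bow-tie idea from Figure 5 that preventive measures shift likelihood and mitigation measures shift consequence, so that inherent and residual risk can be compared and each entry placed in a band of the Figure 6 funnel. The band thresholds, the cost units, and the register entries are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Ordered scales (lowest -> highest), taken from the page's "alternative scale" example.
LIKELIHOOD = ["Very Unlikely", "Unlikely", "Possible", "Probable", "Regular"]
CONSEQUENCE = ["Low", "Moderate", "Serious", "Severe", "Major", "Extremely Serious"]

@dataclass
class Treatment:
    name: str
    cost: int                   # constructed relative cost units
    likelihood_steps: int = 0   # preventive/protective: levels removed on the bow-tie's left side
    consequence_steps: int = 0  # mitigation/response/recovery: levels removed on the right side
@dataclass
class Risk:
    event: str
    likelihood: str
    consequence: str
    treatments: list = field(default_factory=list)

def cell_score(likelihood: str, consequence: str) -> int:
    """Heat-map cell: product of the 1-based ranks on each axis (1..30 on these scales)."""
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)

def residual_position(risk: Risk) -> tuple:
    """Bow-tie view: treatments shift the event left (likelihood) and down (consequence)."""
    li = LIKELIHOOD.index(risk.likelihood) - sum(t.likelihood_steps for t in risk.treatments)
    ci = CONSEQUENCE.index(risk.consequence) - sum(t.consequence_steps for t in risk.treatments)
    return LIKELIHOOD[max(li, 0)], CONSEQUENCE[max(ci, 0)]

def funnel_band(score: int, tolerable_max: int = 6, intolerable_min: int = 16) -> str:
    """Figure 6 funnel; both thresholds are constructed risk criteria, not the standard's."""
    if score >= intolerable_min:
        return "intolerable"           # must be treated at any reasonable cost
    return "reduce-ALARP" if score > tolerable_max else "tolerable"

def evaluate(risks: list) -> list:
    """Inherent vs residual score per risk, ranked by residual score (treatment priority).
    cost_per_point is treatment cost per heat-map point removed: a crude cost/benefit check."""
    rows = []
    for r in risks:
        inherent = cell_score(r.likelihood, r.consequence)
        residual = cell_score(*residual_position(r))
        cost = sum(t.cost for t in r.treatments)
        rows.append({"event": r.event, "inherent": inherent, "residual": residual,
                     "band": funnel_band(residual), "treatment_cost": cost,
                     "cost_per_point": cost / (inherent - residual) if inherent > residual else None})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)

REGISTER = [  # constructed register entries, illustrative only
    Risk("Sole-source supplier outage", "Probable", "Major",
         [Treatment("Dual sourcing", 40, likelihood_steps=2), Treatment("Safety stock", 15, consequence_steps=1)]),
    Risk("Counterfeit component in lot", "Possible", "Severe", [Treatment("Incoming inspection", 10, likelihood_steps=1)]),
    Risk("Minor packaging delay", "Unlikely", "Low")]
```

Running `evaluate(REGISTER)` shows the supplier outage falling from an intolerable inherent score of 20 to a residual score of 8, where the funnel still asks for further treatment only if it is proportionate to the cost/benefit.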


Source: https://www.asisonline.org/publications--resources/standards--guidelines/scrm/ra-principles-and-process/