For risk management to be implemented effectively, the company applies the following risk management principles:
1. Adds value in achieving the company's goals and objectives.
2. Is an integral part of all of the company's business processes.
3. Is part of decision making.
4. Explicitly addresses the uncertainty that threatens the achievement of the company's objectives.
5. Takes a systematic, structured, and timely approach.
6. Is based on the best available information.
7. Is tailored to the company's internal and external conditions.
8. Takes human and cultural factors into account.
9. Is transparent and inclusive.
10. Is dynamic, iterative, and responsive to change.
11. Facilitates the company's continual improvement and enhancement.



2.1 Risk
According to ISO 31000, risk is the “effect of uncertainty on objectives”, and an effect is a positive or negative deviation from what is expected. So, risk is the chance that there will be a positive or negative deviation from the objective you expect to achieve.

ISO 31000 recognizes that organizations operate in an uncertain world. Whenever you try to achieve an objective, there’s always the chance that things will not go according to plan. There’s always the chance that you will not achieve what you expect to achieve. Every step you take to achieve an objective involves uncertainty. Every step has an element of risk that needs to be managed. According to ISO 31000, you can reduce your uncertainty and manage your risk, by using a systematic approach to risk management.

Uncertainty (or lack of certainty) is a state of being that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever your knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete. So, you can reduce your uncertainty by getting better information and improving your knowledge and understanding.

2.2 Risk management
Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives. According to the Introduction to ISO 31000, the term risk management also refers to the architecture that is used to manage risk. This architecture includes risk management principles, a risk management framework, and a risk management process.

2.3 Risk management framework
According to ISO 31000, a risk management framework is a set of components that support and sustain risk management throughout an organization. There are two types of components: foundations and organizational arrangements. Foundations include your risk management policy, objectives, mandate, and commitment, and organizational arrangements include the plans, relationships, accountabilities, resources, processes, and activities you use to manage your organization’s risk.

2.4 Risk management policy
A policy statement defines a general commitment, direction, or intention. A risk management policy statement expresses an organization’s commitment to risk management and clarifies its general direction or intention.

2.5 Risk attitude
An organization’s risk attitude defines its general approach to risk. An organization’s risk attitude (and its risk criteria) influence how risks are assessed and addressed. An organization’s attitude towards risk influences whether or not risks are taken, tolerated, retained, shared, reduced, or avoided, and whether or not risk treatments are implemented or postponed.

2.6 Risk management plan
An organization’s risk management plan describes how it intends to manage risk. It describes the management components, the approach, and the resources that will be used to manage risk. Typical management components include procedures, practices, responsibilities, and activities (including their sequence and timing).
Risk management plans can be applied to products, processes, and projects, or to an entire organization or to any part of it.

2.7 Risk owner
A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so.

2.8 Risk management process
According to ISO 31000, a risk management process is one that systematically applies management policies, procedures, and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyze, evaluate, treat, monitor, and review risk.

2.9 Establishing the context
To establish the context means to define the external and internal parameters that organizations must consider when they manage risk. An organization’s external context includes its external stakeholders, its local, national, and international environment, as well as any external factors that influence its objectives. An organization’s internal context includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards. ISO 31000 expects you to consider your organization’s context when you define the scope of its risk management program, when you formulate its risk management policy, and when you establish its risk criteria.

2.10 External context
An organization’s external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its external stakeholders, its local, national, and international environment, as well as key drivers and trends that influence its objectives. It includes stakeholder values, perceptions, and relationships, as well as its social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environment.

2.11 Internal context
An organization’s internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards.

Governance includes the organization’s structure, policies, objectives, roles, accountabilities, and decision making process, and capabilities include its knowledge and human, technological, capital, and systemic resources.

2.12 Communication and consultation
Communication and consultation is a dialogue between an organization and its stakeholders. This dialogue is both continual and iterative. It is a two-way process that involves both sharing and receiving information about the management of risk. However, this is not joint decision making. Once communication and consultation is finished, decisions are made and directions are established by the organization, not by stakeholders. 

Discussions could be about the existence of risks, their nature, form, likelihood, and significance, as well as whether or not risks are acceptable or should be treated, and what treatment options should be considered.

2.13 Stakeholder
A stakeholder is a person or an organization that can affect or be affected by a decision or an activity. Stakeholders also include those who have the perception that a decision or an activity can affect them. ISO 31000 distinguishes between external and internal stakeholders.

2.14 Risk assessment
Risk assessment is a process that is, in turn, made up of three processes: risk identification, risk analysis, and risk evaluation.

Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives.

Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.

Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

2.15 Risk identification
Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization’s objectives. It is used to identify possible sources of risk in addition to the events and circumstances that could affect the achievement of objectives. It also includes the identification of possible causes and potential consequences.

You can use historical data, theoretical analysis, informed opinions, expert advice, and stakeholder input to identify your organization’s risks.

2.16 Risk source
A risk source has the intrinsic potential to give rise to risk. A risk source is where a risk originates. It’s where it comes from. Potential sources of risk include at least the following: commercial relationships and obligations, legal expectations and liabilities, economic shifts and circumstances, technological innovations and upheavals, political changes and trends, natural events and forces, human frailties and tendencies, and management shortcomings and excesses. All of these elements could potentially generate a risk that must be managed.

2.17 Event
An event could be one occurrence, several occurrences, or even a nonoccurrence (when something doesn’t happen that was supposed to happen). It can also be a change in circumstances. Events always have causes and usually have consequences. Events without consequences are often referred to as near-misses, near-hits, close-calls, or incidents.

2.18 Consequence
A consequence is the outcome of an event and has an effect on objectives. A single event can generate a range of consequences which can have both positive and negative effects on objectives. Initial consequences can also escalate through knock-on effects.

2.19 Likelihood
Likelihood is the chance that something might happen. Likelihood can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).

2.20 Risk profile
A risk profile is a written description of a set of risks. A risk profile can include the risks that the entire organization must manage or only those that a particular function or part of the organization must address.

2.21 Risk analysis
Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist. How detailed your risk analysis ought to be will depend upon the risk, the purpose of the analysis, the information you have, and the resources available.

2.22 Risk criteria
Risk criteria are terms of reference and are used to evaluate the significance or importance of your organization’s risks. They are used to determine whether a specified level of risk is acceptable or tolerable.

Risk criteria should reflect your organization’s values, policies, and objectives, should be based on its external and internal context, should consider the views of stakeholders, and should be derived from standards, laws, policies, and other requirements.

2.23 Level of risk
The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A level of risk can be assigned to a single risk or to a combination of risks.

A consequence is the outcome of an event and has an effect on objectives. Likelihood is the chance that something might happen.

2.24 Risk evaluation
Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

2.25 Risk treatment
Risk treatment is a risk modification process. It involves selecting and implementing one or more treatment options. Once a treatment has been implemented, it becomes a control or it modifies existing controls. You have many treatment options. You can avoid the risk, you can reduce the risk, you can remove the source of the risk, you can modify the consequences, you can change the probabilities, you can share the risk with others, you can simply retain the risk, or you can even increase the risk in order to pursue an opportunity.

2.26 Control
A control is any measure or action that modifies risk. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk. Risk treatments become controls, or modify existing controls, once they have been implemented.

2.27 Residual risk
Residual risk is the risk left over after you’ve implemented a risk treatment option. It’s the risk remaining after you’ve reduced the risk, removed the source of the risk, modified the consequences, changed the probabilities, transferred the risk, or retained the risk.
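As an added worked example (not part of the original text or of ISO 31000), the following Python scores a constructed risk register entry (2.23), evaluates it against risk criteria (2.22, 2.24), and recomputes the level after a treatment (2.25), which gives the residual risk (2.27). The 5x5 ordinal scales, the acceptable/tolerable thresholds, and the sample risk are all assumptions for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Ordinal scales, assumed for this example (ISO 31000 does not prescribe scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str          # the accountable risk owner (2.7)
    likelihood: str
    consequence: str


def level_of_risk(risk: Risk) -> int:
    """Magnitude of a risk: likelihood combined with consequence (2.23)."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def evaluate(risk: Risk, tolerable: int = 6, acceptable: int = 3) -> str:
    """Compare the analysed level with the risk criteria (2.22, 2.24).
    The thresholds are assumed values standing in for an organization's criteria."""
    level = level_of_risk(risk)
    if level <= acceptable:
        return "acceptable"
    if level <= tolerable:
        return "tolerable"
    return "treat"


def treat(risk: Risk, likelihood: Optional[str] = None, consequence: Optional[str] = None) -> Risk:
    """Apply a treatment that changes the probability and/or modifies the consequences (2.25).
    The returned Risk describes the residual risk (2.27)."""
    return replace(risk, likelihood=likelihood or risk.likelihood,
                   consequence=consequence or risk.consequence)


# Constructed register entry, not taken from the original text.
UNPATCHED_SERVER = Risk("unpatched internet-facing server", "IT operations", "likely", "major")


def worked_example() -> tuple:
    inherent = level_of_risk(UNPATCHED_SERVER)      # 4 * 4 = 16
    decision = evaluate(UNPATCHED_SERVER)            # above the tolerable threshold
    # Treatment: a patching cadence lowers likelihood; segmentation limits consequence.
    residual = treat(UNPATCHED_SERVER, likelihood="unlikely", consequence="moderate")
    return inherent, decision, level_of_risk(residual), evaluate(residual)


if __name__ == "__main__":
    print(worked_example())  # (16, 'treat', 6, 'tolerable')
```

The residual level of 6 sits exactly at the assumed tolerable threshold, which is the kind of boundary case a risk owner should record explicitly rather than treat as settled.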

2.28 Monitoring
To monitor means to supervise and to continually check and critically observe. It means to determine the current status and to assess whether or not required or expected performance levels are actually being achieved.

2.29 Review
A review is an activity. Review activities are carried out in order to determine whether something is a suitable, adequate, and effective way of achieving established objectives.

In general, ISO 31000 expects you to review your risk management framework and your risk management process. It specifically expects you to review your risk management policy and plans as well as your risks, risk criteria, risk treatments, controls, residual risks, and risk assessment process.

