Vocabulary for ‘risk management process’ (supplement for risk specialists)

What to read first: Discrete risk management processes within an enterprise (supplement for risk specialists)

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

Clear Lines on Audit and Risk uses the term ‘discrete risk management process’ to refer to an identifiable application of risk management that has a defined context and scope. A discrete risk management process would typically have its own risk register. It may also have its own risk criteria.

  • This usage of ‘risk management process’ appears in ISO 31000, for instance at 5.3.1. It is not exactly the same as the definition of ‘risk management process’ given in ISO Guide 73:2009 3.1, which suggests (though not clearly) that a ‘process’ is something generalizable across varying risk management exercises. Within an organisation, a ‘process’ may be prescribed by a set of rules, for repeated application to different risk assessments. That would be the other meaning of ‘process’.
  • A ‘discrete risk management process’ is very close to, but not identical with, the concept of a ‘risk management activity’ in HB 436. HB 436 (at 5.3.4.1) is talking about a breakdown within ‘a’ risk management activity, whereas Clear Lines is talking about discrete and independent areas of risk management within an organisation (on any scale).
  • If we are talking about an ‘application of risk management’ we are necessarily assuming some level of formality in the process and some use of theory specific to ‘risk management’. The real-world choices for responding to the effects of uncertainty are not necessarily made through the ‘application of risk management’ in this narrower sense.

Next article for Risk Specialists

COSO and ISO 31000 on discrete risk management processes

COSO ERM and ISO 31000 do not recognise discrete risk management processes within an enterprise.


Drill-down articles

Discrete risk management processes within an enterprise (CRMA)

The CRMA Study Guide does not recognise the possibility of discrete risk management processes within a single enterprise.

For CRMA candidates (IIA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.

Discrete risk management processes within an enterprise (CRISC)

The CRISC Review Manual does not discuss the possibility of discrete risk management processes within a single enterprise. There is implicit support for a discrete risk management process for ICT, which may be independent of enterprise or business risk management.

For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.

Parent articles

Discrete risk management processes within an enterprise (supplement for risk specialists)


Index to the topic Discrete risk management processes within an enterprise
