Much as we like Excel, much of our recent risk management activity has been focused on getting rid of spreadsheets, and the use of SharePoint as an alternative risk register format.
Otherwise, the challenge recently has come from the expansion of risk management beyond enterprise risks and towards commercial and project risks.
There is of course nothing new about risk management at the project and contract level, but where there is a high turnover of low-value risks, it requires an efficient and effective management approach.
A benefit of ISO 31000:2009 is that it can be applied within existing management systems to formalise and improve risk management processes, avoiding wholesale substitution.
The scope of the ISO 3100 approach to risk management is to align all strategic, management and operational tasks of an organization throughout projects, functions, and processes within a common set of risk management objectives
Different views of enterprise risk
Even in enterprise risk, we have experienced similar stresses when combining alternative perspectives. Take, for example, the difference in perception of probability between capital plant items (often still of great interest when less than 1%) and management risks (where 1% risk is likely to mean ‘fully mitigated’).
Our experience in reaching for a common treatment of these different types of risk suggests that knowing who and when the risk was recorded is quite as relevant as the technical assessment, and hence our move towards a system which ‘excels’ at recording field-level changes through a combination of version control and approval mechanisms.