Comparative Analysis: ISO 31000:2018 vs. PMI Risk Standard

1. Introduction

Risk management is essential for any organization because it allows threats and opportunities that could affect the achievement of objectives to be anticipated, identified, and responded to. In an increasingly complex and dynamic business environment, where economic volatility, regulatory changes, technological advances, and unexpected events can arise at any time, the ability to manage risks proactively becomes a key differentiator. Risk management protects the organization from potential losses and allows it to capitalize on opportunities, improve decision-making, and ensure operational continuity. Without adequate risk management, organizations are exposed to greater uncertainty and vulnerability, which can compromise their long-term sustainability and success. Although the Project Management Institute (PMI) has systematically developed a risk management process that the industry recognizes as one of the most widely accepted approaches, it is not the only one. For this reason, I wanted to compare it with another industry benchmark for risk, ISO 31000:2018. This comparison gives a better understanding of the strengths of each standard and of how they can complement each other for more effective risk management.

2. General Approach and Structure

  • PMI (PMBOK - Risk Management):

  • Designed for risk management in projects, programs, and portfolios, the PMI standard is integrated within the Project Management Body of Knowledge (PMBOK® Guide), The Standard for Portfolio Management, and The Standard for Program Management.
  • It follows a sequential and detailed approach, organizing risk management into clear and specific processes, including risk identification, analysis, response, and monitoring.
  • It is based on best practices and experience from its application across different industries globally.
  • It is flexible and easily adaptable to circumstances, size, and environment.
  • It is based on “Value Delivery” and alignment with the organization's strategic objectives.

  • ISO 31000:2018:

  • It provides generic guidelines at the organizational level, applicable to any type of entity and in any context, which makes it less directly applicable to day-to-day operations. Its focus is conceptual and theoretical.
  • It also follows a sequential approach, but without a defined reference framework for how it is applied.

3. Similarities

  • The two standards do not conflict. While PMI offers a more specific and descriptive approach, ISO 31000 provides a broader and more general framework.
  • In their essence and conception, both are very similar and establish common ground.
  • The PMI Risk Management Standard for Portfolios, Programs, and Projects can be used for the entire organization, since portfolios and programs encompass both projects and operations, which makes it adaptable to the organizational reality.
  • Likewise, organizations can use both standards together, as they do not conflict, with the PMI standard supplying the specific and practical guidance that the generic framework lacks.

4. Objectives and Scope

  • PMI:

  • It focuses on managing risks that directly affect the achievement of project, program, and portfolio objectives and, therefore, the organization's strategic objectives.

  • ISO 31000:2018:

  • It seeks to integrate risk management at all levels of the organization, aligning it with governance and strategy.

5. Risk Management Processes

  • PMI:

  • It defines detailed and specific processes based on best practices, including tools and techniques for each phase of the risk management process.
  • It is adaptive, to some extent, in that the processes and tools can be tailored to each organization's specific circumstances.
  • It proposes the following risk management process, which forms a continuous cycle repeated throughout the project's life cycle so that risks are managed proactively and the project's success is secured:

a) Plan Risk Management

  • Description: This process involves defining how project risk management activities will be conducted. Methodologies, roles and responsibilities, schedule, budget, and risk categories are established.
  • Key outputs: Risk management plan.

b) Identify Risks

  • Description: It focuses on identifying risks that could affect the project, both positive and negative. It involves gathering information about potential risks and documenting their characteristics.
  • Key outputs: Risk register, risk report, updates to the project management plan.

c) Perform Qualitative Risk Analysis

  • Description: This process prioritizes identified risks for further analysis or action by evaluating the probability of occurrence and impact on project objectives. It helps identify which risks require immediate attention.
  • Key outputs: Updates to the risk register, evaluation of urgency, and risk categorization.

d) Perform Quantitative Risk Analysis

  • Description: Risks are numerically quantified, and their effect on project objectives is analyzed. This typically includes techniques such as simulations, sensitivity analysis, and probabilistic models.
  • Key outputs: Updates to the risk register, data on probability, and quantitative impact.

e) Plan Risk Responses

  • Description: Options and actions are developed to enhance opportunities and reduce threats to project objectives. This process includes strategies for negative risks (mitigation, avoidance, transfer, acceptance) and positive risks (exploitation, enhancement, sharing, acceptance).
  • Key outputs: Risk response plan, updates to the project management plan.

f) Implement Risk Responses

  • Description: The agreed responses to identified risks are executed in this process. It is essential to ensure that planned responses are implemented as intended.
  • Key outputs: Updates to the project management plan; lessons learned are recorded.

g) Monitor Risks

  • Description: This process involves continuous risk monitoring, implementing response plans, tracking residual risks, and identifying new risks. It ensures the risk management process is effective throughout the project's life cycle.
  • Key outputs: Updates to the risk register, performance reports, and lessons learned.

  • ISO 31000:2018:

The ISO 31000:2018 standard also provides a structured approach to risk management that is applicable to any organization. Unlike PMI, which offers a more detailed and specific approach, ISO 31000 focuses on principles and a general framework. The key steps of the risk management process according to ISO 31000 are described below:

a) Establish the Context

  • Description: This step involves defining the internal and external environment in which the organization operates, including objectives, strategies, and risk criteria. It is crucial to ensure that risks are identified and managed in the appropriate context.
  • Key activities:
    • Define organizational objectives.
    • Identify stakeholders and their interests.
    • Determine risk criteria (how risks will be evaluated).

b) Risk Identification

  • Description: It focuses on identifying risks that could affect the achievement of organizational objectives. This step includes the identification of both negative risks and opportunities (positive risks).
  • Key activities:
    • Identify sources of risk, events, and their potential causes and consequences.
    • Create a comprehensive list of relevant risks.

c) Risk Analysis

  • Description: This step involves understanding the nature of the risks and their characteristics, including the probability and consequences of their occurrence. It helps develop a basis for evaluating and managing risks.
  • Key activities:
    • Evaluate the probability of occurrence and impact of risks.
    • Consider the effectiveness of existing controls.

d) Risk Evaluation

  • Description: The risk analysis results are compared with the established risk criteria to determine which risks require additional treatment. This helps prioritize risks.
  • Key activities:
    • Classify risks by priority level.
    • Decide on the need to treat certain risks.

e) Risk Treatment

  • Description: It involves selecting and implementing options to address risks. This may include avoiding, mitigating, transferring, or accepting the risk, as well as exploiting, enhancing, sharing, or accepting opportunities.
  • Key activities:
    • Develop and implement risk treatment plans.
    • Assign responsibilities for managing risks.

f) Monitoring and Review

  • Description: This step involves continuous monitoring of risks, the effectiveness of controls, and the progress of risk treatment plans. It is an ongoing process that ensures the relevance and effectiveness of the risk management process.
  • Key activities:
    • Review the effectiveness of risk treatment.
    • Monitor changes in the context and emerging risks.

g) Communication and Consultation

  • Description: This is a cross-cutting process that occurs at all stages of risk management. It involves communication and consultation with internal and external stakeholders to ensure everyone understands the risks and related decisions.
  • Key activities:
    • Establish effective communication mechanisms.
    • Consult with stakeholders on risks and risk treatment.

6. Practical Application

  • PMI:

  • Its specificity makes it especially useful for managing risks in projects, programs, and portfolios, where a detailed and methodical approach is required, although it can also be applied at the organizational and corporate levels through programs and portfolios.
  • The tools and techniques listed below, by phase, are fundamental for effective risk management according to the PMI standard, and each can be adapted and applied according to the specific needs of the project, program, portfolio, or organization.

a) Plan Risk Management

  • Meeting Analysis Techniques
  • Documentation Analysis Techniques
  • Expert Judgment
  • Interview Techniques
  • Analysis Techniques for Enterprise Environmental Factors and Organizational Process Assets

b) Risk Identification

  • Brainstorming Techniques
  • Checklists
  • Interviews
  • SWOT Analysis
  • Root Cause Analysis Techniques
  • Diagramming Techniques (e.g., Flow Diagrams)
  • Assumptions Analysis
  • Historical Data Analysis
  • Ishikawa Diagram (Fishbone Diagram)
  • Expert Judgment
  • Delphi Techniques

c) Perform Qualitative Risk Analysis

  • Probability and Impact Evaluation
  • Probability and Impact Matrices
  • Risk Type Evaluation (Individual Risks vs. Overall Project Risk)
  • Urgency Evaluation
  • Risk Classification Techniques (RBS - Risk Breakdown Structure)
  • Interviews and Expert Judgment
  • Diagramming Techniques (e.g., Influence Diagrams)

d) Perform Quantitative Risk Analysis

  • Monte Carlo Analysis
  • Simulation Techniques
  • Decision Tree Analysis
  • Sensitivity Analysis (e.g., Tornado Diagrams)
  • Probability Distributions (Probability Curves)
  • Event-Based Decision Models
  • Expected Monetary Value (EMV) Techniques
  • PERT Network Models
  • Expert Judgment

e) Plan Risk Responses

  • Strategies for Negative Risks (Mitigation, Avoidance, Transfer, Acceptance)
  • Strategies for Positive Risks (Exploitation, Enhancement, Sharing, Acceptance)
  • Cost-Benefit Analysis
  • Contingency Evaluation Techniques
  • Decision Analysis and Decision Trees

f) Implement Risk Responses

  • Expert Judgment
  • Risk Review Meetings
  • Execution of Risk Response Plans
  • Use of Contingency Reserves

g) Monitor Risks

  • Project Performance Analysis
  • Risk Audits
  • Risk Reviews
  • Variance and Trend Analysis Techniques
  • Prioritization Techniques
  • Lessons Learned Register
  • Reserve Analysis

  • ISO 31000:2018:

  • It does not propose specific techniques.
  • It is complemented by ISO/IEC 31010 (risk assessment techniques).

Conclusion

The PMI standard and ISO 31000:2018 share a common foundation, although they take different approaches to risk management. ISO 31000:2018 offers a general framework, and its practical applicability may be limited by its more conceptual and broad approach. The PMI standard, on the other hand, provides a more specific and practical approach that is particularly effective for managing risks within projects, programs, and portfolios. It is important to note that, since portfolios and programs also encompass operations, the PMI risk process can be implemented throughout the organization. This standard, centered on value delivery and strategic alignment, is especially suitable for adoption as an integrated system across the organization, offering practical and effective solutions rather than mere abstract knowledge.

More articles by Alfonso Kaiser