Comparative Analysis: ISO 31000:2018 v/s PMI Risk Standard
Alfonso Kaiser
Certified Program and Portfolio Manager | Expert in Strategic Planning and Risk Management | More than 28 years of global leadership | MBA, MSc, Naval Engineer, PfMP, PgMP, PMP, PMI-RMP
1. Introduction
Risk management is essential for any organization because it allows the organization to anticipate, identify, and respond to threats and opportunities that could affect the achievement of objectives. In an increasingly complex and dynamic business environment, where factors such as economic volatility, regulatory changes, technological advances, and unexpected events can arise at any time, the ability to proactively manage risks becomes a key differentiator. Risk management protects the organization from potential losses and allows it to capitalize on opportunities, improve decision-making, and ensure operational continuity. Without adequate risk management, organizations are exposed to greater uncertainty and vulnerability, which can compromise their long-term sustainability and success. Although the Project Management Institute has systematically developed a risk management process that is recognized in the industry as one of the most accepted approaches, it is not the only one. For this reason, I wanted to compare it with another industry benchmark on risk, ISO 31000:2018. This comparison allows for a better understanding of the strengths of each standard and how they can complement each other for more effective risk management.
2. General Approach and Structure
3. Similarities
4. Objectives and Scope
5. Risk Management Processes
a) Plan Risk Management
b) Identify Risks
c) Perform Qualitative Risk Analysis
d) Perform Quantitative Risk Analysis
e) Plan Risk Responses
f) Implement Risk Responses
g) Monitor Risks
The ISO 31000:2018 standard also provides a structured approach to risk management applicable to any organization. Unlike PMI, which offers a more detailed and specific approach, ISO 31000 focuses on principles and a general framework. The key steps of the risk management process according to ISO 31000 are described below:
a) Establish the Context
  - Define organizational objectives.
  - Identify stakeholders and their interests.
  - Determine risk criteria (how risks will be evaluated).
b) Risk Identification
  - Identify sources of risk, events, and their potential causes and consequences.
  - Create a comprehensive list of relevant risks.
c) Risk Analysis
  - Evaluate the probability of occurrence and impact of risks.
  - Consider the effectiveness of existing controls.
d) Risk Evaluation
  - Classify risks by priority level.
  - Decide on the need to treat certain risks.
e) Risk Treatment
  - Develop and implement risk treatment plans.
  - Assign responsibilities for managing risks.
f) Monitoring and Review
  - Review the effectiveness of risk treatment.
  - Monitor changes in the context and emerging risks.
g) Communication and Consultation
  - Establish effective communication mechanisms.
  - Consult with stakeholders on risks and risk treatment.
6. Practical Application
- Its specificity makes it especially useful for managing risks in projects, programs, and portfolios, where a detailed and methodological approach is required, although it can also be applied at the organizational and corporate levels in Programs and Portfolios.
- These tools and techniques are fundamental for effective risk management according to the PMI standard, and each can be adapted and applied according to the specific needs of the project, program, portfolio, or organization. Tools proposed by phase:
a) Plan Risk Management
  - Meeting Analysis Techniques
  - Documentation Analysis Techniques
  - Expert Judgment
  - Interview Techniques
  - Analysis Techniques of Environmental Factors and Organizational Process Assets
b) Risk Identification
  - Brainstorming Techniques
  - Checklists
  - Interviews
  - SWOT Analysis
  - Root Cause Analysis Techniques
  - Diagramming Techniques (e.g., Flow Diagrams)
  - Assumptions Analysis
  - Historical Data Analysis
  - Ishikawa Diagram (Fishbone Diagram)
  - Expert Judgment
  - Delphi Techniques
c) Perform Qualitative Risk Analysis
  - Probability and Impact Evaluation
  - Probability and Impact Matrices
  - Risk Type Evaluation (Individual Risks vs. General Project Risks)
  - Urgency Evaluation
  - Risk Classification Techniques (RBS - Risk Breakdown Structure)
  - Interviews and Expert Judgment
  - Diagramming Techniques (e.g., Influence Diagrams)
d) Perform Quantitative Risk Analysis
  - Monte Carlo Analysis
  - Simulation Techniques
  - Decision Tree Analysis
  - Sensitivity Analysis (e.g., Tornado Diagrams)
  - Probability Distribution (Probability Curves)
  - Event-Based Decision Models
  - Expected Monetary Value (EMV) Techniques
  - PERT Network Models
  - Expert Judgment
e) Plan Risk Responses
  - Strategies for Negative Risks (Mitigation, Avoidance, Transfer, Acceptance)
  - Strategies for Positive Risks (Exploitation, Enhancement, Sharing, Acceptance)
  - Cost-Benefit Analysis
  - Contingency Evaluation Techniques
  - Decision Analysis and Decision Trees
f) Implement Risk Responses
  - Expert Judgment
  - Risk Review Meetings
  - Execution of Risk Response Plans
  - Use of Contingency Reserves
g) Monitor Risks
  - Project Performance Analysis
  - Risk Audits
  - Risk Reviews
  - Variation and Trend Analysis Techniques
  - Prioritization Techniques
  - Lessons Learned Register
  - Reserve Analysis
- It does not propose specific techniques.
- It is complemented by ISO 31.010.
Conclusion
The PMI standard and ISO 31000:2018 share a common foundation, although they take different approaches to risk management. ISO 31000:2018 offers a general framework, and its practical applicability may be limited by its more conceptual and broad approach. The PMI standard, on the other hand, provides a more specific and practical approach that is particularly effective in managing risks within projects, programs, and portfolios. It is important to note that since portfolios and programs also encompass operations, the PMI risk standard can be implemented throughout the organization. This standard, centered on value delivery and strategic alignment, is especially suitable for adoption as an integrated system throughout the organization, offering practical and effective solutions rather than mere abstract knowledge.