The earlier post in this series compared and contrasted some of the general principles of the standard.
This post will address the framework section of the standard.
As shown in the previous post, the standard takes a similar approach to ISO 31000: the model is composed of Principles, Framework and Process.
The standard presents the framework as the means to “provide the foundations, structures and capabilities to enable the risk management process to be applied and ensure its consistent application.” (p18)
In principle I do not see much difference between this framework and the Deming Cycle (Plan, Do, Check, Act), which provides the basic management systems model for many standards, including BS 25999 and the BCI's Good Practice Guide.
The Design (or Plan) step includes:
- establishing the internal and external context of the organisation,
- taking into account the culture of the organisation,
- establishing the policy,
- setting accountability for the work,
- allocation of resources,
- communication and reporting.
None of this is very different from what is covered in the Policy and Programme Management area of the BCI GPG.
Implementation (or Do) includes integrating the framework across the entity and implementing the Process itself.
Monitor and Review of the framework (Check) and Continual Improvement (Act) are fairly self-explanatory and are what you would expect from these management systems approaches.
The graphic below illustrates the same Framework model, taken from ISO 31000.
Finally, the same framework, this time taken from BS 25999-2.
No heresy and nothing revolutionary in this part.
What do you think about the standard so far?