In the document Zarządzanie ryzykiem (pages 97-105)

GENERAL ISSUES IN RISK MANAGEMENT

SUMMARY AND CONCLUSIONS

An analysis of the standards recommended by ISO, as well as those adopted by the Polish Committee for Standardization (PKN), shows that the topic of risk management appears in many standards in numerous fields. Before ISO 31000:2009 Risk Management – Principles and Guidelines, ISO Guide 73:2009 Risk Management – Vocabulary and ISO/IEC 31010 Risk Management – Risk Assessment Techniques were adopted, this aspect was addressed in particular by the following standards: ISO 14000 – Environmental impact assessment, ISO/IEC 27001 – Information security management systems, PN-EN ISO 9001:2008 – Enterprise organisation and management, and standards related to the safety of technical devices, i.e. EN ISO 14121-1 and EN ISO 12100:2010. These standards recommended the use of a risk assessment process without, however, specifying detailed procedures covering the entire process.

It should be noted that the relevance of the standards is not only reflected in the thinking of the theorists and practitioners who create and apply them, but has also been confirmed, in particular, by Polish legal regulations. Article 2 of the Standardisation Act (Journal of Laws of 2002 No. 169, item 1386, as amended) defines standards as documents issued by authorised organisational entities which establish, for a given field of activity, principles, guidelines or characteristics based on long-term practice and experience.

The first substantial advantage of applying the standards of the ISO 31000 family is that terminology is harmonised into readable groups of terms and their definitions. The documents make it possible to understand and apply a consistent terminology for risk management, its elements and its processes in every field of activity in which it is present.

Another important matter is the arguably most universal and unified approach of ISO 31000 to risk management processes, which allows its flexible use by any organisation operating in any public or private sector. The standard provides principles, a framework and processes which can be permanently implemented in all areas of an organisation's activity, regardless of the type of risks encountered.

PART I

GENERAL ISSUES IN RISK MANAGEMENT

Publication financed by NCBiR under the project „Zintegrowany system budowy planów zarządzania kryzysowego w oparciu o nowoczesne technologie informatyczne” (Integrated system for building crisis management plans based on modern information technologies), No. DOBR/0016/R/ID2/003

Another significant benefit of implementing the ISO 31000 guidelines, apart from the flexible accommodation to an organisation's current needs mentioned above, is openness to the changes that result from changing conditions and needs.

A careful analysis of the principles described in the standard reveals, in particular, what benefits an organisation can obtain by implementing the system. To a certain extent they answer the question: why should we implement the system, or what do we get in return? The answer to the question of how to implement the system within an organisation effectively and efficiently is clearly indicated by scrutinising the provisions concerning the framework. The description of the processes, in turn, answers the question: how should risk be managed in an organisation?

An important advantage is that the risk management process is defined in a comprehensive and orderly manner. It covers all processes occurring within an organisation. An important aspect of the process is that all the prerequisites for establishing the context are specified at the beginning; with that knowledge a risk can be assessed appropriately, and an organisation which follows these recommendations at this stage can approach the risk management process properly. Depending on the needs, it is recommended to consult and communicate about the risk, and to carry out monitoring and review, as supplementary and supporting tools at all stages. Reliable recording of actions is an inherent component of risk management within an organisation as recommended by ISO 31000; its benefits frequently shape an organisation's future by supporting decision-making and the development and improvement of the organisation's methods and processes.

The current approach to risk assessment relies, above all, on know-how and experience with existing threats. Various risk assessment methods which considerably improve emergency management are also applied.

This part also presents selected risk management methods which positively influence risk management when implemented in decision-making processes.

A planned response to a risk is an outcome of the risk assessment performed.

Under this process, alternative procedures and activities are established which reduce the threats and heighten the potential benefits for the objectives set.

A risk response plan is a key phase of the risk management process, as the methods of responding to favourable and unfavourable events are elaborated in the plan. Whether the success of the entire project increases or decreases is directly influenced by the efficiency of risk response planning for the threatened tasks [148].

The planned reactions must be proportional to the consequences of the occurrence of unfavourable events; they must eliminate (or mitigate) the effects of a given threat in a cost-effective fashion and be carried out in a timely manner.

Several strategies are commonly employed in a risk response planning process.

An emergency plan has to be developed for each of the risks in such a way that the measures taken are as effective as possible.

Numerous methods have been identified for analysing risks and assessing threats; 31 of them are described in ISO/IEC 31010:2009.

These are not all the existing risk assessment methods, but those described in this part allow the reader to learn about diverse approaches to the topic. The methods have been chosen so as to analyse different approaches to risk assessment. They represent the range of risk management techniques, from expert judgement to methods based on building diagrams and logical scenarios of events. It is recommended to use the following methods:

1. SWIFT method – questions such as "what if…?", "if ever…?", "what could happen…?" force us to analyse the majority of potential scenarios, their causes and consequences; the method can be applied broadly;

2. event tree – useful for calculating, modelling and allocating various follow-up scenarios related to the main event; it displays event progression depending on the scenario selected; the method is useful when analysing safety systems and emergency procedures;

3. cause and effect analysis – the method eliminates certain constraints of the event tree and fault tree methods by analysing events evolving over time; it delivers an extensive review of system operation;

[148] http://wartowiedziec.org/index.php/pracownik-samorzadowy/zarzdzanie/16316-jakociowa-i-ilociowa-analiza-ryzyka, accessed: February 2015.


4. scenario analysis – useful for depicting each type of risk, both long-term and short-term;

5. bow tie analysis – easy to understand and transparent in communicating an event;

6. consequence/probability matrix – very legible, with the possibility of applying different scales (4x4, 5x5, 6x6) and weights.
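As an added example (not the book's own code) of two of the techniques listed above: a small event tree in Python whose outcome frequencies are then rated on a consequence/probability matrix with a selectable scale (4x4, 5x5, 6x6) and per-axis weights. The scenario, barrier names, probabilities, the decade-per-band likelihood mapping and the Low/Medium/High thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from math import floor, log10
from typing import Dict, Tuple, Union

# Added example, not the book's code: event tree outcome frequencies rated on
# a consequence/probability matrix. Scenario and thresholds are constructed.
@dataclass
class Barrier:
    """Safeguard that works with probability p_success; each side leads to
    another Barrier or to a named final outcome."""
    name: str
    p_success: float
    success: Union["Barrier", str]
    failure: Union["Barrier", str]

def event_tree_outcomes(initiating_freq: float, root) -> Dict[str, float]:
    """Multiply branch probabilities along each path; outcome -> freq/year."""
    freqs: Dict[str, float] = {}
    def walk(node, freq):
        if isinstance(node, str):                    # leaf: final outcome
            freqs[node] = freqs.get(node, 0.0) + freq
            return
        if not 0.0 <= node.p_success <= 1.0:
            raise ValueError(f"{node.name}: probability outside [0, 1]")
        walk(node.success, freq * node.p_success)
        walk(node.failure, freq * (1.0 - node.p_success))
    walk(root, initiating_freq)
    return freqs

def likelihood_band(freq_per_year: float, scale: int) -> int:
    """Band `scale` = at least once a year, one decade rarer per lower band (assumed)."""
    if freq_per_year <= 0.0:
        return 1
    return max(1, min(scale, scale + floor(log10(freq_per_year))))

def matrix_rating(likelihood: int, consequence: int, scale: int = 5,
                  weights: Tuple[float, float] = (1.0, 1.0)) -> Tuple[float, str]:
    """One cell of an NxN matrix (4x4, 5x5, 6x6 ...): weighted product of the
    two ordinal ratings plus a Low/Medium/High label (assumed thresholds)."""
    if not (1 <= likelihood <= scale and 1 <= consequence <= scale):
        raise ValueError("rating outside the chosen scale")
    score = weights[0] * likelihood * weights[1] * consequence
    top = weights[0] * weights[1] * scale * scale     # highest reachable cell
    level = "High" if score >= 0.6 * top else "Medium" if score >= 0.25 * top else "Low"
    return score, level

def assess(initiating_freq, root, consequences: Dict[str, int],
           scale: int = 5, weights=(1.0, 1.0)) -> Dict[str, dict]:
    """Run the event tree, then place every outcome on the matrix."""
    table = {}
    for outcome, freq in event_tree_outcomes(initiating_freq, root).items():
        lik = likelihood_band(freq, scale)
        score, level = matrix_rating(lik, consequences[outcome], scale, weights)
        table[outcome] = {"freq": freq, "likelihood": lik, "score": score,
                          "consequence": consequences[outcome], "level": level}
    return table

# Constructed scenario: a malicious attachment reaches a mailbox ~20 times/year.
TREE = Barrier("mail filter", 0.9, success="blocked at gateway",
    failure=Barrier("endpoint protection", 0.8, success="blocked on host",
        failure=Barrier("tested backups", 0.7, success="restored, minor outage",
                        failure="data loss")))
CONSEQUENCE = {"blocked at gateway": 1, "blocked on host": 2,
               "restored, minor outage": 3, "data loss": 5}
```

Calling assess(20.0, TREE, CONSEQUENCE) rates the "data loss" path (about 0.12 per year) as High and the gateway block as Low, which is the kind of prioritisation a risk response plan is built on.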

The practical application of risk management standards shows that they are a universal source of knowledge providing proven tools which aid the management of all organisational processes under conditions of uncertainty. By applying them, organisations can more effectively fulfil the mission they were created for, as well as the objectives and tasks relevant to their business or public purposes.

Since the introduction of the elements of risk management in 2009, its importance has been growing continuously. It is thus recommended to use recognised risk management guidelines, which unify the terminology and offer universal principles, a flexible framework, appropriately matched processes, and tools supporting risk assessment and the recording of risk management.


LITERATURE

Books and journal articles

1. Chrószcz B., Analiza i ocena ryzyka zawodowego osób obsługujących systemy maszynowe transportu pionowego w polskich kopalniach węgla kamiennego, doctoral dissertation, AGH, Kraków 2007.

2. Gołębiewski J., Zarządzanie kryzysowe w świetle wymogów bezpieczeństwa, Kraków 2011.

3. Kaszubski R., Romańczuk D. (eds.), Księga dobrych praktyk w zakresie zarządzania ciągłością działania, Związek Banków Polskich, Warszawa 2012.

4. Kotarbiński T., Traktat o dobrej robocie, Ossolineum, Wrocław 1973.

5. Nogalski B., Kultura organizacyjna. Duch organizacji, Oficyna Wydawnicza Ośrodka Postępu Organizacyjnego, Bydgoszcz 1998.

6. Peszko A., Podstawy zarządzania organizacjami, Skrypty uczelniane AGH No. 1485, Wydawnictwa AGH, Kraków 1997.

7. Pilch T., Bauman T., Zasady badań pedagogicznych: strategie ilościowe i jakościowe, Żak, Warszawa 2001.

8. Sikorski Cz., Kultura organizacyjna, C.H. Beck, Warszawa 2002.

9. Słownik terminów z zakresu bezpieczeństwa narodowego, Myśl Wojskowa 6/2002, Bellona, Warszawa 2002.

10. Urbanek P. (ed.), Ekonomia i zarządzanie w teorii i praktyce, WUŁ, Łódź 2011.

11. Wolanin J., Zarys teorii bezpieczeństwa obywateli, DANMAR, Warszawa 2005.

12. Wróblewski D. (scientific ed.), Przegląd wybranych dokumentów normatywnych z zakresu zarządzania kryzysowego i zarządzania ryzykiem wraz z leksykonem, CNBOP-PIB, Józefów 2014.

13. Wróblewski D., Połeć B., Teoria i praktyka zarządzania ryzykiem – normy a regulacje w prawie miejscowym, in: D. Majchrzak (ed.), Zarządzanie kryzysowe w wymiarze lokalnym. Organizacja, procedury, organy i instytucje, AON, Warszawa 2014.


Legal acts

1. Order No. 80 of the Masovian Voivode of 9 February 2011 on establishing the risk management policy at the Masovian Voivodeship Office in Warsaw.

Norms and standards

1. AS/NZS 4360:2004 Risk Management.

2. CAN/CSA-Q850-97 (2009) Risk Management: Guidelines for Decision-makers.

3. ISO 31000:2009 Risk Management – Principles and Guidelines.

4. ISO Guide 73:2009 Risk Management – Vocabulary.

5. ISO/IEC 31010:2009 Risk Management – Risk Assessment Techniques.

6. PKN-ISO Guide 73:2012 Zarządzanie ryzykiem – Terminologia.

7. PN-EN ISO/IEC 17021:2011 Ocena zgodności. Wymagania dla jednostek prowadzących audyty i certyfikację systemów zarządzania.

8. PN-ISO 26000:2012 Wytyczne dotyczące społecznej odpowiedzialności.

9. PN-ISO 31000:2012 Zarządzanie ryzykiem. Zasady i wytyczne.

10. PN-ISO 9000:2006 System zarządzania jakością. Podstawy i terminologia.

11. PN-ISO 9004:2009 Zarządzanie ukierunkowane na trwały sukces organizacji. Podejście wykorzystujące zarządzanie jakością.

12. Risk Management Guidelines Companion to AS/NZS 4360:2004.

Dictionaries, lexicons and encyclopaedias

1. Słownik terminów z zakresu bezpieczeństwa narodowego, AON, Warszawa 2008.

Electronic documents, websites and other sources

1. AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines, Australian Government, August 2010, Fact Sheet [electronic document], http://www.finance.gov.au/sites/default/files/COV_216905_Risk_Management_Fact_Sheet_FA3_23082010_0.pdf [accessed 11 June 2013].


2. Fabbri L., Struckl M., Wood M., Guidance on the Preparation of a Safety Report to Meet the Requirements of Directive 96/82/EC as Amended by Directive 2003/105/EC (Seveso II), European Communities, 2005.

3. http://www.wsjp.pl.

4. http://mfiles.pl.

5. http://wartowiedziec.org.

6. IIF Report: Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, Institute of International Finance, 2009.

7. Knight K. W., The New Standard for Risk Management, paper prepared for the International Conference of the POLRISK Risk Management Association, 8 June 2010, Warszawa.

8. Maas P., Wiedza praktyczna: Zarządzanie poprzez cele, Verlag Dashofer, Warszawa 2004 [electronic document], http://www.dashofer.pl/przyklady/ED-ZPC.pdf [accessed 14 March 2015].

9. Mitkowski P. T., Ocena ilościowa ryzyka: analiza drzewa błędu (konsekwencji), teaching materials, Politechnika Poznańska.

10. Wnioski wypływające z kryzysu finansowego z perspektywy nadzorczej, presentation from the meeting of the heads of banks operating in Poland with the management of UKNF (Warszawa, 25 February 2011) [electronic document], http://www.knf.gov.pl/Images/Wnioski_wyplywajace_z_kryzysu_tcm75-25681.pdf [accessed 9 June 2013].
