Once the overall framework/standard is agreed upon and signed off by the key stakeholders, it is time to assess the effect of uncertainty on strategic objectives. It is very important to get executives to physically sign off and take some responsibility for the agreement that ISO 31000:2018 will become the baseline for risk management within the organization.
STEP 1 – STRATEGIC OBJECTIVES DECOMPOSITION
Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down objectives, it is important to follow the McKinsey MECE principle (ME – Mutually Exclusive, CE – Collectively Exhaustive) to avoid unnecessary duplication and overlap. Most of the time, strategic objectives have already been broken down into more tactical KPIs and targets by the strategy department or HR, which saves the risk manager a lot of time.
This step is critical: it makes sure risk managers understand the business logic behind each objective, and it helps make the risk analysis more focused.