Thanks for your attention to my lengthy query.
Our organization has been practicing the below Risk Management:
1) Enterprise Risk Management -ERM (ISO31000) for the entire organisation
2) ISO22301 BCM Risk Assessment for entire organisation
3) ISO27001 Risk Assessment for the ICT Service Delivery department only
4) ISO9001 Risk Management for a Call Centre
These Risk Management practices, each with a different aspect, have caused confusion in the organization; staff are asking "why so many risk assessments?", and they have also caused overhead in handling these practices.
I observe the below:
1) A lot of overlapping risk assessment, as some risks that are taken care of at the ERM level have to be reassessed again under the other ISO aspects.
2) A different perspective in each Risk Assessment; e.g. ISO27001 looks at CIA with a focus on critical assets, ISO22301 at critical business functions or processes from a continuity aspect, ISO9001 at the service quality aspect, whereas ERM looks at the political, financial, competition, environmental, etc. aspects.
3) The scope of each Risk Assessment varies from the enterprise level to a specific core function level.
We recognise this as a strength but also a weakness, and plan to initiate a Risk Management alignment exercise.
I would appreciate it if you could share good advice on the alignment or normalisation of the risk management approach, with the below goals:
1) Improve the effectiveness of the entire risk management with a holistic view
2) Improve the efficiency of the entire risk management
3) Still maintain the goal of each risk assessment / management
Hope to hear from you soon.