JaneB
So many organizations do not give themselves credit for the good PA activities they have in place.
Stijloor.
You're right.
I just saw an organisation doing this brilliantly. They had a very sound risk assessment process in place. It's based around the risk management model in the Standard (4360 I think), with their risk assessment revisited and updated at defined intervals, & at least annually.
For each risk assessed at a certain level, they determine what mitigation or management strategies are needed (i.e., preventive), and ensure they implement those, and/or revisit/revise as needed. Some of the measures they've put in place are similar to some of those on the PA Matrix you posted - e.g., procedure XYZ, audit checks of ABC, etc. Best I've seen. And report all this through to the Board regularly, of course.