Thanks for the feedback. Still unclear when in the process residual risk is assigned. Yodon said "Residual risk is, initially, your estimate of how well your controls mitigate the risks.", but Qualpod said "once action plans are working, new Condition of risk Is evaluated." The former sounds like the evaluation of residual risk should be done up front, before implementing the risk responses, as an estimate. The latter sounds like we estimate the effects of the risk responses on the existing risks during periodic monitoring. Maybe it's both?
(1) Estimate the residual risk based on existing controls and proposed responses, and (2) evaluate if the mitigations are actually having the effect they are supposed to. But what if they don't have the effect which was expected...? Where should that risk number be implemented? I get the question of "do we update the residual risk score during periodic monitoring?"
Dear ukrain
First off, you don't mention if it is risk under 9001 or another standard.
Under 9001 it is not necessary to establish a complex methodology, because it is not required.
It only requires you to identify risks and opportunities and take actions to address such R&O.
But if you work under other standards, it may be helpful to take a look at ISO 31010; in it
there are several methods to address risks.
However, if you want to apply some other efforts to address risk in 9001 (as in my case), there are some easy practices
to follow.
I have to say that... risk always exists.
However, the value changes over time, for different causes: the economy, government, laws, etc.
You need to establish allowable values for your business.
Example: if you detect a risk, use the formula P×I (probability × impact) and get low values (2×1=2),
then this risk is under an acceptable value, so it is not needed to take actions, and that's all.
But this or another risk will sometimes come up, and on analyzing it you get high values (5×5=25), so
according to your criteria you must do something to lower that value.
Then you define actions, put them to work, and after some elapsed time you evaluate the same risk
and get these values (2×2=4); now your risk value is under the control you have defined.
Example of criteria:
risk type A, low risk, 1-5, do nothing
risk type B, medium risk, 6-12, implement action plans within 3 days after it is detected
and so on. Additionally, you have to assign values for probability and impact.
Hope it helps.