The ISO Technical Management Board Working Group on Risk Management published ISO 31000:2009, Risk Management – Principles and Guidelines in November 2009 after receiving approval from the ISO member organisations. Although ISO 31000 is intended to be suitable for any company and any type of risk, unlike the well-known ISO quality standards, it cannot be certified. The framework and essential components of ISO 31000 Risk Management will be covered in this article.
Readers familiar with the AS/NZS 4360:2004 risk management standard will recognise it immediately: apart from a few changes in wording, ISO 31000 is largely unchanged from it. If your company followed the AS/NZS standard, the switch to ISO 31000 should go quite smoothly. The Risk Management Guidelines Companion to AS/NZS 4360:2004 provides additional guidance on designing and implementing risk assessment and management techniques; similarly, ISO/IEC 31010:2009 is the auxiliary document that supports the new ISO 31000 standard.
For those unfamiliar with the AS/NZS standard, or those unfamiliar with a formal, structured risk management process, the remainder of this article will discuss the structure and key elements of ISO 31000.
The ISO 31000 risk management process has two main parts:
The Framework, which directs how risk management is organized and carried out across the organization as a whole; and
The Process, which sets out the specific steps for identifying, assessing, and treating risks.
Framework
The ISO 31000 Framework mirrors the plan, do, check, act (PDCA) cycle used in all management system designs. However, the standard states that “This Framework is not intended to prescribe a management system, but rather to assist the organization in integrating risk management into its overall management system.” This statement should encourage organizations to be flexible in adopting the Framework’s components as needed.
The Framework’s main components include:
Governing and Policy: gives direction and demonstrates commitment to the organization
Program Design: design of the overall Framework for managing risk on an ongoing basis
Implementation: implementing the risk management structure and program
Monitoring and Review: oversight of the management system structure and performance
Continual Improvement: improvements to the performance of the overall management system
Organizations, especially those without prior experience with management systems, should be ready to invest significant effort in building a strong Framework and resist the urge to jump straight into the risk assessment process. The Framework provides the consistency and continuity needed to support an ongoing program rather than a one-off project, which makes its design an essential stage.
Important components that businesses should not ignore include:
Developing managerial commitment, both now and in the future, through steps such as:
creation and acceptance of a formal policy
determining and allocating the required resources, including the knowledge and funds needed to support the program
creation of a monthly review cycle to keep management informed of the program’s progress and to motivate all participants
Creating a program that fits the organization, its culture, and its environment, including:
understanding the external factors, including market trends, legal requirements, and the expectations of significant outside stakeholders
understanding the internal forces, such as the current organizational structure, culture, and capabilities
The organizational purpose and needs will determine how much of each of these factors an organization will take into account and apply. The purpose is to create a program that is well-known, well-equipped, fit with the culture and goals of the business, and long-lasting.
Process
Once the risk management Framework has been established, an organization is ready to create the Process. ISO 31000 describes the Process as “multi-step and iterative; designed to identify and analyze risks in the organizational context.”
As seen in the graphic below, the Process’s key components include:
Communication and consultation with all parties involved
Establishing the context
Identification of risks
Regular monitoring and review, which are essential here just as in the Framework.
The first and third activities should take place throughout the risk assessment Process, as shown in the picture above. Regular communication is essential early in the process to understand stakeholders’ interests and concerns and to validate the process’s focus. Later, continued communication helps explain the justification for actions and the reasons the business needs particular risk management strategies. Regular monitoring also ensures that controls are operating properly and that the company responds to changes in the risk environment and its procedures. Together, these activities ensure that all stakeholders clearly understand expectations and that the organization addresses change as quickly as possible.
Before the actual process of assessing risks can begin, the organization must determine what ISO 31000 calls the “context”: the internal and external environment considered in relation to the organization’s goals and strategies. Examining the internal and external environment was already the first step in designing the Framework; management should now repeat that evaluation in more depth, concentrating on the scope of the specific risk management Process.
The subsequent assessment steps involve establishing methods for identifying, analyzing, and evaluating specific risks. Although there are many published procedures and techniques, they should all include the following essential components:
Identification of Risk
identification of a risk’s sources, impact areas, and probable events, including their causes and consequences
classification of sources: internal vs. external
identification of potential effects and the factors that influence those effects
Evaluation of the likelihood
Identification and assessment of the existing controls
Comparison of the risks identified against the risk criteria established
Decisions to treat or accept risks, taking internal, statutory, regulatory, and third-party requirements into account.
Consult ISO/IEC 31010, the auxiliary document mentioned earlier, to learn more about each of the risk assessment methodologies and approaches. Note that the complexity of the methodologies and the scope of the study depend heavily on the organization, and management should consult all stakeholders when developing an appropriate approach.
Overall, management should develop and implement risk treatments to reduce residual risks to levels acceptable to key stakeholders and monitor/adjust to ensure efficiency and effectiveness.
Relationship to Business Continuity and ASIS SPC.1-2009
The simultaneous publication of the ASIS SPC.1 Organizational Resilience standard and ISO 31000 prompted a number of questions. Should the market consider them equivalent or interchangeable, since both are based on management systems? How do they relate to business continuity? Which, if either, is a reliable foundation for Enterprise Risk Management (ERM)?
SPC.1 presents a somewhat more constrained scope, defining organizational resilience in terms of security, preparedness, and continuity, whereas ISO 31000 maintains a wider – perhaps more strategic – focus. Both standards draw on the management systems processes and describe a similar process structure.
Business continuity is merely one of the many risk management strategies that make up the broader strategic risk management program espoused by ISO 31000. Business continuity should therefore be viewed as a sub-component of the risk management program described in ISO 31000, because it addresses one specific risk: the availability of processes, resources, and technology.
Overall, the guidelines of ISO/IEC 31010 and the risk management principles and procedures outlined in ISO 31000 offer a solid framework that enables an organization to create and implement a repeatable, proactive, and strategic program. The objectives, resources, and circumstances of any individual organization have a significant impact on the design of particular program components. Every program should include management involvement in setting direction and routinely reviewing results, regardless of the level of implementation. This will not only improve the management of risk but also ensure that risk is appropriately treated in accordance with organizational objectives and long-term strategies.