Managing risk is a critical part of the success of any organisation. That’s why ISO (International Organization for Standardization) developed the 31000 Risk Management Standard. Issued in 2009, the standard helps address operational continuity and also builds confidence and reassurance in your organisation’s economic resilience, professional reputation, and environmental and safety outcomes. Best of all, ISO 31000 can be tailored to your organisation to help achieve the best results.
The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives. Principles include the requirement for the risk management initiative to be (1) customised; (2) inclusive; (3) structured and comprehensive; (4) integrated; and (5) dynamic.
The purpose of the risk management framework is to assist with integrating risk management into all activities and functions. The effectiveness of risk management will depend on integration into governance and all other activities of the organisation, including decision-making.
2.1. Leadership and commitment, including:
- aligning risk management with the strategy, objectives and culture of the organisation;
- issuing a statement or policy that establishes an RM approach, plan or course of action;
- making necessary resources available for managing risk; and
- establishing the amount and type of risk that may or may not be taken (risk appetite).
2.2. Integration, including:
- determining management accountability and oversight roles and responsibilities; and
- ensuring risk management is part of, and not separate from, all aspects of the organisation.
2.3. Design, including:
- understanding the organisation and its internal and external context;
- articulating risk management commitment and allocating resources; and
- establishing communication and consultation arrangements.
2.4. Implementation, including:
- developing an appropriate implementation plan including deadlines;
- identifying where, when and how different types of decisions are made, and by whom; and
- modifying the applicable decision-making processes where necessary.
2.5. Evaluation, including:
- measuring framework performance against its purpose, implementation and behaviours; and
- determining whether it remains suitable to support achievement of objectives.
2.6. Improvement, including:
- continually monitoring and adapting the framework to address external and internal changes;
- taking actions to improve the value of risk management; and
- improving the suitability, adequacy and effectiveness of the RM framework.
The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.
3.1. Communication and consultation, including:
- bringing different areas of expertise together for each step of the RM process;
- ensuring different views are considered when defining risk criteria and evaluating risks;
- providing sufficient information to facilitate risk oversight and decision-making; and
- building a sense of inclusiveness and ownership among those affected by risk.
3.2. Scope, context and criteria, including:
- defining the purpose and scope of risk management activities;
- identifying the external and internal context for the organisation;
- defining risk criteria by specifying the acceptable amount and type of risk; and
- defining criteria to evaluate the significance of risk and to support decision-making.
3.3. Risk assessment, including:
- risk identification to find, recognise and describe risks that might help or hinder the achievement of objectives, together with their variety of tangible or intangible consequences;
- risk analysis of the nature and characteristics of risk, including the level of risk, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness; and
- risk evaluation to support decisions by comparing the results of the risk analysis with the established risk criteria to determine the significance of risk.
3.4. Risk treatment, including:
- selecting the most appropriate risk treatment option(s); and
- designing risk treatment plans specifying how the treatment options will be implemented.
3.5. Monitoring and review, including:
- improving the quality and effectiveness of process design, implementation and outcomes;
- monitoring the RM process and its outcomes, with responsibilities clearly defined;
- planning, gathering and analysing information, recording results and providing feedback; and
- incorporating the results in performance management, measurement and reporting activities.
3.6. Recording and reporting, including:
- communicating risk management activities and outcomes across the organisation;
- providing information for decision-making;
- improving risk management activities; and
- providing risk information and interacting with stakeholders.
Getting Started with ISO 31000 Risk Management?
ISO 31000 is an international standard first issued in 2009 by ISO (International Organization for Standardization) and revised in 2018. All types and sizes of organisations face internal and external factors that directly affect whether they can achieve their objectives. ISO 31000:2018 serves as a guide for the design, implementation and maintenance of risk management. It describes a systematic and logical process in which organisations manage risk by identifying it, analysing it and then deciding how to treat and mitigate it in a way that is consistent with their risk appetite. An organisation can implement risk management across the entire company, and it can do so at any time. Our newly published “ISO 31000 Risk Management: A guide to identify, analyse and mitigate risk” playbook covers everything you need to know about ISO 31000:2018; here’s a quick rundown of the playbook structure:
- What is ISO 31000?
- Why is this Standard a good idea?
- What are the benefits for my business?
- Principles of ISO 31000:2018
- ISO 31000 framework
- Why was it revised?
- What are the main differences?
- Key Clauses of 31000:2018
- Who is the standard for?
- The process
- The link between 31000:2018 and other standards
- Importance of risk management leadership
- 31000:2018 and continuous improvement
- How do we get started?
> Risk management is a full-time, ongoing endeavour for organisations in today’s business world, and it poses constant challenges. The first part of reducing risk is having a strategy, and taking action. So DOWNLOAD your free playbook now!