Managing risk is a critical part of the success of any organisation. Whether you’re an experienced risk professional or just trying to understand risk, ISO 31000 is a great resource for your organisation, no matter the size or industry. Issued in 2009 by the International Organization for Standardization, the ISO 31000 Risk Management standard helps address operational continuity and provides confidence and reassurance in your organisation’s economic resilience, professional reputation, and environmental and safety outcomes. Best of all, ISO 31000 can be tailored to your organisation to help achieve the best results. ISO 31000 is also a perfect way to show your commitment as a risk professional to mitigating risk within your organisation. Now widely adopted around the world, ISO 31000 is blissfully concise and clear, offering a flexible way to implement common-sense risk management.
The standard’s guidance is constructed as a list of principles, along with the framework and process. However, there is an overlap between framework and process in ISO 31000, as demonstrated by the inclusion of context both as part of designing the framework and as part of the scope, context and criteria. Establishing communication and consultation is a component of the process and is also discussed as part of the design component of the framework.
In addition to the overlap of framework and process, there are examples of overlap of principles and framework, including the inclusion of integration as a principle and as a component of the framework. This overlap clearly demonstrates that risk professionals who use the standard as the basis for the implementation of a risk management strategy will need to extract the valuable information and guidance provided in ISO 31000 and develop it into a coherent and logical implementation checklist.
Any professional who handles risk needs to understand the full and detailed requirements of a management system. These requirements define the components required for the successful implementation of a management initiative, including a risk management initiative. The list below provides an overview of the stages involved in implementing the ‘Control and Develop’ components.
The successful implementation of any risk management strategy depends on an ongoing process that involves working through ten activities related to four components: (1) Plan; (2) Implement; (3) Measure; and (4) Learn.
1. Identify the intended benefits of the risk management strategy and gain board support.
2. Plan the scope of the risk management strategy and develop a common language of risk.
3. Establish the risk management strategy, framework and roles and responsibilities.
4. Adopt suitable risk assessment tools and an approved risk classification system.
5. Establish risk benchmarks (risk criteria) and undertake risk assessments.
6. Determine risk appetite and risk tolerance levels and evaluate the existing controls.
7. Evaluate the effectiveness of existing controls and introduce improvements.
8. Embed a risk-aware culture and align risk management with other activities in the organisation.
9. Monitor and review risk performance indicators to measure the contribution of risk management.
10. Report risk performance in line with obligations and monitor improvement.
Although the standard covers the full scope of requirements for a management system, the structure of the guidelines in the framework requires some interpretation and conversion into a checklist or implementation/action plan. Risk professionals will also need to extract the guidance and advice most relevant to their employer or client organisations when formulating a successful risk management initiative. This is time and effort well spent, as ISO 31000 provides a host of benefits, including the following:
- Provides sound principles for effective management and corporate governance.
- Signifies that, as an organisation, you are committed to managing risks in every part of your business.
- Demonstrates your management capabilities in protecting your business from internal and external threats.
- Provides guidance for internal or external audit programmes.
- Enhances your company’s reputation and can provide a competitive advantage.
ISO 31000 contains vital information for any risk professional. As you support your employer and/or clients in the implementation of a risk management strategy, ISO 31000 can give you the guidance and the support to do so. The combination of principles, framework and process set out in ISO 31000 provides a high-level but comprehensive view of the components that are required to implement risk management in an organisation.
ISO 31000 is an essential and well-recognised contribution to effective risk management. Still, risk professionals will need to extract the guidance and advice most relevant to their employer or client organisations when formulating a successful risk management initiative that will enhance the success of the organisation.