The ISO 31000 risk management system standard offers a common framework and process to manage organisational opportunities as well as threats.
ISO 31000 is the overarching standard in relation to ISO 9000, ISO 14000 and OHSAS 18000, guiding how these related standards are applied within a comprehensive risk management system.
Any organisation’s risk management should be capable of review and evaluation by any risk manager or auditor. ISO 31000 sets a framework for ‘components that provide the foundation and organisational arrangement for designing, implementing, monitoring, reviewing and continually improving risk management processes’.
The framework of ISO 31000 follows the Plan, Do, Check, Act model, like other global management system standards. The standard also provides practical guidelines on how to:
- implement risk management
- identify risks
- manage risks
- improve organizational performance
- maximize opportunities and minimise losses
- maintain and raise awareness of opportunities and risks
ISO 31000 can be used by management system implementers, risk managers, divisional managers, auditors, and board members.
ISO 31000: Risk defined
Risk is the effect of uncertainty on organisational objectives. An effect is a deviation from the expected, with positive or negative results. Objectives have different aspects, like goals in financial, health, safety, environmental terms, and could apply at different levels, including strategic, general, project, product, or process.
Risk is often characterised by reference to potential events and consequences, or a combination of these. Risk is often expressed in terms of a combination of the consequences of an event, including changes in circumstances, and associated likelihood of occurrence.
Uncertainty is the state, or partial state, of deficiency of information, understanding or knowledge of an event, its consequence or likelihood.
ISO 31000: Business principles approach
According to Clause 3, risk management should be:
- Value creating
- Integral to organisational processes
- Considered in making decisions
- Explicit in addressing uncertainty
- Systematic and structured
- Based on best available information
- Tailored to organisational activities
- Taking into account human factors
- Transparent and inclusive
- Dynamic, iterative and responsive to change
- Capable of continuous improvement.
Enhanced risk management should have five attributes:
- Emphasis on continuous improvement through setting organisational performance goals, measurement, review, and modification of processes, systems, resources, capability and skills.
- Comprehensive, defined and accepted accountability for risks, controls and treatment tasks. Identified individuals accept, are appropriately skilled, and have adequate resources to check controls, monitor risks, improve controls and communicate about risks and management to interested parties.
- Decisions at all levels explicitly consider risks and application of the risk management process.
- Continual communication, visible, comprehensive and frequent reporting of risk management performance to interested parties as part of a governance process.
- Viewed as a core organisational process, considering sources of uncertainty that could be treated to maximise the chance of gain and minimise the chance of loss. Regarded by senior managers as essential for achieving organizational objectives. Governance structure and process must be founded on a risk management process.
ISO 31000: A Risk Management Approach
Corporate governance is the way an organisation is controlled to achieve its objectives. Control offers reliability within a tolerable degree of certainty. It is the ‘glue’ that holds an organisation together, while risk management provides resilience.
A risk management system depends on management commitment and allocation of resources during design, implementation, maintenance and monitoring the process at all levels.
Resources include the assignment of competent people, accurate forecasting and spending, quality material, adequate and sufficient equipment, appropriate and efficient methods, and marketing of the management system inside and outside the organisation.
Management must set the tone for honest communication and reporting at all levels, to ensure reliable data, information, appropriate decisions, accountability and responsibility.
ISO 31000: How to Ensure Success
Management should sustain commitment to a risk management process through strategic planning, rigorous monitoring, and guidance on:
- Defining and endorsing risk management policy
- Aligning organisational culture and risk management policy
- Aligning risk management and organizational performance indicators, objectives and strategies
- Achieving legal compliance
- Assigning accountabilities and responsibilities at appropriate levels
- Allocating relevant resources to risk management
- Communicating risk management benefits
- Adjusting the risk management framework to remain appropriate.
ISO 31000: Design a Risk Management Framework
Designing and implementing a risk management framework depends on seven key components: organisational context, risk management policy, accountability, integration into organisational processes, allocation of resources, communication mechanisms, and implementation. Each is detailed below.
Understand organisational context
Evaluate the external and internal context to determine the framework design. External context may include the social, cultural, legal, regulatory, financial, technological, economic, natural and competitive environment, at international, national, regional or local level. Evaluate key drivers and trends impacting on objectives, as well as the relationships, perceptions and values of external stakeholders.
Internal context includes:
- Governance, structure, roles, accountabilities
- Policies, objectives, strategies to achieve the above
- Capabilities in terms of resources and knowledge, like capital, time, people, processes, systems, technologies
- Information systems, information flow and decision processes, formal and informal
- Relationships, perceptions, values of internal stakeholders, and organizational culture
- Standards, guidelines and models adopted
- Form and extent of contractual relationships
Establish risk management policy
Risk management policy should clearly state and communicate organisational objectives and commitment to risk management, and address at least these elements:
- Rationale for managing risk
- Links between objectives, policies and risk management policy
- Accountabilities and responsibilities for risk management
- Responses to conflicting interests
- Commitment to allocate resources to accountable and responsible people
- Metrics and reporting of management performance
- Commitment to review and improve risk management policy and framework periodically and in response to incidents.
Ensure accountability
Ensure accountability, authority and appropriate competence for managing risk, including implementing and maintaining a risk management process with adequate, effective and efficient controls:
- Identify risk owners with accountability and authority
- Assign accountability for development, implementation and maintenance of the framework
- Identify responsibilities within the process
- Establish performance measurement, reporting and escalation processes
- Institute appropriate recognition levels
Integrate organisational processes
Risk management should be embedded in all practices and processes in a way that it is relevant, effective and efficient. Embed risk management in policy, strategic planning and review, and change management.
Allocate resources
- Manpower and competence
- Methods and effective applications
- Material, quality content and tools
- Machines appropriate and effective to the system
- Money appropriate to the forecast
- Marketing the system to users, suppliers and clients
Internal communication mechanisms
These mechanisms should consolidate risk information, where appropriate, from a variety of data sources, taking into account data sensitivity, and should cover:
- Key components of the risk management framework and modifications
- Framework effectiveness and outcomes
- Relevant information available at appropriate levels and times
- Consultation processes
External reporting mechanisms
- Engage appropriate stakeholders in effective information exchange
- Report as required by legislation and governance codes
- Report on communication and consultation results
- Cultivate confidence in the organisation and risk data gathering
- Plan crisis communication procedures.
Implementation
- Set appropriate timing and strategy
- Apply risk management to all processes
- Comply with legislation
- Align decision making, objectives and goals with risk management
- Conduct information and training sessions
- Communicate and consult with stakeholders on appropriate measures.