Risk Management

According to ISO 31000, “Risk management – Principles and guidelines”, organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization’s objectives is “risk”.

All activities of an organization involve risk. Organizations manage risk by identifying it, analyzing it, and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria.

Throughout this process, they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk in order to ensure that no further risk treatment is required. ISO 31000 describes this systematic and logical process in detail.

While all organizations manage risk to some degree, ISO 31000 establishes a number of principles that need to be satisfied to make risk management effective. The standard recommends that organizations develop, implement, and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization’s overall governance, strategy and planning, management, reporting processes, policies, values, and culture.

Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects, and activities.

Although the practice of risk management has been developed over time and within many sectors in order to meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently, and coherently across an organization.

The generic approach described in ISO 31000 provides the principles and guidelines for managing any form of risk in a systematic, transparent, and credible manner and within any scope and context.

Each specific sector or application of risk management brings with it individual needs, audiences, perceptions, and criteria. Therefore, a key feature of ISO 31000 is the inclusion of “establishing the context” as an activity at the start of this generic risk management process.

Establishing the context captures the objectives of the organization, the environment in which it pursues those objectives, its stakeholders, and the diversity of risk criteria – all of which will help reveal and assess the nature and complexity of its risks.

When implemented and maintained in accordance with ISO 31000, the management of risk enables an organization to, for example:

  • increase the likelihood of achieving objectives;
  • encourage proactive management;
  • be aware of the need to identify and treat risk throughout the organization;
  • improve the identification of opportunities and threats;
  • comply with relevant legal and regulatory requirements and international norms;
  • improve mandatory and voluntary reporting;
  • improve governance;
  • improve stakeholder confidence and trust;
  • establish a reliable basis for decision making and planning;
  • improve controls;
  • effectively allocate and use resources for risk treatment;
  • improve operational effectiveness and efficiency;
  • enhance health and safety performance, as well as environmental protection;
  • improve loss prevention and incident management;
  • minimize losses;
  • improve organizational learning; and
  • improve organizational resilience.

ISO 31000 is intended to meet the needs of a wide range of stakeholders, including:

a) those responsible for developing risk management policy within their organization;
b) those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or activity;
c) those who need to evaluate an organization’s effectiveness in managing risk; and
d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of these documents.

The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances. In such cases, an organization can decide to carry out a critical review of its existing practices and processes in the light of ISO 31000.

Principles – Clause 3

According to ISO 31000, for risk management to be effective, the organization should comply at all levels with the risk management principles below:

a. Creates and protects value
b. Integral part of all organizational processes
c. Part of decision making
d. Explicitly addresses uncertainty
e. Systematic, structured, and timely
f. Based on the best available information
g. Tailored
h. Takes human and cultural factors into account
i. Transparent and inclusive
j. Dynamic, iterative, and responsive to change
k. Facilitates continual improvement of the organization

Framework – Clause 4

According to ISO 31000, the success of risk management will depend on the effectiveness of the management framework that provides the foundations and arrangements that will embed it throughout the organization.

The framework ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant organizational levels.

4.2 Mandate and commitment
4.3 Design of framework for managing risks
4.4 Implementing risk management
4.5 Monitoring and review of framework
4.6 Continual improvement of the framework

Process – Clause 5

According to ISO 31000, the risk management process should be:

  • an integral part of management,
  • embedded in the culture and practices, and
  • tailored to the business processes of the organization.

The risk management process comprises the following activities:

5.2 Communication and consultation
5.3 Establishing the context
– Establishing the external context
– Establishing the internal context
– Establishing the context of the risk management process
– Defining risk criteria
5.4 Risk assessment
– Risk identification
– Risk analysis
– Risk evaluation
5.5 Risk treatment
– Selection of risk treatment options
– Preparing and implementing risk treatment plans
5.6 Monitoring and review
5.7 Recording the risk management process

Although ISO 31000 provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.

ISO 31000:2009, Risk management – Principles and guidelines, can be ordered from the ISO web site for about $118.

ISO/TR 31004:2013, Risk management – Guidance for the implementation of ISO 31000, provides guidance for organizations on managing risk effectively by implementing ISO 31000:2009. The technical report provides:

  • a structured approach for transitioning risk management arrangements in order to be consistent with ISO 31000, in a manner tailored to the organizational characteristics;
  • an explanation of the underlying concepts of ISO 31000;
  • guidance on aspects of the principles and risk management framework that are described in ISO 31000.

ISO/TR 31004:2013 can be ordered from the ISO web site for about $158.