ISO 31000 Risk Management

  • By: Staff Editor
  • Date: June 07, 2009

ISO 31000:2009 sets out principles, a framework and a process for the management of risk that is applicable to any type of organization in the public or private sector. It emphasizes that the management of risk must be tailored to the specific needs and structure of the particular organization. Because it can be used by any public, private or community enterprise, association, group or individual, ISO 31000:2009 is not specific to any industry or sector.

ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. It can be applied to any type of risk, whatever its nature, whether the consequences are positive or negative. The standard recommends that organizations develop, implement and continuously improve a risk management framework as an integral component of their management system.

ISO 31000 is designed to help organizations:

  • Increase the likelihood of achieving objectives
  • Encourage proactive management
  • Be aware of the need to identify and treat risk throughout the organization
  • Improve the identification of opportunities and threats
  • Comply with relevant legal and regulatory requirements and international norms
  • Improve financial reporting
  • Improve governance
  • Improve stakeholder confidence and trust
  • Establish a reliable basis for decision making and planning
  • Improve controls
  • Effectively allocate and use resources for risk treatment
  • Improve operational effectiveness and efficiency
  • Enhance health and safety performance, as well as environmental protection
  • Improve loss prevention and incident management
  • Minimize losses
  • Improve organizational learning
  • Improve organizational resilience.

ISO 31000 and ISO Guide 73 can be applied to any public, private or community enterprise, association, group or individual. The documents will be useful to:


  • Those responsible for implementing risk management within their organizations
  • Those who need to ensure that an organization manages risk
  • Those needing to evaluate an organization's practices in managing risk
  • Developers of standards, guides, procedures and codes of practice relating to the management of risk.

Applicable and adaptable to all
ISO 31000 sets out principles, a framework, and a process for the management of all forms of risk, including safety and environmental risk, in all organizations, regardless of size. It does not mandate a one-size-fits-all approach, but emphasizes tailoring the principles and guidelines to the specific needs and structure of the organization. Following a list of terms and definitions, the standard sets out 11 principles to be addressed in order to manage risks effectively and achieve objectives.

The principles need to be reviewed by the board and top management so that they reflect the organization's policy. The next section of the standard describes the framework needed to provide the foundations and arrangements that will embed the management of risk at all levels of the organization. It calls for the risk management components to be integrated into the existing management system in order to ensure ownership of the policy and process by management and staff.

Commitment of top management
The overarching component of the framework is the mandate and commitment of the organization's board and top management to the implementation, review and continual improvement of how risk is managed. The end goal is to ensure that risk management is fully focused on the achievement of objectives. This focus on objectives is imperative if enterprise risk management (ERM) is to be achieved through a common language and process throughout the organization.

A strategic process
The risk management process contained in ISO 31000 follows the well-worn lead set by the Australian and New Zealand Standard AS/NZS 4360, and consists of:

  • Communication and consultation
  • Establishing the context
  • Risk assessment consisting of the three steps of identification, analysis and evaluation
  • Risk treatment
  • Monitoring and review.

The process set out needs to become an integral part of how business is managed at all levels. It must be tailored to the business processes and woven into the culture and practices that distinguish the organization from its competitors. All activities should be traceable by way of records, which provide the foundation for improvement in methods and tools as well as in the overall process. Finally, an informative annex sets out the attributes of enhanced risk management for those organizations that have been managing their risks for some time and may wish to strive for a higher level of achievement.

The intent of ISO 31000 is to be applied within existing management systems to formalize and improve risk management processes, as opposed to wholesale substitution of legacy management practices. Consequently, when implementing ISO 31000, attention must be given to integrating existing risk management processes into the new paradigm addressed in the standard.

The focus of many ISO 31000 'harmonization' programmes has centered on:

  • Addressing accountability gaps in enterprise risk management
  • Aligning objectives of the governance frameworks with ISO 31000
  • Embedding management system reporting mechanisms
  • Creating uniform risk criteria and evaluation metrics

Most implications of adopting the new standard concern the re-engineering of existing management practices to conform to the documentation, communication and socialization of the new risk management operating paradigm, as opposed to a wholesale re-orientation of management practice throughout an organization. Accordingly, most senior position holders in an enterprise risk management organization will need to be cognizant of the implications of adopting the standard and be able to develop effective strategies for implementing it across supply chains and commercial operations.

Certain aspects of top management accountability, strategic policy implementation and effective governance frameworks will require more consideration by organizations that have previously used the now superseded risk management methodologies. In some domains that concern risk management, particularly security and corporate social responsibility, which may operate using relatively unsophisticated risk management processes, more material change will be required, particularly regarding a clearly articulated risk management policy, formalized risk ownership processes, structured framework processes and continuous improvement programs.
