Risk Management ISO 31000

We live in an ever-changing world where we are forced to deal with uncertainty every day. But how an organization tackles that uncertainty can be a key predictor of its success.

Risk is a necessary part of doing business, and in a world where enormous amounts of data are being processed at increasingly rapid rates, identifying and mitigating risks is a challenge for any company. It is no wonder, then, that many contracts and insurance agreements require solid evidence of good risk management practice.

ISO 31000 provides direction on how organizations can integrate risk-based decision making into their governance, planning, management, reporting, policies, values and culture. It is an open, principles-based system, meaning it enables organizations to apply the principles in the standard to their own organizational context.

Who is ISO 31000 for?

ISO 31000 is applicable to all organizations, regardless of type, size, activities and location, and covers all types of risk. It was developed by a range of stakeholders and is intended for use by anyone who manages risks, not just professional risk managers.

What are the benefits for my business?

ISO 31000 helps organizations develop a risk management strategy to effectively identify and mitigate risks, thereby enhancing the likelihood of achieving their objectives and increasing the protection of their assets. Its overarching goal is to develop a risk management culture where employees and stakeholders are aware of the importance of monitoring and managing risks.

Implementing ISO 31000 also helps organizations see both the positive opportunities and negative consequences associated with risk, and allows for more informed, and thus more effective, decision making, particularly in the allocation of resources. What’s more, it can be an active component in improving an organization’s governance and, ultimately, its performance.

What are the main differences?

The revised ISO 31000 provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization. This includes the recommendation to develop a statement or policy that confirms a commitment to risk management, assigning authority, responsibilities and accountability at the appropriate level within the organization, and ensuring that the necessary resources are allocated to managing risk.

The revised standard now also recommends that risk management be part of the organization’s structure, processes, objectives, strategy and activities. It places a greater focus on creating value as the key driver of risk management and features other related principles such as:

  • Continual improvement.
  • The inclusion of stakeholders.
  • Being customized to the organization and consideration of human and cultural factors.

The content has been streamlined to reflect an open-systems model that regularly exchanges feedback with its external environment in order to fit a wider range of needs and contexts. The key objective is to make things clearer and easier, using plain language to define the fundamentals of risk management in a way that the reader will find easier to comprehend. The terminology is now more concise, with certain terms having been moved to ISO Guide 73, Risk management – Vocabulary, which deals specifically with risk management terminology and is intended to be used alongside ISO 31000. Work has commenced on a terminology standard and an implementation handbook to further enhance the understanding and applicability of the standard.

What about certification?

ISO 31000 provides guidelines, not requirements, and is therefore not intended for certification purposes.

How do I get started?

  • Be aware of your organization’s key objectives. This will help you clarify the targets and requirements of your risk management system.
  • Assess your current governance structure. This will ensure you allocate the right roles, responsibilities and reporting procedures when it comes to risk.
  • Define your level of commitment. What resources will you be able to allocate to implementing or maintaining a risk management system?

Who was ISO 31000 developed by?

ISO 31000 was developed by the ISO technical committee on risk management, ISO/TC 262. Other standards in its portfolio, which support ISO 31000, include the technical report ISO/TR 31004, Risk management – Guidance for the implementation of ISO 31000, and ISO/IEC 31010, Risk management – Risk assessment techniques, which was developed jointly with the International Electrotechnical Commission.

About ISO

ISO (International Organization for Standardization) is an independent, non-governmental organization with a membership of 162* national standards bodies. Through its members, ISO brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges. ISO has published more than 22000* international standards and related documents covering almost every industry, from technology to food safety, to agriculture and healthcare.

Managing the Risks:

  • Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.
  • Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.
  • Managing risks is part of governance and leadership, and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.
  • Managing risk is part of all activities associated with an organization and includes interaction with stakeholders.
  • Managing risks considers the external and internal context of the organization, including human behavior and cultural factors.
  • Managing risks is based on:
    • The principles.
    • The Framework.
    • The Processes.

The Principles:

  • Value Creation and Protection (the purpose at the centre of the principles):
    • Integrated.
    • Structured and comprehensive.
    • Customized.
    • Inclusive.
    • Dynamic.
    • Best available information.
    • Human and cultural factors.
    • Continual improvement.

The Framework:

  • Leadership and Commitment (at the centre of the framework):
    • Integration.
    • Design.
    • Implementation.
    • Evaluation.
    • Improvement.

The Processes:

  • Communication and Consultation.
  • Scope, Context and Criteria.
  • Monitoring and Review.
  • Recording and Reporting.

These four process elements surround and support the core steps of the process:

  • Risk Assessment:
    • Risk Identification.
    • Risk Analysis.
    • Risk Evaluation.
  • Risk Treatment.

The top reasons compliance programs fail

An effective compliance program manages an organization’s policies and procedures in a way that protects the organization and supports an ethical organizational culture. The challenge is turning those policies into practices that drive employee behavior.

These are the top 10 reasons compliance programs fall short:

  1. Failure to assess and understand the risks.
  2. Lack of leadership.
  3. Insufficient resources.
  4. Insufficient profile of the compliance function.
  5. Lack of clear procedures to make policies accessible.
  6. Competing priorities and incentives.
  7. Insufficient communication and training.
  8. Insufficient third-party management.
  9. Insufficient monitoring.
  10. Inconsistent enforcement and corrective actions.