ISO 31000 – Risk Management Standard

Introduction

Working in an environment with full of uncertainty encourages the organisations to manage the risks affecting their economic performance and professional reputation, as well as environmental, safety and societal outcomes. Risk and risk management are strongly addressed in the new revision of ISO standards of quality, safety and environmental management systems including ISO 9001 and ISO 14001 which are planned to be published in 2015 and ISO 45001 which is planned to be published in 2016.

ISO 31000:2009, Risk management – Principles and guidelines, provides principles, framework and a process for managing risk. It can be used by any organisation regardless of its size, activity or sector. Using ISO 31000 can help organisations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.

However, ISO 31000 is not a certifiable standard, but provides an extensive guidance for internal or external audit programmes and can be used as an internationally recognised best practice for benchmarking purpose

The objective of this Standard is to achieve:

• A more confident and rigorous basis for decision-making and planning
• Better identification of opportunities and threats
• Gaining value from uncertainty and variability
• Pro-active rather than re-active management
• More effective allocation and use of resources
• Improved incident management and reduction in loss and the cost of risk, including commercial insurance premiums
• Improved stakeholder confidence and trust
• Improved compliance with relevant legislation

The components of ISO 31000

1) One vocabulary for risk management

As the necessity of using a consistent set of terms in risk management in order to have greater clarity and a wider understanding of risk management, many of the pre-existing terms and definitions that had arisen from different forms of risk and applications of risk management had to change. Fortunately, ISO combined the creation of the standard with a revision of the existing ISO/IEC vocabulary for risk management in Guide 73:2002 and both documents were published at the same time and will be updated together in future.

2) Performance criteria

In order to ensure that the risks are managed effectively and efficiently, the principles of effective risk management in ISO 31000 are that it should:

1. Create and protect value;
2. Be an integral part of all organisational processes;
3. Be part of decision making;
4. Explicitly address uncertainty;
5. Be systematic, structured, and timely;
6. Be based on the best available information;
7. Be tailored;
8. Take into account human and cultural factors;
9. Be transparent and inclusive;
10. Be dynamic, iterative, and responsive to change;
11. Facilitate continual improvement of the organisation.

A second list of attributes, in an annex to the standard, contains unavoidable characteristics of managing risk effectively that are also powerful indicators of risk management performance.

3) The process for managing risk

After considering numerous options and variants, ISO 31000:2009 largely adopted the same broad process as AS/NZS 4360:2004 for managing risk as shown in Fig. 1.

There are two elements of the process that can be considered as continually acting. These are:

• Communication and consultation with internal and external stakeholders, where practicable, to gain their input to the process and their ownership of the outputs, and
• Monitoring and review, so that appropriate action occurs as new risks emerge and existing risks change as a result of changes in either the organisation’s objectives or the internal and external environment in which they are pursued.

The central spine of the risk management process starts establishing the context as an essential predecessor to risk identification.

Risk identification requires the application of a systematic process to understand what could happen, how, when, and why.

Risk analysis is concerned with developing an understanding of each risk, its consequences, and the likelihood of those consequences. Whether the end result is expressed as a qualitative, semi-quantitative, or quantitative manner, gaining this understanding requires consideration of the effect and reliability of existing controls and any control gaps.

Risk evaluation then involves making a decision about the level of risk and the priority for attention through the application of the criteria developed when the context was established.

Risk treatment is the process by which existing controls are improved or new controls are developed and implemented. It involves evaluation of and selection from options, including analysis of costs and benefits and assessment of new risks that might be generated by each option, and then prioritising and implementing the selected treatment through a planned process. The options can be elimination, substitution, engineering, administration and using Personal Protective Equipment (PPE) to eliminate or mitigate the risks.

ISO 31000:2009 gives a set of general options to be considered when risk is treated. The order of the list reflects preference. Importantly, the options deal with both risks that have a downside and/or upside consequences.

4) The framework for managing risk

One of the recurrent themes in IS0 31000 is that to be effective, risk management must be integrated into an organisation’s decision-making processes (which, of course, is how risk is generated). Clause 4 of the standard concerns implementation of the risk management process through integration by using a management framework, which consists of the policies, arrangements, and organisational structures to implement, sustain, and improve the process. The standard not only describes the important elements that are required in such a framework but also describes how an organisation should go about creating, implementing, and keeping these elements up to date and relevant.

Other Relevant Standards

A number of other standards also relate to risk management.

• ISO Guide 73:2009, Risk management – Vocabulary complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk.
• ISO/IEC 31010:2009, Risk management – Risk assessment techniques focus on risk assessment. Risk assessment helps decision-makers understand the risks that could affect the achievement of objectives as well as the adequacy of the controls already in place.
• ISO/IEC 31010:2009 focuses on risk assessment concepts, processes and the selection of risk assessment techniques.

How ISO Consulting Services can help you

Please contact us to find out how our training courses, workshops and coaching sessions can assist you to meet all requirements of ISO 31000 standard.