Understanding risk management


Business risks can take many forms, and organizations of all sizes and in any industry face a variety of internal and external risks. Whichever form they take, they can affect operational efficiency, economic position, brand reputation, health and safety, and the environment, all of which affects the ability to achieve business objectives.

To help identify and mitigate these risks, businesses need guidelines for forming strategies and policies that prioritize business continuity.

What is ISO 31000?


ISO 31000 Risk Management - Guidelines is the international Standard for risk management, created by the International Organization for Standardization. It provides a generic approach to risk management, with principles and guidelines for anyone who manages risk in an organization, not only professional risk managers.

Effective use of this Standard requires implementation throughout all business processes, from strategy and planning to continued management and reporting. 

5 ISO 31000 risk management framework components 


The ISO 31000 framework works in a cycle. There are 5 components to help establish, maintain and improve a risk management system in any business.  

Integration 

Integrating risk management looks different for each organization. It is a dynamic process that must be customized to suit specific needs, with everyone responsible for playing their part in managing risk. It needs to work alongside operations, strategies and objectives rather than being treated as a separate function, with accountability and specific roles defined.

Design 

The design function of ISO 31000 includes 5 areas - understanding the organization and its context, articulating risk management commitment, assigning roles and responsibilities, allocating resources and establishing communication and consultation. 

Implementation 

Successfully implementing a risk management framework requires an organization to define timelines and resources within its plan; identify how decisions are to be made and who is responsible for them at each level of the organization; accept that the decision-making process may need to change where necessary; and ensure that strategies and arrangements for managing risk are understood by each stakeholder and actively practised.

Evaluation 

It may seem that once the risk management framework is established it should continue to work to an organization's benefit on its own, but this is rarely the case. Continual assessment is needed to evaluate the framework's effectiveness, measuring the performance of the plan against its intended purpose and expectations. This step helps an organization understand whether the framework continues to support its objectives.

Improvement 

Continuing to monitor the internal and external environments of an organization can help identify gaps or opportunities to improve the current risk management framework. Even when an established plan seems comprehensive, operating in a dynamic environment can give rise to new, unexpected risks.

11 ISO 31000 risk management principles 


There are 11 guiding principles within ISO 31000. Implementation of these principles can promote a safer, more resilient organization. The Standard states that risk management: 

  1. Creates and protects value. 
  2. Is an integral part of all organizational processes. 
  3. Is part of decision making. 
  4. Explicitly addresses uncertainty. 
  5. Is systematic, structured and timely. 
  6. Is based on the best available information. 
  7. Is tailored. 
  8. Takes human and cultural factors into account. 
  9. Is transparent and inclusive. 
  10. Is dynamic, iterative and responsive to change. 
  11. Facilitates continual improvement of the organization. 

Types of risks 


A traditional view of risk involves the threat of danger, generally in the form of injury or loss. ISO 31000 shifts this view, focusing on the uncertainty in an environment rather than only on negative outcomes, so that the potential for opportunities is also recognised.

There are 3 categories of risk: hazard, relating to events that result in negative outcomes; control, relating to events that result in uncertain outcomes; and opportunity, relating to events that result in positive outcomes.


