ISO 31000 - Holistic risk management in organizations

04/11/2021


ISO 31000 is an international standard, first published in 2009, that provides principles and guidelines for effective risk management in organizations. It describes a generic approach to risk management that can be applied to different types of risk (financial, security, project risk, etc.) and used by any type of organization. ISO 31000 provides a uniform vocabulary and set of concepts for discussing risk management, and its guidelines and principles can help you conduct a critical review of your organization's risk management process.

ISO 31000 includes definitions and terms relevant to risk management, a set of principles for effective risk management, recommendations for establishing a risk management framework, and recommendations for establishing a risk management process.

The importance of effective risk management within an organization becomes evident in RAMS Engineering, where the focus is clearly on safety and security risk management.



The standard includes a series of principles that the organization's risk management must always take into account:

  1. its objective is to create and protect the value that the organization brings to its clients, workers and society as a whole,
  2. an important part of it is based on improving the information shared between the parties,
  3. it is an integral part of the organization's processes,
  4. it is tailor-made for each organization; to give a logical example, internal risk management for a bank is not the same as for a railway administration,
  5. it is used in corporate decision making,
  6. it takes into account human and cultural factors,
  7. it explicitly addresses uncertainty,
  8. it is transparent and inclusive,
  9. it is systematic, structured and timely,
  10. it is dynamic, iterative and receptive to change,
  11. it facilitates continuous improvement of the organization.


The standard does not provide detailed instructions or requirements on how to manage specific risks, nor any advice related to a specific application domain; it remains at a generic level.



Compared to older risk management standards, ISO 31000 innovates in several areas:

  • It provides a new definition of risk as the effect of uncertainty on the possibility of achieving the organization's objectives, highlighting the importance of defining objectives before attempting to control risks and emphasizing the role of uncertainty.
  • It introduces the (sometimes controversial) notion of risk appetite, or the level of risk that the organization agrees to take in exchange for expected value.


Concept of "appetite for risk"

Risk appetite is defined as the amount and type of risk that an organization is willing to pursue, retain, or take in order to achieve its objectives. It represents a balance between the potential benefits of innovation (and the risk that comes with it) and the threats that change inevitably brings. It guides people within the organization on the level of risk that is allowed and encourages a consistent approach across the organization. In a company it is generally expressed as a broad statement of focus that:

  • defines a risk management framework with different organizational procedures, roles and responsibilities in risk management
  • describes a management philosophy in which risk management is considered an integral part of strategic decision-making and change management


A non-strictly certifiable standard

Many ISO standards are certifiable: an accredited conformity assessment body issues a certificate stating that your activities within a defined perimeter conform to the standard. For example, many organizations certify their quality management system to ISO 9001. ISO 31000, however, provides guidance rather than requirements, so it is "not intended for certification purposes". Even so, some of our clients, once the ISO 31000 recommendations have been implemented, request a third-party checked certification from us in order to provide their clients and other stakeholders with evidence of compliance with the recommendations of the standard.



The risk management process in detail

According to ISO 31000, the risk management process implies the continuous and organized application of policies, procedures and actions, following the steps below, with risk management being an integral part of the management and decision-making of the company.



  • Risk identification: identifying what could prevent us from achieving our objectives.
  • Risk analysis: understanding the sources and causes of the identified risks; studying probabilities and consequences given the existing controls, in order to determine the level of residual risk.
  • Risk evaluation: comparing the results of the risk analysis with the risk criteria to determine whether the residual risk is tolerable.
  • Risk treatment: changing the magnitude and probability of consequences, both positive and negative, to achieve a net gain.
  • Establishing the context (scope, context and criteria): this activity consists of defining the scope of the risk management process, defining the objectives of the organization and establishing the risk assessment criteria. The context includes both external elements (regulatory environment, market conditions, stakeholder expectations) and internal elements (organizational governance, culture, organizational norms and rules, capabilities, existing contracts, worker expectations, information systems, etc.).
  • Monitoring and review: this task consists of measuring the performance of risk management against indicators, which are periodically reviewed to verify that they are still suitable. It involves checking for deviations from the risk management plan; verifying whether the risk management framework, policy and plan are still appropriate given the external and internal context of the organization; reporting on risk, on progress with the risk management plan and on how well the risk management policy is being followed; and reviewing the effectiveness of the risk management framework.
  • Communication and consultation: this task helps to understand the interests and concerns of stakeholders, to verify that the risk management process focuses on the right elements, and to explain the rationale for decisions and treatment options for particular risks. Communication and consultation therefore aims to bring together different areas of expertise for each stage of the process; to ensure that different points of view are appropriately considered when establishing criteria and evaluating risks; to provide sufficient information to facilitate risk monitoring and decision-making; and to generate a sense of inclusion among the affected parties.

At Leedeo Engineering, we are specialists in supporting our clients at whatever level is required for RAMS and risk management tasks, including the implementation of ISO 31000. Do not hesitate to contact us.


