Risk Management – Principles and Guidelines
Risk management is an increasingly important business driver, and stakeholders have become much more concerned about risk. Risk is becoming a driver of strategic decision making: it may be a source of uncertainty in the organization, or it may simply be embedded in its activities. An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach allows an organization to benefit from what is often referred to as the ‘upside of risk’. The global financial crisis of 2008 demonstrated the importance of adequate risk management. Since then, new risk management standards have been published, including the international standard ISO 31000, ‘Risk management – Principles and guidelines’.
Risk is an intrinsic component of business management: empirical evidence shows that 50 % of small and medium-sized enterprises (SMEs) close down before completing their fifth year. Business risks have their own consequences in terms of economic performance and professional reputation, and they also carry environmental, safety and social considerations. According to ISO, ISO 31000:2009, Risk management – Principles and guidelines, was designed to provide principles, a framework and a process for risk management that can be used by any organization regardless of its size, activity or sector. Applying ISO 31000 together with other standards such as ISO 9001 helps organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and allocate and use resources for risk treatment effectively. ISO 31000 is, however, a set of guidelines: it provides guidance for minimizing external and internal risks. ‘Risk assessment’ sounds like a new term in industry today, but the practice has existed from the beginning and was neglected for centuries. It is receiving attention now because of intense competition and market forces: although uncertainty underlies every business, it is often possible to predict risks, to put systems in place and to design actions that minimize their negative consequences and maximize the positive ones. Risks that arise from disorder can be controlled through better management and governance, and businesses that adopt a risk management strategy are more likely to survive and to grow.
ISO 31000:2009 provides generic guidelines for designing, implementing and maintaining an efficient risk management model throughout an organization. This facilitates broader adoption of enterprise risk management in the organization’s own context, wherever multiple silo-centric management systems need to be harmonized. The approach enables all strategic, management and operational tasks of an organization to be captured in the risk management system across the projects, functions and processes that are aligned to a common set of risk management objectives. Accordingly, ISO 31000:2009 addresses a broad stakeholder group comprising executive-level stakeholders, appointment holders in the enterprise risk management group, risk analysts and management officers, line managers and project managers, compliance and internal auditors, and independent auditors.
ISO 31000:2009 also provides a list of options for dealing with identified risks:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
- Accepting or increasing the risk in order to pursue an opportunity
- Removing the risk source
- Changing the likelihood
- Changing the consequences
- Sharing the risk with another party or parties (including contracts and risk financing)
- Retaining the risk by informed decision
Risk Management Principles
Risk management is a process underpinned by a set of principles. It also needs to be supported by a structure that is appropriate to the organization and its external environment or context. A successful risk management initiative should be proportionate to the level of risk in the organization (as related to the size, nature and complexity of the organization). Further, it must be aligned with other corporate activities, comprehensive in its scope, embedded in routine activities and dynamic, responding to changing circumstances. This approach enables a risk management initiative to deliver outputs including compliance with applicable governance requirements, assurance to stakeholders regarding the management of risk, and improved decision making. The benefits associated with these outputs include more efficient operations, more effective tactics and a more efficacious strategy. These benefits need to be measurable and sustainable.
Nature and Impact of Risk
Risks can impact an organization in the short, medium and long term; these risks relate to operations, tactics and strategy, respectively. Strategies are set out for the long-term aims of the organization, and the strategic planning horizon for an organization will typically be 3, 5 or more years. Tactics define how an organization intends to achieve change; tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations, on the other hand, are the routine activities of an organization.
Definition of Risk
There are many definitions of risk and risk management. The definition set out in ISO Guide 73 is that risk is the “effect of uncertainty on objectives”. To assist with the application of this definition, Guide 73 also states that an effect may be positive, negative or a deviation from the expected, and that risk is often described by an event, a change in circumstances or a consequence. This definition links risks to objectives, so it can most easily be applied when the objectives of the organization are comprehensive and fully stated. Even when fully stated, the objectives themselves need to be challenged and the assumptions on which they are based tested, as part of the risk management process.
In line with the current multiple-platform initiative, the ISO 31000 framework also mirrors the plan, do, check, act (PDCA) cycle, which is common to all management system designs. However, the standard states: “This framework is not intended to prescribe a management system, but rather to assist the organization to integrate risk management into its overall management system”. This statement encourages organizations to be flexible in incorporating elements of the framework as needed.
Major elements of the framework include:
- Policy and Governance: provides the mandate and demonstrates the commitment of the organization
- Program Design: design of the overall framework for managing risk on an ongoing basis
- Implementation: implementing the risk management structure and program
- Monitoring and Review: oversight of the management system structure and performance
- Continual Improvement: improvements to the performance of the overall management system
The actual process of assessing risks first requires definition of what ISO 31000 calls the “context”, where context is the combination of the external and internal environments, both viewed in relation to organizational objectives and strategies. Context setting begins during the framework phase with the examination of the organization’s internal and external environments, but management should continue this assessment in greater detail here and focus on the scope of the particular risk management process.
The remaining assessment steps involve developing techniques to identify, analyze and evaluate specific risks. While multiple documented methods and techniques exist, all should include the following key elements:
Risk Identification
- Identification of the sources of a particular risk, areas of impact, and potential events including their causes and consequences
- Classification of the source as internal or external
Risk Analysis
- Identification of potential consequences and factors that affect the consequences
- Assessment of the likelihood
- Identification and evaluation of the controls currently in place
Risk Evaluation
- Comparison of the identified risks to the established risk criteria
- Decisions made to treat or accept risks with consideration of internal, legal, regulatory and external party requirements
Those interested in each of the risk assessment techniques and methods should refer to ISO/IEC 31010 (please refer to the next article). The complexity of the methods and the extent of analysis required depend heavily on the nature of the organization, and management should consult all stakeholders when developing an appropriate approach. Overall, management should develop and implement risk treatments that reduce residual risks to levels acceptable to key stakeholders, and should monitor and adjust them to ensure efficiency and effectiveness.
Key Aspects of Planning Risk Management
- There is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. This applies to any organization, including those never certified to any standard.
- Organizations need to understand the overall level of risk embedded within their processes and activities, so that they can recognize and prioritize significant risks and identify the weakest critical controls.
- The expected benefits of the risk management initiative should be established in advance when setting out to improve risk management performance.
- The outputs from successful risk management include compliance, assurance and enhanced decision-making, which provide benefits through improvements in the efficiency of operations, the effectiveness of tactics (change projects) and the efficacy of the organization’s strategy.
Really very good post. I would also like to share my thoughts. ISO 31000 is essentially a collection of global guidelines for organisations to follow in times of crisis and is said to provide insight into what needs to be done in times of risk.