ISO/IEC 31000 for Risk Management

In an ideal scenario, businesses would run without a worry. No worry that anything could derail them from achieving their strategic objectives. Of course, those of us in the real world know that is not the case.

Indeed, the real world is rife with unforeseen events — emanating from within and outside — that can stop organizations in their tracks. One example is Boeing, who recently reported weak numbers for new plane orders, linked to long-term safety, quality, and reputational issues that the company has been grappling with.

When it comes to risk, the top threats that organizations reported feeling highly or extremely exposed to include inflation, cyber risks, and macro-economic volatility among others.

Top threats to organizations, as self-reported in 2023 (Source: PWC)

In today’s turbulent business environment where change is constant, strong risk and resilience capabilities can provide an edge. Putting in place measures to shape an organization’s exposure to risk — as well as mechanisms to mitigate such events and build resilience — are crucial capabilities required to survive and thrive in this environment.

The ISO 31000 standard for risk management is a valuable resource that can bolster an enterprise’s approach to dealing with these uncertainties, which can either:

• Pose threats.
• Offer opportunities.

In this article, we will understand the background, content, and benefits that organizations can gain from adopting this standard in managing risks.

What is ISO 31000?

ISO 31000 is an international standard that is all about risk management for organizations.

Currently in its second edition, the ISO 31000:2018 standard provides guidelines in form of principles, a framework and process for identifying, analyzing, evaluating, treating, monitoring, and communicating risks in any organization based on their context (and regardless of type, size, or location).

ISO 31000 Components (Source)

ISO 31000 provides direction on how to integrate risk-based decision making in key areas such as:

• Governance
• Management
• Planning
• Values
• Culture

By adopting the guidance from this standard, your organization can enhance its probability of achieving its objectives, and also increase the level of protection for your assets.

The ISO 31000 addresses operational continuity, in addition to providing a level of reassurance in terms of:

• Economic resilience
• Professional reputation
• Environmental and safety outcomes

The ISO 31000 standard was developed by ISO’s technical committee (ISO/TC 262) on risk management.

(Related reading: vulnerabilities, threats, and risk & common risk management frameworks.)

Latest version

The updated version addressed the emergence of new challenges such as:

• Increased complexity of economic systems
• Emerging risk factors such as digital currency

It also provided more strategic guidance and emphasized on the involvement of senior management and the integration of risk management into the organization, while placing a greater focus on creating value as the key driver of risk management.

(Related reading: AI risk management, cybersecurity risk management, financial crime risk management & 

ISO 31000 certification

Organizations cannot be certified against the ISO 31000 standard.

But, organizations can adopt the guidance in pursuit of certification of other ISO standards that include risk management requirements such as ISO 9001:2015 for quality management, ISO/IEC 20000-1:2018 for service management, and ISO/IEC 27001:2022 for information security management, among others.

8 Principles of ISO 31000

The ISO 31000 is founded on 8 principles which are concepts centered upon the foundation of creating and protecting value for the organization.

ISO 31000 Principles (Source)

The principles outlined in clause 4 of the standard now follow:

Integrated

Risk management is an integral part of all organizational activities. From the leadership to employees, all organizational stakeholders should be involved in managing risks. Risk should be embedded in the processes and responsibilities across all levels:

• Strategic
• Tactical
• Operational

Structured & comprehensive

Risk management should be implemented and managed in a systematic manner that promotes productivity and effectiveness within the organization. The framework should:

• Be easily understood.
• Contribute to consistency in its results.

Customized

Risk management should be tailored to suit the internal and external context of the organization. Organization can choose to take a formal or informal approach to applying the guidelines.

Inclusive

Risk management should consider the opinions of a diverse range of internal and external stakeholders. As these perspectives change over time, the approach should be regularly refreshed with input from these stakeholders.

Dynamic

The risk management approach should be regularly updated in response to changes in the organization’s operational context. Because of the rapid evolution of internal and external factors that affect strategy and operations, the risk management approach should be able to detect and respond to such changes appropriately.

Best available information

Risk management is only as good as the information that goes into it. For this reason, the organization should make every effort to get the highest quality of information for assessing and managing risks, including considering historical and current context, and forecasting the future where possible.

Human & cultural factors

The risk management activities are significantly impacted by the human element, since they happen in an environment where people respond differently to certain situations. The influence of behavior and culture cannot be understated — consider these factors throughout the risk management activities.

(Related reading: organizational change management.)

Continual improvement

Improving every facet of the risk management approach ensures that it remains relevant to supporting the organization to meet its goals, which should translate to the generation and preservation of value.

ISO 31000 Framework

The risk management framework adapts the risk management process into the organization’s way of working, through the support of the leadership. The top management and relevant oversight bodies facilitate the implementation of the framework by:

• Providing direction through the risk management policy.
• Availing the required resources.
• Assigning relevant roles and responsibilities.

ISO 31000 Framework (Source)

There are five framework elements that are outlined in clause 5 of the standard that should be tailored to suite the organizational context:

Integration

Following the principle of an integrated risk management system, the organization should manage risk in every part of the structure.

The establishment of governance mechanisms can entrench the risk management framework into the organizations processes, and then management translates the governance direction into the strategy and business objectives that are cascaded down the organizational structure.

(Related reading: governance, risk & compliance, the GRC triangle.)

Design

The risk management framework is designed based on the operational context, with consideration for both internal and external issues.

Leadership commitment is articulated and communicated, and relevant roles, responsibilities, authorities, and accountabilities assigned. Required resources (people, technology, information, finances) are made available, and a communication and consultation mechanism crafted.

Implementation

The risk management design is then translated into reality within the organization through a well thought out plan that is directed by the leadership. Stakeholders are engaged so that they are made aware of the impact of the framework on their area of interest. Capacity is built within the organization through training and other upskilling mechanisms, and the framework is embedded into the operational processes.

Evaluation

Once implemented, the organization periodically measures the performance of the risk management framework against the designed purpose, implementation plans, indicators, and expected behavior.

A determination is made as to whether the framework is still fit for purpose.

Improvement

The output of the evaluation triggers actions to improve the risk management framework. Plans are drawn up, assigned, and resources allocated towards enhancing the effectiveness of the framework. This is an iterative process, that continues throughout the life of the framework.

ISO 31000 Process

The risk management process specifies the actions that should be carried out to address any potential opportunities or threats that the organization faces. The process is based on the ISO 31000 principles and is implemented through the framework we just looked at.

ISO 31000 Process (Source)

The risk management process consists of the following activities outlined in clause 6 of the standard:

Scope, context, criteria

This involves defining the scope of the process and understanding the internal and external context.

The scope of the risk management process considers the organization’s objectives, as well as available resources among other factors. Too wide a scope may prove a challenge to manage properly, while a narrow scope may be ineffective in addressing the risks encountered.

Understanding the context enables the organization to effectively customize the risk management process to suit their needs.

The criteria specify the type and amount of risk that the organization is willing to bear and informs the approach to mitigating the identified risks.

(Related reading: risk appetite vs. risk tolerance.)

Risk assessment

This is the overall process of identifying, analyzing, and evaluating risks. It is an iterative and collaborative process, that requires information from all stakeholders to be effective.

• Risk Identification: Here, multiple techniques are applied to identify risks that the organization is exposed to based on the operational context. Identified risks are logged into a risk register.
• Risk Analysis:  The identified risks are then analyzed to comprehend their nature and characteristics including likelihood and impact on the organization. The analysis informs prioritization and evaluation of the risks in readiness for treatment.
• Risk Evaluation: The analyzed risks are then compared against the established risk criteria to determine the strategy to address them.

(Related reading: risk scoring.)

Risk treatment

Here, the options for addressing the risks according to the evaluation are selected and implemented. Justification for treatment is based on resource availability and stakeholder considerations.

Treatment options include acceptance, avoidance, sharing, or mitigation of likelihood and impact. The output from risk treatment is fed back into risk assessment to determine the residual risk, and inform further action.

Communication and consultation

Occurring throughout the entire process, communication and consultation assists stakeholders to understand the risks and respond appropriately.

Without communication and consultation, the ability of the organization to effectively manage risks would be greatly hampered especially where complexity requires a cross-functional approach to analyze and treat the risks effectively.

Monitoring and review

This is an ongoing activity to assure the process and improve its quality and effectiveness. The results are fed into the organization’s performance management framework.

Recording and reporting

Documenting of the risk management process outputs ensures that stakeholders are well informed and that a reference point exists for analysis and improvement purposes.

Getting Started with ISO 31000

According to the risk management handbook, published jointly by ISO and UNIDO, the approach to initiating the implementation of the ISO 31000 guidelines can be summarized in 3 key activities:

• Awareness of the organization’s key objectives to clarify the targets and requirements of the risk management system to be implemented.
• Assessment of the organization’s current governance structure to ensure allocation of the right roles, responsibilities and reporting procedures related to risk management.
• Definition of the organization’s commitment level in terms of what resources to be allocated to the implementation and maintenance of the risk management system.

It is worth remembering that any risk management system based on ISO 31000 or any other framework does not guarantee that a business will navigate successfully through all challenges it faces.

It does, however, provide the capabilities that can empower the organization to be better prepared and ultimately resilient whenever such unforeseen circumstances materialize.