ISO 31000 is a generic risk management standard. It can be used by any organization no matter what size it is or what it does. It can be used by both public and private organizations and by groups, associations, and enterprises of all kinds. It is not specific to any sector or industry and can be applied to any type of risk. ISO 31000 can be applied to the achievement of any and all types of objectives at all levels and areas within an organization. It can be used at a strategic or organizational level to help make decisions and can be applied to all types of activities. It can be used to help manage processes, operations, projects, programs, products, services, and assets.
The two primary components of the ISO 31000 risk management process are:
- The Framework, which guides the overall structure and operation of risk management across an organization; and
- The Process, which describes the actual method of identifying, analyzing, and treating risks.
Framework
The ISO 31000 Framework mirrors the plan, do, check, act (PDCA) cycle, which is common to all management system designs. The standard states, however, that, “This Framework is not intended to prescribe a management system, but rather to assist the organization to integrate risk management into its overall management system”. This statement should encourage organizations to be flexible in incorporating elements of the framework as needed.
Major elements of the Framework include:
- Policy and Governance. Provides the mandate and demonstrates the commitment of the organization.
- Program Design. Design of the overall Framework for managing risk on an ongoing basis.
- Implementation. Implementing the risk management structure and program.
- Monitoring and Review. Oversight of the management system structure and performance.
- Continual Improvement. Improvements to the performance of the overall management system.
Organizations, particularly those without a prior familiarity with management systems, should prepare to spend considerable time establishing a robust framework and avoid the urge to dive directly into the risk assessment process. Process design is an important step because the Framework provides the stability and continuity to assist in establishing a program as opposed to just executing a project.
Key elements that organizations should not overlook include:
- Establishing management commitment both during the implementation and on a long-term basis, including:
  - Identification and allocation of needed resources, including sufficient expertise and budget to sustain the program.
  - Establishment of a regular review cycle to maintain program visibility to management and motivate all participants.
- Developing a program that works within the organization, its culture and environment, including:
  - of key external stakeholders.
  - Understanding the internal forces – existing governance, organizational structure, culture, and organizational capabilities.
The extent to which an organization considers and implements any of these elements is dependent on the organizational purpose and needs. The goal is a visible, adequately-equipped program that is compatible with the organization’s culture and objectives and sustainable for the long-term.
Process
After establishing the risk management Framework, an organization is ready to develop the Process. The Process, as defined by ISO 31000, is “multi-step and iterative; designed to identify and analyze risks in the organizational context”.
Major elements of the Process, as seen in the diagram below, include:
- Active Communication.
- Process Execution.
  - Risk identification.
  - Risk analysis.
  - Risk evaluation.
  - Risk treatment.
- Oversight.
The first and third activities should occur regularly during the risk assessment Process. Early in the Process, regular communication is critical to understanding stakeholders’ interests and concerns, thus validating the focus of the Process. At later stages, regular communication helps convey the rationale behind decisions and why the organization needs certain risk treatments. In addition, regular oversight ensures that the organization addresses changes in the risk environment and processes and that controls operate effectively. Together, these activities ensure that all stakeholders clearly understand expectations and that the organization addresses change as quickly as possible.
The actual process of assessing risks first requires definition of what ISO 31000 calls the “context”. The context is a combination of the external and internal environments, both viewed in relation to organizational objectives and strategies. The context setting process begins during the Framework phase with the examination of the organization’s internal and external environments, but management should continue this assessment in greater detail here and focus on the scope of the particular risk management Process.
The remaining assessment steps involve developing techniques to identify, analyze, and evaluate specific risks. While multiple documented methods and techniques exist, all should include the following key elements:
- Risk Identification.
  - including their causes and consequences.
  - Classification of the source as internal or external.
- Risk Analysis.
  - Assessment of the likelihood.
  - Identification and evaluation of the controls currently in place.
- Risk Evaluation.
  - Decisions made to treat or accept risks with consideration of internal, legal, regulatory and external party requirements.
Those interested in each of the risk assessment techniques and methods should consult ISO/IEC 31010, the supporting auxiliary document mentioned earlier. Of note, the complexity of methods and the extent of analysis required are highly dependent on the nature of the organization and management should consult with all stakeholders when developing an appropriate approach.
Overall, management should develop and implement risk treatments to reduce residual risks to levels acceptable to key stakeholders and monitor/adjust to ensure efficiency and effectiveness.
Relationship to ASIS SPC.1-2009 and Business Continuity
The release of both ISO 31000 and the ASIS SPC.1 Organizational Risk standard in such close proximity to each other raised several questions. Since both are management systems-based, should the industry view them as equivalent or interchangeable? How do they relate to business continuity? And which, if either, is a sound basis for Enterprise Risk Management (ERM)?
While both standards leverage the management systems processes and describe a similar process structure, SPC.1 presents a somewhat more limited scope, defining Organizational Resilience in terms of security, preparedness and continuity while ISO 31000 maintains a broader – perhaps more strategic – focus.
Regarding business continuity, it is just one of the many risk treatments that would comprise the more strategic risk management program espoused by ISO 31000. As a result, business continuity should be viewed as a sub-component of the risk management program described in ISO 31000 because it addresses one specific risk (process, resource and technology availability).
Conclusions
Overall, the risk management principles and processes described in ISO 31000 and supported by the guidance of ISO/IEC 31010 provide a robust system that allows an organization to design and implement a repeatable, proactive and strategic program. The design of specific program elements is highly dependent on the goals, resources, and circumstances of the individual organization. Regardless of the level of implementation, management involvement in setting direction and regularly reviewing results should be a part of every program; this will not only elevate the management of risk, but also ensure an appropriate treatment of risk based on organizational objectives and long-term strategies.