The Basics of ISO 31000:2018 Risk management – Principles and Guidelines

Overview

ISO 31000 is an international standard first published in 2009 and revised in 2018 (the 2009 edition was titled "Risk management – Principles and guidelines"; the 2018 edition is simply "Risk management – Guidelines"). It provides principles and guidelines for an effective risk management strategy and outlines a comprehensive approach to identifying, analysing, evaluating, treating, monitoring and communicating risks across an organization. It is a guidance standard rather than a certification standard: organizations are not certified against ISO 31000 itself.

The standard's overarching goal is to develop a risk management culture in which employees and stakeholders understand the importance of monitoring and managing risk.

  • It introduces the notion of risk appetite, the level and type of risk the organization is willing to accept or take on in return for expected value, which is expressed in practice through its risk criteria.
  • It outlines a management philosophy in which risk management is an integral part of strategic decision-making and the management of change.
  • It defines a risk management framework with organizational procedures, roles and responsibilities for managing risk.

Principles

To achieve its goal, the standard is built on 8 principles centred on value creation and protection; applied together, they improve overall performance, encourage innovation and support the achievement of the organization's objectives. Every part of the risk management system, from the framework to the process, is founded on these principles. The framework follows a continual-improvement cycle in the spirit of PDCA (plan, do, check, act): the organization designs, implements, evaluates and improves its risk management as internal and external factors change over time.

1.Integrated: –Risk management is not separated from the main activities and processes of the organization; it is a part of decision-making in every department

2.Structured and Comprehensive: – Risk management is structured with guidelines and procedures to follow to maintain productivity and efficacy

3.Customized: – Risk management processes are not one-size-fits-all and must be tailored to the organization’s external and internal context to reach objectives

4.Inclusive: – The involvement of stakeholders allows their knowledge and views to be considered, guaranteeing that risk management is relevant and up to date

5.Dynamic: –Context and knowledge within an organization change constantly and should be acknowledged as they do. Risk management must anticipate and respond to change continually and in a timely manner to maintain efficiency and results

6.Best Available Information: –An organization will never have all the information it would like, so decisions are taken on the best available information: historical and current data together with expectations about the future. Stakeholders should have access to that information and be told explicitly of its limitations and uncertainties

7.Human and Cultural Factors: –Risk management is significantly influenced by human behaviour and culture. Risk management must recognize the organization's capabilities and the perceptions and intentions of the people within and around it, since these can either help or hinder the achievement of the organization's objectives

8.Continual Improvement: –Improving continually through experience ensures the organization’s resiliency

Framework

The risk management framework aims to help organisations integrate risk management into their key operations and tasks. Effective risk management requires integration with organisational governance and decision-making processes.

This requires cooperation from stakeholders, especially top management.

Framework development involves integrating, designing, implementing, evaluating and improving risk management throughout an organisation.

Top management and oversight bodies should integrate risk management into all organizational activities, demonstrating leadership and commitment. Top management is responsible for managing risk, while oversight bodies oversee risk management.  

1.Integration: –Integrating risk management into an organization is a continuous and iterative process and should be tailored to the organization's requirements and culture. Risk management should be integrated into the organization's purpose, governance, leadership and commitment, strategy, objectives and operations, rather than treated as something distinct from them.

2.Design: –To design a risk management framework, an organization needs to understand its external and internal context: social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local, as well as its own governance, structure, culture, capabilities and contractual obligations. Top management and oversight bodies should articulate their commitment to risk management (typically through a policy) and allocate suitable resources for it.

3.Implementation: –Effective implementation of the framework requires stakeholder engagement and awareness. This allows organizations to address uncertainty in decision-making and account for new or emerging uncertainties as they arise. A well-designed and implemented risk management framework integrates risk management into all organizational processes, including decision-making, and captures changes in both external and internal settings.

4.Evaluation: –To evaluate the effectiveness of the risk management framework, the organization should not only periodically measure risk management framework performance against its purpose, implementation plans, indicators and expected behaviour but also determine whether it remains suitable to support achieving the objectives of the organization.

5.Improvement: –To keep pace with external and internal change, the organization's risk management framework should be continuously monitored and adapted. Doing so increases the value risk management delivers to the organization. Once gaps or improvement opportunities are discovered, the organization should create plans and assign tasks to those responsible for implementation. Implementing these enhancements strengthens risk management and so results in continual improvement.

Risk Management Process

The risk management process involves applying policies, procedures and practices to communicate and consult, establish context, assess, treat, monitor, review, record and report risk. The changing nature of human behaviour and culture should be considered throughout. The risk management process outlined in ISO 31000 comprises the following activities (note that risk identification, risk analysis and risk evaluation are the three sub-steps of risk assessment):

1.Communication and consultation.

Communication and consultation help stakeholders understand risk, the basis on which decisions are made and the reasons why particular actions are required. They keep the risk management process focused on the right elements and help explain the rationale for decisions and for particular risk treatment options.

The aim at this stage is to bring different areas of expertise together for each step of the risk management process and to ensure that different views are appropriately considered when defining risk criteria and when evaluating risk.

2.Scope, Context & Criteria

Establishing the scope, context, and criteria helps customise the risk management process, allowing for successful risk assessment and treatment.

When defining scope, the organization should state which risk management activities are covered. Because the process may be applied at various levels (strategic, operational, programme, project or other activities), it is important to be clear about the scope under consideration, the relevant objectives to be considered and their alignment with organizational objectives.

To apply the risk management process effectively, it is important to understand the organization’s external and internal environments, as well as the specific activity at hand (context).

The organization should define the amount and type of risk it is prepared to accept in relation to its objectives, and specify the risk criteria it will use to evaluate the significance of risk and to support decisions. Risk criteria should align with the organization's goals, objectives, resources and risk management policies and statements, and should be set before risk assessment begins, although they may be refined as the assessment proceeds.

3.Risk Assessment

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.

Risk assessments should be systematic, iterative, and collaborative, incorporating stakeholder knowledge and perspectives.

4.Risk identification:

Risk identification aims to find, recognize and describe risks that might help or prevent the organization achieving its objectives.
Relevant, appropriate and up-to-date information is crucial for identifying risks. Each identified risk may have more than one outcome, each with its own tangible and intangible consequences.

5.Risk analysis

The purpose of risk analysis is to understand the nature of the identified risks, including their sources and causes, and to estimate their likelihood and consequences given the existing controls, in order to determine the level of residual risk.

Risk analysis can vary in detail and complexity based on the aim, available information, and resources. Analysis approaches can be qualitative, quantitative, or a combination of both, depending on the context and intended application.

6.Risk evaluation:

The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required or whether the residual risk is tolerable.

Decisions should take account of the wider context, the actual and perceived consequences to external and internal stakeholders. The outcome of risk evaluation should be recorded, communicated, and then validated at appropriate levels of the organization

7.Risk treatment

The purpose of risk treatment is to select and implement options for addressing risk. Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits in relation to the achievement of the objectives against the costs, effort or disadvantages of implementation. Risk treatment options, which are not necessarily mutually exclusive, may involve:

  • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  • Taking or increasing the risk in order to pursue an opportunity
  • Removing the risk source
  • Changing the likelihood
  • Changing the consequences
  • Sharing the risk (for example through contracts or insurance)
  • Retaining the risk by informed decision

When deciding on risk treatment options, organizations should consider stakeholder values, perceptions and potential involvement, and the most appropriate ways to communicate and consult with them. Not every option is appropriate in every circumstance, and an option that is acceptable to some stakeholders may not be acceptable to others.

Even with careful design and implementation, risk treatments may not yield expected results and may lead to unforeseen effects. Monitoring and reviewing risk treatments is crucial for ensuring their effectiveness.
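The analysis, evaluation and treatment steps above are easiest to see on a concrete risk register. The following is an added worked example, not code from the page or from ISO 31000 (which prescribes no scoring method): it uses assumed 1–5 ordinal scales for likelihood and impact, treats existing controls as steps down those scales to obtain residual risk, compares residual risk against per-objective risk criteria, and re-evaluates after a proposed treatment so that a treatment that does not actually bring the risk within criteria is flagged rather than assumed to work. The register entries, control effects and thresholds are constructed sample data.

```python
"""Risk register walk-through: analysis -> evaluation -> treatment -> re-check.

Added example. The scales, scores and thresholds below are assumptions for
illustration; ISO 31000 leaves the choice of analysis method to the organization.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed ordinal scales (not from the standard).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """An existing or proposed control, modelled as steps down each scale."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    id: str
    description: str
    objective: str                 # the organizational objective the risk relates to
    likelihood: str                # inherent likelihood, before any control
    impact: str                    # inherent impact, before any control
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk level before controls (likelihood x impact)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Risk level with existing controls applied; neither scale drops below 1."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)


def evaluate(risk: Risk, criteria: Dict[str, int]) -> str:
    """Risk evaluation: compare residual risk with the criterion for its objective."""
    return "tolerable" if risk.residual() <= criteria[risk.objective] else "treat"


def treat(risk: Risk, proposed: Control, criteria: Dict[str, int]) -> bool:
    """Risk treatment: apply a proposed control, then re-evaluate.

    Returns True only if the treated risk now meets the criteria, so an
    insufficient treatment is surfaced instead of silently assumed to work.
    """
    risk.controls.append(proposed)
    return evaluate(risk, criteria) == "tolerable"


def register_report(risks: List[Risk], criteria: Dict[str, int]) -> List[Tuple[str, int, int, str]]:
    """(id, inherent, residual, decision) rows, highest residual risk first."""
    rows = [(r.id, r.inherent(), r.residual(), evaluate(r, criteria)) for r in risks]
    return sorted(rows, key=lambda row: -row[2])


def build_sample_register() -> Tuple[List[Risk], Dict[str, int]]:
    """Constructed sample data: three risks and per-objective risk criteria."""
    criteria = {"service availability": 6, "data confidentiality": 4}  # max tolerable residual
    risks = [
        Risk("R1", "Ransomware on file servers", "data confidentiality", "likely", "severe",
             [Control("Offline backups", impact_reduction=2),
              Control("EDR on servers", likelihood_reduction=1)]),
        Risk("R2", "DDoS against public website", "service availability", "possible", "major",
             [Control("CDN with DDoS scrubbing", likelihood_reduction=1, impact_reduction=1)]),
        Risk("R3", "Insider bulk export of customer data", "data confidentiality", "unlikely", "major"),
    ]
    return risks, criteria


if __name__ == "__main__":
    risks, criteria = build_sample_register()
    for row in register_report(risks, criteria):
        print("%s inherent=%2d residual=%2d -> %s" % row)
    r1, r3 = risks[0], risks[2]
    print("R1 after segmentation+MFA:", treat(r1, Control("Segmentation and MFA", likelihood_reduction=2), criteria))
    print("R3 after DLP only:", treat(r3, Control("DLP on egress", impact_reduction=1), criteria))
```

Running the script prints the register ordered by residual risk (R1 at 9 and R3 at 8 both exceed the confidentiality criterion of 4, while R2 at 6 sits exactly on the availability criterion and is retained), then shows that the proposed treatment for R1 brings it to 3 and is accepted, whereas a DLP-only treatment for R3 leaves it at 6 and is reported as insufficient, which is exactly the "did the treatment actually work" check the monitoring and review step requires.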

8.Monitoring and review

Monitoring and reviewing processes ensure quality and effectiveness in design, implementation, and outcomes.
The risk management approach should include regular monitoring and review of outcomes, with clearly defined responsibilities.

It consists of measuring risk management performance against indicators, which are periodically reviewed for appropriateness. It involves checking for deviations from the risk management plan, checking whether the risk management framework, policy and plan are still appropriate.

9.Recording and reporting

The risk management process and its outcomes should be documented and reported through appropriate mechanisms.

Decisions concerning the creation, retention and handling of documented information should consider, among other things, its intended use, the sensitivity of the information, and the external and internal context.

In conclusion, understanding the basics of ISO 31000:2018 Risk Management – Principles and Guidelines is essential for any organization aiming to enhance its risk management practices. This international standard provides a comprehensive framework for identifying, assessing, and mitigating risks, ensuring that organizations can navigate uncertainties effectively and make informed decisions.

At Sentinel Africa, we specialize in training individuals for the certified ISO 31000 LRM course and in helping organizations implement ISO 31000, guiding you through the process to achieve robust risk management practices. Our expertise ensures that you not only meet the standard but also leverage it to enhance your organizational resilience and performance. Contact us to learn more about how we can support your journey towards effective risk management.

By Reagan Odira – Consultant at Sentinel Africa Consulting
