Setting the scene for my ISO 31000 journey
When I began writing my book on risk management for workplace and process risks, I realised how easy it was to overcomplicate the subject. I needed to rethink my approach to the point where I “simplified” risk management.
Making an important subject like risk management unintelligible is neither helpful nor effective in getting the desired end results (i.e., to effectively manage risks).
Having researched various options, I opted to use the ISO 31000 (2018) “Risk Management – Guidelines” framework as the baseline for my book.
However, to achieve that simplification, I had to draw on my own experience and dovetail it with the ISO 31000 guidelines.
In this article, I want to briefly share with you some background on ISO 31000 and my thoughts behind simplifying risk management.
What is ISO 31000?
ISO 31000 (2018) “Risk Management – Guidelines” sets out principles, a framework and a process for managing risk. Using it can help organisations to:
- Achieve their objectives;
- Improve the identification of opportunities and threats; and
- Effectively allocate and use resources for risk treatment (i.e., the process of modifying risk).
However, what you might not know is that the ISO website also provides an Online Browsing Platform (OBP) that lets you preview the content of ISO 31000 before you buy. This is well worth checking out.
How can ISO 31000 help?
Whatever your reasons or motivators might be, if your Organisation’s objective is to have a structured approach for risk management, then ISO 31000 can provide the principles, framework and a process for managing risk.
Management Systems and ISO 31000
From a popularity perspective, many of you will be familiar with the ISO 14001 (2015) Environmental Management and ISO 45001 (2018) Occupational Health and Safety Management standards.
Take a peek into either of these standards and you will find references to ISO 31000. This is no coincidence: fundamentally, both are about managing risks, and ISO 31000 provides the guidelines that facilitate and support risk management.
Whilst management systems such as ISO 14001 and ISO 45001 are certifiable, ISO 31000 is a set of guidelines and is not a certifiable standard. ISO 31000 does, however, provide guidance that can be used by internal or external audit programmes.
ISO 31000 can provide a useful platform for comparing an individual organisation’s risk management practices against an international benchmark. This can help to support your management and corporate governance aspirations.
Why use ISO 31000 as your reference point?
Following an international guideline for managing risk can help to ensure that an organisation is implementing recognised good practice, particularly in its management and overall operations.
ISO standards and guidelines are approved by a substantial majority of the national member bodies casting a vote (for ISO, a two-thirds majority of participating members in favour and no more than one-quarter of the votes cast negative). This consensus provides a level of assurance and helps to justify adopting the guidelines.
The simplified approach for risk management
Based upon ISO 31000, for an effective risk management framework, we can formulate the following:
Risk Management Framework = Risk Management Policy + Risk Management Plan
Where, as per ISO 31000 guidelines:
Risk Management Policy = High-level statement of the overall intentions and direction of an Organisation related to risk management.
Risk Management Plan = Scheme specifying the approach, the management components (or elements) and resources to be applied to the management of risk.
The Risk Management Policy will set out the objectives, mandate, roles, responsibilities and commitment to manage risk. It will provide an overview of the Risk Management Framework and Plan.
The Risk Management Plan will comprise, for example, procedures, treatment plans, assignment of responsibilities, performance measurement, monitoring and reporting, review periods, and the sequence and timing of activities.
Like with all standards and guidelines, the devil is in the detail or to be more precise, in the Risk Management Plan.
There is no “one size fits all”, and when it comes to the foundations and arrangements for the Risk Management Plan, this is where the pitfalls and the potential for overcomplication lie.
When advising Clients (which is also the crux of my book, “Risk Management Simplified”), my advice is to consider the following elements as key influencing factors within the Risk Management Plan:
- Risk Attitude.
- Risk Control.
- Risk Identification and Assessment.
- Actions Management.
- Performance Improvement.
There are of course other elements that can be thrown into the mix, but I consider the above to be the critical elements.
Is ISO 31000 a good choice for my risk management framework?
The title of my article is about “choice” for a risk management framework.
After much research for my book, I opted for the ISO 31000 guidelines because it allows every Organisation to establish a bespoke framework focusing on the Policy and Plan.
The foundation and arrangements for the Policy and Plan (which together make up the Framework) need to be clear, especially the Risk Management Plan.
Even if you already have an established risk management framework or process, it is well worthwhile benchmarking it against ISO 31000.
A “gap analysis” approach can provide additional assurance that, whatever framework or process is being used, its elements and components are in harmony with international practice.