Introduction to ISO

The International Organization for Standardization, commonly referred to as ISO, is an independent, nongovernmental organization that brings together experts to share knowledge, develop consensus-based standards and offer solutions to global challenges. These standards are thought of as formulas for the best ways of doing things.

Following the ISO standards is voluntary; they are not regulatory requirements. Organizations that commit to ISO standards go above and beyond their legal obligations.

ISO 31000: Risk Management

ISO 31000 is the latest set of guidelines for risk management practices, replacing the 2009 guidelines.

These guidelines were developed for people who create and protect value in an organization by:

  • Managing risk
  • Making decisions
  • Setting and achieving objectives
  • Improving performance

ISO 31000 provides a common approach to managing any type of risk, regardless of the industry. The guidelines can be customized and adapted to fit any organizational structure, management style, or work culture. And they can be applied at all levels of your organization.

Benefits of participation include:

  • Access to guidelines and definitions that provide consistency across industries
  • An ability to uncover risks previously hidden or not considered
  • A framework for prioritizing the risks that are the most relevant and specific to your organization
  • A leadership commitment to risk management that creates a ripple effect throughout your organization

There are six sections within each ISO standard, and they all follow the same format. This allows an organization to follow the ISO process consistently at all levels.

The six sections are:

  • Scope
  • Normative References, if applicable
  • Definitions of terms used in the guidelines
  • Principles (values) identified for creating and managing the framework and processes
  • Framework, which enables an organization to integrate the principles and processes across its management systems
  • Process, or guidance on the systematic application of policies, procedures and practices, including communicating, assessing, recording and reporting

Section 3: Definitions

Defining terms accurately and consistently ensures that an organization is clear on how a term is used. It also guarantees that all other organizations following the ISO standard are using the same definitions.

For example, in the 2018 revision of ISO 31000, “risk” is now defined as “the effect of uncertainty on objectives.” This represents a shift in the traditional understanding of risk, allowing organizations to tailor risk management to their needs and objectives.

Sections 4-6: The meat

Sections 4 through 6 are the meat of the guidelines. They help an organization create and protect value by identifying and eliminating or controlling risks. Integrating the standard’s principles, framework and processes guides the organization toward improving performance, encouraging innovation and accomplishing objectives.

The 2018 version of ISO 31000 places a greater focus on creating and protecting value as key drivers of risk management. It also features related principles like continuous improvement, stakeholder inclusion, customization of processes, and considering human and cultural factors.

Section 4: Principles

The principles in Section 4 are the foundation for managing risk. They help guide the organization in establishing its risk management framework and processes. These principles are:

  • Make risk management an integral part of all organizational activities, equal to the need for quality, safety, health, and sustainability.
  • Take a structured and comprehensive approach to risk management to ensure that results are both consistent and comparable.
  • Customize the framework and process to the organization’s objectives, both internally and externally.
  • Involve stakeholders to reveal perceptions and views related to risk.
  • Remain dynamic. Be able to anticipate, detect, and respond to changes and events in a timely manner.
  • Use the best available information that accounts for limitations and uncertainties.
  • Understand how human behavior and culture influence all aspects of risk management.
  • Embrace continuous improvement based on new knowledge, learning, and experience.

Section 5: Framework

Leadership engagement is at the core of risk management. Effective organizational leadership integrates risk management into all of the organization’s significant activities and functions. These include strategy and planning, organizational resilience, information technology, corporate governance, human resources, compliance, quality, health and safety, business continuity, crisis management, and security.

The organization must evaluate its existing risk management practices and processes, identify gaps, and address those gaps within the framework. The framework includes integration, design, implementation, evaluation, and improvement. Each of these components can be customized to meet the specific needs of the organization.

Integration — Leadership must be committed to integrating risk management at all levels of the organization, making it a part of the organization’s purpose, governance, strategy, objectives, and operations.

Design — In designing the framework, an organization should consider the external and internal contexts.

External context:

  • Social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local
  • External stakeholder relationships, perceptions, values, needs, and expectations
  • Contractual relationships and commitments

Internal context:

  • The organization’s vision, mission, and values
  • Capabilities, understood in terms of resources and knowledge (capital, time, people, intellectual property, processes, systems, and technologies), strategy, objectives, and policies
Implementation — The implementation phase addresses time and resources; stakeholder engagement and awareness; who makes decisions across the organization, and how and when those decisions are made.

Evaluation — The effectiveness of the framework is evaluated through metrics and periodic reviews. Evaluations focus on relevancy and measure effectiveness against the organization’s stated goals and objectives.

Improvement — Organizations commit to continuous improvement by addressing gaps as they develop and making incremental changes.

Section 6: Process

The risk management process involves systematically applying policies, procedures, and practices that:

  • Communicate and consult
  • Establish context
  • Assess, treat, monitor, review, record, and report risk

During the process phase, a full risk assessment is conducted. Similar to health and safety risk assessments required by the Occupational Safety and Health Administration, risk management assessments involve identifying, analyzing, prioritizing, and evaluating risks.

A risk assessment identifies more than the risks that have already been corrected. It also accounts for the variable nature of human behavior and culture. Reviewing operational processes, procedures, and employee practices brings in more than the existing or potential conditions alone.

Factors involved in the process phase include:

Communication and consultation — Listening to internal and external stakeholders promotes awareness and understanding of risk. It also garners valuable feedback to support decisions about how to control real, potential, and perceived risks.

Scope, context, and criteria — This includes required resources, relationships between processes and activities, and the internal and external factors that can be sources of risk.

Risk assessment — The risk assessment itself identifies, recognizes, and describes risks that might prevent an organization from achieving its objectives.

Risk treatment — This involves creating implementation plans to mitigate or reduce risks.

Monitoring and review — Once risk treatments have been selected, the organization must monitor and track their effectiveness.

Recording and reporting — Findings and corrective actions are communicated to internal and external stakeholders.

This risk assessment process takes the all-hazards approach found in emergency management and emergency response planning. The process is the same for conducting a quality assessment (ISO 9001) or food safety assessment (ISO 22001). Once you are familiar with the processes in one ISO standard, that knowledge will easily carry over to others.

Successful risk management starts at the top

Following any ISO standard requires commitment and support at the highest levels of the organization. Since these standards are consensus-based and not regulatory in nature, you must see the benefits of participation to fully commit. Following just some of the guidelines may provide benefits, but committing to the entire standard can help keep your organization on track to effectively managing its risks and achieving organizational objectives.

ISO 31000 allows risk managers and organizations to systematically identify, correct, and remove risks to the business, following guidelines designed by experts across industry boundaries.