The Risk Framework section of International Organization for Standardization (ISO) Standard 31000 assists organizations with integrating risk management into their significant activities and functions.

Five components of framework development

Framework development consists of five components that encompass “leadership and commitment”:

  • Integration
  • Design
  • Implementation
  • Evaluation
  • Improvement


Executive leadership must commit to integrating risk management into all of the organization’s activities. Leadership commitment goes beyond supporting risk assessment activities behind the scenes; leaders must demonstrate their commitment by leading the process. Effective leaders:

  • Are visible and vocal about their support for risk management
  • Explain how the risk management process will strengthen the organization through preparedness and improvement
  • Encourage others to participate and set the standard for engagement at all levels

One action leadership can take to demonstrate its commitment to risk management is to publish a signed statement or policy that establishes the organization’s risk management framework. The document should specify:

  • The organization’s commitment to the resources, people, and time required to properly identify and address its risks
  • Roles, responsibilities, and accountable assignments, including who will complete various activities and tasks within the framework

Leadership should also partner with oversight bodies to ensure that:

  • Known risks are addressed
  • Activities are within the organization’s risk management framework and objectives
  • Activities and findings are effectively communicated to the organization and its interested parties, including stockholders and the greater community


The design process must include both external and internal risks.

External considerations include:

  • Social, cultural, political, and regulatory factors
  • External stakeholder relationships and perceptions
  • Contractual commitments and dependencies

Internal considerations include:

  • The organization’s mission and values
  • Governance, structure, and corporate culture
  • Capabilities of resources, capital, and current technologies
  • Internal relationships with employees, including perceptions, values, and interdependencies

It’s important to equally consider internal and external risks. For example, an organization might not consider fleet and drivers as risks if it has no fleet. But vehicle and driver issues could present risks with contractors or transport haulers.

In this process, roles, authorities, and accountabilities must be clearly communicated and include risk management as a core responsibility. Allocating resources, including people, is also a leadership function. It’s important to be aware that selecting people and resources can be a risk in and of itself when you consider skill levels, established procedures, management systems, and training needs.

Understanding strengths and weaknesses and the limitations of available resources will help guide the organization and ensure that activities are realistic.

Other considerations in the design process are how to communicate, what to communicate, when to communicate, and who to communicate to. Communication involves sharing information with targeted audiences and seeking input from interested parties, both internal and external. Gathering feedback helps the organization:

  • Identify risks
  • Formulate actions to eliminate or reduce those risks
  • Determine if other risks are created because of those actions

The feedback process is cyclical. There should always be input concerning risks and perceptions, the actions to take around those risks, and the effectiveness of those decisions.


After gathering input from internal and external stakeholders, the leadership team can make educated decisions about what to do and how to do it. Implementing an effective plan includes:

  • Identifying and evaluating available resources
  • Determining what decisions need to be made and who within the organization has the authority and duty to make them
  • Evaluating those decisions and the actions to be taken

This process may uncover needs, resource limitations, or other concerns that would require altering the decision or action.

Because this phase involves decision-making, it’s worth reiterating that the entire risk management process must be fully integrated into all of the organization’s decisions and activities. Any change in context or scope during the process will alter the decisions and actions.


Next, there must be a conscious effort to review and evaluate the decisions and actions. This involves:

  • Reviewing the context and intent of the decision to ensure it fits the organization’s needs
  • Assessing whether the prescribed activities are, in fact, effectively mitigating the identified risks

The evaluation process allows the risk management team to create metrics for measuring effectiveness and identifying additional improvement opportunities.

If the team discovers that the activities are not fulfilling their objectives and the risk is still too great to accept, they must:

  • Identify the gaps
  • Renegotiate how to mitigate or reduce the risk

The evaluation process should not be thought of as a formality. It’s just as important to evaluate risk management decisions as it is to make and implement them. If the evaluation process is skipped, the course of actions taken may result in new or unintended risks that the organization will have to contend with.


Lastly, the improvement phase answers some important questions:

  • Are the decisions and selected activities meeting expectations in lowering risk?
  • Do the implemented plans create or uncover additional risks?
  • Have there been changes to perceptions, actions, or risks that created additional needs (regulatory or political changes, changes to the organizational structure, etc.)?

The organization must continue to monitor conditions and changes and engage the entire team whenever something surfaces. Evaluating whether current decisions and actions are adequate for reducing the risk completes the cycle.

If a change is necessary, the team can go back to internal and external stakeholders for input, identify additional risks or perceptions, design and implement actions, and reevaluate those actions.

Successful risk management starts with a solid framework

This framework enables the risk management process to work. It keeps the organization focused on risk management at every level. Understanding how to advance the framework helps the organization integrate risk management into all of its decisions.