Major risk clouds were accumulating long before the COVID-19 pandemic. However, the research shows that firms only take an interest in risk after major crises. Well, it’s never too late to leverage risk management best practices to prepare for next time. And ISO 31000 might just be key to those preparations.
What is ISO 31000?
First published in November 2009, then revised in February 2018, ISO 31000:2018 is the international standard for the practice of risk management. Like other ISO management standards, ISO 31000 was written to apply to any organisation, anywhere, and to any type of operation, irrespective of its size, sector, or complexity.
Building on the Australia/New Zealand risk management standard AS/NZS 4360:2004, ISO 31000 set out to do something different from other generic risk assessment standards and protocols.
The international standard provides a framework for establishing the context of, identifying, analysing, evaluating, treating, monitoring, and communicating risk, prioritising executive buy-in from the get-go. The logic goes that only a proactive stance on part of senior leadership can ensure that best-practice risk processes are fully integrated across all levels of the organisation.
Not just that. Once risk processes are properly implemented, ISO 31000 stresses that business process owners have to remain active, also. Why? It’s incumbent on those business process owners to identify and consider risks in their business decisions.
Add to that, the entire business has to integrate risk management in all other key aspects of its decision-making, e.g., business continuity, compliance, crisis management, organisational resilience, etc.
What risk management best practices does ISO 31000 advocate?
As a generic standard, ISO 31000 does not prescribe a one-size-fits-all risk management process. Instead of mandating uniformity, the standard argues that the design and implementation of risk management plans and frameworks should be contingent on specific organisational factors. Those factors are likely to include company objectives, context, structure, operations, processes, functions, projects, products, services, and assets.
Risk management principles enshrined in ISO 31000
The standard does provide one major innovation, though. It redefines certain key risk management principles, and complying with these principles should help ensure success in risk management. The wording below follows the 2009 edition; the 2018 revision condensed the list and made "value creation and protection" the stated purpose of risk management, but the substance is unchanged. The principles include, but aren't limited to, the following:
- Risk management creates and protects value. Risk management contributes to the achievement of objectives and improvement of performance in human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance, reputation, etc.
- Risk management is an integral part of all organisational processes. Risk management is not a stand-alone activity, separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and an integral part of all organisational processes, including strategic planning and all project and change management processes.
- Risk management is part of decision making. Risk management helps decision makers make informed choices, prioritise actions, and distinguish among alternative courses of action.
- Risk management explicitly addresses uncertainty. Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
- Risk management is systematic, structured, and timely. A systematic, timely, structured approach to risk management contributes to efficiency and to consistent, comparable, and reliable results.
- Risk management is based on the best available information. The inputs to the process of managing risk are based on information sources, such as historical data, experience, stakeholder feedback, observation, forecasts, and expert judgement. However, decision makers should inform themselves of any limitations of the data or modelling used or the possibility of divergence among experts.
On the last point: one way to overcome the data limitations inherent in risk management is to invest in integrated risk and safety management software that will help you achieve the goals set out in ISO 31000.
Not sure what information and incident management capabilities matter? Download our free guide, Purchasing Risk and Safety Management Software: A buyer's guide.