You may have heard these terms used interchangeably – I know I have. I thought I’d take a look into ISO 31000 to see if any light could be shed on this monumental question! It turns out that the answer is in there…here’s the scoop:
Managing Risk…
- Top management is accountable for managing risk. It contributes to Management System improvement
- Managing risk evolves (mutates?) and helps organizations set directions, meet objectives and make informed decisions
- Managing risk has to be system wide and needs to include interaction with Stakeholders
- Managing risk should reference Context and organizational culture for applicability
- Managing risk can be improved with ISO 31000 Principles, Framework and Process
Risk Management…
- ISO 31000: 3.2 ‘Risk Management’ is defined as ‘coordinated activities to direct and control an organization with regard to risk’
- Oversight Bodies are accountable for overseeing Risk Management
- Oversight Bodies review risks and objectives to ensure they are aligned with the organizations strategic direction
- Oversight Bodies understand the risks facing an organization pursuing its objectives
- Oversight Bodies assess the effectiveness of the systems in place for managing risk
- Oversight Bodies make sure organizations have identified their risks adequately relative to their Context
So there you have it – ‘Managing Risk’ is an overall concept like ‘creating quality’ or ‘protecting our people’ or ‘taking care of the environment’ and ‘Risk Management’ is the set of processes an organization has in place to direct and control itself in the realm of ‘risk. (ISO 31000 Clause 3.2)