Any worthwhile Standard starts with a set of ‘Principles’. ISO 31000 is no exception. Let’s see if we can tie these Risk Principles into a typical ISO Management System.
Value Creation and Protection
This principle is at the core of this section of ISO 31000 and gives it relevance to any business. Without ‘structured risk management’, an organization is at risk of being caught unaware of possible problems, internal or external (4.1), and meeting an untimely demise!
- Integrated – make risk management part of the culture. You’ll see a requirement in clause 5.1.1 c) for Management to make sure that the requirements of the Standard are integrated into the business processes. This ties in perfectly with this Principle.
- Structured and Comprehensive – Much better to have a ‘Framework’ on which to build a Risk Management plan than simply wander around looking for risky situations. The next post will have more details on the ISO 31000 ‘Framework’.
- Customized – Each organization is so unique that a ‘cookie-cutter’ approach is dangerous. Even multiple sites within the same organization will have a different set of risks based on its Context (4.1), Interested Parties (4.2), People (7.1.2, 7.2), Infrastructure (7.1.3), Work Environment (7.1.4), Communication (7.3) and Awareness (7.4) to name just a few variables.
- Inclusive – include all aspects of the ‘end-to-end’ workflow and all of the people related to the flow (4.4.1 a & b).
- Dynamic – risks and opportunities are always changing, and you will benefit from assessing how well you’re managing all aspects related to your organization (Performance Measurement 9.1.3 e) and Management Review 9.3.2 e)).
- Best available information – don’t become a victim of ‘paralysis from analysis’. You may never have 100% of the information you’d like to have before you have to make a decision (8.2.3 – review of customer requirements, 9.1.3 – Performance Evaluation, measurement and analysis).
- Human and culture factors – a system won’t reduce risk, but people will. This links to 4.1 Context, 7.1.2 People, 7.1.4 Work environment, and most of 5 – Leadership.
- Continual Improvement – to reduce surprises: 9.2 Internal Audits, 10.2 Corrective Action, 10.3 Improvement
The ‘Framework’ is centred around Leadership and Commitment.
This is no surprise and adds another dimension to the Leadership role required by ISO 9001 (and others) Clause 5. The details are in ISO 31000 – here’s a bird’s eye view of what you’ll find there:
- Integration – weave risk-based thinking into the fabric. Make sure it’s not something ‘extra’. It needs to be part of everyone’s thinking patterns.
- Design – use a cross-functional team to get the best results and the best survey of ‘risk’ and where it’s hiding.
- Implementation – Leaders need to know what is needed in all areas of the organization. Areas that are managing risk well need to get credit for that and not be forced to undo what they’ve already done.
- Evaluation – Top Management needs to understand how well risk is being managed and relate it to the strategic direction of your organization.
- Improvement – just like ‘rust’, risk never sleeps.
That’s the ‘Framework’ section from ISO 31000. There will be more detail about ‘Process’ in the next post. These ideas will help you get started on your risk management journey, but be sure to get a copy of ISO 31000 if you want more guidance for your activities. All of your efforts will pay you a surprising return on your investment!
The ‘Process’ section (Clause 6) suggests that risk management yields benefits when an organization applies policies, procedures and practices to the activities related to treating and communicating risk.
ISO 31000 Includes a ‘Process’ for a Structured Approach:
1. Communication and Consultation start the ball rolling…
   - Help relevant stakeholders understand the program of managing risk
   - Make sure everyone understands what Top Management means by ‘risk treatment’
   - Set the stage for clear communication (acknowledge privacy issues!)
2. Define the scope, context and criteria of your risk program
   - Are you looking at Strategic, Operational, Project or any other activities?
   - Are relevant ‘Objectives’ in need of a risk treatment?
   - Does everything align with our Strategic direction?
3. Do a risk assessment
   - Identify areas of concern within the context of #1 and #2
   - Carry out an analysis to determine ‘Likelihood’ and ‘Consequence’
   - Rank the findings
4. Create a risk ‘treatment’
   - Consider some options
   - Select an approach suitable for the identified vulnerabilities
   - Prepare and implement the plan of action
5. Monitor and review the treatments
   - Make sure it worked – are risks being managed better? (see ISO 9001, clauses 9.1.3 e) and 9.3.2 e))
6. Record risk management results and report on them
   - Spread the news – consider information sensitivity as well as the internal and external contexts of your organization
   - Incorporate into business decisions
   - Improve your risk management process (see ISO 9001, clauses 9.1.3 e) and 9.3.2 e))
That’s the tip of the risk iceberg from ISO 31000. These ideas will help you get started on your risk management journey, but be sure to get a copy of ISO 31000 if you want more guidance for your activities. All of your efforts will pay you a surprising return on your investment!
Know Quality, Know Profits…No Quality, No Profits