ISO 31000 - Risk Management - Principles and Guidelines is an international standard released by ISO in 2009. It's aim is to provide guidelines on risk management. It is not intended for certification (like ISO 9001 or 27001). Thanks to principles, framework and process presented in the standard, enterprises can easily implement risk management.
The issue of risk in management systems appeared in the ISO standards in 1996, with the publication of ISO 13335-1. It was developed by ISO 13335-3 in 1998. Those standards were developed in context of information security. Their approach was adopted by standard for information security management systems (ISO 27001:2005). Those standards were withdrawn.
In 2009 an alternative emerged – ISO 31000 Risk management – principles and guidelines. That standard presented new, less bureaucratic approach, closer to project risk management and operational risk management methodologies. Model of risk management in ISO 31000 was presented in fig. 1. This approach is compatible with business risk management frameworks.
Principles of risk management
The ISO 31000:2009 standard presents 11 principles of risk management. According to principles introduced by ISO 31000 (left part of fig. 2), risk management should be integral part of all organizational processes. It should be systematic approach to address risks that are related to organization or its environment. It should include all important aspects of company operation (people, capabilities, culture, etc.). Properly implemented, risk management should facilitate continual improvement of the organization. The principles are:
- Risk management creates and protects value.
- Risk management is an integral part of all organizational processes.
- Risk management is part of decision making.
- Risk management explicitly addresses uncertainty.
- Risk management is systematic, structured and timely.
- Risk management is based on the best available information.
- Risk management is tailored.
- Risk management takes human and cultural factors into account.
- Risk management is transparent and inclusive.
- Risk management is dynamic, iterative and responsive to change.
- Risk management facilitates continual improvement of the organization.
Risk management framework
Risk management framework, which is constructed according to PDCA cycle, includes (center part of fig. 1):
- understanding the organization and its context, integration into processes, establishing communication and reporting mechanisms,
- implementing the framework for managing risk, including risk management process,
- monitoring and review of the framework,
- continual improvement of the framework.
Risk management process
The process is the most visible tool of risk management methodology presented in ISO 31000. It comprises three key elements:
Monitoring and communication are complementary elements.
The standard suggests implementation of the process in such a way that is would be possible to call it from any other process, similarly to corrective or preventive actions. It means that the process should be kept simple, flexible, decentralized and quick to use. Otherwise it will add much work to managers and will create unnecessary bureaucracy.
The ISO 31000:2009 consists of following chapters:
- Terms and definitions
- Mandate and commitment
- Design of framework for managing risk
- Implementing risk management
- Monitoring and review of the framework
- Continual improvement of the framework
- Communication and consultation
- Establishing the context
- Risk assessment
- Risk treatment
- Monitoring and review
- Recording the risk management process
- Annex A. Attributes of enhanced risk management
- Wawak S. (2016), Risk Management in ISO standards
- ISO 31000:2009 standard
- Purdy, G. (2010). [http://esvc001356.wic015u.server-web.com/pdfs/articles/art_riskanalysis_iso31000.pdf ISO 31000: 2009—setting a new standard for risk management. Risk analysis, 30(6), 881-886.
Author: Slawomir Wawak