ISO 31000

ISO 31000 - Risk Management - Principles and Guidelines is an international standard released by ISO in 2009. It's aim is to provide guidelines on risk management. It is not intended for certification (like ISO 9001 or 27001). Thanks to principles, framework and process presented in the standard, enterprises can easily implement risk management.

History

The issue of risk in management systems appeared in the ISO standards in 1996, with the publication of ISO 13335-1. It was developed by ISO 13335-3 in 1998. Those standards were developed in context of information security. Their approach was adopted by standard for information security management systems (ISO 27001:2005). Those standards were withdrawn.

In 2009 an alternative emerged - ISO 31000 Risk management - principles and guidelines. That standard presented new, less bureaucratic approach, closer to project risk management and operational risk management methodologies. Model of risk management in ISO 31000 was presented in fig. 1. This approach is compatible with business risk management frameworks.

Principles of risk management

The ISO 31000:2009 standard presents 11 principles of risk management. According to principles introduced by ISO 31000 (left part of fig. 2), risk management should be integral part of all organizational processes. It should be systematic approach to address risks that are related to organization or its environment. It should include all important aspects of company operation (people, capabilities, culture, etc.). Properly implemented, risk management should facilitate continual improvement of the organization. The principles are:

Risk management principles, framework and process in ISO 31000:2009

1. Risk management creates and protects value.
2. Risk management is an integral part of all organizational processes.
3. Risk management is part of decision making.
4. Risk management explicitly addresses uncertainty.
5. Risk management is systematic, structured and timely.
6. Risk management is based on the best available information.
7. Risk management is tailored.
8. Risk management takes human and cultural factors into account.
9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative and responsive to change.
11. Risk management facilitates continual improvement of the organization.

Risk management framework

Risk management framework, which is constructed according to PDCA cycle, includes (center part of fig. 1):

• understanding the organization and its context, integration into processes, establishing communication and reporting mechanisms,
• implementing the framework for managing risk, including risk management process,
• monitoring and review of the framework,
• continual improvement of the framework.

Risk management process

The process is the most visible tool of risk management methodology presented in ISO 31000. It comprises three key elements:

• establishing the context,
• risk assessment (identification, analysis, evaluation) and
• treatment.

Monitoring and communication are complementary elements.

The standard suggests implementation of the process in such a way that is would be possible to call it from any other process, similarly to corrective or preventive actions. It means that the process should be kept simple, flexible, decentralized and quick to use. Otherwise it will add much work to managers and will create unnecessary bureaucracy.

Structure

The ISO 31000:2009 consists of following chapters:

1. Scope
2. Terms and definitions
3. Principles
4. Framework
   1. General
   2. Mandate and commitment
   3. Design of framework for managing risk
   4. Implementing risk management
   5. Monitoring and review of the framework
   6. Continual improvement of the framework
5. Process
   1. General
   2. Communication and consultation
   3. Establishing the context
   4. Risk assessment
   5. Risk treatment
   6. Monitoring and review
   7. Recording the risk management process

Annex A. Attributes of enhanced risk management

Advantages of ISO 31000

ISO 31000 provides a comprehensive set of principles and guidelines which are beneficial for companies in terms of risk management. It provides the following advantages:

• Allows companies to better manage their risks in an efficient manner. It provides a framework and process which can be used to assess, identify, treat and monitor risks.
• Enables companies to identify their potential risks and develop strategies to address them.
• Helps companies to better understand the relationship between risk and reward and to make better decisions.
• Provides a common language for all stakeholders to use when discussing risk management.
• Promotes consistency across different departments and different organizations.
• Helps organizations to identify and address risks in a timely manner.
• Facilitates communication between stakeholders, allowing them to better understand risk management and its implications.
• Improves the transparency of the risk management process, ensuring that all stakeholders are aware of the risks and their implications.

Limitations of ISO 31000

ISO 31000 is an international standard for risk management, however, it does have certain limitations. These include:

• It does not provide a detailed implementation plan for risk management. It provides only the general principles and framework.
• It does not provide specific guidance on how to assess and manage risks.
• It does not provide a detailed list of risk management techniques or strategies, nor does it provide guidance on which techniques should be used in specific situations.
• It does not provide detailed guidance on the roles and responsibilities of individuals in a risk management process.
• It does not provide detailed guidance on how to report and monitor risk management activities.
• It does not provide guidance on how to verify the effectiveness of risk management activities.

Other approaches related to ISO 31000

ISO 31000 is a standard related to risk management and other approaches to risk management include:

• COSO ERM Framework - Developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Enterprise Risk Management (ERM) framework is a widely recognized approach to ERM. It provides a comprehensive method for evaluating and managing risks by outlining eight components of ERM.
• ISO 27005 - This ISO standard provides guidelines on how to conduct a risk assessment and implement an information security management system. It focuses on the implementation of controls to reduce risk and the use of risk assessment techniques to identify security risks.
• NIST Cybersecurity Framework - Developed by the National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework is a set of guidelines for managing cyber security risk. It provides an approach for organizations to analyze, identify, and manage cyber security risks.

In summary, there are a number of approaches related to ISO 31000, including the COSO ERM Framework, ISO 27005, and the NIST Cybersecurity Framework. Each of these approaches provides a different way to analyze, identify, and manage risk.

References

• Wawak S. (2016), Risk Management in ISO standards
• ISO 31000:2009 standard
• Purdy, G. (2010). [http://esvc001356.wic015u.server-web.com/pdfs/articles/art_riskanalysis_iso31000.pdf ISO 31000: 2009—setting a new standard for risk management. Risk analysis, 30(6), 881-886.

Author: Slawomir Wawak