ISO 31000: Difference between revisions
Latest revision as of 22:29, 17 November 2023
ISO 31000 - Risk Management - Principles and Guidelines is an international standard released by ISO in 2009. Its aim is to provide guidelines on risk management. It is not intended for certification (unlike ISO 9001 or ISO 27001). Thanks to the principles, framework and process presented in the standard, enterprises can implement risk management with relatively little effort.
History
The issue of risk in management systems first appeared in the ISO standards in 1996, with the publication of ISO 13335-1, and was developed further in ISO 13335-3 in 1998. Those standards were written in the context of information security. Their approach was adopted by the standard for information security management systems (ISO 27001:2005). Those standards have since been withdrawn.
In 2009 an alternative emerged: ISO 31000 Risk management - principles and guidelines. That standard presented a new, less bureaucratic approach, closer to project risk management and operational risk management methodologies. The model of risk management in ISO 31000 is presented in fig. 1. This approach is compatible with business risk management frameworks.
Principles of risk management
The ISO 31000:2009 standard presents 11 principles of risk management. According to the principles introduced by ISO 31000 (left part of fig. 2), risk management should be an integral part of all organizational processes. It should be a systematic approach to addressing risks related to the organization or its environment. It should cover all important aspects of company operation (people, capabilities, culture, etc.). Properly implemented, risk management should facilitate continual improvement of the organization. The principles are:
- Risk management creates and protects value.
- Risk management is an integral part of all organizational processes.
- Risk management is part of decision making.
- Risk management explicitly addresses uncertainty.
- Risk management is systematic, structured and timely.
- Risk management is based on the best available information.
- Risk management is tailored.
- Risk management takes human and cultural factors into account.
- Risk management is transparent and inclusive.
- Risk management is dynamic, iterative and responsive to change.
- Risk management facilitates continual improvement of the organization.
Risk management framework
The risk management framework, which is constructed according to the PDCA cycle, includes (center part of fig. 1):
- understanding the organization and its context, integration into processes, establishing communication and reporting mechanisms,
- implementing the framework for managing risk, including risk management process,
- monitoring and review of the framework,
- continual improvement of the framework.
Risk management process
The process is the most visible tool of the risk management methodology presented in ISO 31000. It comprises three key elements:
- establishing the context,
- risk assessment (identification, analysis, evaluation) and
- treatment.
Monitoring and communication are complementary elements.
The standard suggests implementing the process in such a way that it can be called from any other process, similarly to corrective or preventive actions. This means that the process should be kept simple, flexible, decentralized and quick to use. Otherwise it will add a lot of work for managers and create unnecessary bureaucracy.
Structure
ISO 31000:2009 consists of the following chapters:
- Scope
- Terms and definitions
- Principles
- Framework
  - General
  - Mandate and commitment
  - Design of framework for managing risk
  - Implementing risk management
  - Monitoring and review of the framework
  - Continual improvement of the framework
- Process
  - General
  - Communication and consultation
  - Establishing the context
  - Risk assessment
  - Risk treatment
  - Monitoring and review
  - Recording the risk management process
- Annex A. Attributes of enhanced risk management
Advantages of ISO 31000
ISO 31000 provides a comprehensive set of principles and guidelines that benefit companies in terms of risk management. It offers the following advantages:
- Allows companies to manage their risks more efficiently. It provides a framework and process that can be used to identify, assess, treat and monitor risks.
- Enables companies to identify their potential risks and develop strategies to address them.
- Helps companies to better understand the relationship between risk and reward and to make better decisions.
- Provides a common language for all stakeholders to use when discussing risk management.
- Promotes consistency across different departments and different organizations.
- Helps organizations to identify and address risks in a timely manner.
- Facilitates communication between stakeholders, allowing them to better understand risk management and its implications.
- Improves the transparency of the risk management process, ensuring that all stakeholders are aware of the risks and their implications.
Limitations of ISO 31000
ISO 31000 is an international standard for risk management; however, it does have certain limitations. These include:
- It does not provide a detailed implementation plan for risk management. It provides only the general principles and framework.
- It does not provide specific guidance on how to assess and manage risks.
- It does not provide a detailed list of risk management techniques or strategies, nor does it provide guidance on which techniques should be used in specific situations.
- It does not provide detailed guidance on the roles and responsibilities of individuals in a risk management process.
- It does not provide detailed guidance on how to report and monitor risk management activities.
- It does not provide guidance on how to verify the effectiveness of risk management activities.
Other approaches related to ISO 31000
ISO 31000 is a standard for risk management; other approaches to risk management include:
- COSO ERM Framework - Developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Enterprise Risk Management (ERM) framework is a widely recognized approach to ERM. It provides a comprehensive method for evaluating and managing risks by outlining eight components of ERM.
- ISO 27005 - This ISO standard provides guidelines on how to conduct a risk assessment and implement an information security management system. It focuses on the implementation of controls to reduce risk and the use of risk assessment techniques to identify security risks.
- NIST Cybersecurity Framework - Developed by the National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework is a set of guidelines for managing cyber security risk. It provides an approach for organizations to analyze, identify, and manage cyber security risks.
In summary, there are a number of approaches related to ISO 31000, including the COSO ERM Framework, ISO 27005, and the NIST Cybersecurity Framework. Each of these approaches provides a different way to analyze, identify, and manage risk.
Author: Slawomir Wawak