ISO 31000:2018 consists of risk management principles, framework and process that have been adopted as a national risk management standard by more than 60 countries
What Is The Key Idea In This Blog ?
The key idea in this blog is that ISO 31000:2018 is a standard that certified companies, consultants, and management system auditors need to know. Why? ISO has integrated risk into ISO 9001:2015 and has adopted the tagline ‘Risk Based Thinking’ (RBT). In this blog, we introduce basic ideas of risk management.
All organizations regardless if they are public or private, for profit or not for profit, large or small face uncertainty.
Uncertainty results in risks.
More organizations will face uncertainty in the design, implementation, and assurance of their Quality Management System (QMS), Environmental Management System (EMS), Information Security Management System (ISMS), and most ISO management systems.
The critical organizational challenge over the next decade is how organizations will address and treat the risks that result from the uncertainty. ISO 31000:2018 was developed to address this growing uncertainty.
Volatility – Uncertainty – Complexity – Ambiguity
We live in a time of Volatility, Uncertainty, Complexity, and Ambiguity (VUCA). We call this VUCA time. There are many implications to the statement. We will discuss these in this blog . In terms of ISO 31000:2018 and ISO 9001:2015, the concept of ‘uncertainty’ is integrated throughout the standards.
The concept of uncertainty is fundamental to ISO 31000:2018 and its supporting standards. The nature, extent, and degree of uncertainty to solve problems and to make accurate and reliable decisions are based on the availability of data and information.
RISK BASED PROBLEM SOLVING AND DECISION MAKING UNCERTAINTIES
Risk Based Problem Solving (RBPS) and Risk Based Decision Making (RBDM) are fraught with uncertainty. Uncertainties may involve:
•Assumptions used in the analysis and decision.
•Inputs into the analysis.
•Process used to conduct the risk analysis.
•Different interpretations of the analysis, data, and information.
•Different understanding and application of the term ‘context.’
•Differing abilities among risk analysts.
•Different application of the methods for conducting the risk assessment.
•Lack of precision and variability in the results.
So, the accuracy and reliability of the risk assessment should be identified as clearly as possible. Sources of uncertainty as well as assumptions should be documented.
What Is ISO 31000:2018?
ISO 31000:2018 consists of risk management principles, framework and process that have been adopted as a national risk management standard by more than 60 countries.
The ISO 31000:2018 process can be used to:
•Support ISO 9000:2015 in the design and implementation of Risk Based Thinking (RBT).
•Form the basis for Risk Based Problem Solving (RBPS) and Risk Based Decision Making (RBDM).
•Establish the basis and foundation for ISO 31000:2018 Enterprise Risk Management (ERM).
•Become the basis for the organization’s risk management principles, framework, and process.
•Identify risk stakeholders, customers, and other interested parties.
•Identify stakeholder risk requirements, needs, and expectations.
•Identify and establish the context for designing, implementing, and assuring a risk management process.
•Evolve as the guideline to evaluate and manage upside risk and down- side risk.
•Design and implement a risk management process.
•Treat and manage risks.
•Report and document the results and effectiveness of risk treatment and risk management.
•Communicate the effectiveness of the ISO 31000:2018 risk management framework and process to stakeholders, customers, and interested parties.
•Monitor and review risks based on organizational risk criteria and risk appetite.
It should be mentioned that ISO 31000:2018 was not intended to be a standard for management system certification. ISO 31000:2018 is a risk management guideline.
Where Did ISO 31000:2018 Come From?
ISO 31000:2018 risk management principles, framework, and process are based on the Australian and New Zealand standard AS/NZS 4360, which was composed of the following sections:
•Communication and consultation.
•Establishing the context.
•Risk assessment consisting of the three steps of identification, analysis, and evaluation.
•Monitoring and review.
As you read this blog, you will see ISO 31000:2018 still retains much of the framework, definitions, and ‘look and feel’ of AS/NZS 4360.
ISO 31010 Risk Assessment
ISO/IEC 31010 was developed in 2009 to support ISO 31000:2009. Its formal title is: ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques.
ISO 31010 was developed to support ISO 31000:2009 by providing guidance on how to conduct a risk assessment. ISO 31010 lists 31 risk assessment techniques, which are covered in Chapter 9: Risk Assessment Tools and Techniques.
ISO 31010 assumes the risk assessment will follow the guidelines described in ISO 31000:2018
Risk management process explains the control environment for managing risk. The process consists of seven discrete steps that are described in Chapter 7: ISO 31000 Risk Management Process.
Each process step has policies, procedures, plans, and work instructions that describe how risk identification, assessment, treatment, and controls should be implemented throughout the organization and the supply chain.
Risk assessment being integral to risk management process should be designed in terms of the strategy setting, policies, and risk plan that determines when, who, why, and how risks should be assessed.
ISO 31010 emphasizes the following:
•Risk assessments are a critical problem solving element of the ISO 31000:2018 risk management principles, framework, and risk management process.
•List of risk assessment techniques includes 31 methods.
•ISO 31010 is not intended for statutory, contractual, or certification purposes.
•ISO 31010 does not require the application of specific risk assessment techniques.
The standard relies upon the organization to identify its requirements and select the proper risk assessment technique based on context and other factors.
•ISO 31010 is a partial list and focuses on the most commonly used risk assessment techniques.
•If a risk assessment technique is not listed in the standard, it does not mean that it is not valid.
ISO/ANSI/ASSE TR 31004
ISO 31000:2018 was written to be an international standard that can be used in multiple sectors and by different organizations. This may well be it greatest asset. However, it can be open to different interpretations.
American Society of Safety Engineers, ASSE, formed a committee to develop ISO/ ANSI/ASSE Technical Report (TR) 31004, which is titled Risk Management Criteria for the Implementation of ISO 31000. The Technical Report was developed to help organizations develop risk management programs that are aligned with ISO 31000.
TR 31004 emphasizes that ISO 31000 can be used to:
•Stress the importance of risk to the Board of Directors and governance.
•Emphasize active involvement of executive management in the design and implementation of the ISO 31000:2018 risk management framework and process.
•Provide a generic language of risk management.
•List 8 risk management principles that are the basis of the standard.
•Provide guidance how the 8 principles are aligned and integrated into all aspects and elements of general management.
•Emphasize all elements of the ISO 31000:2018 risk management process should be integrated into an organization.
•Implement risk management framework and process based on the risk management plan in appropriate organizational areas, levels, and functions.
•Emphasize the attainment of management system objectives.
•Identify how the organization identifies risks that inhibit achievement of its objectives.
•Describe how risks are treated or modified as required by the organizational context.
•Provide generic guidelines for ISO 31000:2018 implementation. Until the report was developed, no rules or guidelines existed on how to implement 31000 within an organization.
Risk Management Framework Examples
ISO 31000:2018 is the U.S. national standard for risk management. However, there are additional frameworks and processes. The number of risk processes increase as VUCA becomes the new normal.
The following is a partial list of risk processes:
•ISO 31000:2018 Risk Management Principles and Guidelines on Implementation.
•COSO Enterprise Risk Management Integrated Framework.
•U.S. Department of Energy: Electricity Sector Cyber Security Risk Management Process Guideline.
•BS 31100 Risk Management Code of Practice for Risk Management.
•FERMA Risk Management Standard.
•OCEG Red Book 2.0 (GRC Capability Model).
Critical Elements of a Risk Management Framework
Regardless of the risk management framework or process, they have common features:
•Architect the system. Architecting means determining which elements of the risk management framework or process should be used and tailored based on the organizational context.
•Design the system. Designing the system means determining how each element of the risk management process can be tailored to specific organizational stakeholders, customers, and interested parties.
•Implement the system. Implementing means integrating the risk management framework and process into the organization’s general management system. This step is often a behavioral and cultural change in the
•Assure the system. Assuring means risks are being controlled within the organization’s risk appetite and objectives are being met.
ISO 31000:2018 Benefits
ISO 31000:2018 risk management process is descriptive not prescriptive. It describes in general terms risk management principles and elements of a framework.
The purpose of the framework is to integrate risk management into ISO management systems such as ISO 9001:2015 or ISO 14001:2015. ISO 31000:2018 is written so an organization may tailor its components to its context and specific requirements.
A critical element of ISO 31000:2018 is that it is adaptable to different organizations, contexts, statutes, and environments.
Properly architected, designed, implemented, and assured, ISO 31000:2018 provides these benefits:
•Is an international standard that more than 60 countries have adopted as a national risk standard.
•Is practical for the small to medium sized organization getting into Risk Based Thinking.
•Can be applied and integrated into ISO management systems easier than any risk management framework and process.
•Can be applied to organizations in almost any sector, maturity level, and capability level.
•Is an open ended guideline that is flexible and open to interpretation so it can be applied universally.
•Encourage proactive, preventive, preemptive, and predictive™ decision making rather than reactive management.
•Identify and treat risks throughout the enterprise.
•Improve identification of upside risks (opportunities) and downside risks (threats).
•Comply with legal and regulatory requirements.
•Improve financial reporting.
•Improve corporate governance, risk, and compliance (GRC).
•Improve stakeholder confidence and trust.
•Improve ‘Tone at the Top’ and other soft controls.
•Establish a reliable basis for Risk Based Problem Solving and decision making.
•Improve operational risk controls.
•Allocate resources effectively and efficiently for risk management, treatment, and mitigation.
•Improve operational effectiveness, efficiency, and economics.
•Improve incident management and prevention.
•Identify and minimize possible losses.
•Is structured around the PDCA cycle that most operations, Six Sigma, and operation professionals understand.
•Is a short standard that can be read easily and quickly.
ISO 31000:2018 Challenges
Interestingly, the descriptive nature of the standard may well be its strength, but may be its weakness. The standard without the proper guidance of a risk professional may become discretionary and even arbitrary.
ISO 9001:2015 has Risk Based Thinking requirements. Please note ISO 31000:2018 does not specifically address Risk Based Thinking.
ISO has elevated the RBT concept to the same level of importance as process management. Another challenge, ISO has not defined what Risk Based Thinking is and how it integrates with the ISO 31000:2018 risk management framework and process.
According to ISO 31000:2018, all risk strategies, tactics, and activities should be risk managed. How is this accomplished? ISO believes the basis of managing risks is Risk Based Thinking (RBT).
The definition of terms in ISO 31000:2018 can be problematic. A number of critical terms may be open to interpretation. This was largely intentional by ISO. ISO definitions are broad and discretionary so they can be used in different applications, sectors, functions, and contexts.
The challenge is definitions of critical risk terms can lose their specificity and become discretionary or at worst arbitrary.
If the goal of a Quality Management System or Environmental Management System is consistency, then the interpretation of definitions can affect the architecture, design, implementation, and assurance of the ISO 31000:2018 risk management process.
If the organization has an existing risk management, practices, and procedures then the organization should review, assess, and conduct a gap analysis of its existing risk management against ISO 31000:2018.
ISO 31000:2018 currently has a tactical and process focus. It is what we would call an entry level ERM standard or guideline. For this reason, we call ISO 31000:2018 ‘ERM light.’ ERM often has a governance emphasis.
ERM is used to promote accountability and risk controls through good governance, risk management, and compliance, which is often abbreviated to GRC. In the next iteration of the standard, the developers will probably emphasize GRC and particularly good governance.
ISO 31000:2018 As ERM Guideline
ISO 31000:2018 is 16 pages, but these pages provide an entry level Enterprise Risk Management (ERM) guideline. Why is this important?
An organization develops ISO 31000:2018 ERM capabilities to provide a structured, consistent, disciplined, and achievable approach to risk management that facilitates Risk Based Thinking throughout the organization.
Risk Based Thinking is composed of 1. Risk Based Problem Solving (RBPS) and 2. Risk Based Decision Making (RBDM). Both RBPS and RBDM are the basis for all management and supervision. We discuss this throughout the book.
ISO 31000:2018 ERM is a game changer for companies. Why?
•ERM enables executive management to identify and prioritize strategic goals and strategic risks.
•ERM promotes a risk aware culture that identifies investment opportunities.
•ERM provides the organization the means to align risk strategy, processes, technology, people, and knowledge for the purpose of identifying, assessing, and managing uncertainties in the execution of its risk vision and mission critical objectives.
•ERM allows for a consistent, repeatable, and scalable approach across the organization and into the supply chain.
•ERM enables the organization to more effectively and efficiently manage enterprise risks.
•ERM enables executive management to consider tradeoffs between risks, pursue opportunities (upside risk), determine associated costs, and balance value creation across the enterprise.
•ERM processes provide actionable steps for the organization to make its ISO 31000:2018 risk management process more capable and mature.
•ERM enables risk owners to identify and assess risks and evaluate their impact on the organization’s ability to achieve its mission critical objectives.
•ERM develops and implements an effective ISO 31000:2018 risk management framework and process across the enterprise to enhance stakeholder value.
•ERM involves architecting, designing, implementing, and assuring policies, processes, capabilities, and responsibilities to identify key risks and effectively treat the risks within the organization’s risk appetite.
Implementing ISO 31000:2018 ERM
A risk management approach must support the organization’s ability to identify, analyze, and appropriately treat strategic, operational, and financial risks across the full spectrum of organizational challenges both in the upside as well as the downside.
Implementing an effective and efficient ISO 31000:2018 risk management framework and process across the organization and into the supply stream is essential to the successful execution of the organizational mission to meet objectives.