3.2 ISO 31000:2018
The International Organization for Standardization (ISO) developed and published an international standard for risk management in 2009 that has since been updated into its present version, ISO 31000:2018. It is a generic risk management standard developed to address and manage risk in an organization of any size or complexity. The ISO 31000:2018 definition of risk is “the effect of uncertainty on objectives” (International Organization for Standardization, 2018), which reflects more modern thinking about risk. Uncertainty implies that an outcome may be positive or negative, an upside or a downside, which reflects an enterprise approach to risk. Therefore, this standard can be used by an organization to manage all its key business risks under the four major categories of hazard, operational, financial and strategic.
The ISO 31000:2018 standard is divided into five key sections:
Principles
ISO 31000:2018 lists eight key principles on which the standard is built; they contribute to the risk management strategy and protect the value of the organization:
- Integrated risk management
- Structured and comprehensive approach to risk management
- Customized approach to the risk management framework and process
- Involvement of all stakeholders
- Ability to respond to change
- Actions based on the best available data and information
- Influence of human and cultural factors
- Continued learning for improvement
Framework
ISO 31000:2018 provides guidance on how to establish a risk management framework that can be integrated into the organization’s objectives and operations throughout the entire organization. The first step in establishing a successful risk management framework is to determine the context, followed by the introduction of a risk management policy for the organization. The context can be internal and/or external, with the purpose of describing the goals and objectives of the risk management offering, as well as the scope, responsibilities, and activities involved. The risk management policy is structured to guide the organization in the management of its risks. When all the internal/external risk management contexts have been contemplated, the risks that have been identified (including emerging risks) should be documented in a risk register.
Process
In addition to establishing the internal/external risk contexts, the organization must be able to follow a cycle of assessing, treating and monitoring risks. The ISO 31000:2018 definition of a risk assessment consists of the identification and analysis of risks but also includes a third element, risk evaluation, which means applying risk criteria to determine the scale, significance and priority of the risk; in other words, measuring it against the amount and type of risk that an organization can tolerate. ISO Guide 31073:2022 defines risk criteria as “terms of reference against which the significance of a risk is evaluated.” The risk management process should reflect an enterprise approach by listing all the risks that have the potential to benefit or adversely affect the organization.
Risk Assessment
The first step in the risk assessment process is identifying as many risks as possible, with an emphasis on risks that influence the organization’s objectives. The second step is analyzing the identified risks by examining the potential likelihood of each risk and its consequences. Quantitative or qualitative techniques can be used to analyze the risks that have been identified; often, both techniques are required. The third step involves evaluating the risks by applying risk criteria to the levels of the risks to determine their significance and priority. The level of risk considers the combined effects of the likelihood and impact of the risk on the organization. On a risk map, the levels of likelihood could be rare, unlikely, moderate, likely or almost certain. For impact or consequences, the levels could be negligible, low, medium, very high or extreme. Responses to risks, or risk treatments, will be based on the level of risk.
Risk Treatment
Risk treatment is the implementation of actions and techniques for responding to both hazard and speculative risks by avoiding risks, modifying risks, retaining risks or transferring risks. Organizations will often combine risk treatments when responding to risks. Risks that are determined to produce positive outcomes should be embraced by the organization.
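The assessment and treatment steps described above, worked through in code as an added example (not from the page and not prescribed by ISO 31000:2018): each register entry is scored on the page's likelihood and impact scales, rated by applying risk criteria, ordered by level, and given a default treatment, with an upside risk embraced rather than treated. The 1 to 5 scores, the tolerance thresholds, the treatment mapping and the sample register are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Ordinal scales from the risk map described on the page. The numeric scores
# (1..5), the tolerance thresholds and the treatment mapping below are
# assumptions for illustration, not values prescribed by ISO 31000:2018.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "moderate": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "low": 2, "medium": 3, "very high": 4, "extreme": 5}
# Risk criteria (assumed): minimum level for each rating, most severe first.
CRITERIA = [(15, "high"), (8, "medium"), (1, "low")]
# Assumed default treatment per rating; an upside risk is embraced instead.
TREATMENT = {"high": "avoid or transfer", "medium": "modify", "low": "retain"}

@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    upside: bool = False  # speculative risk with a potential positive outcome

def risk_level(risk: Risk) -> int:
    """Analysis step: combine likelihood and impact into one level (1..25)."""
    try:
        return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    except KeyError as exc:
        raise ValueError(f"{risk.name}: unknown scale value {exc}") from None

def evaluate(risk: Risk) -> tuple[str, str]:
    """Evaluation step: apply the risk criteria, then pick a treatment."""
    level = risk_level(risk)
    rating = next(r for threshold, r in CRITERIA if level >= threshold)
    treatment = "embrace" if risk.upside else TREATMENT[rating]
    return rating, treatment

def prioritize(register: list[Risk]) -> list[tuple[str, int, str, str]]:
    """Order a risk register by level, highest first (stable for ties)."""
    rows = [(r.name, risk_level(r), *evaluate(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register (not from the page).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing server", "likely", "very high"),
    Risk("Laptop theft", "moderate", "medium"),
    Risk("Printer outage", "unlikely", "negligible"),
    Risk("Entering a new market", "moderate", "very high", upside=True),
]

if __name__ == "__main__":
    for name, level, rating, treatment in prioritize(SAMPLE_REGISTER):
        print(f"{level:>2}  {rating:<6}  {treatment:<18}  {name}")
```

A real register would carry the risk criteria as a documented policy decision rather than the constants above; the point is that the rating and the treatment both follow mechanically from the criteria once the likelihood and impact have been analyzed.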
Risk Monitoring and Review
Risk management processes are generally cyclical: the internal and external environments should be reviewed periodically and the necessary adjustments made. The organization’s risk register is a useful tool for conducting this activity.