After approval by the ISO member bodies, the ISO Technical Management Board Working Group on risk management released ISO 31000:2009, Risk Management – Principles and Guidelines in November of 2009. The authors designed the standard to be applicable for any organization and any risk type, but, unlike the familiar ISO quality standards, ISO 31000 is not certifiable.
For those familiar with the AS/NZS 4360:2004 standard on risk management, this ISO standard should be easily recognizable. With the exception of wording changes, ISO 31000 is essentially the same standard. If your organization adopted the AS/NZS standard, the transition to ISO 31000 should be relatively seamless. Further, the auxiliary document, Risk Management Guidelines Companion to AS/NZS 4360:2004, provides guidance on the design and implementation of risk assessment and management techniques. Similarly, ISO/IEC 31010:2009 is the auxiliary document that supports the new ISO 31000 standard.
For those unfamiliar with the AS/NZS standard, or those unfamiliar with a formal, structured risk management process, the remainder of this article will discuss the structure and key elements of ISO 31000.
The two primary components of the ISO 31000 risk management process are:
- The Framework, which guides the overall structure and operation of risk management across an organization; and
- The Process, which describes the actual method of identifying, analyzing, and treating risks.
The ISO 31000 Framework mirrors the plan, do, check, act (PDCA) cycle, which is common to all management system designs. The standard states, however, that, “This Framework is not intended to prescribe a management system, but rather to assist the organization to integrate risk management into its overall management system”. This statement should encourage organizations to be flexible in incorporating elements of the framework as needed.
Major elements of the Framework include:
- Policy and Governance
Provides the mandate and demonstrates the commitment of the organization
- Program Design
Design of the overall Framework for managing risk on an ongoing basis
Implementing the risk management structure and program
- Monitoring and Review
Oversight of the management system structure and performance
- Continual Improvement
Improvements to the performance of the overall management system
Organizations, particularly those without a prior familiarity with management systems, should prepare to spend considerable time establishing a robust framework and avoid the urge to dive directly into the risk assessment process. Process design is an important step because the Framework provides the stability and continuity to assist in establishing a program as opposed to just executing a project.
Key elements that organizations should not overlook include:
- Establishing management commitment both during the implementation and on a long-term basis, including:
- Development and approval of a formal policy
- Identification and allocation of needed resources, including sufficient expertise and budget to sustain the program
- Establishment of a regular review cycle to maintain program visibility to management and motivate all participants
- Developing a program that works within the organization, its culture and environment, including:
- Understanding the external forces – industry trends, regulatory requirements, and expectations of key external stakeholders
- Understanding the internal forces – existing governance, organizational structure, culture, and organizational capabilities
The extent to which an organization considers and implements any of these elements is dependent on the organizational purpose and needs. The goal is a visible, adequately-equipped program that is compatible with the organization’s culture and objectives and sustainable for the long-term.
After establishing the risk management Framework, an organization is ready to develop the Process. The Process, as defined by ISO 31000, is “multi-step and iterative; designed to identify and analyze risks in the organizational context.”
Major elements of the Process, as seen in the diagram below, include:
- Active Communication
- Communication and consultation with all stakeholders
- Process Execution
- Establishing the context
- Risk identification
- Risk analysis
- Risk evaluation
- Risk treatment
- Similar to the Framework, regular monitoring and review is required
As noted in the diagram above, the first and third activities should occur regularly during the risk assessment Process. Early in the Process, regular communication is critical to understanding stakeholders’ interests and concerns, thus validating the focus of the Process. At later stages, regular communication helps convey the rationale behind decisions and why the organization needs certain risk treatments. In addition, regular oversight ensures that the organization addresses changes in the risk environment and processes and that controls operate effectively. Together, these activities ensure that all stakeholders clearly understand expectations and that the organization addresses change as quickly as possible.
The actual process of assessing risks first requires definition of what ISO 31000 calls the “context”. The context is a combination of the external and internal environments, both viewed in relation to organizational objectives and strategies. The context setting process begins during the Framework phase with the examination of the organization’s internal and external environments, but management should continue this assessment in greater detail here and focus on the scope of the particular risk management Process.
The remaining assessment steps involve developing techniques to identify, analyze, and evaluate specific risks. While multiple documented methods and techniques exist, all should include the following key elements:
- Risk Identification
- Identification of the sources of a particular risk, areas of impacts, and potential events including their causes and consequences
- Classification of the source as internal or external
- Risk Analysis
- Identification of potential consequences and factors that affect the consequences
- Assessment of the likelihood
- Identification and evaluation of the controls currently in place
- Risk Evaluation
- Comparison of the identified risks to the established rick criteria
- Decisions made to treat or accept risks with consideration of internal, legal, regulatory and external party requirements
Those interested in each of the risk assessment techniques and methods should consult ISO/IEC 31010, the supporting auxiliary document mentioned earlier. Of note, the complexity of methods and the extent of analysis required are highly dependent on the nature of the organization and management should consult with all stakeholders when developing an appropriate approach.
Overall, management should develop and implement risk treatments to reduce residual risks to levels acceptable to key stakeholders and monitor/adjust to ensure efficiency and effectiveness.
Relationship to ASIS SPC.1-2009 and Business Continuity
The release of both ISO 31000 and the ASIS SPC.1 Organizational Risk standard in such close proximity to each other raised several questions. Since both are management systems-based, should the industry view them as equivalent or interchangeable? How do they relate to business continuity? And which, if either, is a sound basis for Enterprise Risk Management (ERM)?
While both standards leverage the management systems processes and describe a similar process structure, SPC.1 presents a somewhat more limited scope, defining Organizational Resilience in terms of security, preparedness and continuity while ISO 31000 maintains a broader – perhaps more strategic – focus.
Regarding business continuity, it is just one of the many risk treatments that would comprise a more strategic risk management program espoused by ISO 31000. As a result, business continuity should be viewed a sub-component of the risk management program described in ISO 31000 because it addresses one specific risk (process, resource and technology availability).
Overall, the risk management principles and processes described in ISO 31000 and supported by the guidance of ISO/IEC 31010 provide a robust system that allows an organization to design and implement a repeatable, proactive and strategic program. The design of specific program elements is highly dependent on the goals, resource, and circumstances of the individual organization. Regardless of the level of implementation, management involvement in setting direction and regularly reviewing results should be a part of every program, which will not only elevate the management of risk, but also ensure an appropriate treatment of risk based on organizational objectives and long-term strategies.
Glen Bricker, Managing Consultant
Avalution Consulting: Business Continuity Consulting