Working in an environment full of uncertainty encourages organisations to manage the risks affecting their economic performance and professional reputation, as well as their environmental, safety and societal outcomes. Risk and risk management are strongly addressed in the new revisions of the ISO quality, safety and environmental management system standards, including ISO 9001 and ISO 14001, which are planned for publication in 2015, and ISO 45001, which is planned for publication in 2016.
ISO 31000:2009, Risk management – Principles and guidelines, provides principles, framework and a process for managing risk. It can be used by any organisation regardless of its size, activity or sector. Using ISO 31000 can help organisations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.
ISO 31000 is not a certifiable standard; however, it provides extensive guidance for internal or external audit programmes and can be used as an internationally recognised best practice for benchmarking purposes.
The objective of this Standard is to achieve:
Because a consistent set of terms is needed in risk management to give greater clarity and a wider understanding of the subject, many of the pre-existing terms and definitions that had arisen from different forms of risk and different applications of risk management had to change. Fortunately, ISO combined the creation of the standard with a revision of the existing ISO/IEC vocabulary for risk management in Guide 73:2002; both documents were published at the same time and will be updated together in future.
In order to ensure that the risks are managed effectively and efficiently, the principles of effective risk management in ISO 31000 are that it should:
A second list of attributes, in an annex to the standard, contains unavoidable characteristics of managing risk effectively that are also powerful indicators of risk management performance.
After considering numerous options and variants, ISO 31000:2009 largely adopted the same broad process as AS/NZS 4360:2004 for managing risk as shown in Fig. 1.
There are two elements of the process that can be considered as continually acting. These are:
The central spine of the risk management process starts with establishing the context, an essential predecessor to risk identification.
Risk identification requires the application of a systematic process to understand what could happen, how, when, and why.
Risk analysis is concerned with developing an understanding of each risk, its consequences, and the likelihood of those consequences. Whether the end result is expressed in a qualitative, semi-quantitative or quantitative manner, gaining this understanding requires consideration of the effect and reliability of existing controls and of any control gaps.
Risk evaluation then involves making a decision about the level of risk and the priority for attention through the application of the criteria developed when the context was established.
Risk treatment is the process by which existing controls are improved or new controls are developed and implemented. It involves evaluating and selecting from options, including analysis of costs and benefits and assessment of any new risks that each option might generate, and then prioritising and implementing the selected treatment through a planned process. The options can be elimination, substitution, engineering controls, administrative controls and the use of Personal Protective Equipment (PPE) to eliminate or mitigate the risks.
ISO 31000:2009 gives a set of general options to be considered when risk is treated. The order of the list reflects preference. Importantly, the options address risks with downside consequences, upside consequences, or both.
One of the recurrent themes in ISO 31000 is that, to be effective, risk management must be integrated into an organisation's decision-making processes (which, of course, is how risk is generated). Clause 4 of the standard concerns implementation of the risk management process through integration by using a management framework, which consists of the policies, arrangements and organisational structures needed to implement, sustain and improve the process. The standard not only describes the important elements that are required in such a framework but also describes how an organisation should go about creating, implementing and keeping these elements up to date and relevant.
A number of other standards also relate to risk management.
Please contact us to find out how our training courses, workshops and coaching sessions can assist you in meeting all the requirements of the ISO 31000 standard.