ISO defines a risk management framework as “a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization”.
ISO 31000:2009, ISO’s risk management standard, is designed for all types of businesses, regardless of size, industry and risk portfolio. ISO’s framework allows your company to compare its risk management programme with an internationally recognized benchmark and to seek guidance on auditing and governance.
Managing risk in an organization requires the cohesive application of the ISO 31000 principles, framework and risk management process.
ISO identifies 11 key principles in risk management.
Risk management should:
- Create value – meet corporate objectives through mitigating risk and taking positive risks.
- Be an integral part of organizational decision making and processes – embed risk management into the business.
- Explicitly address uncertainty – identify and define uncertainties in order to plan the company’s standpoint and approach.
- Be systematic, structured and timely – be clear on how to react to events and keep within timescales.
- Be based on the best information available – use up-to-date and reliable information and highlight possible limitations to avoid bad decision making.
- Be tailored to your business – align risk management decisions to business goals, risk profile and individual internal and external factors.
- Take human and cultural factors into account – understand how employee capabilities and perceptions, as well as the company’s culture, might affect risk management.
- Be transparent and inclusive of all stakeholders – ensure management buy-in to the framework, include relevant parties in decisions and communicate to the whole organization to mitigate resistance to change.
- Be dynamic, iterative and responsive to change – risk management evolves and so must the framework.
- Facilitate continual improvement and enhancement of the organization – continue to improve risk management processes and use risk management to improve the organization.
Creating a risk management framework and process
Using these principles to oversee enterprise risk management and gain organizational commitment, risk managers then need to create a framework and implement, monitor and review it so that it continues to improve. Our article on developing an enterprise risk management framework gives more insight into this process.
Once the framework is in place, the final part of ISO 31000 is creating and implementing processes. This means taking the guidance in the framework and turning it into usable practices, for example by setting out steps to follow or thresholds to adhere to in specific scenarios.
These processes must be communicated throughout the business and adopted by everyone – not just those responsible for risk management. Monitoring and reviewing these processes completes the cycle.
Advantages of ISO
Implementing a risk management framework like the one set out in ISO 31000 is key to supporting an effective business. Although ISO 31000 is not a certification, it does provide an easy-to-use, adaptable guide to help organizations manage risk in order to achieve objectives, identify opportunities and threats and allocate resources for risk treatment.
You have a risk management framework, what’s next?
When you have your risk management framework and processes in place, you might find that you have huge quantities of data gathered from many people across departments. To get consistency and accuracy in collation and reporting, a good risk management information system is key.