ISO 31000 Risk Management
All organisations are affected by risks that can have consequences for their financial performance, their environmental and societal outcomes, and their reputation.
Some organisations are exposed to more risks than others due to the nature of their business or their business environment. Some organisations are willing to accept more risk than others, because with more risk we expect more return. However, one thing that is common to all organisations is that, to protect their value, they must have an effective process to manage risk.
What do you mean by Risk and what is Risk Management?
In a nutshell, risk is uncertainty. Due to internal and external factors, organisations face uncertainty as to whether they will achieve their objectives. ISO 31000 quite neatly defines risk in this way, as the “effect of uncertainty on objectives”. Risk management refers to the systematic process of trying to address this uncertainty or, as described by ISO 31000, risk management is the “coordinated activities to direct and control an organisation with regard to risk”.
Why does an organisation need Risk Management?
Risk management can also help an organisation ensure that it complies with relevant legal and regulatory requirements, and it can improve stakeholder confidence and trust in an organisation’s performance.
The Australian Stock Exchange (ASX) highlights that a listed entity should establish a sound risk management framework, as a failure to recognise or manage risk can adversely impact not only the entity and its security holders but many other stakeholders. These include employees, customers, creditors, suppliers, consumers, taxpayers and the broader community in which the entity operates. The same principles apply to all businesses, no matter how big or small.
What does ISO 31000 Risk Management Principles and Guidelines give me?
ISO 31000 establishes a set of risk management principles that organisations seeking an effective risk management process should comply with. It also establishes a risk management framework, which ensures that there is sufficient mandate and commitment from senior management and that organisations understand their own organisational context. This makes sure the risk management process is tailored to the organisation’s needs. The third part of the ISO 31000 Risk Management Principles and Guidelines is the risk management process. This process looks at how an organisation can assess its risks and select the appropriate treatments.
What are some of the key Principles in ISO 31000 and how can they help my business?
The risk management principles are a key part of ISO 31000 and they also support why a business would want to invest in an effective risk management process. Some of the key principles include:
What is the framework for ISO 31000 and how does it work with the Principles?
A key aspect of the risk management framework as described in ISO 31000 is that it is designed to assist an organisation to integrate risk management into its overall management system. The benefit of this is that it saves on duplication of processes, and hence additional administration cost for your business. It also reinforces the point highlighted in the principles that risk management must be tailored to your organisation.
The framework identifies that, for risk management to be effective, it is critical that there is a strong mandate and commitment from the management of the organisation. This commitment must also be sustained. Some of the key areas here are ensuring that the culture of the organisation and its risk management policy are aligned, aligning risk management with the organisation’s strategy, ensuring that risk management is resourced, and ensuring that benefits are communicated to all stakeholders.
The steps to design a framework for managing risk are also identified. Following and applying these ensures that you understand your organisation’s internal and external operating environment, highlighting again the principle that, to be effective, this must be tailored to your organisation. This design will also consider communication, as it is critical to underpinning any risk management process: engaging internal stakeholders, allocating accountability and ensuring ownership, as well as ensuring appropriate interaction with external stakeholders. ISO 31000 also highlights the steps to consider when implementing risk management and when monitoring and reviewing the framework.
Monitoring and reviewing the framework ensures that risk management continues to be effective for the organisation and continues to support the achievement of its objectives. The output of this step is feedback and decisions that ensure the continual improvement of the framework. This in itself is an important consideration, as risk management needs to ‘live and breathe’ within an organisation. To be effective, it must continually improve to ensure it adds value. It is not a ‘set and forget’ process.
What about the risk management process, and how does it work?
Aligning with the principles and framework, ISO 31000 also establishes a risk management process that can be used as a guideline for implementation in an organisation. This considers how an organisation can:
- Communicate and consult with its stakeholders
- Establish the internal and external context that it is operating in
- Develop and implement a risk assessment process: how risks are identified, analysed and evaluated.
- Identify and select the most appropriate treatment for its risks.
- Monitor and review the process ensuring feedback is provided and corrective actions implemented to develop a continual improvement process.
In summary, what are the benefits of implementing ISO 31000?
Above, it was highlighted that an effective risk management process increases the likelihood of an organisation achieving its objectives. It can be tricky to identify the benefits of risk management. Once there has been a costly ‘risk event’ or a ‘crisis’, it is easy to identify a tangible benefit; consider the increased focus on risk management since the GFC. However, if there has not been such an event, it may be harder to quantify a benefit.
An effective risk management process will assist in the identification of opportunities and threats to an organisation. Once these are established and their likelihood and consequence assessed, a robust risk management process can start to identify its own benefits. And let’s not forget that risk management can help you capture opportunities that you may otherwise have forgone.
Not all auditors and not all certification bodies are the same. We do things differently. We explain the process, we keep it simple, and we only use the most skilled and experienced auditors, who can communicate at all levels in your organisation and who will partner with you over the journey. Our auditors know their stuff but don’t pretend to know everything. We will share our experience and help you add value to your safety system at the same time as determining compliance.
We adapt based on your circumstances and objectives. We understand that organisations operating in high-risk industries such as construction and mining require different outcomes from certification than an office-based business that is just starting out on its safety journey.
We understand you want highly skilled safety auditors with experience in your industry, who understand your risks and hazards and your compliance issues.
When undertaking certification for ISO 31000 Risk Management, there are a number of key things to focus on. Knowing what they are, and how your organisation scores on them, is helpful in determining whether you are ready for certification. To assist you, we’ve put together a helpful ISO 31000 Risk Management Self Assessment Checklist. Download it now to start your journey towards ISO 31000 certification.