Updated: May 9, 2019
We make decisions to address risks in our everyday life. Those risks may be encountered on a personal basis or in our workplace, where we need to address risks in a structured way. For example, a CEO of a commercial entity or a Director General of a government agency may need to make risk judgements and decisions associated with very complex situations, where a structured approach is needed. Non-effective risks judgements and decisions may have detrimental effect on the organisation we work in. Dealing with risk is part of good governance, management and leadership, and is fundamental to how an organization is managed at all levels.
New and evolving threats may require new risk management practices and solutions. These considerations were at the heart of the latest published ISO 31000:2018 - Risk management – Guidelines. This international standard delivers a clearer, shorter and more concise guide that will help organizations use risk management principles to improve planning and make better decisions in addressing risks.
Jason Brown, Chair of technical committee ISO/TC 262 on risk management that developed the standard, says: “ISO 31000:2018 focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of business.”
The standard was designed and written in the spirit of clarity, using simpler language for better understanding and make it accessible to all stakeholders. It places greater emphasis on creating and protecting value as the key driver of risk management and features other related principles such as continual improvement, the inclusion of stakeholders, being customized to the organization and consideration of human and cultural factors. Risk is defined as the “effect of uncertainty on objectives”. It focuses on the effect of incomplete information and knowledge or circumstances on an organization’s decision making. This requires organizations to adapt and design risk management to their needs and objectives.
ISO 31000 provides a risk management framework that supports organisation-wide activities, including decision making across all levels of the organization. The framework and its processes should be integrated with management systems to ensure consistency and the effectiveness of risk management across all areas and levels of the organization. Strategic planning, organizational resilience and sustainability, crisis management, business continuity, Information Technology, good corporate governance, human resource, quality, health and safety, cyber crime and security are part and parcel of the ensemble.
8 Principles for Managing Risks as Outlined in ISO 31000:2018
The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.
The principles outlined in Figure 1 provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intention and purpose. The principles are the foundation for managing risk and should be considered when establishing the organization’s risk management framework and processes. These principles should enable an organization to manage the effects of uncertainty on its objectives.
Effective risk management requires the elements of Figure 1 and can be further explained as follows:
Integrated - risk management is an integral part of all organizational activities.
Structured and comprehensive - a structured and comprehensive approach to risk management contributes to consistent and comparable results.
Customized - the risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.
Inclusive - appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
Dynamic - risks can emerge, change or disappear as an organization’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
Best available information - the inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
Human and cultural factors - human behavior and culture significantly influence all aspects of risk management at each level and stage.
Continual improvement - risk management is continually improved through learning and experience.
(Copies of this Standards can be purchased online from International Organization for Standardization's website.)