ISO 31000: in this article you will find an easy and practical explanation of the ISO 31000 method. Next
After reading, you will understand how useful this tool can be for risk management in companies.
Introduction ISO 31000
Before going deeper into what this method is all about, it is necessary to emphasise the importance of analysing the possible risks that a company may face at any stage of its development. No company, regardless of its size or development, is free from the risks that may arise.
These risks can arise from the business’ internal processes, such as problems in manufacturing, machinery, human talent, communication, among others, to external processes such as a bad reputation, poor quality products and customer service.
This is where risk management comes in. It aims to identify and handle unforeseen events. A company should always be aware of this, as it is a priority rule for the proper functioning of the organisation. With this clear and reviewed, we will proceed to explain the international ISO 31000 method that is directly related to risk management activities.
What is ISO 31000?
ISO 31000 is the international standard of risk management, developed by the International Organization for Standardization. Its purpose is to increase the probability of achieving objectives, improve the identification of opportunities and threats and allocate and efficiently use resources for the treatment of risks at a strategic and operational level.
It was first published in 2009, with the objective that all companies, regardless of size, should be able to manage enterprise risks efficiently. This means that organisations develop, implement and improve the framework for each of their risk management activities.
Gradually, ISO 31000 has grown and evolved into other versions such as:
- ISO 31000 – Risk Management – Principles and Guidelines
- ISO / IEC 31010 – Risk Management – Risk Assessment – Technical risk assessment
- ISO Guide 73:2009 – Risk management – Vocabulary – Management
- ISO 31000:2018 – Risk management – Principles and Guidelines
In this article, we will focus on ISO 31000:2018, which is the latest update.
Principles for ISO 31000 risk management
Implementing ISO 31000 creates value in risk management. It improves the performance of the company, through the monitoring and review of the system and processes. Examples of areas where ISO 31000 has proven its value are: safety, occupational health, environmental protection, among others.
Integration of organisational processes
It should not be a separate process; it should be connected to the other processes of the company.
Risk management helps to make assertive decisions by analysing the different alternatives that exist to solve possible problems that may occur in the organisation.
By identifying potential risks and the decisions that need to be taken in order to get out of a negative situation, uncertainty management is controlled.
Systematic, structured and efficient
Managing risk management processes in a systematic and structured way will bring reliable results for the company.
Based on the best available information
The risk management process is based on collected data, experience, observation and expert opinion. It is considered to be important and essential for carrying out activities and recognising models and data that are important.
Necessary and adaptive
Risk management is aligned to the internal and external context of the organisation and its risk profile. This risk management is adapted to the resources available to the company, such as personnel resources, finances, track record, among others.
Human and cultural factors taken into account
It understands the importance of the employees and people involved in the company’s processes to achieve its objectives. By understanding the culture of the people who work for the organisation, it will facilitate the achievement of objectives and their positive results in operations.
Transparency and participation
It emphasises the importance of maintaining stakeholder engagement (employees, investors, customers) in order to recognise internal and external communication to maintain constant updates on risk management.
Dynamic, iterative and responsive to change
It is important for today’s companies to understand that trends and the environment change both internally and externally. This means that new risks may emerge in such transformations or changes. Risk management must be aware and must be updated and adapted when this happens.
Facilitating and continuously improving the company
By making strategies and implementing them, you continuously improve, both in risk management and in other aspects of the company.
Framework of reference
The framework for risk management has been developed to assist the organisation in integrating risk management into all its major activities and functions. This integration, including decision making, will have a positive impact on the company’s processes when done appropriately.
Leadership and commitment
Identify the organisation’s risks, to define a risk management policy. Anticipating ahead of events is essential.
- Allocate financial resources to risk management
- Communicate the benefits of risk management so there will be fewer operational losses
- Assign roles and responsibilities
- Be accountable for managing risk
The integration of risk management depends on the understanding of the structures and context of the organisation. The company must fully understand its internal and external contexts when designing the framework.
As mentioned above, integration should not be isolated from the processes that the company has in place. Integration must go hand in hand with leadership, as this is where the company’s strategies, objectives and operations lie in order to meet its goals.
Risk management process
The risk management process is the systematic implementation of policies, procedures and practices where the situation is identified, analysed, and assessed through risk assessment.
How to do a risk assessment in the company?
1. Identification of
- Tangible and intangible sources
- Opportunities, strengths and weaknesses
- The internal and external context and its changes
- General risk indicators
- The company’s assets and resources
- Probability of events and their consequences
- Magnitude of consequences
- Time-related factors
- Controls and effectiveness
3. Risk assessment
Compare the analysis results with the risk criteria and make decisions such as doing nothing, options to address the risk, doing extra analysis, maintaining existing controls or reconsidering objectives.
This process should be recorded, communicated and validated in each area of the business.
The purpose of risk mitigation is to select and implement options to address risk.
Risk mitigation involves a dynamic process of:
Formulating and selecting responses for risks; it requires knowing how much it will cost and what implications it will have and the consequences, who it will affect. These actions can:
- Eliminate the risk
- Accept the risk
- Reduce the occurrence of the risk
- Reduce the impact of the risk
- Share the risk or retain the risk
- Plan and implement the risk treatment; it is the order in which the actions should be implemented and the way in which they will be connected with the company’s processes
- Evaluate the effectiveness of that treatment; follow up and review at each stage of the risk management processes
- Decide whether the residual risk is acceptable; if not acceptable, carry out additional treatment
Advantages of ISO 31000
Benefits for the organisation
- Security and confidence for employees and customers
- Adequate risk management
- Culture of prevention
- Improvement of management systems
- Allows to understand the importance of identifying, analysing, monitoring and dealing with risk at each stage
- Helps to identify threats, weaknesses, opportunities and strengths in the process
- Helps in complying with the legal requirements of international standards
- It creates a solid and reliable strategy focused on decision making and planning
Benefits ISO 31000 for stakeholders
- Security for stakeholders
- Effectiveness in emergency situations
- Actions in case of threats or risks
- Improved financial management of the company and confidence of economic stakeholders
- Credibility and prestige
- Security and trust
- Prevents losses that may occur
ISO 31000 is a vital method to protect a company from various problems and risks that may arise. A threat can also become an opportunity, which needs to be exploited.
How do you deal with a critical situation that can bring risk to the company in the short, medium or long term? This is where ISO 31000 comes in to rethink a risk situation and help your company deal with it.
Now It’s Your Turn
What do you think? Did you know about ISO 31000 risk management before? Have you implemented it in your company? If so, please share your experience with us. Do you have anything else to add or any suggestions?
Share your experience and knowledge in the comments box below.
- Purdy, G. (2010). ISO 31000: 2009—setting a new standard for risk management. Risk Analysis: An International Journal, 30(6), 881-886.
- Lalonde, C., & Boiral, O. (2012). Managing risks through ISO 31000: A critical analysis. Risk management, 14(4), 272-300.
- de Oliveira, U. R., Marins, F. A. S., Rocha, H. M., & Salomon, V. A. P. (2017). The ISO 31000 standard in supply chain risk management. Journal of Cleaner Production, 151, 616-633.
How to cite this article:
Ospina Avendano, D. (2021). ISO 31000: Principles, risk management & framework. Retrieved [insert date] from Toolshero: https://www.toolshero.com/quality-management/iso-31000
Published on: 10/03/2021 | Last update: 12/08/2022
Add a link to this page on your website:
<a href=”https://www.toolshero.com/quality-management/iso-31000″>Toolshero: ISO 31000: Principles, risk management & framework</a>
We are sorry that this post was not useful for you!
Let us improve this post!
Tell us how we can improve this post?