We analyze and manage risks every day.
From crossing the street, correctly preparing food, and fastening seat belts, to coordinating a journey via public transit. Each of these is an example of a risk management process happening in our heads; sometimes it is the result of “common sense”, and sometimes the decisions are made unconsciously.
When it comes to business management, a more rigorous, formalized approach is needed.
One such strategy for managing risk is to utilize standards for risk management, like ISO 31000. This approach is useful in pretty much any situation, for organizations of all shapes and sizes, to manage risk in their everyday operations.
Managing risk effectively is essential to ensure businesses succeed and thrive in an environment of constant uncertainty. This post covers everything you need to know about ISO 31000; here’s a quick rundown of the article structure:
- What is ISO 31000?
- Benefits of ISO 31000
- Principles of ISO 31000
- ISO 31000 framework
- ISO 31000 process
- Importance of risk management leadership
- ISO 31000 and continuous improvement
- Automating ISO 31000
What is ISO 31000?
Simply put, ISO 31000 is a standard for risk management. First published in 2009, with the most current version (at the time of writing) being 2018, it describes a set of guidelines intended to streamline risk management for organizations.
To quote the standard itself:
“[ISO 31000 is designed to be used by] any public, private, or community enterprise, association, group or individual.” – ISO 31000:2018
ISO 31000:2018 is a single standard in a larger family of risk management standards, generally referred to as ISO 31000. The risk management standards of ISO 31000 are all designed to be used broadly, across various industries, niches, and business types, to provide the best practice structure and guidance to all operations seeking to use the principles of risk management.
Introduction to ISO
A standard is just a formalized set of specifications that a lot of people have agreed upon. In this case, the organization responsible for setting the standard is the International Organization for Standardization, a standard-setting body based in Geneva, Switzerland. For an ISO standard to come into existence, it has to be verified by a bunch of different representatives from a wide range of different standards organizations.
So, when you’re using an ISO standard, you’re benefiting from the consensus of over 100 member organizations on the best practice guidelines or requirements.
In the case of ISO 31000, the focus is on best practice principles for implementing, maintaining, and improving a framework for risk management.
It’s important to note that ISO 31000 is a set of guidelines, not requirements. Many ISO standards, like ISO 9001 and ISO 14001, are requirements, which means they comprise a strict set of specifications that can be certified to. ISO 31000 is not like that; it can’t be certified to. It’s simply a set of best practice guidelines.
Management system standards: The standardization of risk management
There are a lot of ISO standards, and many of them focus on the idea of a management system. Quality management (ISO 9001), environmental management (ISO 14001), risk management (ISO 31000); these are all examples of ISO standards that share a common management system standard (MSS) structure.
With ISO’s MSS structure, risk management has never been easier to integrate with other frameworks. It allows you to reuse a ton of information and work that you might have implemented for a single management system, in order to streamline the implementation of similar standards.
Check out this post on ISO 19011 for a more in-depth breakdown of ISO management system standards and how to benefit from them (and for auditing your management systems!)
The ISO 31000 family
Like many ISO standards, ISO 31000 refers to an umbrella of risk management standards.
So far, the ISO 31000 family consists of:
- ISO 31000:2018 (Principles and Guidelines on Implementation)
- ISO/IEC 31010:2009 (Risk Assessment Techniques)
- ISO Guide 73:2009 (Risk Management Vocabulary)
Each of these supplements one another; they’re all designed to provide a clear and universally applicable set of guidelines and best practice principles for risk management.
As well as those mentioned above, there is also ISO 21500, which details guidance on integrating project management principles with ISO 31000 for risk management.
Risk management simplified with ISO 31000:2018
ISO 31000 aims to simplify risk management into a set of clearly understandable and actionable guidelines that should be straightforward to implement, regardless of the size, nature, or location of a business.
Risk for ISO 31000 is defined as “the effect of uncertainty” on business objectives. This effect can be either positive or negative.
What exactly does that mean?
Well, ISO 31000 is an effort to acknowledge that business operations always contain a degree of uncertainty, and therefore, risk. No matter what our business goals, there’s always a chance that things might go wrong.
When you break down a business goal into a process, you can look at that process in terms of each step along the way, towards the eventual outcome of that process. Risk management involves looking at the element of risk present in each of those steps, and trying to manage it.
Risk management frameworks use three key concepts to talk about risk:
- Potential event
- Probability of that event occurring
- The resulting severity of the outcome, should the event occur
This kind of framework produces categorizations like “high-risk events”, meaning an event that has a high likelihood of occurring, as well as a severe outcome.
ISO 31000 defines risk slightly differently; however, these old risk assessment frameworks are still largely applicable and useful in an ISO 31000 risk management system.
It’s talking about the same kind of thing, just from a slightly different perspective. ISO is perhaps more optimistic; it focuses on business goals and outcomes, whereas traditional risk management frameworks tend to be more neutral, if not negative, talking about risk in a more detached way that isn’t necessarily taking into account business goals or objectives.
Again, both of these approaches can be used in tandem; they’re not mutually exclusive. It’s just two different ways of thinking about the same problem.
Another important difference is how, traditionally, risk management frameworks tend to focus on the quantification of risk. That means they try and put a number value to risk, worked out by combining the probability and severity values.
ISO 31000 focuses more on conceptual definitions of risk, tied to higher-level concepts of business objectives and context.
ISO Guide 73:2009
This is one of the supplements to ISO 31000:2018, and quite simply, it’s just a vocabulary of terms relating to risk management.
It’s not necessary, but you might find it useful in understanding some of the terminology and methods outlined in the main ISO 31000 document.
If any of the following applies to you, you might want to consider taking a look at ISO Guide 73:2009:
- You are responsible for overseeing the risk management program
- You are responsible for any kind of risk management
- You are implementing or engaging with any other ISO standard
- You are interested or involved in developing standards or guidelines like ISO 31000
Now, with most of the conceptual basics out of the way, we can start to touch on what makes ISO 31000 so appealing to so many businesses and organizations.
Benefits of ISO 31000
Why use ISO 31000? What can it do for your business? Well, aside from streamlining the implementation of a risk management framework by doing most of the structural and conceptual heavy lifting for you, it can also help with:
- Giving you a competitive advantage because ISO is an internationally recognized symbol for quality standards
- Increasing employee awareness of organizational risks by including them in the management framework and giving them responsibility for the processes they commonly use
- Reducing the frequency of, and ultimately eliminating, risks by educating employees and stakeholders on identified risks
- Improving the trust of stakeholders by maintaining transparency and communicating risks (and demonstrating risk responsibility and mitigation)
- Fostering forward-thinking mentalities by encouraging employees to envision all potential outcomes of a given situation
- Improving company culture by bringing disparate departments together to exchange fresh perspectives, and consider how they might work together more effectively
- Improving the success rate in all business operations by focusing on the process, thinking preemptively instead of reactively, and giving employees ownership of their work responsibilities
ISO 31000 can be invaluable for preparing a business for all eventualities; by understanding the worst-case scenario, a business is better equipped to make the most of the resources and opportunities currently available to them.
While ISO 31000 is certainly one of many guideline documents for implementing risk management, one of its stand-out strengths is its concise format. You’d have a hard time finding a more comprehensive document that succeeds in condensing so much information into such a coherent and concise set of guidelines.
Without a doubt, ISO 31000 is one of the foremost documents for those who want to waste no time in getting started with risk management, without sacrificing quality or integrity.
Principles of ISO 31000
One of the core ideas of ISO 31000 is that risk management exists to create and protect value.
This idea is expanded upon by the eight principles of ISO 31000, which are:
- Risk management must be integrated into all business operations and activities
- The approach must be structured and comprehensive.
- Processes and the risk management framework should be customized to suit the organization’s goals and context.
- Stakeholders must be involved with the management framework; it must be inclusive.
- Risk management must be dynamic and robust; preemptive thinking, anticipating, detecting, acknowledging and responding to changes.
- Risk management takes into account any limitations of available information.
- Human and cultural factors are paramount, and should be considered at all stages and aspects of risk management.
- The risk management framework is continuously improved through learning and experience.
These principles clearly describe the most important factors for an effective and efficient risk management framework, according to ISO 31000.
Principles one through five are concerned with risk management system design and planning. Sometimes, these first five are written with the acronym PACED.
The remaining six through eight focus on implementation and operation of the framework.
Framework of ISO 31000
The term “framework” is thrown around a lot, especially when talking about any kind of standard. What exactly does it mean?
ISO 31000 defines a risk management framework as:
“a set of components that support and sustain risk management throughout an organization.” – ISO 31000:2018
More specifically, ISO 31000 defines six distinct areas that make up the total “framework” for risk management:
- Leadership and commitment
- Integration
- Design
- Implementation
- Evaluation
- Improvement
The eight principles of risk management outlined above are closely related to the areas defined in the ISO 31000 framework. For example, the idea of a well-integrated risk management system is both one of the principles and one of the core components of the framework.
How do they relate to one another? The principles are like objectives, describing what needs to be achieved, and the framework is like the information about how to achieve those objectives.
Let’s take a closer look at each one of the framework components.
1. Leadership and commitment
Central to the ISO 31000 framework for risk management is the importance of leadership and commitment.
This component includes things like:
- Aligning risk management with the overall business objectives, strategies, and culture of the company,
- Issuing statements, announcements, or policies that clearly describe the risk management approach, planning, objectives, or actions,
- Making sure resources are adequately allocated and available for the risk management program,
- Determining the acceptable degree of risk that the organization can handle (“risk appetite”).
2. Integration
Perhaps second only to leadership and commitment, integration is super important in any risk management framework. The effectiveness of your entire risk management approach will depend on how extensively (and efficiently) it is integrated into all aspects of your organization, including decision-making processes.
For example, some processes, like an electrical inspection checklist, will have some level of risk involved. This could mean that the decision-making process involves multiple individuals, which could easily lead to a bottleneck, and result in a slow, inefficient process.
By effectively integrating the risk management process, these bottlenecks can be bypassed. One way of doing this is by utilizing a BPM software like Process Street to streamline each step along the way.
Using the same example, if a problem was detected by the electrician, they could swiftly notify management, or the client, or whoever might be the most relevant interested party with Process Street’s rich form fields and conditional logic.
That’s just one example. There are a ton of other ways you could use software like Process Street to simplify and improve your risk management framework.
Returning to the ISO 31000 framework, this component also includes things like:
- Roles and responsibilities of organizational management
- Making sure risk management is part of (integrated into) all aspects of the organization
We now come to the final four components of the framework: design, implementation, evaluation, and improvement.
This sequence of four stages is also known as the Plan-Do-Study-Act cycle, which is a model for continuous quality improvement.
ISO 31000:2018 refers to this approach as Plan, Implement, Measure, Learn (PIML), illustrated in the diagram below.
Despite the naming difference, the approach is largely the same. Four distinct stages, beginning with planning (or design), and ending with improvement (or learning), with the common goal of improving the risk management framework.
3. Design
This component includes things like:
- Understanding the organization and its context (both internal and external)
- Planning and allocating resources for the risk management program
- Establishing communication protocols
4. Implementation
Putting the plans in action. There is still a bit of planning that happens here, though; namely, the specific planning regarding the implementation of the risk management approach.
This component includes things like:
- Setting objectives and deadlines
- Clearly defining the decision-making process
- Evaluating and making changes to the decision-making process where appropriate
5. Evaluation
Taking a look at what’s working, what’s not, and figuring out if the risk management system is working as it should be.
This involves looking at the perceived versus the desired outcome (e.g. performing a gap analysis), and any other analytics or feedback from the process and implementation so far.
It might include things like:
- Measuring the performance of the risk management system
- Assessing success rate
- Determining whether or not objectives are feasible
6. Improvement
Risk management is a cyclic and wholly continuous approach. That means there is always room for improvement.
Despite the fact that there is a step in the ISO 31000 framework dedicated to it, and that the framework is laid out as a series of consecutive steps, the most effective risk management systems adopt a truly continuous approach to improvement.
A big part of that is making sure employees are on board with the risk management approach and that they understand and are able to take ownership of the processes they’re interacting with most frequently. Only by giving process owners the motivation and responsibility to take action on improving their processes will risk management thrive in a business environment.
The improvement component includes things like:
- Continuously monitoring all aspects of the risk management framework
- Addressing internal and external changes
- Planning and taking actions to improve value creation within the risk management system
Process of ISO 31000
Let’s start with the two most important building blocks:
- Risk assessment
- Risk treatment
These two areas form the core of risk management, according to ISO 31000.
We can zoom in a little further – risk assessment breaks down into:
- Risk identification
- Risk analysis
- Risk evaluation
Risk treatment, otherwise known as risk response, is simply the action taken in response to the identification, analysis, and evaluation of risks.
Each of these stages has a whole section of its own in ISO 31000, and I could probably dedicate an article to each of them. They go into detail about best practices for identifying risks, how to analyze them in terms of probability and severity, and how they can be evaluated in terms of the company’s risk appetite.
It’s important to note that ISO 31000 does not outline a process for risk management in and of itself; rather, it is a set of guidelines intended to help you figure out or improve your own process.
For this article, suffice it to say that you should check out ISO 31000 for yourself if you want to dig deeper into the guidelines for the risk management process.
However, here’s a handy diagram that illustrates how all of the components of the ISO 31000 process interact:
This diagram illustrates a set of steps that are designed to be undertaken in a coordinated manner but don’t necessarily have to be performed in sequence. That’s another strength of the PDSA cycle and continuous improvement in general; it is robust in its flexible design.
ISO acknowledges this by stating:
“Although the risk management process is often presented as sequential, in practice it is iterative.” – ISO 31000:2018
Importance of strong risk management leadership
The importance of leadership to the success of the ISO 31000 risk management system bears repeating.
Here are a few key points that top management should pay close attention to for a successful ISO 31000 risk management system.
ISO 31000 is not one-size-fits-all
ISO 31000 clearly states that risk management is an open-ended process designed to be highly customized and tailored to the individual needs and contexts of the organization implementing it.
That said, ISO 31000 advises particular attention to the customization of the risk profile, risk appetite, and the communication and facilitation of risk management throughout the company culture.
Executive alignment is crucial
This is one of the most important points; top management must be firmly committed to the risk management program, else the system will not work.
Executives should make sure that the entire risk management process is integrated across all levels and departments of the organization, as well as being strongly aligned with company objectives, strategy, and culture.
Consider how risks will impact value
ISO 31000:2018 says that top management should be responsible for making sure that risks are prioritized in accordance with how they impact the organization’s ability to create and deliver value.
This kind of approach differs from traditional risk management approaches, which would typically rank the risks by numeric value, assigned by considering probability and estimated severity.
Proactive, not reactive
This one is self-explanatory. The basic idea is that risk management should be preemptive, in that it prepares for risks that haven’t yet arisen, rather than simply reacting to the risks that are currently identifiable.
Risk management and continuous improvement
Continuous improvement is another significant concept to understand for ISO 31000.
Without a company culture strongly aligned with principles of continuous improvement, organizations will struggle to implement, let alone maintain successful risk management programs.
This can be challenging in practice, as cultivating a risk management attitude within a company involves aligning risk initiatives with existing company values, policies, and, to put it simply, convincing everyone involved that risk management is worthwhile.
However, improving risk culture is possible and, like many things, it becomes a lot easier when you have a process for it.
Such a process can be separated into three stages:
- Cultural awareness
- Cultural change
- Cultural refinement
Phase one: Building and strengthening cultural awareness
The first stage is the building of cultural awareness; this will take the form of communications, training, and general education initiatives within the organization.
Here is where companies set risk management expectations and objectives, define roles and responsibilities, and clearly communicate all of these things with their employees. You shouldn’t expect your employees to conform to your ideals about risk management without first taking the time to educate and inform them, whether through formal training or access to knowledge base material or similar.
Successfully building and strengthening cultural awareness about continuous improvement includes:
- Establishing a common risk management vocabulary
- Making sure communications are consistent with said vocabulary, and that everyone in the organization has clear access to all relevant documents
- Being clear about risk management responsibilities and accountabilities.
- Launching and maintaining training programs, providing training support and guidance where needed and as required by different roles and responsibilities within the organization
- Making sure onboarding processes adequately cover risk management.
- Making sure recruitment processes adequately cover risk management.
Phase two: Changing the way the organization operates
Once a firm foundation of cultural awareness regarding continuous improvement has been established, it’s time to start thinking about how to gradually begin changing the ways the organization operates to reflect these values.
This phase begins by starting to recognize and reward employees for paying attention to risk, and responding to risk in a way that challenges the previously established (pre-continuous improvement) status quo.
These kinds of motivational systems, rewarding and penalizing behavior according to the established ideals of continuous improvement outlined in the early planning stages, will result in the gradual but certain shift towards a proliferation of continuous improvement-conscious company culture.
Another important element is being able to recognize talent that conforms with the desired vision of continuous improvement, and capitalizing on this alignment by placing them accordingly in relevant, optimized positions of responsibility or seniority. It’s getting people in the right place, to drive the right kind of results.
Some important considerations for this phase:
- Utilizing challenge as a motivator for driving cultural change
- Gamifying and quantifying risk performance metrics, and rewarding/penalizing behavior accordingly.
- Considering risk management and continuous improvement culture in talent management approaches.
Phase three: Optimizing and refining the cultural ecosystem
The third and final stage of cultural adoption of continuous improvement takes place once the company culture has already matured to the point of widespread adoption and desired values are already well-entrenched.
At this point, the focus shifts to monitoring performance versus expectations, and attempting to tweak and refine the system to further improve cultural adoption.
The expectations can and will be influenced by a wide range of stakeholders, not just top management; employees, board of directors, analysts, customers, investors – they all have a say in the definition of cultural expectations, because these expectations should directly reflect the whole entity that is the organization, made up of all its constituent stakeholder parts.
Steps taken during this phase might include:
- Iterating feedback and observations from risk management into training, education, resources, and communications.
- Making sure stakeholders are held responsible for their actions
- Making sure any risk performance metrics or quantifiers are adjusted to reflect changes in risk strategy, goals, and objectives
- The capacity to redeploy and reassign individuals within an organization according to desired risk culture goals
- Continually reflecting on and refining risk culture in accordance with continually changing business goals, objectives, and strategies.
Automating ISO 31000
Is it possible to combine an ISO 31000 approach to risk management with strategies of business process automation?
Due to the cyclic, continuous nature of the ISO 31000 approach, there are many repetitive tasks that are part of the processes required for a successful implementation. And wherever there are repetitive tasks, there is a good chance you can take advantage of automation.
Consider that the process of implementing an ISO 31000 risk management system carries risks of its own – for example, the risk of human error is always present. Even more so when there’s a lot of repetitive manual work to be done.
By using Process Street to automate these manual tasks, you can dramatically reduce the risk of human error – and in some cases eliminate it completely. You’ll also save a bunch of time by cutting out all of that tedious manual work.
There’s a massive library of free, pre-made templates to choose from; marketing processes, ISO audits, hospitality – you name it, we’ve probably got a template for it.
And we’re adding more free templates every day!
Just sign up for a free account, and you can use whatever you need.
What are your thoughts on ISO 31000? How do you approach risk management? We’d love to talk – so go ahead and leave a comment!
ISO31000 is key to analyzing business continuity plan. I will to have background knowledge of ISO 31000 full study Package to enable me identify risks and how to evaluate them. Appreciate your kind support.
Thank you Mr. Peterson for the information. Our company is ISO 9001 and FSSC 22000 certified but our recent external audit found us greatly lacking in risk management. This concept is difficult to organize on paper. We are a small business with an owner who doesn’t see the importance of his participation, let alone leadership, in this area.
Just this morning I was granted funds to purchase an ISO 31000 guidance. Wish I had found your site first. But I will be a frequent visitor for more insight and understanding.
Hi Shanna, happy you found the article useful.
If organizing your risk management solutions seems overwhelming on paper, be sure to ask your provider for advice on agile ISO. That will probably make your life easier, both for quality management and risk management systems, because it basically eliminates the need for paper forms and allows you to maintain everything digitally. Hopefully your provider is up-to-date on the recent ISO changes.
What would you say is your biggest obstacle in risk management?
Want to be updated with current affairs.
Excellent article. Thanks a ton.
Glad you enjoyed it!