Thanks to Karel Simpson for this guest post
ISO 31000 – Risk Management
This short article is an introduction to a two-part blog series on the risk management standard, ISO 31000.
Although the standard itself has been around for a few years now, the inclusion of risk management in the draft of ISO 9001 seems to have got people thinking about risk management in general.
I personally like some of the terminology used around the standard, in particular that it describes ‘Risk Management’ as the architecture for managing risk: the framework, the principles to be applied and the procedures. ‘Managing Risk’ is the implementation of that architecture. I come across people who say they conduct risk management when what they are really doing is managing risk. You can argue that terminology does not matter, but I do believe a clear distinction is needed between the two: everybody understands the need to manage risk, but many assume that risk management is someone else’s job. I hope that makes sense!
A key point that frustrates and annoys me is that companies claim to be certified to ISO 31000. Firstly, there is no UKAS-accredited certification to it; secondly, the standard is a set of principles and guidelines; and most importantly, the standard itself states that it is not intended for certification purposes.
The follow-up posts, coming over the next few weeks, will give me the chance to explain a little more about the standard. Although ISO 31000 does cover risk and identifies some generic processes that allow organisations to move forward with their own risk management practices, it aims to encourage you to build your own framework for managing risk. In my next article I will give an overview of the principles and framework involved in creating risk management practices in a business.
So why should you manage risk? Let’s finish with some food for thought: what the standard says managing risk can help an organisation achieve.
According to the standard, managing risk can enable an organisation to:
- Increase the likelihood of achieving objectives
- Encourage proactive management
- Be aware of the need to identify and treat risk throughout the organisation
- Improve the identification of opportunities and threats
- Comply with relevant legal and regulatory requirements and international norms
- Improve mandatory and voluntary reporting
- Improve governance
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making and planning
- Improve controls
- Effectively allocate and use resources for risk treatment
- Improve operational effectiveness and efficiency
- Enhance health and safety performance, as well as environmental protection
- Improve loss prevention and incident management
- Minimise losses
- Improve organisational learning
- Improve organisational resilience
The standard is intended to meet the needs of a wide range of stakeholders, including:
- Those responsible for developing risk management policy within their organisation
- Those accountable for ensuring that risk is effectively managed
- Those who need to evaluate an organisation’s effectiveness in managing risk
- Developers of standards, guides, procedures and codes of practice that (in whole or part) set out how risk is to be managed
It claims a lot can be achieved; what is it like in real practice? Stay tuned for the future posts on this topic.
The ISO 31000 standard can be purchased and downloaded from the BSI website.