Today we want to talk about the ISO 31000 risk management guidelines — 16 glorious pages that define the state of the art in risk management. It’s an authoritative tome so packed tight with invaluable wisdom that when IRM attempted to unpack it with their paper, “A Risk Practitioners Guide to ISO 31000,” they ended up adding 4 pages.
It’s that good.
… Most of the time, at least.
This time, they made it dense, over-complicated, and confusing in places. It gets the broad strokes right but gets mired in its explanations. It’s an example of academics falling deeply in love with their subject and never leaving their offices as a result. It looks great on paper but doesn’t always translate to the outside world.
This article will attempt to contextualize the document in real-world practices. We don’t follow it precisely. We shake it up, rejigger a few things, and flop the order of some of its elements. We honor its essence by improving its particulars. In the process, we’ve built a system that works exceedingly well, no matter what a company does and what industry it’s in. Who are we to deconstruct and claim an improvement to the beloved ISO 31000?
We’re RISKID. Get used to it.
ISO 31000 is organized into three main sections — principles, framework, and process. We’ll discuss each and demonstrate how we put them into practice.
We lied about the principles part: because these are relatively straightforward and don’t need any extra love, we’ll just list them. The ISO is founded on eight principles that describe essential features of efficient, effective risk management. They’re useful for explaining the ISO’s purpose and communicating its value.
The following descriptions come directly from the ISO document. They’re authoritative, so question them at your own peril. According to the authors, risk management should be:
Integrated. Risk management is an integral part of all organizational activities.
Structured and comprehensive. A structured and comprehensive approach to risk management contributes to consistent and comparable results.
Customized. The risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.
Inclusive. Appropriate and timely involvement of stakeholders enables their knowledge, views, and perceptions to be considered. This results in improved awareness and informed risk management.
Dynamic. Risks can emerge, change, or disappear as an organization’s external and internal context changes. Risk management anticipates, detects, acknowledges, and responds to those changes and events in an appropriate and timely manner.
Best available information. The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear, and available to relevant stakeholders.
Human and cultural factors. Human behavior and culture significantly influence all aspects of risk management at each level and stage.
Continual improvement. Risk management is continually improved through learning and experience.
Eight principles that set the stage for everything to come. They’re a guide to help organizations develop a practical risk management framework — the framework that we’re about to talk about.
Risk management can only be effective when integrated into an organization’s significant activities on a fundamental level. The ISO 31000 framework provides the tools needed to incorporate risk management fully into governance and decision-making functions.
It also helps build support from management and other stakeholders. Buy-in is critical at all levels, as is the need to customize this framework to fit an organization’s individual needs. If care isn’t taken to adapt the framework to match each group’s specific goals, its usefulness is limited.
ISO 31000 breaks its framework into six broad components — Leadership & Commitment, Integration, Design, Implementation, Evaluation, and Improvement. This iterative structure builds on previous efforts, constantly refining itself to better fit an organization’s goals.
We’ve simplified this framework a bit to help develop a more straightforward, logical flow, combining steps and reordering others where necessary. We’ll let you know how our structure relates to the original framework as we go so that it’s clear why we made the changes we did.
But the beginning remains the same because it’s a crucial first step. None of this works if upper management doesn’t accept and actively support risk management efforts.
(= Leadership & Commitment)
Risk management flows from the top down. Upper management serves as a conduit for, and an example of, proper procedures. It’s up to them to formalize an action plan, communicate its value, earmark needed resources, and establish command and control structures.
A concerted, consistent effort starting at the top helps an organization align risk management with its objectives, strategy, and culture and monitor their progress.
In practice, you should appoint a CRO or an equivalent risk champion. Task them with implementing proper risk management structures and ensuring these structures get the attention they deserve at the board/management level.
If upper management can’t commit effort to this, then the first step is to grow to the appropriate risk maturity level before making any risk management implementations or investments.
This step incorporates most of ISO 31000’s Design phase. Design occurs third, after integration, but in our minds, you can’t talk about integration until your design work is complete.
To properly design a risk management framework, it’s important to fit it to your organization’s internal and external contexts. Internally, this means understanding how your mission, governance, goals, capabilities, and culture influence risk factors. Externally, you must consider social, cultural, political, and regulatory factors as well as key trends that affect company objectives and critical external stakeholder relationships.
Upper management should also be prepared to clearly articulate the organization’s commitment to risk management, define responsibilities, provide needed resources, create a monitoring framework, and determine how to measure success.
In the end, all of these factors and your risk management framework must tie directly to company objectives. Identified risks at all levels must be traced back to these goals to realize the purpose of risk management — to avoid hazards that hinder your objectives while wisely and prudently taking advantage of the risks that provide critical opportunities for success.
(= Integration and Implementation)
This next step combines Integration and Implementation from the ISO, recognizing their inevitable interactions.
Risk must be managed at all levels within an organization’s structure. Proper integration will necessarily involve every member. Deciding on an accountability structure and roles and responsibilities, from governance down through management, is a critical step.
This involves developing an appropriate plan, identifying how different types of decisions are made and by whom, and making certain that these risk management arrangements are clearly understood and practiced.
It can be difficult to tackle this across an entire organization at once. In practice, it’s often better to start with a single department or discipline. Determine which has the highest risk maturity and roll out your framework. Use this as a success story to communicate the benefits of risk management. Point to specific results and explain how they can telescope out to the rest of the organization. This makes achieving consensus much easier.
(= Evaluation and Improvement)
Because Evaluation and Improvement are two sides of the same coin, we’ve combined those last two steps here.
To keep your risk management framework relevant and useful, it’s important to periodically measure it against its purpose, implementation plans, indicators, and expected behavior. Elements that remain applicable should be continually refined and improved. Those that are losing significance should be adapted to fit their changing circumstances.
In practice, you should perform these evaluations quarterly or yearly, depending on your organization’s internal and external situations. If you operate in a highly volatile environment, more frequent examinations are in order. Otherwise, annual check-ins are fine.
Your CRO should conduct these surveys with feedback from the work floor. Decide in as much detail as possible what’s still working and what can be improved.
These four steps define your risk management framework, set up necessary structures, and ensure it remains applicable. Once this is in place, you’re ready to build your risk management process.
Your framework defines the importance of risk management for the organization, fits it to your specific internal and external obligations, and establishes the command and control structures necessary for execution.
Within that framework, you define the specific policies, procedures, and practices that all involved parties must follow. This is the process your organization will follow to ensure success. These policies must be uniform across strategic, operational, program, and project levels and be an integral part of management and decision-making.
Like the framework before it, your process should be iterative, always seeking to refine and improve itself. It’s also worth mentioning that we’ve altered the process defined in ISO 31000. The basic assumptions haven’t changed, but we’ve reordered quite a bit of the content to help with implementation and create a more logical flow.
As you build your risk management process, you should always be aware of the scope under consideration. Are you looking at the organization as a whole, a specific department, or a particular function? Because your processes exist to promote your organization’s objectives, you must match the goals you examine to the scope of the sample in question.
In practice, you can define strategic, departmental, and project objectives by questioning your internal client for the scope being defined. Ask what risks they see that could hinder them from achieving their objectives. Be sure they speak to the level you’re defining. For example, if they operate on a project level, don’t question them about company objectives. Keep them in their lane.
You can’t manage risks you aren’t aware of. This step brings all stakeholders together to identify the many dangers your organization faces. As you brainstorm, try to keep people focused on specific threats, their positive and negative ramifications, the uncertainties surrounding them, and the timescale within which they operate. Determine both the causes and the effects of each risk considered.
Involve stakeholders from every level of the organization. You’ll help ensure that you cover every threat and opportunity facing/available to the group. And be sure stakeholders understand that risks aren’t all negative. Some risks present as opportunities, but because of underlying uncertainties, are still risky endeavors.
Given current COVID restrictions, this step doesn’t need to be performed in person. It’s fine to leverage an online platform that allows stakeholders to input their risks safely on their own time.
Some risks are more likely to affect your organization than others. And some have outsized effects relative to the rest. To efficiently use available resources to mitigate/take advantage of as much risk as possible, you should score each risk to determine how pressing it is. Remember that risks can have multiple causes and affect multiple objectives.
Your scoring criteria should include the likelihood of events and the impact of the consequences.
When scoring risks, it’s wise to enable all stakeholders, regardless of station or department, to provide their thoughts on the probability and impact of identified risks. There is often cross-pollination of risk throughout the organization. The more perspectives you consider, the more holistic your understanding will be.
Robust discussion will reveal hidden connections. You may find that an avoidance risk is actually an opportunity when considered from the right perspective. This is particularly true of risks that haven’t reached a consensus among participants.
In a series of online, group meetings, discuss these risks until a shared understanding is attained. Then create a final, prioritized list of every risk in discussion.
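As an added example (not from the original article and not RISKID’s software), a small Python aggregator of per-stakeholder likelihood and impact scores: it produces the prioritized list and flags the risks where participants still disagree, which are the ones to bring to the group discussion. The 1-to-5 scale, the two-point disagreement threshold and the sample scores are assumptions.

```python
"""Multi-stakeholder risk scoring with a consensus check."""
from collections import defaultdict
from statistics import mean

# Assumed scale: likelihood and impact are integers from 1 (low) to 5 (high).
SCALE_MIN, SCALE_MAX = 1, 5

# Constructed sample input: (risk id, stakeholder, likelihood, impact).
SAMPLE_SCORES = [
    ("R1-supplier-outage", "ops",     4, 4),
    ("R1-supplier-outage", "finance", 4, 5),
    ("R1-supplier-outage", "it",      3, 4),
    ("R2-new-market",      "sales",   2, 5),  # sales sees an opportunity
    ("R2-new-market",      "legal",   4, 2),  # legal sees a compliance threat
    ("R2-new-market",      "ops",     3, 3),
    ("R3-laptop-theft",    "it",      2, 2),
    ("R3-laptop-theft",    "ops",     2, 2),
]


def validate(likelihood, impact):
    """Reject scores outside the agreed scale before they skew the average."""
    for value in (likelihood, impact):
        if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"score {value!r} outside {SCALE_MIN}..{SCALE_MAX}")


def aggregate(scores, disagreement=2):
    """Return risks ordered by mean likelihood*impact, flagging disagreement.

    A risk needs discussion when any two stakeholders differ by `disagreement`
    or more points on either likelihood or impact (assumed threshold).
    """
    by_risk = defaultdict(list)
    for risk_id, stakeholder, likelihood, impact in scores:
        validate(likelihood, impact)
        by_risk[risk_id].append((stakeholder, likelihood, impact))
    result = []
    for risk_id, votes in by_risk.items():
        likes = [lk for _, lk, _ in votes]
        imps = [im for _, _, im in votes]
        result.append({
            "risk": risk_id,
            "score": round(mean(lk * im for _, lk, im in votes), 2),
            "voters": len(votes),
            "needs_discussion": (max(likes) - min(likes) >= disagreement
                                 or max(imps) - min(imps) >= disagreement),
        })
    result.sort(key=lambda row: (-row["score"], row["risk"]))
    return result


if __name__ == "__main__":
    for row in aggregate(SAMPLE_SCORES):
        flag = "DISCUSS" if row["needs_discussion"] else "agreed"
        print(f'{row["score"]:5.2f}  {flag:8}  {row["risk"]}  ({row["voters"]} voters)')
```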
Once you’ve detailed the risks you’re facing, you need to decide how best to deal with them. ISO 31000 lists these options:
As earlier, it’s wise to get perspectives from stakeholders throughout the organization. Once you’ve drawn up a treatment plan, you should assign critical risks, and their measures, to a specific owner to be sure each is appropriately policed.
Make sure that everyone understands what’s involved with mitigating the risks present in their sphere of influence. This plan should include the reasons why specific treatment options were selected, the expected benefits, accountabilities, proposed actions, any relevant constraints, and the method with which both the risk and progress will be monitored and measured.
As we’ve said, risk management is an iterative process. Treatments that work are continued and improved. Those that don’t are tweaked or replaced. Having appropriate monitoring processes in place will provide your team with the feedback needed to evaluate each intervention’s effectiveness.
Have measure owners update their progress regularly. This will allow risk scores to be adjusted up or down as treatment options play out.
Documenting treatment outcomes creates a resource for communicating an organization’s risk management activities to every involved party. It also centralizes information to help in decision-making, risk management improvement, and accountability concerns. Using a dashboard can help stakeholders interpret the information.
In practice, management should report on key risks, comparing progress to the reported status. Depending on the significance of the risk, this can be done on a weekly, monthly, or quarterly basis. Along with these comparisons, you should periodically hold updated risk sessions with stakeholders to amend risks and measures, remove obsolete risks, and check for new ones.
The result of your monitoring, reporting, and discussion activities should be actionable lessons that lead to improved processes and better risk management.
For example, you may discover that a specific treatment measure doesn’t work as intended and costs quite a bit to prosecute. Managers should learn from this and make certain not to pursue the same strategy on the next project. You might also uncover a new risk in a project that should be mitigated in all future projects.
Improvements aren’t just limited to risk treatment measures. The processes used to monitor and discover risks are also fair game. Risk managers can learn new techniques that increase the effectiveness of risk assessment sessions.
Our hope is that this article clarifies some of the difficulties that people have with the standard. It’s an immaculately conceived document that’s relevant no matter the size of your organization or what it does. By contextualizing it in actual practices, its dense language yields a profound method for analyzing and dealing with organizational risk.
If you have any questions about ISO 31000, we’d be happy to discuss them with you. Geeking out on risk management processes is how we spend our time.
Do we have all the answers? Certainly not. The standard and its practices will continue to be refined by risk management professionals. But we do offer powerful software solutions to help your teams assess, manage, and score risks in a collaborative, online environment. Give us a call today to find out more.