ISO 31000:2009 - Risk Management

Risks affecting organizations can have consequences in terms of economic performance and professional reputation, as well as environmental, safety and societal outcomes. Therefore, managing risk effectively helps organizations to perform well in an environment full of uncertainty.

ISO 31000:2009 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization.

The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives.

Accordingly, ISO 31000:2009 is intended for a broad stakeholder group including:

  • executive level stakeholders
  • appointment holders in the enterprise risk management group
  • risk analysts and management officers
  • line managers and project managers
  • compliance and internal auditors
  • independent practitioners.

One of the key paradigm shifts proposed in ISO 31000 is a controversial change in how risk is conceptualized. Under the ISO 31000:2009 and a consequential major revision of the terminology in ISO Guide 73, the definition of “risk” is no longer “chance or probability of loss”, but “the effect of uncertainty on objectives” … thus causing the word “risk” to refer to positive possibilities as well as negative ones.

ISO 31000:2009 has been developed on the basis of an existing standard on risk management, AS/NZS 4360:2004 (adopted in the form of AS/NZS ISO 31000:2009). Whereas the initial Standards Australia approach provided a process by which risk management could be undertaken, ISO 31000:2009 addresses the entire management system that supports the design, implementation, maintenance and improvement of risk management processes.

The intent of ISO 31000 is to be applied within existing management systems to formalize and improve risk management processes as opposed to wholesale substitution of legacy management practices. Subsequently, when implementing ISO 31000, attention is to be given to integrating existing risk management processes in the new paradigm addressed in the standard.

The focus of many ISO 31000 ‘harmonization’ programs has centered on:

  • Transferring accountability gaps in enterprise risk management
  • Aligning objectives of the governance frameworks with ISO 31000
  • Embedding management system reporting mechanisms
  • Creating uniform risk criteria and evaluation metrics

Most implications of adopting the new standard concern the re-engineering of existing management practices to conform with the documentation, communication and socialization of the new risk management operating paradigm, as opposed to a wholesale re-orientation of management practice throughout an organization. Accordingly, most senior position holders in an enterprise risk management organization will need to be cognizant of the implications of adopting the standard and be able to develop effective strategies for implementing it across supply chains and commercial operations.

In ISO 31000:2009, certain aspects of top management accountability, strategic policy implementation and effective governance frameworks will require more consideration by organizations that have previously used now-redundant risk management methodologies.

In some domains that concern risk management, in particular security and corporate social responsibility, which may operate using relatively unsophisticated risk management processes, more material change will be required: a clearly articulated risk management policy, formalized risk ownership processes, structured framework processes and continuous improvement programs.

ISO 31000:2009 lists the following options for treating risk:

  1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  2. Accepting or increasing the risk in order to pursue an opportunity
  3. Removing the risk source
  4. Changing the likelihood
  5. Changing the consequences
  6. Sharing the risk with another party or parties (including contracts and risk financing)
  7. Retaining the risk by informed decision
