ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2018 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognized paradigm for practitioners and companies employing risk management processes, replacing the myriad existing standards, methodologies and paradigms that differed between industries, subject matters, and regions. ISO 31000 is applicable and adaptable for any public, private or community enterprise, association, group or individual. Accordingly, the general scope of ISO 31000 – as a family of risk management standards – was not developed with a particular industry group, management system or subject matter field in mind; rather, it provides best-practice structure and guidance to all operations concerned with risk management.
ISO 31000 can be used by any organization no matter what size it is or what it does. It can be used by both public and private organizations and by groups, associations, and enterprises of all kinds. It is not specific to any sector or industry and can be applied to any type of risk.
ISO 31000 can be applied to the achievement of all types of objectives at all levels and in all areas. It can be used at a strategic level to help make decisions and can be applied to all types of activities. It can be used to help manage processes, operations, functions, projects, programs, products, services, and assets.
However, exactly how you apply ISO 31000 is up to you and will depend on your organization’s needs, objectives, and challenges, and should reflect what it does and how it operates.
Risk is the “effect of uncertainty on objectives”, and an effect is a positive or negative deviation from what is expected. So, risk is the chance that there will be a positive or negative deviation from the objective we expect to achieve.
ISO 31000 focuses on creating and protecting value as the key driver of risk management and features other related principles such as continual improvement, the inclusion of stakeholders, being customized to the organization and consideration of human and cultural factors. It provides a risk management framework that supports all activities, including decision making across all levels of the organization. The ISO 31000 framework and its processes should be integrated with management systems to ensure consistency and the effectiveness of management control across all areas of the organization. This would include strategy and planning, organizational resilience, IT, corporate governance, HR, compliance, quality, health and safety, business continuity, crisis management and security.
ISO’s definition recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there is always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed and every outcome is uncertain. Whenever we try to achieve an objective, we do not always get the results we expect. Sometimes we get positive results and sometimes we get negative results, and occasionally we get both. Because of this, we need to reduce uncertainty as much as possible. According to ISO 31000, you can reduce your uncertainty and manage your risk by using a systematic approach to risk management.
The traditional approach to risk combines three elements: it starts with a potential event and then combines its probability with its potential severity. A high-risk event would have a high likelihood of occurring and a severe impact if it occurred.
While ISO 31000 defines risk in a new and unusual way, the old and the new definitions are largely compatible. Both definitions talk about the same phenomena but from two different perspectives. ISO thinks of risk in goal-oriented terms while the traditional definition thinks of risk in event-oriented terms. These two definitions can and do co-exist. They are simply two different ways of talking about the same phenomena.
The diagram below shows how ISO’s three main sections are interrelated and how each of these three sections is, in turn, organized. The standard starts by listing a set of risk management principles. Use these principles to guide the establishment of your risk management framework. Then use the framework to guide the development of your risk management process. Together these three sections comprise the Risk Management Program.
Comply with legal and regulatory requirements.
Enhance your approach to environmental protection.
Improve the effectiveness of your governance activities.
Encourage personnel to identify and treat risk.
Help minimize your organization’s losses.
Improve your risk management controls.
Enhance your organization’s health and safety performance.
Improve loss prevention and incident management activities.
Encourage and support continuous organizational learning.
Help you allocate and use risk treatment resources.
Improve the overall resilience of your organization.
Improve operational efficiency and effectiveness.
Increase the likelihood that objectives will be achieved.
Improve your ability to identify threats and opportunities.
Establish a sound basis for planning and decision making.
Improve the trust and confidence of your stakeholders.
Enhance both mandatory and voluntary reporting.
Comply with international norms and standards.
The ISO 31000 Standard comprises 6 clauses/sections which describe how organizations use risk management principles to improve planning and make better decisions.