Once you have implemented the framework within your company, the next step is to introduce and execute risk management processes. In contrast to the framework and the basic principles, the processes are specific actions that are tailored to the company. ISO 31000 should be generally applicable to all companies in any industry; however, the standard here only provides initial suggestions. These have to be adapted to the company when implementing the standard.
In doing so, two factors play the greatest roles: communication and risk assessment. The stakeholders (all individuals affected by risk management according to ISO 31000) must be informed about the implementation steps. Through conversations with all employees, the RMS can also be adjusted ever more closely to the needs of the company over time.
Risk assessment begins with identifying potential risks. Once an overview of the risks has been created, they can be distributed to the responsible parties. These individuals subsequently analyze the risks and assess them based on that analysis. The risk assessment in turn provides information for determining to what extent and with what resources these potential events are to be faced.
Once you have carried out the assessment, risk controlling can begin. Here it is possible to avoid certain risks completely, to only reduce their magnitude, or to accept the effects and do nothing about them. The company can also decide to hand over the management of these risks to an external third party. The monitoring of risks as well as reporting about the findings conclude the process.