Standardized Risk Management: ISO 31000

The topic of risk management is so important that no company can afford to be negligent in this regard. There are dangers – but also opportunities – in a company’s various areas and management must be prepared for them. Only in this way can suitable solution processes be introduced. In order to establish a good risk management system (RMS) in your company, the organizational management should adhere to the ISO 31000 standard.

A business venture is always associated with economic, technical and strategic considerations, as well as other incalculable factors. These risks cannot be eliminated – the company has to face them. The risk management system provides instructions and processes for how you should respond in risky situations in order to limit damages as best as possible. However, ISO 31000 does not view risks as always negative. According to the standard, there are also positive risks. Whenever there is uncertainty as to whether a future event causes a deviation from self-defined objectives, we are dealing with risk.

The International Organization for Standardization (ISO) has established various standards for the management of companies: ISO 9001 deals with quality management, ISO 14001 provides guidelines for environmental management, and ISO 50001 is a standard for energy management. ISO 31000, on the other hand, has risk management as its focus. Here it is a matter of handling different risks within the company. The standard is designed this way so that any risk can be addressed, and the application of systems is also not defined for specific companies. Both small and medium-sized businesses and large corporations can organize their companies with more confidence by implementing the guidelines.

In contrast to other ISO standards, ISO 31000 is specifically not intended for certification. While with similar standards, a system is designed according to prescribed guidelines before undergoing an audit and, if successful, receives the respective certificate that is valid internationally, this is not the case with ISO 31000. Instead, the standard should be understood as a reference or set of guidelines: Anyone who would like to implement an efficient RMS within their company can make use of the regulations.

In addition to an introductory chapter and an appendix, the standard comprises principles, a framework, and an explanation of the process.

With 11 principles, ISO 31000 specifies a framework which the subsequent models of the standard can be based on. They clarify the importance of risk management and provide basic instructions for structuring a risk management system.

• Value: An RMS ensures that company goals are met, thereby creating value.
• Integration: If the decision is taken to implement RMS within a company, it must be integrated into all areas.
• Decisions: If decisions are taken that affect the future of the company, an RMS should be used.
• Uncertainty: An uncertain future is a central component of an RMS and in this respect is considered as a given.
• System: A sound and up-to-date structure is essential for keeping the system in good functioning order.
• Information: With the help of an RMS, all available data forms the basis for decision-making.
• Adaptation: The RMS must be customized and adapted to the company’s circumstances.
• Individual: A good RMS takes the factors of culture and the individual seriously and is aligned accordingly.
• Transparency: All involved stakeholders have full insight into the RMS.
• Dynamics: A well-functioning RMS adjusts to new circumstances without any issues.
• Improvement: A continuous process enables the RMS to steadily improve.

The fourth chapter of ISO 31000 describes a framework for the risk management system. This is based on the principles and in turn establishes five different points that a system needs to comply with.

• Integration: Before a risk management system can be successfully implemented, the company’s exact structure must be understood. The management then decides on a strategy and assigns responsibilities.
• Structuring: Internal and external factors are taken into consideration when structuring an RMS. In a written statement, the organizational management pledges their commitment to risk management and makes the strategy and role distribution clear to all employees.
• Implementation: In order to implement an RMS in a company, changes to the operational processes are required. The goal is to have the system accepted by all employees and become part of their work routine.
• Assessment: In order to guarantee long-term effectiveness, the RMS must be regularly evaluated. Here, the defined goals are compared with the actual results.
• Improvement: The regular checks also enable constant improvements. The RMS should dynamically adapt to company changes and in doing so become more and more effective with time.

If you have implemented the framework within your company, it is then a matter of introducing and executing risk management processes. In contrast to the framework and the basic principles, the processes are specific actions that are tailored to the company. ISO 31000 should be generally applicable to all companies in any industry, however, the standard here only provides initial suggestions. These have to be adapted to the company when implementing the standard.

In doing so, two factors play the greatest roles: communication and risk assessment. The stakeholders (all individuals affected by risk management according to ISO 31000) must be informed about the implementation steps. Through conversations with all employees, the RMS can also always be better adjusted to the needs of the company over time.

Part of risk assessment is initially identifying potential risks. Once an overview of the risks has been created, they can be distributed to the responsible parties. These individuals subsequently analyze and assess the risks based on the analysis. The risk assessment in turn provides information for determining to what extent and with what resources these potential events are to be faced.

If you have carried out the assessment, risk controlling can begin. Here it is possible to either completely avoid certain risks, whose magnitude can only be reduced, or to accept the effects and do nothing about them. The company can also decide to hand over their management to an external third party. The monitoring of risks as well as reporting about the findings conclude the process.

Other ISO standards related to business management have the big advantage of enabling companies to strive toward certification. With a certificate, a company can prove at an international level that it has implemented a standardized system. ISO 31000 does not provide for this option, yet it is still worth implementing the guidelines.

Whether or not risk management is successful can have consequences that are critical for the business: If a company implements an inadequate RMS, the risks sometimes might not be identified at all or only too late. Without a sound risk management system, there are also no suitable instructions for controlling risk. In contrast, in the ISO 31000 standard you can find tips and directions for action that have been prepared by experts. Anyone who adheres to the guidelines has therefore implemented a very useful system within their company.

However, introducing or switching to an RMS that complies with ISO 31000 also comes with a disadvantage: The implementation is time-intensive and sometimes also cost-intensive. The standard demands an in-depth analysis of the topic. Necessary changes cannot be planned in one meeting and then executed in a matter of days. Instead, you need to intensively consider the circumstances of your company, the potential risks, as well as a system for dealing with these risks. Planning and implementation can involve a lot of work. The responsible stakeholders also need to make the necessary capacities available to this end. This can lead to additional costs.