Sunday, 8 February 2015

ISO 31000 introduces some important and more pertinent terms into the risk management standard. Clear terminology helps the organization orchestrate and implement the process consistently, so that it yields benefits while at the same time controlling costs and optimizing the use of resources.
  • Risk owner is defined as a “person or entity with the accountability and authority to manage a risk.” This definition will help the risk manager reinforce to management that risk ownership must be with management and not with the risk manager.
  • Risk appetite is an area that many organizations struggle with. Whilst risk appetite is not defined in ISO 31000 (it is in ISO Guide 73:2009), the Standard defines risk attitude as the organization’s “approach to assess and eventually pursue, retain, take or turn away from risk”.
  • Risk management policy is also defined as a “statement of the overall intentions and direction of an organization related to risk management”.
  • The risk management plan should specify the “approach, the management components and resources to be applied to the management of risk.”
ISO has released ISO Guide 73:2009 Risk management - Vocabulary to provide further guidance on generic terms and definitions relating to risk management and to support consistency. It contains some of the definitions now deleted from ISO 31000. The relationships between the various components of managing risk, including the risk management framework, are better highlighted and illustrated in ISO 31000, as shown in the figure below.

Mandate and commitment: Risk management is not a one-off project; it is an ongoing activity requiring ongoing commitment. It must be mandated from the Board (or equivalent), implemented by senior management and supported by all levels of management and risk owners to be sustainable.

Design of framework for managing risk: Like all good projects, processes and strategies, risk management processes must be well designed to support effective implementation. Defining the context of the risk management framework, formulating a risk management policy, embedding processes into practice, assigning resources and determining responsibility are all key elements of designing an effective framework to manage risk. Well designed periodic reporting to stakeholders and effective communication mechanisms will support effective implementation.

Implementing risk management: Once the framework has been designed, implementation is about putting the theory into practice and actually bringing the risk management framework to life. Specifically, this is about ensuring the risk management process is understood by risk owners (through good communication and training), and risk management activities actually take place (through risk assessments, risk workshops, internal controls etc) and decisions and business processes actually factor in risk thinking.

Monitoring and review: This involves confirming that the various risk management elements and activities are actually working effectively and in line with expectations. Any gaps identified will need to be documented and remediated.

Continual improvement: This is about continuing to “tweak” and enhance key elements of the risk management framework, either to improve current processes or to progress towards a more mature risk management framework. A highly committed organisation will both improve its processes and mature over time.

Integrated Risk Management Principles, Framework and Processes

Risk Management Process – Explained
ISO 31000 recognizes the importance of feedback by way of two mechanisms: monitoring and review of performance, and communication and consultation. Monitoring and review ensures that the organisation monitors risk performance and learns from experience. Communication and consultation is presented in ISO 31000 as part of the risk management process, but it may also be considered part of the supporting framework. Reporting and disclosure are only very briefly mentioned in ISO 31000 and are not included in the process shown in the diagram below. Also, the monitoring and review feedback activities set out in ISO 31000 do not explicitly mention the tasks of monitoring risk performance and reviewing the risk management framework.

After considering numerous options and variants, ISO 31000:2009 largely adopted the same broad process as AS/NZS 4360:2004 for managing risk, as shown in the above diagram. While the process is essentially step-like, in practice there is considerable iteration between the steps and between the continuously applied elements of communication and consultation and monitoring and review. Drawing a picture of this is obviously difficult, and for this reason the diagram used in the standard was deliberately not drawn as a flow chart. Its purpose is to show the relationship between the clauses of the standard that describe the process. The standard gives a set of general options to be considered when risk is treated; the order of the list reflects preference. Importantly, the options deal with risks that have downside and/or upside consequences. The options are:
  • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  • Taking or increasing the risk in order to pursue an opportunity
  • Removing the risk source
  • Changing the likelihood
  • Changing the consequences
  • Sharing the risk with another party or parties (including contracts and risk financing)
  • Retaining the risk by informed decision.
Source – ISO 31000 standard.
Author - Vijayakumar Reddy, CTO & Lead Trainer, A2A IMTCS Pvt. LTD.
© Copyright 2015 A2A - IMTCS. All rights reserved.
The Swirl logo is a trade mark of AXELOS Limited.
ITIL® is a Registered Trade Mark of AXELOS Limited.
M_o_R® is a Registered Trade Mark of AXELOS Limited.