ISO 31000

Risk management

ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. ISO 31000:2018 provides principles and generic guidelines on managing risks that could be negative faced by organizations as these could have consequence in terms of economic performance and professional reputation.

ISO 31000 seeks to provide a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions. For this purpose, the recommendations provided in ISO 31000 can be customized to any organization and its context

The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives.

Accordingly, ISO 31000 is intended for a broad stakeholder group including:

executive level stakeholders

appointment holders in the enterprise risk management group

risk analysts and management officers

line managers and project managers

compliance and internal auditors

independent practitioners.

ISO 31000 gives a list on how to deal with risk:

Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk

Accepting or increasing the risk in order to pursue an opportunity

Removing the risk source

Changing the likelihood

Changing the consequences

Sharing the risk with another party or parties (including contracts and risk financing)

Retaining the risk by informed decision

The risk management process outlined in the ISO 31000 standard includes the following activities:

Risk identification: identifying what could prevent us from achieving our objectives.

Risk analysis: understanding the sources and causes of the identified risks; studying probabilities and consequences given the existing controls, to identify the level of residual risk.

Risk evaluation: comparing risk analysis results with risk criteria to determine whether the residual risk is tolerable.

Risk treatment: changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit.

Establishing the context: this activity, which was not included in earlier risk management process descriptions, consists of defining the scope for the risk management process, defining the organization’s objectives, and establishing the risk evaluation criteria. The context comprises both external elements (regulatory environment, market conditions, external stakeholder expectations) and internal elements (the organization’s governance, culture, standards and rules, capabilities, existing contracts, worker expectations, information systems, etc.).

Monitoring and review: this task consists of measuring risk management performance against indicators, which are periodically reviewed for appropriateness. It involves checking for deviations from the risk management plan, checking whether the risk management framework, policy and plan are still appropriate, given organizations’ external and internal context, reporting on risk, progress with the risk management plan and how well the risk management policy is being followed, and reviewing the effectiveness of the risk management framework.

Communication and consultation. This task helps understand stakeholders’ interests and concerns, to check that the risk management process is focusing on the right elements, and also helps explain the rationale for decisions and for particular risk treatment options.