ISO 31000 is an international standard which provides guidelines and principles for effective risk management. It helps organisations identify, assess, treat, monitor and communicate risks that may affect the organisation’s objectives, performance, reputation and sustainability. First published by ISO in 2009 and revised in 2018, it provides the framework, principles and risk management processes that organisations can follow to link risk management to the organisation’s strategic goals. All this can be customised according to the needs of the organisation, and is not industry or sector specific. ISO 31000:2018 was designed to be applied to any organisational activity, including decision-making.
Risk management can create and protect value but how does ISO 31000 help to achieve organisational sustainability? The standard offers eight principles for organisations which want to establish their risk management framework and processes. Individuals and organisations today rely less on tradition and superstition to make decisions; they rely on pragmatism, information and rationality. Risk is an inevitable part of doing business, thus proper risk management processes have to be applied to effectively mitigate them, for sustainability. Successful organisations have the ability to identify and manage risks before these disrupt operations or negatively affect their reputation.
Like all robust systems, ISO 31000 does have challenges when it comes to effective implementation for the achievement of organisational sustainability. Firms should ensure, firstly, that their risk management framework is properly aligned with their strategy, objectives and stakeholder expectations. An in-depth understanding of internal and external factors which influence the firm’s risk profile, appetite and tolerance is necessary for this. Risk management policy, processes and roles should also be consistent and coherent across the company; board and senior management should define and communicate risk management vision, goals and responsibilities.
Risk professionals assisting in their organisations’ efforts to implement ISO 31000 may find there is resistance to change, arising mostly from the culture, habits, beliefs and behaviours prevalent in the company. Risk management does require a shift in mindset, attitude and practice; a culture of risk awareness, openness, learning and innovation must be fostered, for risk management to be effective. There are other factors to consider as well, such as the fear of failure, blame culture, silo mentality, the lack of resources, skills or tools, and conflicting priorities. These factors may be managed through appropriate staff engagement, training, incentives and rewards.
Implementing ISO 31000 effectively requires identification and assessment of the sources, causes, impacts and likelihood of risks that could affect the organisation in a complex, uncertain environment. Both positive and negative risks must be evaluated. The firm can then decide how to deal with them when the costs, benefits and trade-offs have been analysed. Interdependencies, interaction and the influence of multiple risks, stakeholders and scenarios need to be considered. The firm will also have to adapt to changes, disruptions and opportunities over the long term which can further complicate matters in the efforts to maintain sustainability.
A systematic, structured, transparent approach that uses reliable data and evidence will support the organisation’s efforts to cope with complexity and uncertainty to a certain extent. Also helpful will be consultation and collaboration with other parties, and regular monitoring and review of risks. Communication and reporting is imperative when implementing ISO 31000, particularly with stakeholders. Organisations need their input, feedback, understanding and support. Risk professionals should try to tailor reporting to their various audiences – the board, management, staff, customers, regulators, investors, media and other communities where the firm operates.
Use appropriate channels according to the needs of the respective stakeholders to provide clear, concise messages. Feedback should be encouraged. This will help in the monitoring and measurement process as well. The risk indicators, actions, results and impacts must be assessed to determine if the firm is achieving its objectives. This is part of the review and evaluation of frameworks, policies, processes and roles, and will help determine if they are efficient, effective and fit for purpose. It will also flag what policies and processes need adjustment or improvement; for continuous improvement, monitoring and review should be regular and cyclical.
Data and other evidence collected should be documented, analysed and shared. It is a challenge to continue improving the risk management process with the objective of achieving sustainability, even with all these elements in place. Implementing ISO 31000 is not a one-off exercise. It needs constant review and evaluation of frameworks, policies, processes and roles. There is no room for passivity or complacency in its implementation. Furthermore, the risk management framework and its related processes need to be customised and proportionate to the organisation’s context and resources. Its process of continuous improvement involves encouraging feedback, and supporting learning.
While the input for risk management is based primarily on historical and current information, it also has to take into consideration the organisation’s future expectations, as well as the limitations and uncertainties associated with these. Human and cultural factors also come into play; these influence risk management at all levels and every stage. Effective implementation of standards depends to a great extent on being top-driven. Board and management need to drive risk management by assigning authority, responsibility and accountability, and ensuring that the necessary resources are allocated to managing risk.
ISO 31000 provides the principles and framework, and recommends processes that organisations can follow and link to their strategic goals. Its overall purpose is to integrate risk management into organisational policy and strategy. Organisations can choose what to follow, depending on their resources and capability, and the level of desired sustainability. While the standard covers the full scope of requirements, the organisation must determine its own checklist and action plan. For the firm’s long-term risk management and sustainability, risk professionals must extract the guidance and advice from the standard which is most relevant to their respective organisations.
