What Is Missing In The ISO 31000 Guidelines
Drafted by the International Organization for Standardization, ISO 31000 is a set of guidelines intended to help organisations implement better risk management. It is designed to be used by any organisation operating in any industry. Unlike many other ISO standards, ISO 31000 has no certification. By applying ISO 31000, companies may be better able to understand and manage risks such as equipment damage, occupational health or safety issues, cybersecurity breaches and financial losses, among many other challenges. The ISO 31000 Framework helps to embed the risk management process into the organisation’s overall business plan.
First published in 2009, the ISO 31000 Framework was updated in 2018. From its inception, the Framework has been targeted primarily at those involved in creating and protecting value in organisations by managing risks, making decisions, setting and achieving objectives, and improving performance. Its framework components – Leadership & Commitment at the centre, supporting Integration, Programme Design, Implementation, Evaluation and Improvement – provide the basic structure that organisations need to establish in order to embed risk management principles. It is a comprehensive guide to what to look at when applying more robust management to an organisation’s risks.
However, although ISO 31000 explains how to manage risk effectively, it does not explain how to make the changes which are necessary to ensure that the organisation’s approach to managing risk improves and becomes fully integrated into its operations. This is because every organisation has its own peculiar characteristics and internal dynamics – its “organisational culture” – which determine how successful its risk management efforts will be. Developing a culture that is risk management-oriented takes time and education. Some organisations have a blinkered perspective of risk management, viewing it as something that concerns only the Board and senior management.
But it is in fact the implementation of best practices across the organisation that will protect it in the event of exposure to disruption and uncertainty. Risk is anything which prevents an organisation from achieving its objectives, and in today’s business environment these barriers are numerous, dangerous and continually changing. Government policies shift; enforcement tightens; new regulations are applied; markets evolve; and stakeholders become ever more vocal. The elements which any company must now take into consideration if it wants to remain competitive are so numerous and varied that it is almost impossible to get a handle on them all.
Having an international guidance document for risk management like ISO 31000 is therefore crucial for businesses which want to respond effectively to changes in the environment. As they progress, they will find themselves having to strategise and make decisions that will require a comprehensive understanding of the risks involved; they will need to apply appropriate risk management principles to ensure optimum outcomes. How an organisation manages its risks depends on its intent and capacity, which is part of its governance. Hence, it is this intent and capacity which dictates how robust its risk management should be.
Intent and capacity will hinge on the tone from the top; availability of the appropriate skills and competence of its workforce; regulatory requirements; and the organisation’s own commitment to its community social responsibilities and stakeholder groups. As all these elements reflect the character and diversity of the organisation itself, it is in its own interests to determine how it can best manage its risks. This will also include the integration of risk management into its processes and procedures in the way that best suits its workforce, because the risk management framework should not replace but enhance the capability of people who are managing the organisation’s risk.
Risk impacts everyone in an organisation; thus, everyone needs to be involved in its management. This requires the appropriate tools, a comprehensive approach to training, education and communication, and the development of a viable organisational risk culture. As each organisation is unique in its risks, its risk management needs to be customised accordingly. Applying the ISO 31000 Principles will support these efforts. In its most recent iteration (2018), the guidelines use less complex language and emphasise the importance of human and cultural factors in achieving organisational objectives. They also stress the role of risk management in the decision-making process.
Recognising that the way risk management works in an organisation depends on its business structure, objectives, culture and level of maturity, the ISO 31000 guidelines acknowledge that some of the necessary components may already exist within the organisation, and urge their improvement or adaptation in line with the firm’s response to change. While the guidelines have demonstrated positive impacts where they have been applied, some users have pointed out that the concepts of uncertainty, knowledge and information, although referred to (“best available information”, for example), are not defined or explained.
However, the purpose of the ISO 31000 Guideline is to provide a foundation for designing and implementing risk management policies, procedures and controls, together with systematic guidance for doing so. It is a generic rather than a detailed or specific approach to risk management, and does not provide detailed instructions on how to manage specific risks. What it outlines is where risk management is integral to strategic decision-making and change management. The ISO 31000 Framework is not a one-size-fits-all solution. Rather, it is an open-ended process that can be customised to individual organisational needs, with guidelines that support firms as they develop or improve their own processes.