Risks affecting organizations may have consequences in terms of societal, environmental, technological, safety and security outcomes; commercial, financial and economic results; and social, cultural and political reputation impacts. ISO 31000:2009 will help organizations of all types and sizes to manage risk effectively.
ISO 31000 provides principles, a framework and a process for managing any form of risk in a transparent, systematic and credible manner within any scope or context. It recommends that organizations develop, implement and continuously improve a risk management framework as an integral component of their management system. Kevin W. Knight AM, Chair of the ISO working group that developed the standard, explains, “ISO 31000 is a practical document that seeks to assist organizations in developing their own approach to the management of risk. But this is not a standard that organizations can seek certification to. By implementing ISO 31000, organizations can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management.” ISO Guide 73:2009, Risk management – Vocabulary, complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk. ISO 31000 is designed to help organizations:
- Increase the likelihood of achieving objectives
- Encourage proactive management
- Be aware of the need to identify and treat risk throughout the organization
- Improve the identification of opportunities and threats
- Comply with relevant legal and regulatory requirements and international norms
- Improve financial reporting
- Improve governance
- Improve stakeholder confidence and trust
- Establish a reliable basis for decision making and planning
- Improve controls
- Effectively allocate and use resources for risk treatment
- Improve operational effectiveness and efficiency
- Enhance health and safety performance, as well as environmental protection
- Improve loss prevention and incident management
- Minimize losses
- Improve organizational learning
- Improve organizational resilience.
“Risk is inherent in all activities. And it can be argued that the global financial crisis resulted from the failure of boards and executive management to effectively manage risk. ISO 31000 is expected to help industry and commerce, public and private, to confidently emerge from the crisis,” said Mr. Knight.
Whenever a risk is identified, the organization has to ask: “Is the level of risk tolerable or acceptable, and does it require further treatment?”
Risk assessment is an integral part of risk management that provides a structured process for organizations to identify how their objectives may be affected. It is used to analyse risk in terms of consequences and their probabilities before the organization decides on further treatment, if any is required.
The third standard, ISO/IEC 31010:2009, Risk management – Risk assessment techniques, has been developed jointly by ISO and its partner IEC (International Electrotechnical Commission).
Risk assessment provides decision-makers and responsible parties with an improved understanding of the risks that could affect the achievement of objectives, as well as of the adequacy and effectiveness of the controls already in place. The standard provides a basis for deciding on the most appropriate approach to treat particular risks and for selecting between options. ISO/IEC 31010 will assist organizations in implementing the risk management principles and guidelines provided in ISO 31000. ISO/IEC 31010 reflects current good practice and answers the following questions:
- What can happen and why?
- What are the consequences?
- What is the probability of their future occurrence?
- Are there any factors that mitigate the consequences of the risk or reduce its probability?
The application of a range of techniques is introduced, with specific references to other relevant International Standards. Risk assessment is not a stand-alone activity and should be fully integrated into the other components of the risk management process.
Eric Mahy, Project leader of the standard, comments, “ISO/IEC 31010 has been developed for application by both the risk management novice and the seasoned risk professional. It forms part of an integrated risk management structure of standards, developed with a view to providing a ‘best practice’ approach.”
To be used by all
ISO 31000, ISO Guide 73 and ISO/IEC 31010 can be applied to any public, private or community enterprise, association, group or individual. The documents will be useful to:
- Those responsible for implementing risk management within their organizations
- Those who need to ensure that an organization manages risk
- Those needing to evaluate an organization’s practices in managing risk
- Developers of standards, guides, procedures and codes of practice relating to the management of risk.
ISO 31000 and ISO Guide 73 were developed by the ISO Working Group on Risk Management, while ISO/IEC 31010:2009 was prepared by IEC technical committee 56, Dependability, together with the ISO Working Group on Risk Management.