Challenges of ISO 31000
On the other hand, ISO 31000 risk management adoption has challenges that need to be considered. Some of these include:
- Continuous effort: Like every ISO standard, upkeep is a continuous process. If an organization does not keep the ISO 31000 concepts embedded in its business operations, its risk mitigation plans will quickly become outdated.
- False security: Although this may seem unlikely, organizations must realize that some risks may remain undetected even with an effective risk assessment.
How To Implement ISO 31000 in your Organisation
The ISO 31000 risk management framework describes the implementation process. However, this may seem oversimplified, as risk managers must ensure that a few key steps are undertaken to ensure that organizations don’t become inundated with bureaucracy. Such steps include:
- Objectives – Organizations create business plans and corresponding aims to define growth. The risk mitigation strategy should support those goals, ensuring that enough safeguards are in place without creating a false sense of security.
- Level of commitment – It is widespread practice for organizations to try to create the greatest profit by investing the fewest resources in a project. In such a case, management may be under the impression that appointing a Lead Risk Manager is enough to implement the standard while reaping the most benefits. Thus, organizations must consider the resources they are willing to invest in risk mitigation before implementing ISO 31000.
Let us look at some of the clauses that define ISO 31000 and learn more about their requirements. Remember that in order to be fully in line with ISO 31000, you should always consider getting an ISO Specialist such as Luke Desira to help out in the implementation. Having an extra set of eyes carrying an external perspective is always helpful!
Clause 4.0 Principles
Risk management is crucial for the overall improvement in performance and should encourage innovation to achieve particular objectives. For this reason, the ISO 31000 risk management framework outlines several principles to assist organisations in becoming effective and efficient by improving communication and explaining its intention and purpose.
Clause 5.0 Framework
ISO 31000 explains the framework for carrying out risk management so that it is integrated into the organisation's significant activities and functions. The effectiveness of such risk management usually depends on the organisation's governance, including decision-making. This requires top management involvement, which plays an essential role in the success of risk management.
Clause 5.2 Leadership and commitment
Risk management would not be effectively integrated into all organisational activities without crucial top management involvement. Thus ISO 31000 lists several aspects that demonstrate such leadership and commitment and explains how these elements help the organisation.
Clause 5.3 Integration
If top management provides all the necessary support, it is equally essential that risk management is integrated into the internal policies of the organisation. Such policies may differ from one organisation to another, even more so between organisations of different sizes. These internal policies give strategic guidance and the objectives necessary to achieve adequate performance. However, one of the most significant misconceptions about risk management is that it is a one-time process. On the contrary, risk management is a dynamic process and should be customised to the organisation's needs and culture. Without this, risk management would not be effective, and most employees would not feel part of it.
Clause 5.4 Design
As explained above, designing risk management around the organisation's needs and culture is crucial for effectiveness and employee acceptance. The ISO 31000 standard describes in detail the requirements for such a design so that it fits well within the organisation's structure.
Clause 5.4.1 Understanding the organisation and its context
In designing the framework for risk management, the organisation should understand the main context of its operations. This includes the external context (customer relationships, networks, environmental factors, etc.) and the internal context (vision, objectives, culture, data, capabilities, etc.).
Clause 5.4.2 Articulating risk management commitment
As in many ISO requirements, management must clearly formulate a policy stating the organisation's objectives and commitment. Such a policy should include various statements, such as the integration of risk management into core business operations, authorities and responsibilities, resources required, conflicting objectives, etc. This policy is then made available to everyone within the organisation and to any stakeholders, including clients, as needed.
Clause 5.4.3 Assigning organisational roles, authorities, responsibilities and accountabilities
Authority, responsibility and accountability are essential aspects of risk management. For this reason, management should ensure that such relevant roles are assigned and communicated at all levels.
Clause 5.4.4 Allocating resources
Resources should be allocated appropriately in various aspects such as competencies, tools for managing risks, document control, information management systems and training.
Clause 5.4.5 Establishing Communication and Consultation
Communication and consultation help facilitate the practical application of risk management. These need to be timely and ensure that relevant information from stakeholders is collected and shared, with necessary feedback and improvements.
Clause 5.5 Implementation
Implementation of risk management requires developing an appropriate plan with sufficient time and resources. Key decision-makers must be identified, and the necessary decision-making processes adapted to the organisation's requirements. Only with proper engagement and awareness of all stakeholders can an organisation implement the required framework successfully. This is especially important for making the framework part of day-to-day processes, so that most activities blend well throughout the organisation and the proper decision-making and change processes take place.
Clause 5.6 Evaluation
As with all processes, establishing risk management requires periodic review of its performance against its purpose, implementation plans, indicators and expected behaviour. This must be combined with confirmation that risk management remains suitable for achieving the objectives set out by the organisation.
Clause 5.7 Improvement
Continually adapting and improving the risk management framework is crucial to its success. Gaps or improvement opportunities must be identified and assigned for proper implementation and the eventual improvement of risk management.
Clause 6.0 Process
The risk management process is an essential part of the management and decision-making policy, which must be integrated into the organisation’s structure, operations and functions.
Clause 6.2 Communication and Consultation
The purpose of communication and consultation is to get all relevant stakeholders to understand the concept of risk and the basis for decisions to ensure proper mitigation. Communication will promote awareness and understanding, which will lead to acceptance, whereas consultation involves obtaining feedback and information to support decision-making. These two require close coordination to ensure timely and effective exchange while ensuring confidentiality and integrity of data. The main scope of this should be:
- Efficient coordination of different views throughout the whole process;
- Effective communication and consultation during each step;
- Sufficient information to ensure proper decision-making;
- Inclusiveness and ownership among stakeholders.
Clause 6.3 Scope, Context and Criteria
Risk management cannot be one-size-fits-all and thus requires scope, context and criteria for risk management customisation. This will ensure practical risk assessment and appropriate risk treatment.
Clause 6.3.2 Defining the scope
The scope should include:
- Objectives and decisions;
- Outcomes;
- Time, location and requirements;
- Appropriate tools and techniques;
- Resources needed, responsibilities and records to be stored;
- Relationships between stakeholders.
Clause 6.3.3 External and internal context
This context includes the environment in which the organisation seeks to define and achieve its objectives. Understanding it is vital to:
- Establish the risk management context in relation to the objectives and activities of the organisation;
- Identify risk sources arising from organisational factors;
- Establish how the purpose and scope overlap with the goals of the organisation.
Clause 6.3.4 Defining risk criteria
Defining risk criteria is crucial for the success of risk management. Larger organisations may be able to handle a considerably greater amount of risk than smaller ones. Thus organisations must specify the amount and type of risk they can take. This depends on their objectives and on the level of significance they assign for decision-making. For this reason, risk criteria are usually aligned with the organisation's values, goals and, most importantly, resources. Having said that, as mentioned before, risk management is a dynamic process, and the criteria defining it must be dynamic too. The standard lists the following for consideration:
- The uncertainties that can affect outcomes and objectives;
- The consequences of the risks and how they are defined and measured;
- Time-related factors which need to be taken into consideration;
- Consistency of risks;
- Determining the levels of risks and if these can be combined or defined individually;
- The capacity of the organisation.
Clause 6.4 Risk assessment
Risk assessment is the combined effort of risk identification, risk analysis and evaluation.
Clause 6.4.2 Risk identification
This step recognises and identifies risks, and their causes, that may affect an organisation's activity. The following should be taken into consideration:
- The sources of risk;
- Events and causes that may lead to risks;
- Threats and opportunities, weakness and strengths;
- Changes within the organisation;
- Indicators leading to risks;
- Assets and resources;
- Consequences and impacts of hazards on activities of the organisation;
- Limitations in both the knowledge and reliability of the information;
- Time-related factors;
- Assumptions and beliefs of stakeholders involved.
Clause 6.4.3 Risk analysis
Risk analysis aims to understand the level of risks and their characteristics. This may include detailed consideration of uncertainties, sources, consequences, likelihood, events, controls and their effectiveness. In other ISO standards, one may try to identify a single root cause. In risk management, however, an event can have multiple causes and affect various objectives. For this reason, analysis needs to be carried out at different levels of detail and complexity, depending on the purpose, the availability and reliability of the information, and the resources available. The following factors should be considered:
- The likelihood of it happening;
- The impact of the risk;
- The complexity;
- Time-related factors;
- The effectiveness of the existing controls;
- The confidence level of the likelihood estimate.
Risk assessments are not easy, as one must remain objective in the evaluation. Highly uncertain events can be challenging to quantify, so a combination of techniques must be applied to provide further insight.
Clause 6.4.4 Risk Evaluation
This is the decision-making process, where results are compared with the risk criteria and the actions determined. Such decisions could conclude:
- Do nothing
- Consider risk treatment options
- Carry out further analysis
- Maintain current controls
- Reconsider objectives
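As an added illustration (not from the page or from the ISO 31000 text) of how clauses 6.3.4, 6.4.3 and 6.4.4 fit together: risk criteria (appetite, capacity and a minimum confidence level) are agreed first, each risk is scored from likelihood, impact and the effectiveness of existing controls, and the residual score is compared against the criteria to give one of the decisions listed above. The 3-point scale, the scoring rule, the criteria values and the sample register are all constructed assumptions.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}  # constructed 3-point scale, not from the standard

@dataclass
class Risk:
    name: str
    likelihood: str               # "low" / "medium" / "high", before existing controls
    impact: str                   # "low" / "medium" / "high", before existing controls
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully effective)
    confidence: float             # 0.0 .. 1.0 confidence in the estimates above

@dataclass
class Criteria:                   # risk criteria agreed up front (clause 6.3.4); assumed values
    appetite: int                 # residual score at or below this is acceptable
    capacity: int                 # residual score above this exceeds what the organisation can bear
    min_confidence: float         # below this the estimates are too uncertain to decide on

def inherent_score(r: Risk) -> int:
    """Likelihood x impact on the 3-point scale, ignoring existing controls (1..9)."""
    return LEVELS[r.likelihood] * LEVELS[r.impact]

def residual_score(r: Risk) -> float:
    """Score after existing controls; partially effective controls leave a residual."""
    return round(inherent_score(r) * (1.0 - r.control_effectiveness), 2)

def evaluate(r: Risk, c: Criteria) -> str:
    """Compare the analysis with the criteria; returns one of the clause 6.4.4 decisions."""
    if r.confidence < c.min_confidence:
        return "Carry out further analysis"  # weak data: do not decide on it yet
    score = residual_score(r)
    if score > c.capacity:
        return "Reconsider objectives"  # beyond what the organisation can absorb
    if score > c.appetite:
        return "Consider risk treatment options"
    if inherent_score(r) > c.appetite:
        return "Maintain current controls"  # acceptable only thanks to existing controls
    return "Do nothing"

def evaluate_register(risks, c: Criteria):
    """Evaluate a whole register; returns {risk name: decision}."""
    return {r.name: evaluate(r, c) for r in risks}

CRITERIA = Criteria(appetite=3, capacity=7, min_confidence=0.5)  # constructed sample values
REGISTER = [                                                      # constructed sample register
    Risk("Unpatched internet-facing server", "high", "high", 0.0, 0.9),
    Risk("Phishing against staff", "high", "medium", 0.5, 0.8),
    Risk("Laptop theft", "medium", "medium", 0.0, 0.7),
    Risk("Flooding of the office", "low", "low", 0.0, 0.9),
    Risk("Flaw in a rarely used library", "medium", "high", 0.0, 0.3),
]
```

Calling `evaluate_register(REGISTER, CRITERIA)` yields one decision per risk; the low-confidence entry is routed to further analysis regardless of its score, which is the point of carrying a confidence level through the analysis.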
Clause 6.5 Risk treatment
Upon identifying risks, one must select and implement treatment options. This must be a logical process in which solutions are identified, planned, assessed and decided upon. The process may be iterative: the outcome of one treatment can itself require further treatment.
Clause 6.5.2 Selection of risk treatment options
Not every risk treatment option is appropriate in all circumstances, and several may be combined, including:
- Stopping the activity that gives rise to the risk;
- Taking or increasing the risk in order to pursue an opportunity;
- Removing the source;
- Changing the likelihood;
- Changing the impact;
- Sharing the risk;
- Retaining the risk by informed decision (some risks are easier to live with than to remove completely).
Resources are usually the most fundamental justification for a risk treatment. However, one must not focus solely on economic considerations but should consider all of the organisation's obligations, activities and objectives. The organisation must also take into account the stakeholders' values and perceptions and find ways to communicate, and even consult, with them about the options. Not all treatments produce the expected outcomes, even after all choices and decisions have been exhausted. In such cases, monitoring and review are the organisation's best option for ensuring that the different treatment options remain effective.
Clause 6.5.3 Preparing and implementing risk treatment plans
Treatment plans specify how the selected treatment options are to be implemented so that progress can be monitored. The plan should also identify the extent of the risk treatment to be implemented.
A treatment plan should include:
- The decisions for selection and expected benefits to be gained;
- Stakeholders involved, authorisation levels and implementation criteria;
- Proposed actions;
- Resources required;
- Performance measures;
- Limitations;
- Reporting and monitoring required;
- Actions expected.
Clause 6.6 Monitoring and review
Monitoring and review are crucial for the quality and assurance of the effectiveness of the process design, implementation and outcomes. Monitoring and review need to take place at all stages and must include:
- Planning;
- Gathering and analysis of information;
- Recording results;
- Providing feedback.
Clause 6.7 Recording and reporting
The risk management process requires that its outcomes must be documented and reported appropriately. Such reporting should aim to:
- Communicate risk management activities and outcomes;
- Provide information for decision-making;
- Improve risk management activities;
- Assist interaction with stakeholders.
Reporting is an integral part of any quality system and should enhance the quality of dialogue with stakeholders and support top management. Factors to consider include:
- Stakeholders and their differing needs and requirements;
- Cost, frequency and timeliness of reporting;
- Method of reporting;
- Relevance of information concerning the objectives and decision-making.
EAGER TO LEARN MORE ABOUT Risk Management and ISO 31000?
Luke Desira is an ISO management system consultant whose main goal is to put your company in a class of its own! Learn more about ISO 31000 Risk Management by listening to what Luke Desira, the man himself, has to say about it.
Luke offers a variety of ISO certification services that put him among the leading ISO certification consultants in Malta. He can help you achieve ISO certification efficiently. When ready, just call Luke Desira – he'll be happy to lend a helping hand.