ISO 31000

Risk Management Systems to Meet the Requirements of ISO 31000

Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organization or it may simply be embedded in the activities of the organization. An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organization benefiting from what is often referred to as the ‘upside of risk’.

The global financial crisis in 2008 demonstrated the importance of adequate risk management. Since that time, new risk management standards have been published, including the international standard, ISO 31000 ‘Risk management – Principles and guidelines’.

Intended benefits of risk management

For all types of organizations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. Organizations need to understand the overall level of risk embedded within their processes and activities. It is important for organizations to recognize and prioritize significant risks and to identify the weakest critical controls.

When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organization.

A successful enterprise risk management (ERM) initiative can affect the likelihood and consequences of risks materializing, as well as deliver benefits related to better informed strategic decisions, successful delivery of change and increased operational efficiency. Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organization, better marketplace presence and, in the case of public service organizations, enhanced political and community support.

This guide is based on ISO 31000 and also sets out a plan for the implementation of an ERM initiative. There are many opinions regarding what risk management involves, how it should be implemented and what it can achieve. International Organization for Standardization (ISO) standard 31000 was published in 2009 and seeks to answer these questions. This guide includes a brief commentary on ISO 31000, as well as providing further information on the successful implementation of risk management. Importantly, this guide recognizes that risk has both an upside and a downside.

Risk management is a process that is underpinned by a set of principles. It also needs to be supported by a structure that is appropriate to the organization and its external environment or context. A successful risk management initiative should be proportionate to the level of risk in the organization (as related to the size, nature and complexity of the organization), aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

This approach will enable a risk management initiative to deliver outputs, including compliance with applicable governance requirements, assurance to stakeholders regarding the management of risk and improved decision-making. The impact or benefits associated with these outputs include more efficient operations, effective tactics and efficacious strategy. These benefits need to be measurable and sustainable.