HOW ISO 31000:2018 INTEGRATES RISK MANAGEMENT INTO YOUR ORGANISATION

[email protected] | www.riskza.com | 0861 RISK ZA | 28 Siphosethu Road, Mt. Edgecombe, KZN

© Risk ZA Corporate Sustainability (PTY) Ltd.

CONTENTS

INTRODUCTION 3
WHAT IS RISK MANAGEMENT? 3
WHAT IS IN THE ISO 31000:2018 RISK MANAGEMENT STANDARD? 4
STEPS TO EFFECTIVE IMPLEMENTATION & INTEGRATION 5
SUMMARY 6
WORK WITH RISK ZA 6


INTRODUCTION

Risk is inherent in an organisation’s activities. A successful enterprise has the ability to identify and manage risks before they can damage its reputation and ability to operate.

Arthur Rudolph, project director of the Saturn V moon rocket, described risk tolerance perfectly:

“You want a valve that doesn’t leak and you try everything possible to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.” - Arthur Rudolph

After the subprime mortgage shock in 2008 the International Organization for Standardization published the ISO 31000:2009 Risk Management Standard. An update was released in 2018 providing more strategic guidance.

Here we look at what the ISO 31000:2018 Risk Management Standard offers and how these risk management solutions can benefit your organisation.

WHAT IS RISK MANAGEMENT?

Risk Management is the process of identifying, analysing and responding to risk factors throughout the life of an organisation or a project in the best interests of its objectives.

Proper risk management is a proactive rather than a reactive process, applied to control future events. It reduces the likelihood of a negative event and the extent of its impact, and is intended to avoid after-the-fact crisis management.

Risk Management Systems such as ISO 31000:2018 are designed to do more than just identify risk: they help to measure risk and to predict its impact and outcome. Whether a risk is accepted usually depends on the organisation’s Risk Appetite, that is, its tolerance of risk.

As a continuous, disciplined process, risk management aims to identify, measure and manage risks throughout the life of an organisation or project and to supplement and support other systems such as planning, budgeting and cost control.

ISO 31000:2018 offers detailed guidelines on how to plan, implement and measure an effective Risk Management System. It is a universal approach to risk management that can be used in any sector or industry and applied to any type of risk, whether financial, technological, natural or project-related.

The ISO Risk Management Standard helps organisations to perform systematic, continuous risk assessments to balance reward over uncertainty and losses. The standard can help an organisation to achieve its objectives, improve the identification of opportunities and threats and effectively allocate resources for risk treatment.

The core purpose of the ISO 31000:2018 Risk Management standard is to create and protect value and to link the framework and practice of risk management to the organisation’s strategic goals.

WHAT IS IN THE ISO 31000:2018 RISK MANAGEMENT STANDARD?

The ISO 31000:2018 Risk Management Standard is divided into five main sections:

1. Introduction and document references, including terminology and definitions.
2. Risk management principles.
3. The risk management framework.
4. Risk management processes.
5. A bibliography.

It includes:

- Definitions and terms relevant to risk management.
- Principles that inform effective risk management.
- Recommendations for establishing a risk management framework and a risk management process.

THE EIGHT RISK MANAGEMENT PRINCIPLES

To create and protect value, improve performance, encourage innovation and support the achievement of objectives, the 8 Risk Management Principles are:

- Create and protect value
- Be integrated into the organisation’s decision making and processes
- Be structured and comprehensive
- Be customised to link to the organisation’s objectives and tailored to fit its context
- Be inclusive of stakeholders, taking into account their knowledge, views and perceptions
- Be dynamic, detecting and responding appropriately to internal and external changes
- Use the best available information, taking into account the limitations and uncertainties of historical and current information and future expectations
- Be conscious of human and cultural factors influencing risk management
- Continually improve its systems and processes.

DESIGNING A RISK MANAGEMENT FRAMEWORK

“The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions.” - ISO 31000:2018

Board-level responsible management drafts a framework document to ensure that an organisation-wide risk management process is supported, iterative and effective, ensuring that risk management will be an active component in governance, strategy and planning, management reporting processes, policies, values and culture.

The framework can be adapted to the particular needs and structure of all organisations regardless of their size. Top management needs to facilitate the process but this commitment is not enough - an enterprise-wide risk culture needs to be nurtured.

The framework includes activities such as:

- Demonstrating leadership and commitment to risk management
- Integrating risk management into organisational processes
- Designing the framework for managing risk
- Assigning roles, authorities, responsibilities and accountabilities
- Allocating appropriate resources
- Establishing communication and consultation
- Implementing and evaluating the risk management process
- Adapting and continually improving the framework.

STEPS TO EFFECTIVE IMPLEMENTATION & INTEGRATION

The risk management process assesses existing or potential risks, evaluates the risks and treats them using risk treatment options. This process is used in all decision making.

Below we outline the steps in the ISO 31000:2018 Standard that effectively embed the Risk Management process into an organisation:

ESTABLISHING THE CONTEXT

The organisation’s context needs to be understood and the full range of risks identified.

RISK IDENTIFICATION

Identifying risks is a formal, structured process involving input from a variety of sources.

RISK ANALYSIS

Each identified risk is analysed using formal techniques to determine whether the risk is acceptable and how it should be modified.

RISK EVALUATION

Ranking the importance of each risk so that a treatment priority can be established.


RISK TREATMENT

Proper risk management relies on informed decisions about risk treatment. Treatments may include avoiding the activity, managing the risk or risk-taking in order to pursue an opportunity.

COMMUNICATION & CONSULTATION

Ongoing communication promotes awareness and understanding of risk. Consultation elicits feedback and information to support decision-making.

RECORDING & REPORTING

Outcomes of the risk management process are documented and reported and provide the information for making informed decisions.

MONITORING & REVIEW

This helps organisations assure and improve the quality and effectiveness of the risk management process.

SUMMARY

ISO 31000:2018 provides best-practice risk management and is aimed at people who create and protect value in all types of organisations. The standard contains a set of principles, a comprehensive risk management framework and a risk management process, which we have discussed in this Guide.

ISO 31000:2018 offers organisations an excellent opportunity to understand the sources of risks and identify the necessary risk treatments in order to reduce the uncertainty of their future.

WORK WITH RISK ZA

Risk ZA has collective experience of over 30 years in training, consulting and implementing ISO-related solutions for organisations of all types and sizes in the Southern African region.

We are leading experts in the field of ISO 31000:2018 Enterprise Risk Management Systems, and are well-positioned to assist your organisation build a solid foundation for growth – both now and into the future.

Click here for details of our comprehensive ISO Training and Consulting Services.

Call +27 (0) 31 569 5900 or email us at [email protected] for further assistance!