Mandate and commitment from top management
The ISO 31000 principles can be seen as elements of leadership: guiding thoughts that answer the question of why one should implement risk management in one’s organisation. They are also a set of values, beliefs and convictions, the fundamental mental models guiding daily operations in organisations, and the fundamental ideas on which a risk management system should be built. ISO 31000 proposes a framework to translate these principles and mental models into a structure guiding all action concerning risk management in an organisation.
ISO 31000 defines the risk management framework as a set of components that provide the foundation and organizational arrangements for designing, implementing, monitoring, reviewing and continuously improving risk management throughout the organization.
With the word ‘foundation’, ISO 31000 refers to the overarching risk management policy and objectives, stated in the mandate and commitment; by ‘organizational arrangements’, it means the plans, relationships, accountabilities, resources, processes and activities described in the risk management plan.
The ISO 31000 framework is at the same time a methodology and a process that allows organisations to organise and integrate risk management in all of their corporate processes, at all organisational levels. It determines what managers and leaders need to do to structure and implement risk management in their entire organisation.
In essence, as the definition already reveals, the framework consists of two distinct parts. The first is an overarching and fundamental part, the ‘foundations’ (mandate and commitment), which translates the essential concepts and mental models needed to manage risks in the organisation into a clear statement from top management and the highest responsible bodies. The second part, the so-called ‘organizational arrangements’, is a PDCA-like (Plan-Do-Check-Act) continuous improvement process, which consists of making a ‘plan’ (design of the framework), ‘doing’ the execution of this plan (implementing risk management), ‘checking’ the plan and its execution (monitoring and review) and ‘acting’ on the results of the review (improvement of the framework).
The mandate and commitment is the formal declaration of the promise by the top management of the organisation that risk management is important and will get the necessary attention and resources to become integrated in all organisational processes at all organisational levels. It is a statement in which top management defines and endorses the organisation’s risk management policy. This policy should be aligned with the organisational culture and determine which risk management performance indicators will be used in concert with the performance indicators of the organisation. Furthermore, the objectives stated in the risk management policy should be in line with the objectives and strategies of the organisation, and also with the ISO 31000 principles discussed earlier. The policy also ensures that applicable legal and regulatory requirements are complied with, and it determines the strategic responsibilities and accountabilities regarding risk management in the organisation. Together with this, the policy explicitly names the resources that will be required and provided for the implementation of the risk management policy.
Via this risk management policy, top management communicates the benefits it sees in risk management to the appropriate stakeholders. It also determines the terms and conditions under which the risk management framework is kept up to date and fit for purpose. In a sense, this policy is part of the vision, mission and ambitions of the organisation regarding its risk management, and a broad idea of how risks, in a general sense, need to be approached.
ISO 31000 is the standard on how to integrate risk management in your organisation and existing management systems. It applies to organisations of any size in any sector, public or private, for profit or not for profit.
To know more:
Since September 2014, Peter has also been employed at TUDelft, working as a PhD researcher in the Safety Sciences section of the Technology, Policy and Management faculty.
As the managing director of G31000 Europe he is now a trainer and consultant using the ISO 31000 Risk Management Standard.
Some of his articles can be read on LinkedIn.