The ISO 31000 standard can be summarised on one A4. It comprises 11 principles, a framework and a process. But this is the easy part. Translating these principles into practice, building a powerful framework and using the process on a daily basis and this from top to bottom, is the real challenge. Most people occupied with risk management are men of practice. They focus on the tools used during the risk management process. Often, certainly in the financial world, they are the experts in mathematical and statistical methods such as for instance Monte Carlo simulations. These tools are used in order to determine the level of uncertainty involved and determine the amount of money at risk. These professionals sometimes think risk management is solely about uncertainty and risk management is about making sure investments pay off or possible setbacks can be hedged. Although for their profession this might be right, to me, uncertainty is not the most important part of risk management. More important is the understanding of the involved objectives, because it is only in understanding the objectives of relevant stakeholders which will bring understanding in the risk regarding specific objectives.
Obviously, in the financial world, the objective of the shareholders is clear and, most of the time, it is only the uncertainty regarding a desired outcome which needs to be analysed and determined to take appropriate decisions. Indeed, this could lead people to think risk is solely about uncertainty, as the overarching objectives hardly change and the risk criteria have been set by international agreements. At least that could be the perception and I sometimes get the feeling financial risk management is indeed another ball game.
However, in my humble opinion, this is not true. Risk is the effect of uncertainty on objectives and both the effect as well as the objectives themselves are uncertain. Objectives change over time and it is the complex interconnectedness of objectives of stakeholders, how these objectives can change and how these stakeholders will deal with those changes, which also creates the uncertainty affecting corporate goals. It is also my personal conviction that understanding and aligning objectives of stakeholders is also a very important way to influence risk and take appropriate decisions. And for sure, ISO 31000 can help organisations to do that, not only for financial risk, but for all the risks organisations have to deal with.
Implementing ISO 31000 starts with embracing the principles and translate them into a clear and strong mandate and commitment from the top. It is the most important step to make when one truly wants to integrate risk management and ISO 31000 in one’s organisation. Every principle in itself holds important objectives an organisation has to pursue. The ISO 31000 risk management principles are excellent business practices and therefore these principles are an important key to success. A strong mandate and commitment translates these business goals into transparent and engaging organisational objectives and associated risk criteria, which are the overarching guidance to manage the uncertainty regarding more specific and more trivial day to day goals. In this way they help taking the appropriate decisions throughout the entire organisation. From top to bottom and back.
Therefore, risk management starts by embracing these eleven principles:
- Risk management creates value
- Risk management is an integral part of organizational processes
- Risk management is part of decision making
- Risk management explicitly addresses uncertainty
- Risk management is systematic, structured and timely
- Risk management is based on the best available information
- Risk management is tailored
- Risk management takes human and cultural factors into account
- Risk management is transparent and inclusive
- Risk management is dynamic, iterative and responsive to change
- Risk management facilitates continual improvement and enhancement of the organization
In case you want to know more about ISO 31000 or if you want to become an ISO 31000 certified risk professional, you can always find interesting training and certification opportunities on the G31000 website: http://g31000.org/training/training-events/
When this is something for you, I will be honoured guiding you during these trainings and prepare you for the C31000 certification exam in Brussels (May or November) or Amsterdam (October)!
More information on:
Since September 2014, Peter is also employed at TUDelft, working as a PhD researcher for the Safety Sciences section of the Technology Policy and Management faculty.
As the managing director of G31000 Europe he is now a trainer and consultant using the ISO 31000 Risk Management Standard.
Some of his articles can be read on LinkedIn