The ISO 31000 standard can be summarized on one A4. It comprises 11 principles, a framework and a process. But this is the easy part. Translating these principles into guidance to be used in practice, building a powerful framework to implement risk management from top to bottom throughout an organisation and using the risk management process on a daily basis for all uncertainties encountered in managing organisations, is the real challenge.
As explained earlier, for ISO 31000, the 11 Risk Management Principles and a well-developed Framework constitute the foundations for implementing risk management and managing risks in any organisation. Together, they guide people on what to do and how to do it in managing the effect of uncertainty on the objectives that matter to the organisation. However, the real practice of risk management comes from implementing and using the ISO 31000 risk management process (See Figure 1).
At first sight, there’s nothing out of the ordinary to be found in this process. The different parts and steps on the diagram seem nothing more than common sense. You need to know the context before you can identify risks, you need to identify risks before you can analyse them and you need to analyse risks before you can properly evaluate them. Finally, when everything is evaluated and the situation is clear, you can take a decision on how to treat the risk.
Figure 1. The ISO 31000 Process
When taking a closer look at the process, it is also possible to discern three separate and different parts. The heart of the process is what risk managers know best. It is the risk assessment part. This is the moment in the process where the hard work of risk management is done by specialists (risk managers) who have the knowledge and skills to use the specific tools that are often associated with traditional risk management. It is the domain where statistical models belong and where very fancy and sometimes complicated mathematical methods can be used, in order to determine levels of risk. This is typical the domain of the “traditional” risk manager.
A second part that can be distinguished in the process, is what comes just before the assessment part and right after it, enveloping as such the more traditional part of the risk management process. You have to look at this as zooming out to a wider circle of people also to be involved in managing the risks that need to be managed, which is all of the managers in the organisation. After all, in a sense, all management is risk management. In this process, managers need to be fully involved in the parts of “establishing the context” and the “treatment of risk”. Actually, this is the domain of every manager at all levels of the organisation. In essence, this is what management is all about. It is about knowing what is going on and setting the criteria for what needs to be assessed and at the end taking the decisions that are needed to achieve and safeguard the objectives involved in the process.
The last part is what seems less important to some, as these are the elements flanking the core of the process. But this perception is not correct. Also this last part in the process, containing the elements “communication and consultation” and “monitoring and review”, are a further zoom out of what is needed to come to sound decisions and effective risk management. As such, it is a crucial part of the process, which provides for obtaining the best available information to get the best possible outcome. Correspondingly to the second part of the process, it is also a zooming out on the larger group of people to be involved in the process, as these are steps of the process where everyone can be called upon to make a contribution to the final outcome of the process, reaching safety and performance in one go. It is also a group of people that can give the feedback needed to learn and progress when results are monitored and reviewed.
If you want to know more about ISO 31000, its vocabulary, principles, framework and process, consider to participate in one of our courses and become a Certified Risk Management Professional.
Since September 2014, Peter is also employed at TUDelft, working as a PhD researcher for the Safety Sciences section of the Technology Policy and Management faculty.
As the managing director of G31000 Europe he is now a trainer and consultant using the ISO 31000 Risk Management Standard.
Some of his articles can be read on LinkedIn