Accendo Reliability

Your Reliability Engineering Professional Development Site

by Greg Hutchins

Introduction to the ISO 31K Risk Management Framework

Guest Post by Peter Holtmann (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

This article is the first in our risk management series. The series will look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so we’ll walk through the core aspects of the Standard and give you practical guidance on how to implement it.

In this particular article, we’ll be introducing you to the ISO 31000 Standards, the guiding principles, and outlining the risk management framework.

The ISO 31000 Standard was introduced to give organisations practical guidance on how to manage their risk. This risk can arise in any aspect of your organisation, whether internal or external, current or prospective. Whatever the case may be, the Standard helps organisations customise their risk management practices to their wants and needs. Another strength is that it isn’t time sensitive: it’s structured in a way that allows it to grow and evolve with your organisation. It also isn’t industry or organisation specific; it can be tailored to any activity at any level. It’s incredibly versatile.

That being said, there are a number of guiding principles to the Standard. These principles are the foundation and guiding light for our organisation’s operations and processes, as well as how they relate to our risk management practices and procedures.

At the core of these principles is one uniting principle: the creation of value and the protection of value. Consider the concept of quality assurance for a moment. You may even have quality assurance practices in your own organisation. But why? It’s because of this uniting principle. Not only do we want to create and protect the value of our products through risk management practices, but we also want to create and protect the value that those practices offer.

While united by the prospect of creating and protecting value, the guiding principles are focused on how to do so. The Standard does not deem any principle more important than another. Rather, it gives you the space to determine which guiding principle may be more useful to you in your decision-making practices from time to time. Ideally, however, these principles will be used holistically to support your risk management practices.

Here is a brief overview of the eight guiding principles:

  • Continual improvement: this refers to how we leverage our learning experience/s to better develop and improve our current practices and processes.
  • Integrated: this refers to how well your practices fit within your organisation. Do your risk management practices fit well? Are they cohesive with everything else going on around it? Essentially, is it integrated?
  • Structured and comprehensive: this refers to how well rounded your practices are. Good risk management practices are thorough, which is usually achieved through a structured and comprehensive approach.
  • Customised: this refers to whether or not the practices you have are tailored to your organisation’s needs and objectives both internally and externally. Your strategic plan will be helpful here in addressing your objectives.
  • Inclusive: this principle creates a space for your key stakeholders to be involved with contributing to and developing your risk management practices. In particular, this involvement is to be in a timely manner so you can leverage your stakeholder’s knowledge to strengthen your practices.
  • Dynamic: this principle refers to the threats that may arise from having static risk management practices. It seeks to encourage a responsive and proactive approach to risk management, largely because some risks may emerge, change, or disappear over time.
  • Best available information: this refers to evidence-based management, and how such evidence should be critically analysed. This includes consideration of the credibility and limitations of current data together with the uncertainties that data may pose. Ideally, such analysis will be based on current and historical data which is relevant, timely, and clear.
  • Human and cultural factors: this refers to the ways in which human behaviour and culture can influence our risk management practices at any and every stage of our organisation. This is all about the people that are working with your risk management practices and procedures.

If we turn our attention now to the second focus of this article, we’re able to consider the risk management framework. Ultimately, the goal of the framework is to help your organisational activities and functions operate effectively alongside your risk management policies and procedures. How successfully these two work together depends on how well you address and integrate the core components of the framework.

Much like the concept of value creation and protection in the guiding principles, the framework has a similar uniting factor. This factor is that of leadership and commitment. The importance of leadership and commitment here is that the elements to the framework work best when driven from the top-down and when risk management is seen as a priority among all levels of the organisation.

The key components to the framework are, from afar, rather simplistic. We’ll briefly outline them now, noting that we’ll get into the nitty gritty of them all later in the series.

The remaining key components of the framework include:

  • Integration: much like the principle relating to integration, this part of the framework looks at how we understand all of the aspects to our organisation’s structure and the environment in which they operate. Good governance is critical for successful integration here as the structures that management chooses to take on all translate to how well risk management practices will sit within those structures. As these structures are typically quite rigid, it’s important for our approach to integration to remain dynamic and iterative.
  • Design: this refers to how our organisation structures its risk management framework. In designing that structure, we need to give consideration to external matters such as legal, domestic, international, and competitive factors, as well as internal factors relating to our mission, strategy, organisational culture, resource allocation, and capabilities. Neither the internal nor the external list of considerations is exhaustive.
  • Implementation: this refers to how the risk management framework is to be introduced and rolled out throughout your organisation. It includes things like a plan for how to do so, a team responsible for it, how it should be modified if it needs iteration, and how to ensure that what is being proposed is actually understood, and therefore actually practised. Much of the focus of this framework component is on engagement with stakeholders, which helps to identify any shortcomings in the current plan so we can make amendments as soon as possible.
  • Evaluation: this refers to how we determine the success of our risk management framework. The Standard offers two key considerations for us to think about. The first is periodic measurement of whether the framework is actually fulfilling its purpose. The second is determining whether or not the framework continues to satisfy the needs and objectives of our organisation.
  • Improvement: this refers to how we are able to identify the shortcomings in our current framework and how we’re able to overcome them through continual improvement and iteration. In identifying exactly what these shortcomings could be, there is a focus on working with stakeholders and acting on their advice in a timely manner. This primarily links back to the ‘continual improvement’ principle which we outlined earlier.

It’s important to note that the components of the risk management framework do not operate in an exclusively linear fashion. It is not a process; it is a framework. Know that you can approach any part of the framework as your organisation deems fit, and the same is true of the guiding principles. As we mentioned earlier, this is the beauty of the Standard as a whole: its ability to be tailored to your organisation’s wants and needs.

In any event, good risk management practices and procedures can be established and maintained through use of the ISO 31000 Standard. In this article we’ve introduced you to the Standard, its guiding principles and its risk management framework. If you’re interested in reading more about the Standard and how it can be applied, stay tuned for the coming articles to this series.

If you have any stories – good or bad – about how you’ve introduced the risk management framework into your business, I would love to hear them.

If you’re looking at incorporating the risk management framework into your practices and procedures and would like some guidance or a conversation to help you on your journey, please contact me. I’m more than happy to guide you.

About the author

Peter is the Founder and Director of Holtmann Professional Services, a global provider of executive coaching, business excellence consulting and career path development. Peter has 20 years of experience in executive roles and has been the President and CEO of a global non-profit. Peter has written for many journals and blogs, is a keynote speaker and is a champion of prosperity through excellence of leadership.

If you are interested in working with Peter, please reach out to peter@holtmann.com.au.

Filed Under: Articles, CERM® Risk Insights, on Risk & Safety

About Greg Hutchins

Greg Hutchins PE CERM is the evangelist of Future of Quality: Risk®. He has been involved in quality since 1985, when he set up the first quality program in North America based on Mil Q 9858 for the natural gas industry. Mil Q became ISO 9001 in 1987.

He is the author of more than 30 books. ISO 31000: ERM is the best-selling and highest-rated ISO risk book on Amazon (4.8 stars). Value Added Auditing (4th edition) is the first ISO risk-based auditing book.


CERM® Risk Insights series Article by Greg Hutchins, Editor and noted guest authors


© 2025 FMS Reliability · Privacy Policy · Terms of Service · Cookies Policy