ISO 31000 Risk Management Framework: Complete Implementation Guide

ISO 31000 is the international standard for risk management, which gives organizations a world-wide recognized structure to systematically identify, assess and control risks. This framework is published by the International Organization for Standardization and is applicable to various fields of business and is scalable to both corporations, non-profit organizations, government agencies and educational institutions.

iso-31000-vs-coso-erm

The 2018 revision of the standard is a complete restructuring of the standard from its predecessor in 2009, into a more flexible, principles based approach. The ISO 31000 is not prescriptive, it focuses on embedding the risk management within the organizational culture and decision making processes.

Table of Contents

Why Organizations Implement ISO 31000

ISO 31000 is put into practice by organizations to boost the quality of decision making, build stakeholder trust and safeguard assets against unforeseen events and disruptions. With all the various challenges of digital transformation, complexity of the supply chain, regulatory changes and geopolitical uncertainty, systematic risk management cannot be ignored, it is a key element for competitive survival. Adopting this framework has proven to yield better operational resilience, quicker response to crisis and greater stakeholder relationship among companies.

The 11 Foundational Principles of ISO 31000

The 11 interlocking principles in the 2018 ISO 31000 framework are the philosophical underpinning for good risk management:

1. Develops and Safeguards Value

Risk management is not all about defensive play. If done correctly, it provides the insight for ideas about improvement, reduction of expenses, and innovation. Let’s say you have a manufacturing company that is doing a risk assessment on its supply chain, which helps them identify issues and they find that alternative suppliers are available that have better pricing and sustainability strategies.

2. Form Part of Organizational Processes

Risk management is not just a compliance matter! It should seep through the strategy, project management, the budget and operational processes. The integration has to be driven by executive commitment and cultural change, rather than policy documents.

3. Part of Decision Making

Any organizational decision has implications for risk. ISO 31000 incorporates the consideration of risk into the allocation of resources, capital expenditure decisions and strategic pivots. In this way, it avoids making an opportunity that may have an appeal that is not fully explored and understood yet also poses threats.

4. Addresses Uncertainty Explicitly

ISO 31000 recognizes uncertainty as a threat, as well as an opportunity, in contrast to the traditional approach to business planning that views uncertainty and its implications as stable. The “what if” scenarios are examined by effective frameworks, not as if the future is predictable.

5. Organized, On Time, and Organized

Failing to have ad hoc risk management. Organized and consistent processes applied to all the organization are required by ISO 31000. Timing is crucial—risks need to be evaluated before they are implemented and not after they arise.

6. Using the Best Available Information

Risk decisions should be based on the most up to date data, expert input, historical data and specialized knowledge. This principle protects against emotions and assumption-driven decision-making or judgement that ignore the key risks.

7. Adapted to Organizational Context

There is no remedy that fits all the time. Your risk strategy should be aligned to your industry, size, geographic reach, technology landscape and goals. Fintech startups are at risk from various angles that are distinct from what a regional credit union would be at risk from, and thus have different frameworks.

8. Takes into Account Human and Cultural Factors

The culture of an organization can positively or negatively influence risk management. The framework is ineffective, no matter how well the documentation is done, if the employees don’t feel safe in reporting risks; if the leaders are not paying attention to the emerging risks; or if they are rewarded for taking risks without any regard for the consequences.

9. Transparent and Inclusive

The management of risk needs to be participative, involving people at all levels of the organization. Risks may become apparent before the board of directors before they are recognized by front-line staff. Clearly explaining risk assessments and why some risk mitigations are selected increase the acceptance of the organization.

10. Dynamic, Iterative and Responsive to Change

Risk landscapes are continuously changing. New technologies brings new danger. M&A provide greater exposure. Geopolitical events lead to disruption in the supply chain. The framework needs to be flexible, and not cyclical each year.

11. Facilitates Continuous Improvement

There are learning opportunities associated with all risks, both managed and mismanaged. Post incident reviews, near-miss analysis and regular framework assessments lead to continual improvement of risk management capabilities.

The ISO 31000 Risk Management Process

It is important to have a good understanding of the structured process to implement it. The framework is divided into five interrelated phases of Risk Management:

iso-31000-process

Step 1 – Establishing Context

To identify any risks, you first have to define the internal and external context. Internal context refers to the organization’s structure, capabilities, culture, governance systems and strategic goals. External context includes market conditions, regulatory frameworks, technological advancements, competitive dynamics, and stakeholder expectations.

For a healthcare system setting up context, the key elements identified are internal capabilities (existing IT systems, staff skills and knowledge, and financial resources), strategic objectives (growing rural clinics, enhancing patient results, ensuring financial viability), and external factors (changing Medicare reimbursement rates, aging patient demographics, cybersecurity threats to medical systems).

Step 2 – Risk Identification

This phase methodically discovers potential risks that may affect objectives. Methods include:

  • Brainstorming sessions to uncover risks from multiple viewpoints.
  • Document reviews and analysis of industry and incidents in the past
  • Interviews with department heads, departmental operational staff and external advisors.
  • What if scenarios – exploring ‘what if’ situations
  • Checklists and questionnaires that provide systematic coverage by risk categories
  • Identify vulnerabilities in workflows/process interactions through process mapping

Good risk identification nets a large catch. The risks include strategic (market disruption, leadership transition), operational (process failure, equipment failure), financial (currency risk, credit risk), compliance (regulatory risk, certification risk), and reputational (public relations risk, data security risk).

Real-world application: Companies that had done pandemic scenario planning prior to the COVID-19 pandemic noticed and acted on risks sooner than other companies did, and mitigated them before they could. The identification of the risk proved their worth when it came to practice.

Step 3 – Risk Analysis

The known risks must be analyzed in a structured way to get a grasp on how they could affect the project and what the probability of it happening is. At this stage, uncertainty is measured and attention is paid to uncertainty.

Likelihood assessment is an assessment of the probability of this risk happening: Will this risk actually happen? Is it very unlikely, possible, probably or very likely?

An impact assessment assesses the impact of the risk: What is the impact if this risk becomes true? Is it going to have any effect on the minor, significant, organizational or market leadership damage?

Risk ratings involve assessing likelihood and impact and creating priority matrices. A low likelihood, but high impact event (such as a data center fire destroying all of the backups) may be given more priority than a common, but minor inconvenience.

Step 4 – Risk Response

There are four main ways of responding, which can be employed together:

Avoid: Neglect the activity which is causing the risk. A software firm may not want to spend a ton of money to beef up data security when there are serious weaknesses.

Mitigate: Prevent or reduce risk/impact, by controls. An airline’s managers are able to develop their crew fatigue management programs to lower the likelihood of accidents. Backup systems minimize impact of data loss.

Transfer: Insure, outsource or contract out risk to third party. This doesn’t remove risk, rather it moves the liability onto financial risk transfer.

Accept: Recognize the risk, and develop response plans to cope if it happens. Many organizations take on low probability risk without any investment in prevention, they have plans in place for contingencies.

Practical application: A retail business evaluating data breach risk could: (1) install encryption and access controls to limit the risk of breach occurring, (2) ensure that it has cyber insurance that covers them if it does, (3) have an incident response plan to limit the damage of a breach, and (4) accept that there could be some operational downtime despite taking precautions.

Step 5 – Monitoring and Review

Risk management is not “set and forget”. Continuous monitoring ensures:

  • Effectiveness of controls: are mitigation measures having an effect?
  • New risks: Have there been new types of risks?
  • Changing context: Is there a change in risk profiles in businesses?
  • Compliance: are you keeping up with changing requirements?

The monitoring mechanisms are key risk indicators (like KPIs), regular compliance assessments, incident tracking and quarterly risk reviews.

Implementation Framework by Organization Size

Small Business Implementation (1-100 Employees)

Many small companies think that ISO 31000 is a very time-consuming and cumbersome process, and therefore think they have to do a lot of paperwork. In practice, “simplified” implementation can be very effective:

  • Start small: With critical business functions. A software development company of 15 may start with a list of client data security, project delivery risk and cash flow risks – not all the risks.
  • Don’t go over the top with a spreadsheet: Risk registers don’t have to be complicated. A few words stating risks, existing control measures and suggestions for improvement will do.
  • Don’t use enterprise software: Free or low-cost risk management templates are just fine at this level.
  • Use informal communication: Owner-operator get a clear view of the operation, therefore the risks will come to him as part of the natural process of the operation. Make this formal by holding regular team risk discussions and not creating lots of rules and regulations.

Mid-Market Implementation (100-1000 Employees)

Organizations of medium size can have more complicated organizational structures but can still prevent excessive bureaucracy:

  • Establish cross-functional risk committee: HR, compliance, operations and finances meet quarterly to review risks in the organization.
  • Create department level risk registers: Have department level risk registers covering their function (summarized at enterprise level).
  • Use risk management software: Systems such as LogicGate, Resolver or even advanced spreadsheets can help to track risks systematically from department to department.
  • Assign risk ownership: Ownership of risk categories (operational risk, compliance risk, etc.), thus owning the risks.

Enterprise Implementation (1000+ Employees)

In large organisations, governance is likely to be more complex:

  • ERM function: Board audit committee and senior leadership have a dedicated risk team.
  • Integrated risk framework: Risk management is integrated with the execution of strategy, project portfolio management and performance management systems.
  • Advanced Analytics: Predict upcoming risks and stress test scenarios through data analytics.
  • Compliance integration: Make ISO 31000 compatible with other compliance rules (banking regulations, healthcare HIPAA rules, and so on).

ISO 31000 vs. Other Risk Frameworks

By understanding how ISO 31000 fits in comparison to other approaches, the organization can make an informed decision on which approach to take:

ISO 31000 vs. COSO ERM

The COSO (Committee of Sponsoring Organizations) ERM framework, which is mostly employed in North America, focuses on internal control on risk identification. ISO 31000 is broader, and approaches risk management as something to be incorporated into decision making, rather than adopting a narrow focus on control mechanisms. COSO fits into the framework of existing processes, while ISO 31000 is more appropriate for organizations that have to consider how risks affect the organization’s strategy.

Feature ISO 31000 COSO ERM
Type International risk management standard Enterprise risk management framework
Developed By International Organization for Standardization (ISO) Committee of Sponsoring Organizations (COSO)
Primary Focus Managing risk across the entire organization Integrating risk with governance, strategy, and internal controls
Approach Principles-based and flexible Governance- and control-focused
Best For Organizations of all sizes and industries Medium to large organizations, especially corporations
Implementation Can be adapted to any organizational structure More structured and formal implementation
Scope Enterprise-wide risk management Enterprise risk management with emphasis on governance
Certification No certification available No certification available
Strength Flexibility and adaptability Strong governance and internal control integration

ISO 31000 vs. RMBOK

This provides an overview of the similarities and differences between ISO 31000 and the Risk Management Body of Knowledge (RMBOK).

The methodology in RMBOK gives detailed information on how to do project level risk management which is useful for projects such as construction, IT or engineering projects. The ISO 31000 is applied at organizational level, to manage strategic and operational risks in all functions. Many organizations have implemented both: ISO 31000 for Enterprise governance and RMBOK for project specific implementation.

ISO 31000 vs. Agile Risk Management

Traditional approaches are based on the premise that the environment is stable and that risks can be predicted. Agile risk management is taking an iterative and adaptive approach, with some changes going on throughout. Although the principles of agile development were not included in ISO 31000, the principles were not prohibited by the 2018 revision because they were present in the previous version, and have since been adopted by the standard in the hope that they will help people in agile environments.

Common Implementation Challenges and Solutions

Challenge 1 – Leadership Misalignment

The challenge: When leaders don’t promote risk management it becomes a compliance item, not a strategy.

Answer: Make risk management a business asset. Share examples of competition that had poor management of risks, and then faced the market. Tie executive compensation to risk management performance. Include risk discussions as regular items on the board agenda.

Challenge 2 – Over-Complexity

The issue: Organizations generate extensive documentation, but it is never used, and they think of it as compliance.

Solution: Simplify. Stay away from jargon and use simple risk registers; don’t over produce reports, just give insights. As maturity increases so can complexity.

Challenge 3 – Risk Fatigue

The issue is that the risk identification is a continuous process and can create a problem called “alert fatigue.” Organizations cease to identify critical risks and minor issues.

Action Step: Create prioritization criteria. Priority focus monitoring of risks. Monthly Critical risks, quarterly Medium priority risks. This helps to avoid the “everything is urgent” attitude.

Challenge 4 – Siloed Thinking

The challenge: Risk management is still a function of compliance or audit teams and not part of the business decision making process.

Solution: Engage operational leaders in risk identification and response. Provide training for train managers to use risk assessment in project planning and resource allocation. Incorporate risk into business case templates.

Measuring ISO 31000 Effectiveness

The challenge is to measure the effectiveness of risk management. What are the indicators you have that your ISO 31000 implementation is effective? The following KPIs are important:

  • Early warning of risks: Do emerging risks get detected or until they become realized?
  • Effectiveness of control: do controls that are implemented actually reduce the likelihood or impact of risk?
  • Incident reduction: are there a reduction in near misses and minor incidents?
  • Senior leader engagement: do senior leaders fully engage in risk reviews?
  • Stakeholder input: Are workers comfortable in disclosing risks?
  • Adherence to compliance: Do risk management practices comply with every department?

Self-assessment against the ISO 31000 maturity scale (ad hoc, repeatable, managed, optimized): Organizations can measure themselves against the ISO 31000 maturity scale and gain a greater understanding of those areas in which they can improve.

Common Misconceptions About ISO 31000 Certification

One Common Mistake

Organizations may believe that they require ISO 31000 certification.

The truth: ISO 31000 is not a certification standard, as opposed to ISO 9001 (quality) or ISO 27001 (information security). ISO 31000 does not have an “ISO-Certified” by a third party. On the contrary, organizations individually assess their performance against the standard, and may have independent audits to ensure implementation quality.

There are also some registrars that provide “ISO 31000 compliance audits”, which are not the same as certifications. The point is the rigor with which the framework is followed and not the certificate.

Technology and Tools for Risk Management

Enterprise Risk Management Software

Some platforms such as LogicGate, Workiva, Riskonnect, etc. offer:

  • Centralized risk registers that are available throughout the departments.
  • Automated workflow for identifying and assessing risk.
  • Ensuring compliance needs. Ensuring compliance needs is integration with compliance.
  • Leadership visibility dashboards in real-time.
  • Compliance with the audit trails.

Simple Alternatives

Enterprise software isn’t suitable for every organization. For smaller organizations, sophisticated spreadsheets with conditional formatting, simple databases or even Google Forms with the info combined will do the job.

Data Analytics for Risk Prediction

Advanced organizations use machine learning to detect new risk patterns in the operational data, financial transactions or customer behavior before they are detected by traditional risk detection.

Industry-Specific Applications

Financial Services: Credit Risk, Market Risk, Operational Risk and regulatory compliance are key areas of emphasis for banks and insurance companies, where ISO 31000 is the governance framework.

Healthcare: Hospitals implement ISO 31000 to handle patient safety related issues, clinical mistakes, safety data breach issues, and regulatory compliance (HIPAA, clinical trial regulations).

Manufacturing: ISO 31000 principles help produce manage risk in the supply chain, equipment failure probability, product liability and workplace safety.

Technology Companies: Technology obsolescence risk, cyber security, talent retention, and market disruption risks are a few of the risks systematically mitigated by ISO 31000, given the rapid innovation that is happening in the technology sector.

Government and Nonprofit: ISO 31000 is adopted by the public sector (governments, NGOs, etc.) for disaster preparedness, service continuity, fraud prevention and protection of stakeholders.

Integrating ISO 31000 with Strategy Execution

The best ones integrate the management of risk within strategy and not as a separate function.

Practical integration approach:

  • Strategic risk assessment: Carry out a scenario analysis, identifying strategic risks, before considering new market entry, acquisitions or significant investments.
  • Strategic risk ownership: Identify board-level risk owners for each of the board’s strategic initiatives.
  • Risk adjusted decisions: Risk analysis to modify strategy. When there’s too much risk in entering the market, don’t rush into a big expansion; instead, go for a phased entrance.
  • Performance management: Incorporate risk management in executive scorecards and compensation.
  • Regular board reporting: Risk governance is given executive attention with regular attention in the board.

Conclusion

The ISO 31000 risk management framework represents a fundamental change in the way that organizations manage uncertainty. This framework, not the crisis, is what leads to companies significantly mitigating risks in proportion to their likelihood in a systematic manner and integrating risk into their business decisions routinely.

The strength of the framework is based on its principles-based flexibility and not in prescriptive procedures. From a 20-person start-up to a multinational corporation, ISO 31000 scales and adapts to fit your needs and size. Commitment of leadership, communication and a change in culture will be needed to implement, not just documentation.

Frequently Asked Questions

Q1: Do companies need to be ISO 31000 certified to comply with business?

No, ISO 31000 is not a certification standard program, it is another standard that ISO publishes. An organization does its own self-assessment based on the framework, and can also have third party audits to verify the implementation of the framework; however, there is currently no formal certification or no requirement for certification under law.

Q2: What is the approximate time needed for implementing ISO 31000?

The length of the timeline will depend on the size of the organization and its maturity. Basic (2-3 months), mature (6-12 months), and full implementation (18+ months) of risk management can be achieved depending on the size of the business. Things seem to come easily in weeks, but take time to mature.

Q3: What is the difference between Risk Management and Compliance?

Risk management involves identifying and managing risks against the objectives. Compliance ensures adherence to regulations. Although they are related, they’re different – your organization can be compliant, but have substantial operational risks. ISO 31000 does not just provide for regulation, it addresses the wider risk universe.

Q4: Is it possible for small companies to effectively implement ISO 31000?

Absolutely. In the 2018 revision, the principles take precedence over the prescriptive procedures, which makes it possible to scale up. Keep it simple with the areas of the business that matter the most, ease into the tools and then add more sophistication as needed. Complexity isn’t prerequisite for effectiveness.

Q5: When are risk assessments needed to take place?

Frequency of risk assessment is based on the level of volatility in the environment and the risk category. The risks that are critical should be monitored on a continuous or monthly basis. Medium priority risks should be reviewed on a quarterly basis. Low priority risks can be evaluated on an annual basis. Extraordinary assessments occur in response to external changes, such as a change in the market, the change of regulations or an acquisition, irrespective of the schedule.

Q6: What’s the relationship between ISO 31000 and business continuity planning?

ISO 31000 lists risks that could put the continuity of an organization at risk; business continuity planning outlines the mitigation strategies to use for high impact, low frequency risks. Business continuity is a risk response activity that is applicable in crisis situations.

Q7: What to do about employee resistance to the risk management processes?

Explain that the goal of risk management is to safeguard jobs and the success of the organization, rather than punishment. Educate workers on not blaming but improving themselves when identifying risks. Share stories of successful implementation of prevented problems. Celebrate and reinforce awareness of risk across the organization.

Q8: Can ISO 31000 be applied in highly regulated organizations, such as banks?

Yes, ISO 31000 can be applied effectively. The ISO 31000 standard is a framework that can be used to create strong risk management in banking regulations. Many banks incorporate the principles of ISO 31000 along with industry-specific rules (Basel III, Dodd-Frank) in order to develop a comprehensive governance.

Leave a Comment