Business leaders are always looking for the best ways to address risks in their organizations, and safety professionals play a key role in identifying, assessing and mitigating them. Published in 2009, the ISO 31000 standard, Risk Management – Principles and Guidelines, was developed to provide organizations with principles, a framework and process for establishing a risk management program.
The standard recently underwent a revision, ISO 31000:2018, to reflect the evolution of risk management over the past decade from a separate, at times departmentalized, activity to an integrated management competency. Here are five things you need to know.
- Simplified language with purpose statements. Language from the 2009 version that was overly technical or would require a detailed understanding of risk management has been rewritten to make ISO 31000:2018 more easily understandable and accessible for users.
Terms and definitions were reduced from twenty-nine to eight. The standard now includes purpose statements of risk management along with the principles, framework and process. Recognizing that organizations may already have a set of principles, a framework and process for managing risk, the content has been streamlined to encourage users to customize and improve how they manage risk through the updated standard’s guidance.
- Value creation and protection. ISO 31000:2018 establishes the creation and protection of value as the core purpose of risk management. Working toward this goal, the standard includes eight principles for improving an organization’s risk management framework and process. These principles are designed to help organizations improve performance, encourage innovation and support the achievement of objectives.
Managing risk creates and protects value by:
- Integrating risk management into an organization’s activities and decision-making
- Taking a structured and comprehensive approach
- Customizing for an organization’s needs and objectives
- Including stakeholder perspectives
- Being dynamic and responsive to organizational changes
- Using the best available information
- Taking human and cultural factors into account
- Learning and adapting for continual improvement
- Total integration. Noted among the eight principles, total integration of risk management across the entire organization is crucial to overall success. ISO 31000:2018 places an increased emphasis on integrating risk management into all organizational activities, processes and decision-making. It is important for leadership and those responsible for risk management activities to bear in mind that every employee in every department across the organization is managing risks on a daily basis. Therefore, risk management should be integrated into every aspect of the organization to drive continuous improvements in the organization’s performance objectives.
- Leadership from management. To achieve total integration of risk management across the organization, framework development starts with an understanding of how organizations are organized and governed. As such, ISO 31000:2018 stresses the need for management to be leaders for the cause of risk management. Without commitment and leadership from management in risk management, the process cannot be integrated naturally. The standard emphasizes that top management is accountable for managing risk while oversight bodies are accountable for overseeing risk management.
- Risk management is an iterative process. ISO 31000:2018 reminds those involved in risk management that stakeholders should be communicating and consulting with each other throughout the process. Although the risk management process is depicted as sequential, the standard explicitly states that in practice decision-makers and affected stakeholders apply it iteratively. This emphasizes the importance of managing risk while decisions are being made, rather than as an afterthought or as an additional step after decisions have already been made.
Those organizations that currently are using the ISO 31000:2009 standard as guidance for risk management will benefit from considering the shift in perspective for full integration that is key to the revised 2018 version. Further work is under development by Technical Committee 262 to provide a handbook and guidance on utilizing ISO 31000:2018 to integrate the comprehensive elements of risk management principles, framework and process with environmental, quality, safety and other management systems to create and protect value.