The ISO 31000 underlines the development of a framework that will fully integrate the risk management process into an organization. The framework assures that an organization-wide process is supported, iterative and effective. That means that risk management will be an active component in governance, strategy and planning, management reporting processes, policies, values and culture. The framework is intended to be adapted to the particular needs and structure of all organizations, regardless of their size, and it is facilitated by leadership and commitment of the organization’s top management. Successful implementation of the ISO 31000 risk management framework requires the engagement and awareness of stakeholders. This allows organizations to explicitly address uncertainty in decision-making, while also ensuring that any new or subsequent uncertainty can be taken into account as it arises. The framework includes activities such as: demonstrating leadership and commitment to risk management, integrating risk management into organizational processes, designing the framework for managing risk (which includes understanding the organization and its context, articulating risk management commitment, assigning roles, authorities, responsibilities and accountabilities, allocating appropriate resources and establishing communication and consultation), implementing the risk management process, evaluating the risk management process and adapting and continually improving the framework. Recognizing that organizations may already have a set of principles, a framework and process for managing risk, the content has been streamlined to encourage users to customize and improve how they manage risk through the updated standard’s guidance.
ISO 31000:2018 establishes the creation and protection of value as the core purpose of risk management. Working toward this goal, the standard sets out eight principles for improving an organization’s risk management framework and process. These principles are designed to help organizations improve performance, encourage innovation and support the achievement of objectives.
Managing risk creates and protects value by:
Integrated: The organization integrates risk management into all of its activities.
Structured and Comprehensive: Risk management is based on a structured and comprehensive approach.
Customized: Risk management is linked to the organization’s objectives and is tailored to fit the organization’s context.
Inclusive: Risk management involves the necessary stakeholders and takes into account their knowledge, views and perceptions.
Dynamic: Because both internal and external changes occur, risk management is able to detect and respond to those changes appropriately.
Best available information: Risk management accounts for any limitations and uncertainties in the available historical and current information and in future expectations.
Human and cultural factors: Human behavior and culture heavily influence risk management; therefore these two characteristics are taken into account in all aspects of risk management.
Continual improvement: The organization’s risk management is continually improved.