ISO defines a risk management framework as “a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization”.
ISO’s 31000:2009 risk management standard is designed for all types of businesses, regardless of size, industry and risk portfolio. ISO’s framework allows your company to compare its risk management programme with an internationally recognized benchmark and seek guidance on auditing and governance.
Managing risk in an organization requires the cohesive application of the ISO 31000 principles, framework and risk management process.
Principles
ISO identifies 11 key principles in risk management.
Risk management should:
Creating a risk management framework and process
Using these principles to oversee enterprise risk management and gain organizational commitment, risk managers then need to create a framework, implement it, and monitor and review it so that it continues to improve. Our article on developing an enterprise risk management framework gives more insight into this process.
Once the framework is in place, the final part of ISO 31000 is creating and implementing processes. This aspect is about taking the guidance in the framework and turning it into usable practices. This could mean giving steps to follow or a threshold to adhere to during specific scenarios.
These processes must be communicated throughout the business and adopted by everyone – not just those responsible for risk management. Monitoring and reviewing these processes completes the cycle.
Advantages of ISO
Implementing a risk management framework like the one set out in ISO 31000 is key to supporting an effective business. Although ISO 31000 is not a certification, it does provide an easy-to-use and adaptable guide to help organizations manage risk in order to achieve objectives, identify opportunities and threats, and allocate resources for risk treatment.
You have a risk management framework, what’s next?
When you have your risk management framework and processes in place, you might find that you have large quantities of data gathered from many people across departments. To get consistency and accuracy in collation and reporting, a good risk management information system is key.