The ISO 31000 Standard

The ISO 31000 standard provides principles and guidelines for effective risk management that can be applied to different risk types and organizations. It defines a risk management framework with procedures, roles, and responsibilities. The standard innovated by providing a definition of risk as the effect of uncertainty on achieving objectives, introducing the notion of risk appetite, and emphasizing risk management as part of strategic decision making. The risk management process in the standard includes activities like risk identification, analysis, evaluation, treatment, and monitoring.
Uploaded by Marcos Toti

The ISO 31000 standard

Risk management: principles and guidelines

Overview

ISO 31000 is an international standard, first published in 2009 (and since revised as ISO 31000:2018; the material below follows the 2009 edition), that provides principles and guidelines for effective risk management. It outlines a generic approach to risk management which can be applied to different types of risk (financial, safety, project risk) and used by any type of organization. The standard provides a uniform vocabulary and set of concepts for discussing risk management, and its principles and guidelines can be used to undertake a critical review of your organization's risk management process.

The standard does not provide detailed instructions or requirements on how to manage
specific risks, nor any advice related to a specific application domain; it remains at a
generic level.

Relative to older standards on risk management, ISO 31000 innovates in several areas:

 it provides a new definition of risk as the effect of uncertainty on the possibility of achieving the organization's objectives, highlighting the importance of defining objectives before attempting to control risks, and emphasizing the role of uncertainty
 it introduces the (sometimes controversial) notion of risk appetite, or the level of risk which the organization accepts to take on in return for expected value
 it defines a risk management framework with different organizational procedures, roles and responsibilities in the management of risks
 it outlines a management philosophy where risk management is seen as an integral part of strategic decision-making and the management of change

Course material

 Lecture slides (PDF)

The risk management process outlined in the ISO 31000 standard includes the following activities (context setting comes first; communication and consultation, and monitoring and review, run alongside the other steps rather than after them):

 Establishing the context: this activity, which was not included in earlier descriptions of the risk management process, consists of defining the scope of the risk management process, defining the organization's objectives, and establishing the risk evaluation criteria. The context comprises both external elements (regulatory environment, market conditions, stakeholder expectations) and internal elements (the organization's governance, culture, standards and rules, capabilities, existing contracts, worker expectations, information systems, etc.).

 Risk identification: identifying what could prevent us from achieving our objectives.

 Risk analysis: understanding the sources and causes of the identified risks; studying probabilities and consequences given the existing controls, to determine the level of residual risk.

 Risk evaluation: comparing the results of risk analysis with the risk criteria to determine whether the residual risk is tolerable.

 Risk treatment: changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit.

 Monitoring and review: measuring risk management performance against indicators, which are themselves periodically reviewed for appropriateness. It involves checking for deviations from the risk management plan; checking whether the risk management framework, policy and plan are still appropriate given the organization's external and internal context; reporting on risk, on progress with the risk management plan and on how well the risk management policy is being followed; and reviewing the effectiveness of the risk management framework.

 Communication and consultation: this task helps understand stakeholders' interests and concerns, checks that the risk management process is focusing on the right elements, and helps explain the rationale for decisions and for particular risk treatment options.
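The process steps above are abstract, so here is an added example (not from the standard or the lecture slides) that walks one information-security risk through them as a tiny risk register: context sets the risk criteria, identification records the risk against an objective, analysis derives residual likelihood and impact from existing controls, evaluation compares the level with the criteria, treatment adds controls until the level is within appetite, and monitoring checks whether an observed indicator still matches the likelihood assumed. The 1..5 ordinal scales, the "scale steps removed" control model, the appetite thresholds, the events-per-step mapping and the sample risk are all assumptions; ISO 31000 prescribes no scoring method.

```python
"""Walk one security risk through the ISO 31000 process steps.

Added example, not from ISO 31000 or the course material. All scales,
thresholds and the sample risk below are assumptions.
"""
from dataclasses import dataclass, field, replace
from typing import List, Tuple

# Establishing the context: risk criteria are fixed *before* any risk is
# assessed. Assumed appetite, as thresholds on the 1..25 (likelihood x impact)
# level: at or below "tolerable" accept, at or above "intolerable" must treat.
RISK_CRITERIA = {"tolerable": 6, "intolerable": 15}


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0   # scale steps removed from likelihood
    impact_reduction: int = 0       # scale steps removed from impact


@dataclass
class Risk:
    ident: str
    description: str       # risk identification: what could stop us
    objective: str         # the objective (from the context) it threatens
    likelihood: int        # inherent, 1 (rare) .. 5 (almost certain)
    impact: int            # inherent, 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def residual(self) -> Tuple[int, int]:
        """Risk analysis: likelihood and impact given the existing controls."""
        lk = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        im = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, min(5, lk)), max(1, min(5, im))

    def level(self) -> int:
        lk, im = self.residual()
        return lk * im


def evaluate(risk: Risk, criteria=RISK_CRITERIA) -> str:
    """Risk evaluation: compare the residual level with the risk criteria."""
    lvl = risk.level()
    if lvl >= criteria["intolerable"]:
        return "treat"
    if lvl <= criteria["tolerable"]:
        return "accept"
    return "review"    # in between: an explicit management decision is needed


def treat(risk: Risk, candidates: List[Control], criteria=RISK_CRITERIA) -> List[str]:
    """Risk treatment: add candidate controls (greedy, largest reduction first)
    until the residual level no longer evaluates to 'treat'. Mutates risk and
    returns the names of the controls applied, in order."""
    applied = []
    remaining = list(candidates)
    while remaining and evaluate(risk, criteria) == "treat":
        best = min(remaining,
                   key=lambda c: replace(risk, controls=risk.controls + [c]).level())
        risk.controls.append(best)
        remaining.remove(best)
        applied.append(best.name)
    return applied


def monitor(risk: Risk, observed_events: int, events_per_likelihood_step: int = 2) -> bool:
    """Monitoring and review: does the number of events observed over the
    review period still match the residual likelihood we assumed? Returns True
    when the risk needs re-analysis. The events-per-step mapping is assumed."""
    assumed_lk, _ = risk.residual()
    implied_lk = max(1, min(5, 1 + observed_events // events_per_likelihood_step))
    return implied_lk != assumed_lk


def example() -> dict:
    """Constructed sample risk (not real data) carried through every step."""
    phishing = Risk(
        ident="R-01",
        description="Credential phishing leads to access to customer records",
        objective="Keep customer data confidential",
        likelihood=4, impact=5,
        controls=[Control("Security awareness training", likelihood_reduction=1)],
    )
    before = evaluate(phishing)                 # residual 3 x 5 = 15 -> treat
    candidates = [
        Control("Phishing-resistant MFA", likelihood_reduction=2),
        Control("DLP on mail and web egress", impact_reduction=1),
        Control("EDR on endpoints", impact_reduction=1),
    ]
    applied = treat(phishing, candidates)       # MFA alone brings 15 down to 5
    return {
        "before": before,
        "applied": applied,
        "residual_level": phishing.level(),
        "after": evaluate(phishing),
        "reassess": monitor(phishing, observed_events=6),  # 6 events >> assumed
    }


if __name__ == "__main__":
    print(example())
```

The greedy treatment loop stops as soon as the level drops out of the "treat" band, which is exactly where the risk-appetite question bites: whether to go on adding controls below the threshold is a management decision against the criteria, not something the register can decide on its own.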

The standard includes a number of principles that risk management should satisfy. Risk management:

 creates and protects value
 is based on the best available information
 is an integral part of organizational processes
 is tailored
 is part of decision-making
 takes human and cultural factors into account
 explicitly addresses uncertainty
 is transparent and inclusive
 is systematic, structured and timely
 is dynamic, iterative and responsive to change
 facilitates continual improvement of the organization

Note that the standards document is very expensive to purchase. The slides above
suggest an alternative source of information that may be useful to some learners.
