Risk Practitioners Guide to ISO 31000: 2018 in PDF Free Download
There are many recommended approaches to risk management (RM) and several different guides and risk management frameworks and standards have been published. This guide explains the approach used in ISO 31000:2018 Risk management – Guidelines and identifies the importance and relevance of ISO 31000 and other frameworks. This guide also outlines the practical application of the ISO 31000 guidelines and provides commentary on implementation.
It remains a challenge for risk professionals to clearly demonstrate the value of making resources available for risk management. In view of this continuing challenge, ISO has published an updated version of ISO 31000 Risk management – Guidelines. This IRM guide provides commentary on the revised ISO 31000. In 2017 COSO published ‘ERM – Integrating Strategy and Performance’ and a separate IRM guide to the updated COSO framework has also been published.
In order to evaluate ISO 31000 and, in the separate guide, the updated COSO framework, a recognized format is necessary. The International Standards Organisation (ISO) published a highly regarded guide to the format for management system standards entitled Annex SL. The Annex SL format for management system standards is summarised in Appendix A of this guide.
Annex SL describes seven substantive components of a management system standard. These are grouped in this guide as ‘Scope and Design’ components and ‘Control and Develop’ components, as illustrated in Figure 1 and Figure 2, respectively. This guide considers these two groups of components as the means of comparing ISO 31000 with the Annex SL format. The conclusion is that ISO 31000 includes all the required features of a management system standard, but with an emphasis on the ‘Control and Develop’ components.
Overall, ISO 31000 provides detailed guidelines on the plan, implement, measure, and learn features of a risk management system, but less explicit information on the context, leadership, and support features required of a management system standard. An analysis of the components of ISO 31000 is provided in Appendix B. The message for risk professionals is that their employer or client organizations should implement the ISO 31000 principles and components that are best suited to their particular circumstances and modify other principles and components, as necessary.
ISO 31000 contains much valuable information and it represents robust, high-level guidelines for the management of risk. However, there is no step-by-step checklist to the implementation of the risk management initiative. The challenge for risk professionals is to rearrange the guidance in ISO 31000 to align with their own approach to implementing a risk management initiative. This guide provides an analysis of ISO 31000, a comparison with the ISO format for management system standards (Annex SL), and outlines a checklist for the implementation of risk management.
ISO 31000:2018 Risk Management – Guidelines
A lot of the complicated language has been eliminated, so the text is leaner and more precise. The new draft is shorter, but it gains in clarity and precision and is much easier to read. It includes improvements, such as the importance of human and cultural factors in achieving an organization’s objectives and an emphasis on embedding risk management within the decision-making process.
As with all ISO standards and guidelines, the first substantive section defines key terms. A total of eight terms are defined, including the definition of risk as “the effect of uncertainty on objectives”. This definition is clarified by a note to the definition stating that risk is usually expressed in terms of risk sources, potential events, their consequences, and their likelihood.
The new version of ISO 31000 is shorter than the earlier version, and it presents a high-level overview of risk management and how a risk management initiative can be implemented. ISO 31000 suggests that effective risk management is characterized by principles, frameworks, and processes. The separation of principles, framework, and process is not in line with the suggested format for management system standards, as described in Annex SL. This may present the risk professional with a challenge when seeking to produce an implementation plan or checklist for their risk management initiative based on ISO 31000.
The overall structure and approach adopted by the 2018 edition of ISO 31000 is best illustrated by the diagram included in ISO 31000 and reproduced over the page as Figure
3. ISO 31000 states that managing risk is based on the principles, framework, and process described in the guidelines. It also states that these principles and components might already exist in full or in part within an organization, but they might need to be adapted or improved so that managing risk is efficient, effective, and consistent.
Figure 3: Principles, framework and risk management process from ISO 31000
Risk management architecture
- Committee structure and terms of reference
- Roles and responsibilities
- Internal reporting requirements
- External reporting controls
- Risk management assurance arrangements
Risk management strategy
- Risk management philosophy
- Arrangements for embedding risk management
- Risk appetite and attitude to risk
- Benchmark tests for significance
- Specific risk statements/policies
- Risk assessment techniques
- Risk priorities for the present year
Risk management protocols
- • Tools and techniques
- Risk classification system
- Risk assessment procedures
- Risk control rules and procedures
- Responding to incidents, issues, and events
- Documentation and record keeping
- Training and communications
- Audit procedures and protocols
- Reporting/disclosures/certification
