Every organisation has a need to understand its potential risks and opportunities – clearly and objectively. However, there are many opinions about what risk management should be and what it involves.
Whether you’re just starting out with creating a risk management strategy, or your system is already well established, it can often help to get guidance from an expert, impartial source. That’s why, in 2009, the International Standards Organisation (ISO) published standard 31000.
ISO 31000 set out to answer a wide range of questions about risk management and provide details on the recommended implementation of a risk management system.
Recently, it was announced that the standard would be revised to provide more clarity and ensure that it still offers value to users – but what changes can we expect from the planned update, and how will those adjustments affect your existing risk management system?
Taking a closer look at ISO 31000
The full name of the standard in its current form is ISO 31000:2009, Risk management – Principles and guidelines. It provides policies, frameworks and processes for managing risk and can be used by any organisation, regardless of its size, activity or sector.
By using ISO 31000, organisations can increase the likelihood of achieving objectives, while improving the identification of opportunities and threats, and effectively allocating resources for risk treatment.
The standard is designed to provide guidance only – there is no associated certification. However, it does provide information about internal and external audit programmes. This includes an internationally recognised benchmark, which organisations can compare with their own systems.
The standard covers, among other things:
- Definition of risk – While there are many definitions of risk and risk management, the definition provided by ISO 31000 is the “effect of uncertainty on objectives”.
- Risk management principles – Risk management should create and protect value; it should be part of all processes and used to make decisions and handle uncertainty. Transparency and inclusiveness are key, and a risk management system needs to support continual improvement in all aspects of an organisation.
- Risk management framework – An organisation should define its risk management policy, which establishes performance indicators, assigns responsibilities and allocates resources. In order to do this, risk practitioners need to be able to understand an organisation’s internal and external context.
- Risk management process – The risk management process needs to be part of an organisation’s overall management approach, and should be appropriate to the specific circumstances of the organisation’s context.
Since being written, ISO 31000 has been adopted as a national standard by more than 50 national standards bodies – covering more than 70 per cent of the global population. In addition, it has been adopted by a number of UN agencies and national governments – particularly in the areas of disaster risk reduction and the management of disaster risk.
What changes can be expected in the 2016 update?
All ISO standards come up for revision every five years – so it’s not a surprise that ISO 31000 will be getting a makeover. According to the International Standards Organisation, a number of risk practitioners indicated that the standard “needed a limited review to ensure it remained relevant to users”.
Since the original document was written, risk practitioners have asked for clarity on certain points. The revision is also an opportunity to build up the standard, thus creating a high-level document that reflects the needs of major corporations and governments.
Commenting on the revision work, FERMA president Julia Graham noted that ISO 31000 has become the most popular enterprise risk management standard in the world – and one of the most popular standards in the ISO library.
“It has stood the test of time very well, but it was published in 2009 and it is considered that some modification is required to bring the content and language up to date,” she added.
Risk and ISO 9001:2015
While not directly related to ISO 31000, a conversation about recent revisions to international standards would be incomplete without a mention of ISO 9001:2015. After all, this quality management standard is highly regarded around the world and over a million certificates have been issued to help organisations demonstrate the quality and consistency of their products.
In previous editions of the standard, risk was not explicitly mentioned. That’s not to say risk is a completely new concept to ISO 9001 – it was always implied. Now, however, it’s much more obvious, with section six stating that organisations must plan actions to address risks and opportunities, and these should be part of the quality management system (QMS).
Standards expert Jack West confirms that risk management is an essential part of any QMS.
“[It is] prudent [that] a well-developed quality management system should have always considered the risk of things going wrong, assessed the potential effects of negative outcomes and taken reasonable action to prevent the problems,” he said in an article for Quality Progress.
He adds that, until recently, many organisations have not formally addressed risk in their QMS. While the new version of the standard may not completely remedy the situation, it should be seen as a force for change, and companies will have three years to update their systems to fall in line with the new requirements.
The soon-to-be-revised version of ISO 31000 should provide guidance and a basic framework for companies that need to improve their risk management in order to maintain – or earn – their ISO 9001 certification. Dedicated risk management software, such as JCAD CORE, will also prove useful.
What can JCAD do for you?
Although the standards set out in ISO 31000 are not prescriptive or compulsory, they can provide a huge amount of value to risk managers – no matter the size or nature of the organisation.
Speaking at an international conference about the standard in 2013, Christopher Mandel, senior vice president of strategic solutions at Sedgwick Claims Management Services, explained that standards are designed to provide support.
“Standards allow you to proactively address risks with some discipline […] Standards also relate well to the whole idea of focusing on outcomes,” he said.
We are continually developing our systems to ensure they adapt to the ever-changing risk environment using standards such as IRM, ALARM, COSO and ISO 31000 as a guide. The update of ISO 31000 is no exception, and when the new version of the standard is published (it’s expected in mid-2016), we will work to ensure that the software meets the updated guidance.
Of course, there’s no reason to wait until the new standard is published. Now is the perfect time to upgrade your own risk management system, and the dedicated software from JCAD can simplify and streamline your risk management efforts.
To find out more about JCAD CORE, and how it can help your organisation align with ISO 31000 today, and in the future, please get in touch.